Law: Personal Data Protection Act, No. 9 of 2022 (PDPA)

Regulator: The Data Protection Authority of Sri Lanka (the Authority)

Summary: The Personal Data Protection Act, No. 9 of 2022 (PDPA) was passed in the Parliament of Sri Lanka and was endorsed on March 19, 2022. Section 1 of the PDPA provides for the mechanism and specific periods by and on which the PDPA would gradually come into force as follows. The provisions of the PDPA, except the provisions of Part IV and Part V of the PDPA, will come into operation on a date not earlier than 18 months and not later than 36 months from the date of the enactment of the PDPA.

The PDPA establishes a comprehensive regulatory framework for the protection of personal data, the first of its kind in Sri Lanka. It seeks to identify and strengthen the rights of data subjects and provide for the designation of the Data Protection Authority of Sri Lanka (the Authority). Other notable provisions under the PDPA include the obligation to develop a data protection management programme and the conditions on the use of personal data for direct marketing purposes. The PDPA also includes extensive provisions governing cross-border data transfers, which have data localisation implications applicable to all controllers and processors intending to process personal data outside of Sri Lanka.

On January 8, 2024, an Order which designated that confirmed that the Parts VI, VIII, IX, and X of the PDPA entered into effect on December 1, 2023, while Parts I, II, III, and VII of the PDPA will enter into effect March 18, 2025. In addition, Part V of the PDPA entered into force on July 17, 2023 and accordingly, established the Authority.