On September 24, 2024, the Data Protection Authority of Sri Lanka (DPA) announced that it had launched a public consultation on the draft directive on classification of categories of personal data for public authorities. The draft directive relates to controllers who are public authorities on the classification of categories of personal data permitted to be processed in a third country under Section 26(1) of the Personal Data Protection Act, No. 9 of 2022 (PDPA).

Scope

The draft directive specifies that the categories of personal data allowed to be processed by or on behalf of a public authority in a third country, as prescribed by the Minister through an adequacy decision under Section 26(2) of the PDPA, include:

• personal data processed in support of payments made by or on behalf of a public authority to or relating to the data subject, by or on behalf of the data subject to a public authority;
• personal data transmitted in email systems, conference call systems, and any other electronic communications services and platforms used by public authorities and their employees or contractors;
• personal data for which the data subject, or the data subject's authorized representative, has consented to the proposed processing of personal data in a third country;
• personal data which a regulatory or statutory body which regulates, authorizes, or supervises the public authority, or any Ministry responsible for administering the public authority permits to be processed in a third country;
• personal data relating to employees or contractors of a public authority in the context of their potential, current or former employment or engagement, including without limitation in relation to administration of pensions or obligations relating to social security;
• personal data concerning health that are processed as part of or in support of the provision of healthcare services by a medical practitioner licensed or otherwise accredited in Sri Lanka or another jurisdiction;
• personal data a copy of which is maintained in Sri Lanka and updated at a frequency commensurate with the nature of the personal data and purpose of processing;
• personal data where the public authority has readily enforceable contractual or other rights to have such personal data promptly relocated to Sri Lanka upon its request at a reasonable cost;
• personal data which the public authority has determined it is more expedient to process in a third country than in Sri Lanka for reasons of data security, cost of processing or quality of service, or for technical reasons; and
• personal data which, by their nature or by the nature of their processing, present minimal risk of harm to the data subject if such personal data were the subject of a personal data breach.

The draft directive does not apply to any personal data which have been identified under a policy of the Government of Sri Lanka as personal data that shall not be processed in a third country.

Definitions

The draft directive also includes key definitions, such as 'biometric data,' 'financial data,' 'child,' and 'genetic data.'

Public comments may be submitted to [email protected] by completing the feedback form until March 18, 2025.

You can read the press release here, the draft directive here, and download the feedback form here.