
The Personal Data Protection Act of Sri Lanka: A Timely Legislation for Fostering Economic Growth
Sri Lanka’s journey towards establishing a comprehensive personal data protection framework began in 2019, culminating in the enactment of the Personal Data Protection Act No. 9 of 2022 (PDPA). This landmark legislation marks a significant step in aligning Sri Lanka with global data protection standards, particularly those set by the European Union’s General Data Protection Regulation (GDPR). The PDPA is not merely a legal instrument; it is a strategic enabler of Sri Lanka’s digital transformation and economic development.
A GDPR-Inspired Framework with Local Adaptation
The PDPA draws heavily from the GDPR, evident in its structure, principles, and rights afforded to data subjects. It also appears to draw on international best practices and laws from other jurisdictions, so that the PDPA is tailored to Sri Lanka’s socio-economic context. This hybrid approach enhances the law’s interoperability and facilitates cross-border cooperation in data protection enforcement.
Phased Implementation and Regulatory Framework
Recognizing the need for businesses to adapt, the PDPA includes grace periods before its full operationalization. Initially scheduled to become effective by 18th March 2025, the implementation has been postponed to allow further time for compliance readiness.
A Personal Data Protection (Amendment) Bill was published in March 2025 to revise certain provisions, including the operational timelines and procedural aspects of data subject rights.
The Data Protection Authority (DPA), established under the PDPA, has begun issuing draft rules, regulations, directives, and guidelines, which will form the surrounding regulatory framework. These documents are crucial for operational clarity and were subject to stakeholder consultation as well.
Economic Implications: Building Trust and Attracting Investment
The PDPA’s preamble explicitly states its objective to foster growth and innovation in the digital economy while safeguarding personal data rights. This dual focus is vital for Sri Lanka’s ambition to become a regional technology hub.
In jurisdictions like the EU, companies are required to conduct Transfer Impact Assessments (TIAs) before transferring personal data to third countries. These assessments evaluate whether the destination country offers an essentially equivalent level of protection. A robust data protection regime like Sri Lanka’s PDPA can significantly enhance the country’s attractiveness as a data processing destination, particularly for IT, BPO, and BPM sectors.
Extraterritorial Scope and Global Relevance
One of the PDPA’s strengths lies in its extraterritorial applicability. The law applies not only to entities established in Sri Lanka but also to foreign controllers and processors who offer goods or services to individuals in Sri Lanka or monitor their behaviour. Moreover, the PDPA protects all data subjects, regardless of nationality or residence, if their data is processed in Sri Lanka.
This broad scope ensures that Sri Lanka can position itself as a trusted jurisdiction for global data operations, reinforcing its competitiveness in international markets.
Core Principles and Data Subject Rights
The PDPA enshrines key data protection principles akin to those in the GDPR:
- Purpose limitation
- Data minimization
- Lawfulness, fairness, and transparency
- Storage limitation
- Integrity and confidentiality
- Accountability
Controllers and processors are required to maintain detailed records, implement policies, and demonstrate compliance. For the first time in Sri Lanka, individuals are granted statutory rights over their personal data, including:
- Access
- Rectification and completion
- Erasure
- Objection to processing
- Withdrawal of consent
- Review of automated decisions
These rights empower individuals and enhance consumer trust—an essential ingredient for digital commerce and innovation.
Enforcement and Penalties
The Data Protection Authority is vested with extensive powers to investigate both public and private sector entities. It can act on its own initiative or based on complaints from data subjects. Following an inquiry, the DPA may issue directives, and non-compliance can attract penalties up to LKR 10 million in the first instance.
Such enforcement mechanisms are critical for ensuring accountability and deterring violations, thereby reinforcing Sri Lanka’s reputation as a secure data environment.
Surveillance Laws and Constitutional Safeguards
A key concern for international businesses is the surveillance landscape of the data importer country. Sri Lanka, as a constitutional democracy, does not have general laws permitting indiscriminate surveillance. Any surveillance must be authorized by specific legislation and conform to constitutional safeguards.
The PDPA further strengthens this position through:
- Section 3, which ensures that the PDPA prevails over any conflicting law, and that public authorities may process data under other laws only if consistent with the PDPA.
- Section 40, which restricts exemptions to the PDPA to those (i) that are lawful, necessary, and proportionate in a democratic society, for purposes such as national security, public health, and judicial independence, and (ii) that respect the essence of the fundamental rights and freedoms of data subjects.
These provisions provide minimum safeguards even in cases of lawful surveillance, enhancing Sri Lanka’s credibility in the eyes of foreign data exporters.
Conclusion: A Strategic Enabler for Digital Growth
The PDPA fills a critical gap in Sri Lanka’s legal framework, aligning the country with advanced global regimes and enhancing its appeal to international businesses. By ensuring secure and lawful handling of personal data, the PDPA fosters a trustworthy digital environment that encourages investment, innovation, and economic growth.
As Sri Lanka prepares for the full operationalization of the PDPA, it stands at the cusp of a transformative era—one where data protection is not just a legal obligation but a strategic asset for national development.
Disclaimer – The views expressed in this article are the personal views of the authors and are purely informative in nature.