Privacy Law in Sri Lanka

Sri Lanka's Personal Data Protection Act No. 9 of 2022 (PDPA) is a landmark piece of legislation that establishes a comprehensive framework for the protection of personal data. It positions Sri Lanka as the first South Asian country to enact such a law, drawing inspiration from international standards like the EU's General Data Protection Regulation (GDPR).

🇱🇰 Key Provisions of the PDPA

1. Rights of Data Subjects

The PDPA grants individuals several rights concerning their personal data:

Right to Access: Individuals can request access to their personal data held by data controllers.

Right to Correction: Individuals can request correction of inaccurate or incomplete data.

Right to Deletion: Individuals can request deletion of their personal data under certain conditions.

Right to Object: Individuals can object to the processing of their personal data.

2. Lawful Bases for Processing

Personal data can be processed lawfully under the following conditions:

Consent: The data subject has given explicit consent.

Contractual Necessity: Processing is necessary for the performance of a contract.

Legal Obligation: Processing is necessary for compliance with a legal obligation.

Public Interest: Processing is necessary for the performance of a task carried out in the public interest.

Legitimate Interests: Processing is necessary for the legitimate interests pursued by the data controller or a third party.

3. Cross-Border Data Transfers

The PDPA imposes restrictions on transferring personal data to countries that do not provide an adequate level of protection. Transfers are permitted if:

Adequacy Decision: The recipient country has been recognized as providing adequate protection.

Consent: The data subject has consented to the transfer.

Contractual Necessity: The transfer is necessary for the performance of a contract.

4. Data Protection Authority (DPA)

The PDPA established the Data Protection Authority (DPA) to oversee and enforce the law. The DPA is responsible for:

Monitoring compliance with the PDPA.

Handling complaints from data subjects.

Promoting awareness of data protection rights.

Imposing penalties for non-compliance.

5. Penalties for Non-Compliance

Organizations found in violation of the PDPA may face:

Fines: Up to LKR 10 million for each instance of non-compliance.

Additional Penalties: Repeat offenses may result in higher fines.

🗓️ Implementation Timeline

The PDPA is being implemented in phases:

* July 17, 2023: Part V, establishing the Data Protection Authority, came into effect.

* December 1, 2023: Parts VI, VIII, IX, and X became operational.

* March 18, 2025: Parts I, II, III, and VII were initially scheduled to come into effect. However, this date was subsequently postponed to allow more time for compliance. The new enforcement date is yet to be announced.

🌐 International Commitments

Sri Lanka is a signatory to several international human rights instruments that impose data protection obligations, including:

The International Covenant on Civil and Political Rights.

The Convention on the Rights of the Child.

The Convention on the Rights of Persons with Disabilities.

In 2015, Sri Lanka became the first South Asian country to join the Council of Europe Convention on Cybercrime and later signed the Second Additional Protocol.

🧭 Summary

Sri Lanka's Personal Data Protection Act (PDPA) represents a significant step in safeguarding personal data and aligning with global data protection standards. While the full enforcement of the Act has been postponed to allow more time for compliance, organizations are encouraged to begin aligning their practices with the PDPA's provisions to ensure readiness when the law becomes fully operational.

 
