Sri Lanka
Summary
Law: Personal Data Protection Act, No. 9 of 2022 ('PDPA')
Regulator: The Data Protection Authority of Sri Lanka ('the Authority') (not yet established)
Summary: The PDPA was introduced as a bill in the Official Gazette on 25 November 2021. Following three readings in the Parliament of Sri Lanka, the PDPA was passed with amendments on March 9, 2022, and subsequently endorsed on March 19, 2022.
The PDPA establishes a comprehensive regulatory framework for the protection of personal data, the first of its kind in Sri Lanka. It seeks to identify and strengthen the rights of data subjects and provide for the designation of the Authority. Other notable provisions under the PDPA include the obligation to develop a data protection management program and the conditions on the use of personal data for direct marketing purposes. The PDPA also includes extensive provisions governing cross-border data transfers, which have data localization implications applicable to all controllers and processors intending to process personal data outside of Sri Lanka.
On January 8, 2024, an Order which designated that confirmed that the Parts VI, VIII, IX, and X of the PDPA entered into effect on December 1, 2023, while Parts I, II, III, and VII of the PDPA will enter into effect March 18, 2025. In addition, Part V of the PDPA entered into force on July 17, 2023 and accordingly, established the Authority.