Short Title: | Personal Data Protection Act, No. 9 of 2022 |
Legislature: | Parliament of Sri Lanka |
Long Title: | An Act to provide for the regulation of processing of personal data; to identify and strengthen the rights of data subjects in relation to the protection of personal data; to provide for the establishment of the Data Protection Authority; and to provide for matters connected therewith or incidental thereto |
Citation: | Personal Data Protection Act, No. 9 of 2022 |
Territorial Extent: | Worldwide |
Enacted By: | Parliament of Sri Lanka |
Date Enacted: | March 9, 2022 |
Date Signed: | March 19, 2022 |
Signed By: | Speaker of the Parliament |
Date Effective: | July 17, 2023 (Part V); December 1, 2023 (Parts VI, VIII, IX, X); March 18, 2025 (Parts I, II, III, VII) |
Administered By: | Data Protection Authority of Sri Lanka |
Bill: | Personal Data Protection Bill |
Bill Citation: | Personal Data Protection Bill |
Introduced By: | Minister of Technology |
Date Introduced: | November 25, 2021 |
1st Reading: | January 20, 2022 |
2nd Reading: | March 9, 2022 |
3rd Reading: | March 9, 2022 |
Keywords: | Data protection, Privacy, Personal data |
Status: | Not fully in force |
The Personal Data Protection Act, No. 9 of 2022 (abbreviated PDPA) is a comprehensive data protection law enacted to regulate the processing of personal data in Sri Lanka.[1] The Act aims to protect the privacy of individuals, establish rights for data subjects, and impose obligations on data controllers and processors.
The Act was passed by the Parliament of Sri Lanka in 2022[2] to address the growing need for data protection in the digital age. It is designed to safeguard personal data while allowing for legitimate data processing activities.
The Act applies to the processing of personal data:
The Act establishes the Data Protection Authority of Sri Lanka as the primary regulatory body responsible for enforcing the law and promoting data protection practices.
The Act grants several rights to data subjects, including:
Key obligations include:
The Act regulates the transfer of personal data outside Sri Lanka, requiring adequate protection measures or specific conditions to be met.
The Act provides additional protections for sensitive personal data, including data revealing racial or ethnic origin, political opinions, religious beliefs, health data, and biometric data.
The Act empowers the Authority to impose penalties for non-compliance:
The Authority considers several factors when determining penalties, including the nature and duration of the violation, the number of data subjects affected, and any actions taken to mitigate damages.
The Act is being implemented in phases:
This phased implementation allows organizations and the government time to prepare for full compliance.
The Personal Data Protection Act represents a significant step in Sri Lanka's digital governance framework. It aligns Sri Lanka's data protection regime with international standards, potentially facilitating cross-border data flows and digital trade. The Act is expected to enhance trust in digital transactions and services while promoting responsible data handling practices across public and private sectors.