A South Asian First: Sri Lanka’s Personal Data Protection Act

Estimated Reading Time: 6 minutes
April 9, 2024

I know I covered India’s DPDPA first, but, as it turns out, Sri Lanka beat them to the punch. Sri Lanka’s Personal Data Protection Act (PDPA) was first published as a bill in the Official Gazette on November 25, 2021; after three readings in Parliament it was passed on March 9, 2022 and certified ten days later, on March 19, 2022.

The PDPA establishes a comprehensive regulatory framework for the protection of personal data, the first of its kind in Sri Lanka. It covers all the bases a data protection regulation is expected to cover, but it also has a few welcome additions: explicit requirements for controllers and processors that similar legislation in other countries leaves open to interpretation.

Earlier this year, on January 8 to be exact, a government order confirmed that Parts VI, VIII, IX, and X of the PDPA took effect on December 1, 2023, while Parts I, II, III, and VII will come into effect on March 18, 2025.

The Legislation at a Glance

  • The PDPA applies to the processing of personal data unless the data is collected by an individual purely for personal, domestic, or household purposes.
  • The PDPA applies to any controller or processor that:
    • processes personal data within Sri Lanka;
    • is resident in Sri Lanka;
    • is incorporated by or established under Sri Lankan law; or
    • processes personal data as part of offering goods or services to people in Sri Lanka.
  • The PDPA also creates the Data Protection Authority (DPA) of Sri Lanka.
    • The DPA is led by a board of five to seven directors.
    • The President of Sri Lanka appoints the board members of the DPA.
    • The President of Sri Lanka also appoints the chairperson of the DPA from among the board members.

Five Rights for Data Subjects

The Act grants these rights to data subjects, meaning any identifiable individual whose data is processed, not only Sri Lankan citizens:

  • Data subjects have the right to request access to all the data a data controller/processor has collected on them.
  • Data subjects have the right to withdraw any consent they previously gave to data collection.
  • Data subjects have the right to request rectification of data collected on them if it is outdated, incorrect, or obsolete.
  • Data subjects have the right to request that all data a data controller/processor has collected on them be erased.
  • Data subjects have the right to object, by informing the data controller/processor, to decisions based on automated decision-making.

These rights ensure that individuals retain control over their data and that data controllers/processors cannot collect data indiscriminately.

The Available Conditions for Lawful Data Processing

  1. Informed, free, and granular consent from the data subject
  2. Necessity for the performance of a contract between the data controller/processor and the data subject
  3. Processing mandated by law
  4. Legitimate interest, where collection or processing does not infringe on the data subject’s rights
  5. Public interest, such as national security, public health, or scientific research

You’re Going to Need a Data Protection Officer

Every data controller and processor subject to the PDPA has to appoint a Data Protection Officer (DPO). The DPO must have the relevant academic qualifications and meet whatever other requirements are needed to ensure they are professionally competent for the job.

Impact Assessments Aren’t Optional

Data controllers must carry out a data protection impact assessment. Not only must the assessment contain a detailed record of all data collection and processing activities, it has to be updated to reflect any change in data collection, storage, or protection methodologies. Assessments must be submitted to the Sri Lankan DPA (the Authority, not your own DPO) and made available to data subjects on request. This is no mean feat.

The Data Protection Management Programme

The PDPA outlines additional responsibilities as part of the Data Protection Management Programme, which include:

  • Creating and maintaining records that demonstrate compliance
  • Creating internal oversight mechanisms and/or procedures appropriate to the structure, scale, volume, and sensitivity of your collection and processing activities
  • Creating mechanisms and/or procedures to receive complaints, conduct inquiries, and identify personal data breaches
  • Integrating all of the above into internal governance and making sure they are regularly updated

There’s nothing net-new here, but the fact that each item is an explicit requirement, rather than an implied nice-to-have, is great to see.

Cross-Border Data Transfers

Data collected or processed in Sri Lanka cannot be transferred to a third country unless that country is covered by an adequacy decision. An adequacy decision has to be made in consultation with the Minister of Communication and is subject to periodic monitoring of the safeguards and privacy mechanisms in place in the third country. As is usually the case there are exceptions, but the burden of proof is on the controller/processor:

  • The data subject, having been informed of the possible risks of the transfer in the absence of an adequacy decision, has consented
  • The transfer is necessary for the performance of a contract
  • The transfer is necessary for reasons of public interest

Penalties for Non-Compliance

Any organization found in non-compliance with any of the PDPA’s provisions can be fined up to LKR 10 million (Sri Lankan rupees, roughly US$30,000 to US$35,000 at 2024 exchange rates) for each instance of non-compliance, and the penalty is doubled for repeat offenses.

Examples of Notable Enforcement

It’s still early and there is no enforcement track record yet, but the DPA is expected to become increasingly active in addressing data breaches and non-compliance as the remaining Parts of the Act take effect.

What’s Next for Privacy Law in Sri Lanka

As with any new legislation there will be growing pains, but the law clearly outlines many steps you can start working on while there’s still a grace period, at least for the Parts of the Act that come into force next year. The good news is that your company may already have a lot of these in place in response to similar legislation elsewhere:

  • Have a privacy policy that’s easy to find and understand
  • Appoint or hire a qualified Data Protection Officer 
  • Get your data protection impact assessment underway 
  • Start working through the steps outlined in the Data Protection Management Programme

If you’re looking for a helping hand creating a privacy program in Sri Lanka, we’re here to talk.


Author

  • From a misguided beginning in media planning some 18 years or so ago, Ash Lindley has worked across much of digital including SEO, digital analytics, and cloud architecture everywhere from an upstart digital agency to unwieldy full-service media agency environments, and a stint client-side for curiosity’s sake. As Strategy Lead, Ash is primarily focused on Wardley Mapping at InfoTrust, along with anything and everything privacy related in his spare time.

Last Updated: April 9, 2024
