Background of the Data Protection Law

Sri Lanka's Personal Data Protection Act No. 9 of 2022 (PDPA) is a landmark piece of legislation, marking the first of its kind in South Asia. The PDPA is tremendously inspired by the European Union's General Data Protection Regulation (GDPR), incorporating similar principles and standards.

The law was developed through a transparent process, including several rounds of stakeholder consultations and public feedback, beginning in June 2019 under the Ministry of Digital Infrastructure. The initial draft of the Personal Data Protection Bill was published in 2019, and after further revisions, it was passed by the Sri Lankan Parliament on 19th March 2022.

Although the Act was certified by the Speaker of Parliament, its provisions are being phased in gradually to allow data controllers and processors sufficient time to comply. The law applies both territorially—covering data processing within Sri Lanka—and extraterritorially, regulating entities outside Sri Lanka that offer goods or services to, or monitor the behaviour of, individuals within the country.

The implementation of the PDPA is structured over several years. Key dates include:

• July 17, 2023: Part V of the Act, establishing the Data Protection Authority, came into force.
• December 1, 2023: Parts VI, VIII, IX, and X came into operation.
• March 18, 2025: Parts I, II, III, and VII will come into operation.

The PDPA is set to be fully operational and enforceable by 18th March 2025, ensuring that Sri Lanka is well-positioned to protect personal data and foster a thriving, innovative digital economy.