Sri Lanka, a diverse island nation of over 22 million people, is on a growth trajectory, with digital transformation at the heart of its economic and societal development.
The nation’s digital transformation vision aims to modernize public and business sectors, create jobs and drive economic growth to positively impact people’s lives and establish Sri Lanka as a digital leader in the Asia-Pacific region.
The adoption of digital technologies presents risks such as identity theft, data breaches, algorithmic bias and social exclusion, and it is vital that these risks are mitigated. Data protection regulations that are human-centric and robust are therefore essential to ensure that all citizens benefit from the digital economy.
In recognition of the growing global emphasis on data protection, Sri Lanka enacted the Personal Data Protection Act No. 9 of 2022 (PDPA). This legislation aims to ensure that citizens and consumers can trust that their personal data is processed lawfully, fairly and responsibly. Although the 1978 Constitution of Sri Lanka does not explicitly guarantee the right to privacy as a fundamental right, the revised Constitution’s Article 14A addresses privacy within the context of the right to access information.
Sri Lanka is also a signatory to several international human rights instruments that impose data protection obligations, including the International Covenant on Civil and Political Rights, the Convention on the Rights of the Child and the Convention on the Rights of Persons with Disabilities. In 2015, Sri Lanka became the first South Asian country to join the Council of Europe Convention on Cybercrime and later signed the Second Additional Protocol.
Furthermore, in February 2022 Sri Lanka joined a "Joint Declaration on Privacy and the Protection of Personal Data" alongside partners such as the EU, Australia, India and Japan. This declaration emphasizes a human-centric approach to data protection, aiming to build trust in digital services and support the UN 2030 Agenda for Sustainable Development.
The Sri Lankan courts have also recognized the concept of privacy, underscoring its importance in safeguarding individual integrity and dignity. National legislation, including the Computer Crime Act No. 24 of 2007 and the Right to Information Act No. 12 of 2016, provides some data protection safeguards. The PDPA represents a comprehensive legal framework regulating the processing of personal data across both the private and public sectors. It enforces rights and safeguards for data subjects and establishes the Data Protection Authority (DPA), which is tasked with overseeing the implementation and enforcement of the law.
The establishment of an effective and progressive DPA is crucial for building public trust and enhancing data flows with international partners. These efforts will create a level playing field for domestic businesses, attract new investment opportunities, and support Sri Lanka’s goal of becoming a digital leader in the Asia-Pacific region.