Sri Lanka’s Personal Data Protection Act, No. 9 of 2022
March 2022
National Regulations
The Personal Data Protection Act, No. 9 of 2022, enacted by the Parliament of the Democratic Socialist Republic of Sri Lanka, establishes a framework for regulating the processing of personal data. The Act recognises the increasing importance of safeguarding personal data rights amidst the rapid growth of the digital economy. Its primary purpose is to protect individuals’ privacy while fostering trust and innovation in digital services. It seeks to improve interoperability among data protection frameworks and enable cross-border cooperation for enforcement. By balancing privacy with technological and economic development, the Act ensures compliance with both domestic laws and international standards.
Overview of the Act
The Act is divided into several parts, each focusing on specific aspects of personal data protection:
Part I: Processing of personal data
This section outlines the legal principles for processing personal data, emphasising lawfulness, transparency, accuracy, and confidentiality. Controllers are required to define explicit purposes for data processing, ensure data minimisation, and adopt technical measures to prevent unauthorised access.
Part II: Rights of data subjects
The Act grants data subjects rights such as access to their data, the ability to withdraw consent, rectification or completion of data, erasure of data, and objection to automated decision-making. It also establishes mechanisms for appeals in cases of non-compliance.
Part III: Controllers and processors
This part defines the responsibilities of data controllers and processors, including the appointment of Data Protection Officers (DPOs), the maintenance of data protection management programmes, and the conduct of data protection impact assessments for high-risk processing activities.
Part IV: Use of personal data to disseminate solicited messages
Regulates the use of personal data for direct marketing and similar activities. Consent from data subjects is mandatory, and clear opt-out mechanisms must be provided.
Part V: Data Protection Authority
Establishes the Data Protection Authority of Sri Lanka, which oversees compliance, investigates breaches, imposes penalties, and issues guidance. The Authority has powers to audit and enforce data protection rules.
Part VI: Director-General and the staff of the authority
Outlines the appointment and roles of the Director-General and other staff members, ensuring the operational efficiency of the Authority. The section emphasises the qualifications and ethical standards required for leadership roles.
Part VII: Penalties
Specifies administrative penalties for non-compliance, emphasising deterrence and accountability. Repeat offenders may face escalating penalties.
Part VIII: Fund of the authority
Establishes the funding structure for the Authority, supported by fees, grants, and parliamentary appropriations.
Part IX: Miscellaneous
Covers additional provisions, including rules for borrowing funds, delegation of powers, and the confidentiality obligations of officials. It also includes safeguards against misuse of authority.
Part X: Interpretation
Provides definitions for key terms used throughout the Act, such as ‘personal data,’ ‘controller,’ ‘processor,’ and ‘data subject.’