Data Protection in Sri Lanka

Data protection laws in Sri Lanka

Until recently, Sri Lanka had no general legislation on the protection of personal data and privacy, although several sector-specific laws, such as the Computer Crimes Act No. 24 of 2007, the Banking Act No. 30 of 1988, the Electronic Transactions Act No. 19 of 2006, the Right to Information Act No. 12 of 2016 and the Telecommunications Act No. 25 of 1991, recognise the need for privacy and confidentiality. To address this lacuna, the Personal Data Protection Bill was first published as a draft bill in 2019. It went through several rounds of revision and was passed by the Parliament of Sri Lanka in March 2022, being certified on 19 March, 2022 as the Personal Data Protection Act No. 9 of 2022 (“PDPA”).

Although the PDPA has been certified by the Speaker of Parliament, most of it is not yet in operation. The Act provides for different time periods within which its various parts come into force, giving controllers and processors a much-needed grace period. The majority of the law will come into operation within 18 to 36 months from 19 March, 2022, while the part governing the sending of marketing messages using personal data will come into operation within 24 to 48 months from 19 March, 2022. The exception is Part V, which deals with the regulator under the law, the Data Protection Authority: by order of the Minister of Technology, Part V was brought into operation on 17 July, 2023. The Data Protection Authority is accordingly now being established, and the remaining parts of the PDPA are expected to follow once that process is complete.

The PDPA is primarily inspired by the European Union's General Data Protection Regulation (“GDPR”) and, therefore, shares many similarities with the GDPR.

The PDPA applies territorially to the processing of personal data where such processing takes place wholly or partly within Sri Lanka, or is carried out by a person or entity within Sri Lanka; and extraterritorially to a person or entity outside Sri Lanka in so far as it offers goods or services to individuals within Sri Lanka or monitors the behaviour of individuals within Sri Lanka.

Whilst the PDPA is the primary law governing the protection of personal data in Sri Lanka, the following regulations and directions, promulgated under sector-specific laws, also contain detailed data protection provisions:

  1. The Financial Consumer Protection Regulations No. 1 of 2023 (the “FCPR”), published on 9 August, 2023 and promulgated under the Monetary Law Act, No. 58 of 1949 (now replaced by the Central Bank of Sri Lanka Act, No. 16 of 2023), impose obligations substantially similar to those of the PDPA in relation to the protection of the personal information of financial consumers. The FCPR apply to licensed commercial banks, licensed specialised banks, licensed finance companies, specialised leasing companies, authorised primary dealers, authorised money brokers, licensed microfinance companies, participants in the payment and settlement systems, and any other financial institutions approved by the Central Bank of Sri Lanka. The FCPR protect not only personally identifiable information but all information pertaining to financial consumers, a term that includes corporate entities and other legal bodies. The FCPR also provide for grace periods before they become operational, with the majority of the regulations taking effect on the expiry of 6 months from the date of publication. In addition, the FCPR requirements on the security of personal information are reinforced by the Regulatory Framework on Technology Risk Management and Resilience for Licensed Banks, Directions No. 16 of 2021, dated 9 December 2021, issued under the Banking Act No. 30 of 1988 (as amended). That framework, however, applies only to licensed commercial banks and licensed specialised banks in Sri Lanka, and it concentrates on the information security requirements of those organisations.
  2. Special Direction No. 91, published by the Consumer Affairs Authority on 17 May, 2023 under the Consumer Affairs Authority Act No. 09 of 2003 (as amended), sets out provisions governing e-commerce entities and platform operators for the purpose of protecting consumers. Although not extensive in detail, these directions restate the principles set out in the PDPA with the aim of protecting the personal data of consumers. It should be noted that, unlike most of the PDPA, these directions are already in operation.
