= Personal Data Protection Act (Sri Lanka) =

Infobox
- Short Title: Personal Data Protection Act, No. 9 of 2022
- Legislature: Parliament of Sri Lanka
- Long Title: An Act to provide for the regulation of processing of personal data; to identify and strengthen the rights of data subjects in relation to the protection of personal data; to provide for the establishment of the Data Protection Authority; and to provide for matters connected therewith or incidental thereto
- Citation: Personal Data Protection Act, No. 9 of 2022, Personal Data Protection (Amendment) Act, No. 22 of 2025
- Territorial Extent: Worldwide
- Enacted By: Parliament of Sri Lanka
- Date Enacted: March 9, 2022, October 21, 2025 (Amendment)
- Date Signed: March 19, 2022, October 30, 2025 (Amendment)
- Signed By: Speaker of the Parliament
- Date Effective: July 17, 2023 (Part V), December 1, 2023 (Parts VI, VIII, IX, X), Remaining parts pending implementation date
- Administered By: Data Protection Authority of Sri Lanka
- Bill: Personal Data Protection Bill
- Bill Citation: Personal Data Protection Bill, Personal Data Protection (Amendment) Bill
- Introduced By: Minister of Technology, Minister of Digital Economy (Amendment)
- Date Introduced: November 25, 2021, March 27, 2025 (Amendment)
- Keywords: Data protection, Privacy, Personal data
- Status: not fully in force

The Personal Data Protection Act, No. 9 of 2022 (abbreviated PDPA) is a comprehensive data protection law enacted to regulate the processing of personal data in Sri Lanka. The Act aims to protect the privacy of individuals, establish rights for data subjects, and impose obligations on data controllers and processors.

== Background ==

The Act was passed by the Parliament of Sri Lanka in 2022 to address the growing need for data protection in the digital age. It is designed to safeguard personal data while allowing for legitimate data processing activities.

== Key features ==

=== Scope and application ===

The Act applies to the processing of personal data:
- Wholly or partly within Sri Lanka
- By controllers or processors domiciled or established in Sri Lanka
- Related to the offering of goods or services to data subjects in Sri Lanka
- Involving the monitoring of data subjects' behavior in Sri Lanka

=== Data Protection Authority ===

The Act establishes the Data Protection Authority of Sri Lanka as the primary regulatory body responsible for enforcing the law and promoting data protection practices.

=== Rights of data subjects ===

The Act grants several rights to data subjects, including:
- Right of access to personal data
- Right to rectification of inaccurate data
- Right to erasure ("right to be forgotten")
- Right to object to processing
- Right to withdraw consent
- Right to review automated decision-making

=== Obligations of data controllers and processors ===

Key obligations include:
- Ensuring lawful processing of personal data
- Implementing data protection management programs
- Conducting data protection impact assessments in certain cases
- Appointing Data Protection Officers under specific circumstances
- Notifying the Authority and affected individuals of personal data breaches

=== Cross-border data transfers ===

The Act regulates the transfer of personal data outside Sri Lanka, requiring adequate protection measures or specific conditions to be met.

=== Special categories of personal data ===

The Act provides additional protections for sensitive personal data, including data revealing racial or ethnic origin, political opinions, religious beliefs, health data, and biometric data.

=== Penalties ===

The Act empowers the Authority to impose penalties for non-compliance:

- For the first instance of non-compliance, a penalty not exceeding ten million rupees may be imposed.
- For subsequent non-compliances, an additional penalty of twice the amount imposed for the previous non-compliance may be levied.

The Authority considers several factors when determining penalties, including the nature and duration of the violation, the number of data subjects affected, and any actions taken to mitigate damages.

== Implementation timeline ==

The Act is being implemented in phases. The initial implementation schedule was established and subsequently amended by official gazette notifications:

=== Phase 1: July 17, 2023 ===

The following part of the Act came into effect as per Gazette No. 2341/59 (dated July 21, 2023):

- Part V – Establishment of the Data Protection Authority

=== Phase 2: December 1, 2023 ===

The following provisions of the Act came into effect as per Gazette No. 2366/08 (dated January 8, 2024):

- Part VI – Director-General and staff of the Data Protection Authority
- Part VIII – Fund of the Authority
- Part IX – Miscellaneous provisions
- Part X – Interpretation

=== Phase 3: Repeal of March 18, 2025 Implementation Date ===

Initially, the following provisions were scheduled to take effect on March 18, 2025, according to Gazette No. 2366/08:

- Part I – Preliminary provisions
- Part II – Rights of data subjects
- Part III – Controllers and processors
- Part VII – Penalties

However, this implementation date was repealed by Gazette No. 2427/34 (dated March 14, 2025). Consequently, these provisions no longer have a confirmed implementation date, pending further government announcements.

=== Phase 4: Part IV (Pending) ===

According to the Data Protection Authority, Part IV, which addresses the 'use of personal data to disseminate solicited messages', will come into operation between twenty-four and forty-eight months from the date the Act was certified by the Speaker. The exact date for implementation of Part IV is yet to be determined.

This phased implementation aims to enable sufficient preparation and compliance by organizations and relevant authorities. The repeal of the third phase indicates further governmental review before these provisions come into force.

== Impact and significance ==

The Personal Data Protection Act represents a significant step in Sri Lanka's digital governance framework. It aligns Sri Lanka's data protection regime with international standards, potentially facilitating cross-border data flows and digital trade. The Act is expected to enhance trust in digital transactions and services while promoting responsible data handling practices across public and private sectors.

== See also ==
- Online Safety Act (Sri Lanka)
- General Data Protection Regulation
- Information privacy
- Privacy law
