Data protection & privacy laws in Sri Lanka (2026)
Sri Lanka enacted a comprehensive data protection law in March 2022 — the first in South Asia — modelled broadly on GDPR principles. Implementation has been phased: the Data Protection Authority (DPA) was established in mid-2023 and institutional provisions are active, but the core substantive obligations on data controllers and processors (Parts I–III and VII) were delayed from March 2025 by gazette and are now subject to a ministerial commencement order following the Personal Data Protection (Amendment) Act No. 22 of 2025, with full enforcement expected in 2026.
Key points
The Personal Data Protection Act, No. 9 of 2022 was passed by Parliament on 19 March 2022 and certified by the Speaker. It applies to any person or entity that processes personal data of Sri Lankan data subjects, regardless of where the controller is located.
The Data Protection Authority of Sri Lanka (DPA) was constituted under Part V of the PDPA, which came into operation on 17 July 2023. Board members and the Chairman are appointed by the President; the DPA is tasked with enforcement, guidelines, and promoting data protection. As of late 2025, recruitment of a Director General and senior management team was underway.
Parts VI, VIII, IX, and X (DPA staffing, offences, miscellaneous) came into force on 1 December 2023 per Gazette No. 2366/08. Parts I–III (definitions, data subject rights, controller obligations) and Part VII (enforcement/penalties) were originally scheduled for 18 March 2025 but that date was revoked by Gazette No. 2427/34 on 14 March 2025. The 2025 Amendment Act now gives the Minister discretion to bring all remaining provisions into force by gazette order.
Once fully in force, the PDPA confers rights to access, rectification, erasure, restriction of processing, data portability, and objection to automated decision-making. Data subjects may seek remedies through the DPA or courts, and the 2025 Amendment strengthened procedures against algorithmic bias and discrimination.
The Act requires a lawful basis for processing (including consent), purpose limitation, data minimisation, privacy notices, appointment of Data Protection Officers in prescribed circumstances, and data breach notification to the DPA. Sensitive personal data (health, biometrics, religion, etc.) attracts heightened obligations.
The PDPA restricts transfers of personal data to jurisdictions lacking adequate protection. The 2025 Amendment introduced flexibility by allowing organisations to choose between resident, sovereign, or public cloud infrastructure depending on the sensitivity and security classification of data, pending DPA regulations specifying adequate-protection criteria.
Last verified 5/24/2026 · Orientation, not legal advice - verify against the primary sources linked above.