Sri Lanka Data Privacy Laws: PDPA No. 9 of 2022 Complete Guide (2026)

Sri Lanka's Personal Data Protection Act No. 9 of 2022 made the country the first in South Asia to enact standalone data protection legislation. Its substantive provisions covering data subject rights, controller obligations, and penalties remain pending as of May 2026 after Amendment Act No. 22 of 2025 removed fixed commencement dates.
Sri Lanka occupies a singular place in South Asian data privacy law. When Parliament certified the Personal Data Protection Act No. 9 of 2022 on March 19, 2022, the country became the first in the region to pass comprehensive standalone legislation governing the collection, use, and protection of personal data.
The law has not yet fully taken effect. Sri Lanka adopted a phased implementation approach, and the substantive controller and processor obligations remain pending as of May 2026. Understanding where the law stands, what has changed through the Personal Data Protection (Amendment) Act No. 22 of 2025, and what the Data Protection Authority is doing to prepare for enforcement is essential for any organization processing personal data of Sri Lankan residents.
This guide covers the complete framework -- the PDPA's structure, the constitutional context, the phased commencement history, the DPA's current status, data subject rights, legal bases for processing, controller and processor obligations, breach notification, cross-border transfer rules, penalties, the 2025 amendment, sector-specific laws, and practical compliance steps.
Quick Answer: Is Sri Lanka's PDPA in Force?
Partially. The parts of the PDPA that establish the Data Protection Authority and govern its administrative operations have been in force since 2023. The substantive provisions -- the rights of data subjects, the obligations on controllers and processors, and the enforcement and penalty mechanisms -- are not yet in force.
The original commencement date for those provisions was March 18, 2025. That date was first extended by Extraordinary Gazette No. 2427/34 issued on March 14, 2025, just days before the deadline. Then, the Personal Data Protection (Amendment) Act No. 22 of 2025, enacted on October 21, 2025 and published in the Government Gazette on October 31, 2025, removed all fixed timelines from the Act entirely.
Under the amended framework, the remaining parts of the PDPA will come into operation on a date the Minister in charge of the subject matter appoints by order published in the Gazette. No such order has been issued as of May 2026.
The DPA appointed its first permanent Director General in March 2026. Guidelines must be drafted and approved by the DPA Board, and a comprehensive rollout plan must be finalized before an enforcement date can be set. Organizations should treat full enforcement as a near-term prospect and build compliance programs now.
The Personal Data Protection Act No. 9 of 2022
The PDPA is structured in ten parts. It was developed through stakeholder consultations beginning in June 2019 under what was then the Ministry of Digital Infrastructure, with input from the Information and Communication Technology Agency (ICTA). Parliament approved the bill on March 9, 2022, and the Speaker certified it on March 19, 2022.
The Act draws heavily from the EU's General Data Protection Regulation while also incorporating elements from data protection frameworks in the United States and across Asia. It applies broadly to:
- Any controller or processor established in Sri Lanka
- Any controller or processor outside Sri Lanka that offers goods or services to data subjects in Sri Lanka
- Any controller or processor that monitors the behavior of data subjects located in Sri Lanka
This extraterritorial reach means foreign companies with Sri Lankan customers or users are subject to the PDPA regardless of where they are headquartered.
What Counts as Personal Data
The PDPA defines personal data as any information relating to an identified or identifiable natural person. This covers names, identification numbers, location data, online identifiers, and factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of a person.
The Act also recognizes a special category of sensitive personal data that receives heightened protections. Sensitive data includes information revealing:
- Racial or ethnic origin
- Political opinions
- Religious or philosophical beliefs
- Trade union membership
- Health data
- Genetic data
- Biometric data used for identification purposes
- Data concerning a person's sex life or sexual orientation
Processing sensitive personal data requires explicit consent from the data subject or must fall within one of the narrow statutory exceptions.
Constitutional Context: No Explicit Privacy Right
Sri Lanka's 1978 Constitution does not contain an explicit right to privacy in its Chapter III fundamental rights provisions. This distinguishes Sri Lanka from many jurisdictions that have embedded data protection within a constitutional privacy guarantee.
The 2015 constitutional amendment introduced Article 14A, which protects the right of access to information held by public authorities. The Article acknowledges privacy only as a potential restriction on that access right -- not as a standalone fundamental right.
In the absence of a constitutional privacy guarantee, Sri Lankan courts have recognized privacy protections through the common law concept of actio iniuriarum. Cases including Nadarajah v Obeysekera and Hewamanna v Attorney General established that individuals have a right to personal space and residential privacy, though case law in this area remains limited and largely focused on spatial privacy.
The PDPA fills this legislative gap. It provides a statutory foundation for personal data protection that does not depend on the constitutional framework. The 2025 Amendment Act also strengthened procedural protections against bias or discrimination arising from automated decision-making, which has constitutional dimensions even if no explicit privacy right exists.
Phased Commencement: The Full Timeline
Understanding exactly which parts of the PDPA are in force requires tracking a series of gazette orders and legislative changes.
Parts Currently in Force
July 17, 2023: Part V of the Act, which establishes the Data Protection Authority, came into operation. This allowed the President to appoint the DPA's Chairman and Board of Directors, with those appointments announced in October 2023.
December 1, 2023: Parts VI, VIII, IX, and X came into operation. These parts cover the DPA's organizational structure, staffing arrangements, funding mechanisms, and administrative operations.
Parts Not Yet in Force
Parts I, II, III, and VII cover the definitions and scope of the Act, data subject rights, and enforcement and penalties. These are the provisions that matter most for day-to-day compliance.
The original commencement date for these parts was March 18, 2025, as established by Extraordinary Gazette No. 2366/08 issued on January 8, 2024.
On March 14, 2025 -- just four days before the deadline -- Extraordinary Gazette No. 2427/34 rescinded that commencement date, extending the deadline by approximately six months.
Then, on October 21, 2025, Parliament enacted the Personal Data Protection (Amendment) Act No. 22 of 2025. The Amendment Act, published in the Government Gazette on October 31, 2025, took a more fundamental step: it removed all fixed grace period timelines from the Act entirely. The remaining parts of the PDPA will now come into force on a date the Minister in charge of the subject matter appoints by gazette order. No such order has been issued as of May 2026.
Part IV, which governs the use of personal data to disseminate unsolicited messages and direct marketing communications, is also pending and subject to the same ministerial discretion mechanism.

The Data Protection Authority of Sri Lanka
The Data Protection Authority (DPA) is the independent regulatory body established under Part V of the PDPA to oversee and enforce Sri Lanka's data protection framework. It operates under the Ministry of Digital Economy.
Establishment and Governance
The DPA was established when Part V came into force on July 17, 2023. The Board of Directors, appointed by the President, oversees the Authority's functions. The DPA's headquarters are at the Bandaranaike Memorial International Conference Hall (BMICH) in Colombo.
First Permanent Director General
The DPA appointed Dimuth Bhashitha Atapattu as its first permanent Director General with effect from March 5, 2026. Atapattu is an officer of the Sri Lanka Administrative Service with extensive public and private sector experience, including previous roles at the Ministry of Digital Economy and international positions. He holds qualifications from the University of Colombo, the University of Melbourne, and the Postgraduate Institute of Management.
The Ministry of Digital Economy has indicated that Atapattu is expected to fast-track several aspects of implementation, including issuing instructions to government institutions. He will lead the drafting of new guidelines, which require approval by the DPA Board. A comprehensive rollout plan must be finalized before a new enforcement date can be determined.
Powers and Functions
Once full enforcement begins, the DPA will have broad authority to regulate personal data processing across both the public and private sectors. Its key powers include:
- Investigating complaints from data subjects about alleged violations of the PDPA
- Conducting audits and inspections of controllers and processors
- Issuing compliance directives to organizations found in violation
- Imposing administrative penalties for non-compliance
- Issuing sector-specific guidelines and codes of practice
- Making adequacy determinations for cross-border data transfers
- Advising the government on data protection policy matters
The 2025 Amendment Act specifically expanded the DPA's authority to issue sector-specific guidelines, broadening its supervisory reach across different industries.
Pre-Enforcement Regulatory Activity
Despite substantive enforcement being pending, the DPA has been active in building the regulatory groundwork. In September 2024, it opened public consultation on draft guidelines for Data Protection Management Programs (DPMP). The DPA has also published draft regulations on Data Protection Officer appointment requirements and draft rules on personal data breach notification procedures. A draft directive on the classification of categories of personal data is also under development. These drafts remain under finalization as of May 2026.
Lawful Bases for Processing Personal Data
When the substantive provisions take effect, every instance of personal data processing must rest on at least one lawful basis. The PDPA recognizes six bases, drawn directly from the GDPR framework.
Consent
The data subject has given consent to the processing of their personal data for one or more specific purposes. Consent must be freely given, specific, informed, and unambiguous. It must be given in writing or through a clear affirmative action and must be capable of withdrawal at any time.
Contractual Necessity
Processing is necessary for the performance of a contract to which the data subject is a party, or to take steps at the request of the data subject before entering into a contract.
Legal Obligation
Processing is necessary to comply with a legal obligation imposed on the controller or processor under Sri Lankan law.
Emergency or Vital Interests
Processing is necessary to respond to an emergency that threatens the life, health, or safety of a person. This basis is reserved for genuine urgent situations where obtaining consent is not feasible.
Public Interest
Processing is necessary for a task carried out in the public interest or in the exercise of powers, functions, or duties conferred by law on the controller or processor.
Legitimate Interests
Processing is necessary for the purposes of legitimate interests pursued by the controller, except where those interests are overridden by the fundamental rights and interests of the data subject. This basis requires a balancing test similar to the one used under the GDPR.
Data Subject Rights Under the PDPA
The PDPA grants individuals a comprehensive set of rights over their personal data. These rights are modeled closely on the GDPR and place significant obligations on controllers.
Right of Access
Data subjects can request access to all personal data a controller holds about them. The controller must provide this information in a concise, transparent, intelligible, and easily accessible form, including details about the purposes of processing, categories of data collected, and third parties with whom data has been shared.
Right to Rectification
When personal data is inaccurate or incomplete, data subjects can request the controller to correct or complete it. The controller must act without unreasonable delay.
Right to Erasure
Data subjects can request deletion of their personal data when it is no longer necessary for the purpose for which it was collected, when consent has been withdrawn, or when the processing was unlawful.
Right to Withdraw Consent
Where processing is based on consent, data subjects can withdraw that consent at any time through a written request. Withdrawal does not affect the lawfulness of processing that occurred before the withdrawal.
Right to Object to Processing
Data subjects can object to the processing of their personal data, including for direct marketing purposes. The controller must cease processing unless it can demonstrate compelling legitimate grounds that override the interests of the data subject.
Right to Object to Automated Decision-Making
The PDPA gives data subjects the right to request a review of decisions made solely through automated processing, including profiling, that significantly affect them. The 2025 Amendment Act clarified procedures for seeking remedies against automated decision-making and strengthened protections against bias or discrimination from AI systems.
Response Timeframe
Controllers must respond to any written request from a data subject within 21 working days of receiving it. The 2025 Amendment Act further empowered the DPA to define specific timelines for different categories of subject access requests.

Controller and Processor Obligations
The PDPA imposes detailed obligations on both controllers (entities that determine the purposes and means of processing) and processors (entities that process data on behalf of controllers).
Record-Keeping
Controllers and processors must maintain detailed records of their data collection and processing activities. Records must be kept in writing or electronically, in a concise, transparent, intelligible, and easily accessible form. They must be available to data subjects on request and to the DPA during audits.
Purpose Limitation
Personal data must be collected for specified, explicit, and legitimate purposes. It cannot be further processed in a manner incompatible with those original purposes. Controllers must clearly define and communicate the purpose of collection at or before the point of collection.
Data Minimization and Accuracy
Controllers must ensure that personal data is adequate, relevant, and limited to what is necessary for the stated purposes. They must also take reasonable steps to ensure data is accurate and, where necessary, kept up to date.
Processor-Specific Duties
Processors must follow the instructions of the controller and assist the controller in meeting its PDPA obligations. A processor cannot engage a sub-processor without the prior authorization of the controller.
Data Protection Impact Assessments
Where a controller intends to carry out processing that involves systematic and extensive evaluation of personal data (including profiling), systematic monitoring of publicly accessible areas, or large-scale processing of sensitive personal data, it must conduct a Data Protection Impact Assessment (DPIA) before beginning such processing.
The DPIA must document the nature and scope of the proposed processing, the risks to data subjects, and the measures and safeguards the controller will implement to mitigate those risks. The controller must seek input from its Data Protection Officer when conducting the assessment.
Data Protection Officer Requirements
The PDPA requires certain organizations to appoint a Data Protection Officer. This requirement applies to controllers and processors whose core activities involve regular and systematic monitoring of data subjects on a large scale, or the large-scale processing of sensitive personal data.
Qualifications and Appointment
The DPO must have relevant academic qualifications and professional competency for the role. The DPA has published draft regulatory guidance on DPO qualifications and appointment procedures.
Responsibilities
The DPO serves as the primary point of contact between the organization, data subjects, and the DPA. Their duties include monitoring internal compliance, advising on DPIAs, training staff on data protection obligations, and cooperating with the DPA during investigations.
Publication Requirements
Controllers and processors must publish the contact details of their DPO on their website and communicate those details to the DPA upon appointment.
Shared DPOs
A group of related entities may appoint a single DPO who is easily accessible to each entity. Public authorities may likewise designate a single DPO for multiple authorities, provided the organizational structure supports this arrangement.
Breach Notification Requirements
The PDPA establishes mandatory breach notification obligations for controllers and processors.
Notification to the DPA
In the event of a personal data breach, the controller must notify the Data Protection Authority within 72 hours of becoming aware of the breach. The notification must describe the nature of the breach, the categories and approximate number of data subjects affected, the likely consequences, and the measures taken or proposed to address it.
This 72-hour notification window mirrors the requirement under the GDPR breach notification framework.
Notification to Data Subjects
The DPA will determine the circumstances under which data subjects must be directly notified, as well as the manner and medium of that communication. Where a breach is likely to result in a high risk to the rights and freedoms of data subjects, direct notification is expected.
Draft Rules Under Finalization
The DPA has published draft rules on personal data breach notifications and is in the process of finalizing those regulations. Controllers should monitor the DPA's website for updates on the final breach notification framework.
Cross-Border Data Transfers
The PDPA restricts the transfer of personal data outside Sri Lanka to ensure that data subject rights are protected regardless of where data is processed. Section 26 of the Act, as amended by the 2025 Amendment Act, now mandates that controllers engaging in cross-border data flows must ensure compliance and adopt binding instruments to safeguard data rights.
Adequacy Decisions
Transfers are permitted to countries or territories that the DPA has determined provide an adequate level of data protection. The adequacy determination process is similar to the mechanism used under EU adequacy decisions. The DPA has not yet issued any formal adequacy decisions as of May 2026.
Appropriate Safeguards
In the absence of an adequacy decision, controllers and processors may transfer data internationally if they implement appropriate safeguards. These must create binding and enforceable obligations on the recipient, ensuring data subjects retain access to their rights and remedies under the PDPA.
Permitted Transfers Without Safeguards
Cross-border transfers are also permitted when:
- The data subject has given explicit consent to the transfer
- The transfer is necessary for the performance of a contract with the data subject
- The transfer is necessary for important reasons of public interest
- The transfer is necessary for the establishment, exercise, or defense of legal claims
Cloud Computing Flexibility Under the 2025 Amendment
The 2025 Amendment Act introduced a significant operational change for cross-border data flows. Organizations can now choose between resident, sovereign, or public cloud facilities based on the sensitivity and security classification of their data. This allows both public and private sector controllers to make case-specific judgments balancing data sensitivity, storage costs, and access to AI capabilities. The change was designed to support digital economy growth while maintaining appropriate protections.
For a global perspective on how data localization obligations compare across jurisdictions, see data localization laws by country.
Penalties and Enforcement
The PDPA's enforcement and penalty provisions are in Part VII of the Act, which is not yet in force.
Financial Penalties
Once in effect, organizations that fail to comply with directives issued by the DPA face fines of up to 10 million Sri Lankan rupees (approximately USD 30,000) per instance of non-compliance. For repeat offenses, the penalty doubles with each subsequent violation.
When determining the amount of a penalty, the DPA must consider the nature and extent of the non-compliance, the impact on affected data subjects, any mitigating steps taken by the organization, and the organization's history of compliance.
Comparison to the GDPR
Unlike the GDPR, which calculates fines as a percentage of global annual revenue -- up to 4% for the most serious violations -- the PDPA uses fixed monetary caps. While these caps are meaningful within the Sri Lankan economy, they may be less significant for large multinational corporations. The 2025 amendment discussions included consideration of revenue-based penalties, but the final Act retained the fixed-cap approach.
Compliance Directives
Beyond financial penalties, the DPA can issue binding compliance directives requiring organizations to change their data processing practices, implement specific safeguards, or cease processing activities that violate the Act. Failure to comply with these directives can trigger additional penalties.
The 2025 Amendment Act: Key Changes
The Personal Data Protection (Amendment) Act No. 22 of 2025, enacted on October 21, 2025 and gazetted on October 31, 2025, made several substantive changes to the framework beyond removing fixed commencement dates.
Commencement Mechanism
The most significant structural change is the shift from fixed statutory timelines to ministerial discretion. The remaining parts of the PDPA will come into force on dates the Minister appoints by gazette order, allowing for a readiness-driven implementation schedule. No commencement date has been set as of May 2026.
Cloud Computing and AI
The amendment clarified the permissible use of cloud platforms for data processing, including AI applications. Organizations can choose between resident, sovereign, or public cloud solutions based on data sensitivity and security classification. The amendment also addressed shadow AI -- unauthorized AI tool usage within organizations -- introducing governance obligations for entities deploying AI systems.
Automated Decision-Making Protections
The amendment strengthened rights to challenge bias or discrimination and established clearer procedures for data subjects seeking remedies against decisions made through automated processing or profiling systems.
Expanded Regulatory Toolkit
The amendment expanded the DPA's authority to issue sector-specific guidelines and defined the DPA's power to set specific timelines for responding to data subject requests, giving the regulator more operational flexibility.
Cross-Border Transfer Obligations
Section 26 was amended to explicitly mandate that controllers engaging in international data transfers adopt binding instruments to safeguard the rights of data subjects in the destination country.
Unsolicited Messages and Direct Marketing
Part IV of the PDPA specifically addresses the use of personal data to disseminate unsolicited messages, including direct marketing communications. Part IV has not yet been brought into force.
When Part IV takes effect, controllers using personal data for marketing must provide clear details on how data subjects can opt out of receiving further messages, free of charge. The opt-out mechanism must be available both at the time of initial data collection and in every subsequent message sent.
Businesses that conduct direct marketing to Sri Lankan consumers should prepare their consent and opt-out mechanisms now to be ready when Part IV's commencement date is announced.
Sector-Specific Data Protection Laws
Before the PDPA, Sri Lanka relied on sector-specific legislation to address data handling obligations. These laws remain in force and operate alongside the PDPA framework.
Computer Crimes Act No. 24 of 2007
This Act addresses unauthorized access to computer systems, data interception, and cybercrime. It provides criminal penalties for unauthorized data access but does not create a comprehensive data protection regime.
Banking Act No. 30 of 1988 and Financial Consumer Protection Regulations
The Banking Act imposes confidentiality obligations on licensed banks. The Financial Consumer Protection Regulations No. 1 of 2023, published on August 9, 2023, introduced obligations substantially similar to the PDPA for the protection of personal information of financial consumers. This regulation is currently in force for the financial sector.
Right to Information Act No. 12 of 2016
This Act gives effect to the right of access to information held by public authorities, a right whose constitutional foundation is Article 14A of the Constitution. Privacy considerations operate as a limitation on access rights under this framework -- government agencies can withhold personal information where disclosure would invade individual privacy.
Electronic Transactions Act No. 19 of 2006
This Act governs the legal recognition of electronic records and signatures but does not address data protection comprehensively.
Telecommunications Act No. 25 of 1991
The Telecommunications Act imposes confidentiality obligations on telecommunications operators regarding communications and subscriber data.
Comparison to Regional Data Protection Frameworks
Sri Lanka's PDPA was the first comprehensive data protection law in South Asia. Since its passage, the region has seen significant legislative activity.
India's Digital Personal Data Protection Act 2023 was enacted in August 2023, with the DPDP Rules 2025 published for comment in January 2025. India's framework also features phased implementation, a Data Protection Board, and consent-based processing requirements.
Bangladesh's Personal Data Protection Ordinance 2025 represents the region's most recent addition, establishing a Data Protection Commission and a framework modeled on similar global standards.
Both the Indian and Sri Lankan frameworks share GDPR-inspired architecture -- consent requirements, data subject rights, controller obligations, breach notification. Sri Lanka's fixed monetary penalty caps contrast with India's financial penalty regime that can reach up to 250 crore rupees for specific violations. For organizations operating across South Asia, compliance planning should address each jurisdiction separately given the different enforcement timelines and regulatory maturity levels.
Practical Compliance Steps for Organizations
Although Sri Lanka's substantive PDPA provisions are not yet in force, the enforcement date will be set by ministerial gazette order with no legislative requirement for advance notice. Organizations should use the current window to build their compliance programs.

Map Your Data Processing Activities
Conduct a comprehensive data audit to identify all personal data your organization collects, processes, and stores relating to individuals in Sri Lanka. Document the lawful basis for each processing activity and the purpose for which data was collected.
Assess Data Protection Officer Requirements
Determine whether your organization meets the threshold for mandatory DPO appointment. Review the DPA's draft regulatory guidance on DPO qualifications. Even where appointment is not mandatory, having a designated privacy lead is considered best practice. See DPO requirements by country for a global comparison.
Update Privacy Notices and Consent Mechanisms
Ensure your privacy policies clearly describe the purposes of processing, the lawful basis relied upon, data subject rights, retention periods, and cross-border transfer mechanisms. Review direct marketing consent mechanisms to prepare for Part IV compliance.
Establish Breach Response Procedures
Implement internal procedures for detecting, investigating, and reporting data breaches within the 72-hour notification window. Assign clear roles and responsibilities and conduct tabletop exercises. Monitor the DPA website for finalization of the draft breach notification rules.
Review Cross-Border Data Transfers
Audit all transfers of personal data outside Sri Lanka. Evaluate cloud provider choices in light of the 2025 amendment's new flexibility. Implement appropriate safeguards such as binding corporate rules or standard contractual clauses for transfers to countries without adequacy decisions.
Conduct Data Protection Impact Assessments
For processing activities that involve large-scale profiling, systematic monitoring, or sensitive personal data, conduct DPIAs now. Document risks and mitigation measures so that compliance is demonstrable from day one of enforcement.
Monitor DPA Guidance
The DPA is finalizing guidelines on DPMP, DPO requirements, breach notification, data classification, and sector-specific rules. Follow the DPA's website and subscribe to gazette notifications for the ministerial order setting the enforcement commencement date.
This article provides general information about Sri Lanka's data privacy laws and does not constitute legal advice. Data protection requirements change frequently, and enforcement priorities evolve as the DPA issues new guidelines. Consult with a qualified attorney licensed in Sri Lanka for guidance specific to your situation.
Frequently Asked Questions
Is Sri Lanka's PDPA currently enforceable?
No, not in full. The parts of the PDPA that establish the Data Protection Authority and govern its administrative operations have been in force since 2023. The substantive provisions covering data subject rights, controller and processor obligations, and enforcement penalties are not yet in force. The Personal Data Protection (Amendment) Act No. 22 of 2025, enacted in October 2025, removed all fixed commencement dates and granted the Minister discretion to set the operative date by gazette order. No such order has been issued as of May 2026. Full enforcement is expected once the DPA completes its guideline development and rollout planning under newly appointed Director General Dimuth Atapattu.
Does Sri Lanka's constitution protect privacy?
Not explicitly. Sri Lanka's 1978 Constitution does not contain an express right to privacy in its fundamental rights chapter. The 2015 constitutional amendment introduced Article 14A, which protects the right of access to information held by public authorities. Article 14A acknowledges privacy only as a potential restriction on that access right, not as a standalone fundamental right. Sri Lankan courts have recognized limited privacy protections through common law, primarily in the context of residential privacy, using the actio iniuriarum doctrine. The PDPA provides the main statutory framework for personal data protection.
Does the Sri Lanka PDPA apply to companies outside Sri Lanka?
Yes. The PDPA has extraterritorial reach. It applies to any controller or processor outside Sri Lanka that offers goods or services to individuals located in Sri Lanka, or that monitors the behavior of data subjects in Sri Lanka. Foreign companies with Sri Lankan customers or users must comply with the PDPA regardless of where they are headquartered.
What are the penalties for violating the PDPA?
Once the enforcement provisions of Part VII come into force, organizations that fail to comply with directives issued by the Data Protection Authority face fines of up to 10 million Sri Lankan rupees (approximately USD 30,000) per instance of non-compliance. For repeat violations, the penalty doubles with each subsequent instance. The DPA can also issue binding compliance directives requiring changes to data processing practices or cessation of unlawful processing activities.
How does the Sri Lanka PDPA compare to the GDPR?
The PDPA is closely modeled on the GDPR and shares its core architecture: consent and other lawful bases for processing, data subject rights (access, rectification, erasure, objection to processing, objection to automated decision-making), breach notification within 72 hours, Data Protection Impact Assessments, and Data Protection Officer requirements. Key differences include the PDPA's fixed monetary penalty caps rather than revenue-based fines, the 21-working-day response period for subject access requests versus the GDPR's one calendar month, and the ongoing phased implementation approach. The 2025 Amendment Act added cloud computing flexibility and AI governance provisions.
What changed under the Personal Data Protection (Amendment) Act No. 22 of 2025?
The 2025 Amendment Act, enacted on October 21, 2025, made several significant changes. Most importantly, it removed all fixed statutory commencement dates for the remaining parts of the PDPA and replaced them with ministerial discretion to set enforcement dates by gazette order. It also introduced cloud computing flexibility allowing organizations to choose between resident, sovereign, or public cloud options based on data sensitivity. It clarified AI and automated decision-making protections, expanded the DPA's authority to issue sector-specific guidelines, and amended Section 26 to require binding instruments for cross-border data transfers.
Who is required to appoint a Data Protection Officer under the PDPA?
The PDPA requires controllers and processors to appoint a DPO when their core activities consist of regular and systematic monitoring of data subjects on a large scale, or large-scale processing of sensitive personal data. Groups of related entities can appoint a shared DPO who is easily accessible to each entity, and multiple public authorities can designate a single DPO. The DPA has published draft regulatory guidance on DPO qualifications and appointment procedures. Organizations not legally required to appoint a DPO are encouraged to do so as a compliance best practice.
Sources and References
- Personal Data Protection Act, No. 9 of 2022 -- Full Text (parliament.lk)
- Data Protection Authority of Sri Lanka -- Official Website (dpa.gov.lk)
- Data Protection Authority -- Background and Phased Implementation Dates (dpa.gov.lk)
- DPA Draft Regulations on Data Protection Officer Appointment (dpa.gov.lk)
- Personal Data Protection (Amendment) Act No. 22 of 2025 -- Parliament of Sri Lanka (parliament.lk)
- Ministry of Digital Economy -- Data Protection Authority Profile (mode.gov.lk)
- ICTA -- Data Protection Legislation Overview (icta.lk)
- Financial Consumer Protection Regulations No. 1 of 2023 -- Central Bank of Sri Lanka (cbsl.gov.lk)
- Dimuth Atapattu Appointed Director General of Data Protection Authority (newswire.lk)
- New Enforcement Date for PDPA Expected by April 2026 -- The Morning (themorning.lk)
- Sri Lanka PDPA Amendments November 2025 -- Biometric Update (biometricupdate.com)
- DLA Piper -- Data Protection Laws in Sri Lanka (dlapiperdataprotection.com)
- Wikipedia -- Personal Data Protection Act (Sri Lanka) (en.wikipedia.org)