The Personal Data Protection Act No. 9 of 2022 of Sri Lanka (the “PDPA”), which is inspired by the European Union’s GDPR, was passed by the Parliament of Sri Lanka in 2022, allowing for grace periods prior to the same being brought into operation. Accordingly, a majority of the PDPA was slated to become operational on 18th March 2025.
However, the Ministry of Digital Economy on 24th February 2025 issued a media release, followed by a second media release on 18th March 2025, which inter alia noted that the Cabinet of Ministers had granted approval for a bill to be drafted to amend the PDPA, including its provisions on the operational dates thereof, providing for an extension of not less than 6 months prior to the law becoming operational.
Accordingly, the Minister of Digital Economy of Sri Lanka has, on 27th March 2025, published, by way of a gazette notification, a bill to amend certain provisions of PDPA (the “Amendment Bill”), including the operational dates thereof.
The said Amendment Bill is yet to be passed by the Parliament of Sri Lanka.
Some of the salient amendments to the PDPA as set forth in the Amendment Bill are as follows.
Operational Date (Section 1)
- All the provisions of the Act (except for Parts V, VI, VIII, IX and X, which are already in operation) will come into operation on such date or dates as the Minister may appoint, by Order published in the Gazette.
- This amendment repeals the previous provision which required grace periods to be provided prior to the relevant parts of the PDPA being brought into operation.
- Therefore, Parts I, II, III, IV, VII may be brought into operation on a date after the Amendment Bill is passed by the Parliament of Sri Lanka.
- However, according to the aforesaid recent media releases from the Ministry of Digital Economy, the Cabinet of Ministers has decided to extend the enforcement date of the PDPA by at least six months. The exact start date for this six-month extension has not been specified.
- Therefore, one possible outcome is that the PDPA will be brought into operation upon the expiry of at least 6 months from the date on which the new gazette is issued once the proposed Amendment Bill becomes law.
- Thus, although it cannot be said with certainty, controllers and processors may expect the said parts of the PDPA to become operational towards the tail end of 2025.
Timeframe to respond to data subjects’ requests (Section 17)
- The previous time period of 21 working days from the date of the request has been replaced by 1 month from the date of receipt of the request.
- If a controller needs more time to respond to a request, such controller is permitted to extend the response period for a further period of 2 months (without exceeding 3 months from the date of the receipt of the request).
- If such an extension is needed, a controller is required to inform the data subject before the expiry of the initial 1-month response period.
- These amendments not only provide for extensions for the time period to respond to a data subject’s request but also permit controllers to act on such a request from the date of the actual receipt of the request.
Data Protection Impact Assessments (“DPIAs”) (Section 24)
- The controller is no longer required to submit all its DPIAs to the Data Protection Authority (“DPA”).
- Such submission of DPIAs is required only where the DPA requests it.
Measures to mitigate risks identified in DPIAs (Section 25)
- The mandatory requirement previously imposed on controllers to seek consultation from the DPA, where a controller is not able to mitigate risks of harm to the data subjects identified in a DPIA, has been removed. This amendment seemingly leaves it to the discretion of the controller to consult the DPA in such an instance.
- The amendments also clarify that now a controller is mandatorily required to consult the DPA only where a DPIA is to be carried out in relation to processing activities pertaining to national security, public order and public health.
Cross Border Data Flow (Section 26)
- Any controller or processor that wishes to engage in cross-border data flow may do so where:
- (a) they are able to comply with Parts I, II, and Sections 20 to 25 of Part III of the PDPA; and
- (b) they have adopted a specified instrument (specified by directives issued by the DPA) to ensure binding and enforceable commitments from the recipients in the third country, so as to ensure appropriate safeguards for the rights of the data subjects and the remedies available under the PDPA.
- However, a transfer that constitutes only a transit of personal data is exempted from having to satisfy conditions (a) and (b) above.
- Accordingly, the Minister will no longer prescribe countries as adequate for cross border data flow (as provided in the current version of the law). Controllers and processors will, therefore, have to carry out their own assessment of the adequacy of the laws in the third country in order to comply with (a) above.
Definition of Data Protection Officer (DPO) (Section 56)
A DPO is defined to include a third party who is not directly employed by a controller or processor, but fulfils the responsibilities of a DPO, allowing controllers and processors to outsource the function of the DPO.
Authors
Shanaka Gunasekara
Partner
Thamodi Withanachchi
Senior Associate