Date: 2025-11-07

Sri Lanka nods Personal Data Protection Act amendments

Duruthu Edirimuni Chandrasekera

The amendments to Sri Lanka’s Personal Data Protection Act (PDPA) mark a major step towards establishing a world-class, innovation-friendly regulatory environment for personal data protection, Dr. Hans Wijayasuriya, chief adviser to the President on Digital Economy, said.

“In particular, the amendments allow for greater flexibility in cross-border data flows, empowering institutions to make judgment-based decisions on where and how data is stored and processed. For example, organizations can now choose between resident, sovereign or public cloud facilities based on the sensitivity and security classification of data,” Dr. Wijayasuriya told Biometric Update.

This means that public and private sector data controllers can make case-specific choices with respect to storage and computing, balancing data sensitivity, storage and computing costs, and access to AI capabilities. Specifically on AI, the revised PDPA clarifies the permissible use of cloud platforms for processing, strengthens constitutional rights to challenge bias or discrimination, and defines procedures for seeking remedies against automated decision-making, he clarified.

Other notable enhancements include provisions for the Regulator to issue sector-specific guidelines, define timelines for responding to subject requests, and adopt a phased implementation approach to enhance the operational efficacy of the Data Protection Authority (DPA).

Following final approval of the PDPA as amended, the immediate priority is to establish the DPA as a fully-fledged regulator with expert skills across data stewardship and governance, policy, regulation, and enforcement, Dr. Wijayasuriya said. An announcement will be made shortly, seeking applications for a Director General and Senior Management team.

The law will become fully operational once the DPA is staffed and functional. As seen in jurisdictions such as the EU, Malaysia, Singapore, and the Philippines, PDPA frameworks evolve.

Alongside building awareness and compliance in the private sector, the Government of Sri Lanka is committed to ensuring that Ministries, Departments, and Local Authorities are equipped with the necessary capacity and training to implement privacy and data protection measures in full compliance with the PDPA.

The PDPA is South Asia’s first comprehensive data protection legislation designed to safeguard citizens’ data rights and foster digital economy growth.

Addressing the issue of security, Dr. Wijayasuriya noted that fundamental security and control measures come first and that this can be subject to a proportionate assessment of risk and granular data in use.

DPA Acting Director General Waruna Sri Dhanapala explained that for government sector personnel data management, cross-border data flows will have some sort of freedom. “With this Act, there will be more choices for public sector personnel data controllers to procure cost-effective technological solutions.”

