Sri Lanka’s Act is finalised with a stronger DPA

Graham Greenleaf analyses the first comprehensive data privacy law in South Asia.

Sri Lanka’s Personal Data Protection Act, No. 9 of 2022, was adopted (“certified”) on 19 March 2022, with final amendments passed without a vote.(1) The Act’s provisions will come into force between 18 and 36 months from that certification date, on a date to be gazetted by the Minister. The Minister must also gazette a date no later than this, from which the provisions concerning the data protection authority will be operational (s. 1).

Successive versions of a draft have been available for comment from the government since early 2019, and the changes between versions have been substantial. Sri Lanka thus becomes the first South Asian country to enact a comprehensive data privacy law, ahead of Bills still under consideration in India(2) and Pakistan.(3) This article concentrates on those aspects of the previous Bills that have been criticised,(4) asking whether the Act has addressed the issues raised.

Continue reading

International Report subscribers: please login to access the full article.

If you wish to subscribe, please see our subscription information.