In a significant milestone for data protection in South Asia, Sri Lanka’s Personal Data Protection Act No. 9 of 2022 (‘PDPA’) has been making strides toward full implementation. The act, certified by the Speaker on March 19, 2022, aims to safeguard personal data held by various entities, including government bodies, banks, telecom operators and hospitals.

This legislation, the first of its kind in South Asia, was developed through a transparent process, with draft versions made available for public comment since June 2019. The PDPA is set to be implemented in phases, with Part V brought into operation through a gazette notification on July 21, 2023. This crucial step allowed the government to appoint the Board of Directors, comprising seven individuals with expertise in engineering, accounting/finance, law and regulatory affairs.

Leading the Board of Directors is Arjuna Herath, a Senior Chartered Accountant and former Consulting Leader of Ernst & Young in Sri Lanka and the Maldives. Other notable members include Attorney-at-Law and Former State Counsel Nisith Abeysooriya, President’s Counsel Saumya Amarasekera, Digital Law Expert & Chair of the PDPA drafting Committee Jayantha Fernando, Additional Secretary to the President Dr. Sulakshana Jayawardana, ISO Lead Auditor and Technology Management specialist Bimsara Seneviratne and Electronics Engineer and Digital Strategy specialist Shehan Wijetilaka.

The PDPA assumes paramount importance in light of the government and private sector’s digital strategies, along with global privacy law developments. It is expected to attract investment and promote the digital economy, aligning with the National Digital Strategy and the Sri Lanka Unique Digital Identity (SL-UDI) project.

President Ranil Wickremesinghe highlighted the need for data protection in his November 2022 Budget Speech, promising the establishment of the Data Protection Authority in 2023. This independent regulator will collaborate with various sectoral regulators to ensure the proper governance of personal data.

Currently, the Board of Directors is in the deliberation and planning phase for the creation of the Data Protection Authority. The first step involves recommending the operation of Part VIII (Fund of the Authority) and Part IX of the Act to design the organizational framework, recruitment procedures and roles of key officers, including the Director General.

To meet the Act’s enforcement deadline of March 19, 2025, the Authority plans to formulate policy frameworks and regulations. It will hold public consultations and engage with advisory committees representing key sectors of the economy and other stakeholders to ensure comprehensive and effective data protection measures.

The Authority is set to commence public consultations and awareness campaigns once it has the necessary capacity, a process expected to take several months. Sri Lanka is on its way to establishing a robust framework for personal data protection in the digital age, making strides toward safeguarding citizens’ privacy and promoting trust in the digital ecosystem.