Sri Lanka delays Personal Data Protection Act to allow more compliance time

The Sri Lankan Cabinet of Ministers has approved amendments to the Personal Data Protection Act (PDPA) No. 9 of 2022, granting a six-month extension before its enforcement.

The decision, made on February 19, 2025, follows recommendations from the Ministry of Digital Economy to strengthen regulatory capacity and provide both public and private sectors with more time to comply with the law.

The PDPA, the first law of its kind in South Asia, aims to protect citizens’ data rights while promoting digital growth and innovation. However, concerns raised by government and private sector stakeholders highlighted the need for additional time to upgrade human and technical infrastructure for full compliance.

Public sector entities, in particular, have requested greater flexibility in technology adoption, including AI systems, to match the private sector’s capabilities.

The original enforcement date of March 18, 2025, set by Extraordinary Gazette No. 2366/08 on January 8, 2024, will now be postponed by six months.

This extension ensures that government institutions, including provincial councils, local authorities, divisional secretariats, and Grama Niladhari divisions, have the necessary capacity to meet the law’s requirements.

Key amendments approved by the Cabinet include changes to Sections 17, 19, 20, 24, 26, 27, 53, and 56 of the PDPA. These revisions, prepared by the Ministry of Digital Economy in collaboration with the Data Protection Authority (DPA) and the Legal Draftsman’s Department, will soon be submitted to the Parliament of Sri Lanka for approval.

The Ministry has also announced plans to publish details of the amendments on its official website.

The extension and amendments aim to ensure the PDPA is effectively implemented, allowing all stakeholders to fully align with its requirements and contribute to a secure and innovative digital economy.