New Comprehensive Data Privacy Law in Sri Lanka

Sri Lanka’s Personal Data Protection Bill, 2021 is a data protection and personal privacy law that was recently passed in February of 2022. Lawmakers within Sri Lanka began making strides toward passing a comprehensive data privacy law in 2019, which culminated in the enactment of the Personal Data Protection Bill, 2021 earlier this year. With this being said, the provisions of the law establish the requirements for the collection, processing, use, disclosure, and destruction of personal data within Sri Lanka. Moreover, the law also sets forth the punishments that businesses and organizations stand to face should they fail to adhere to the provisions of the law.

What is the scope and application of the law?

In terms of the scope and application of Sri Lanka’s Personal Data Protection Bill, 2021, the provisions of the law apply to “the processing of personal data and primarily to data controllers and processors, which includes any natural or legal person, public authority, non-governmental organization, agency, or any other body or entity established by or under written law. As such, the Draft Bill prescribes measures to protect the personal data of individuals held by banks, telecom operators, hospitals, and other personal data aggregating and processing entities. These entities will be required to collect personal data only for specified purposes and not for any other purpose that is incompatible with said purposes.”

What are the duties of data controllers and processors under the law?

Under Sri Lanka’s Personal Data Protection Bill, 2021, data controllers and processors that conduct operations within the country are responsible for abiding by a number of data protection principles when collecting and processing personal data obtained from citizens within said country. These data protection principles include:

• Personal data must be collected and processed in a manner that is both lawful and consistent with Section 5 of Sri Lanka’s Personal Data Protection Bill, 2021.
• Personal data may only be collected and processed for specific, legitimate, and explicit purposes, and may not be used for any other purpose.
• Data controllers and processors are responsible for ensuring that all personal data they collect or process is accurate and kept up to date where necessary.
• Data controllers and processors are responsible for limiting the period of retention in regards to all personal data that is collected and processed.
• Personal data must be collected and processed in a manner that is transparent.
• Data controllers and processors are responsible for ensuring the integrity and confidentiality of all personal data they collect and process.

What are the rights of Sri Lankan citizens under the law?

Under the provisions of Sri Lanka’s Personal Data Protection Bill, 2021, citizens within the country are entitled to the following rights as it concerns the protection of their personal data and privacy:

• The right to be informed- Data controllers and processors are required to provide data subjects with certain information when collecting and processing personal data obtained from Sri Lankan citizens, including the intended purposes for the data, as well as the contact information for the particular controller or processor, among other pertinent details.
• The right to access- Sri Lankan citizens have the right to request access to any personal data they have provided to a data controller or processor.
• The right to rectification- Sri Lankan citizens have the right to request that any personal data pertaining to them is rectified or completed if said data is found to be inaccurate or incomplete.
• The right to erasure- Sri Lankan citizens have the right to request that their personal data be erased.
• The right to object or opt-out- Sri Lankan citizens have the right to object to the collection or processing of their personal data.
• The right not to be subject to automated decision-making- Sri Lankan citizens have the right not to be subjected to data processing decisions that are made solely on the basis of automated processing.

What are the penalties for violating the law?

In terms of the enforcement of the law, Sri Lanka’s Personal Data Protection Bill, 2021 is enforced by the Ministry of Technology. To this point, the Ministry of Technology has the authority to impose the following sanctions and penalties against data controllers and processors that have been found to be in violation of the law:

• A monetary penalty of up to LKR 10 million ($46,918).
• A directive to cease and refrain from engaging in the act, omission, or course of conduct related to processing.
• A directive to perform certain actions that are necessary to rectify the situation, at the discretion of the Ministry of Technology.

While the nation of Sri Lanka had previously passed privacy legislation that was specific to certain sectors of industry within the country, Sri Lanka’s Personal Data Protection Bill, 2021 was passed to provide Sri Lankan citizens with a more comprehensive level of data protection. Furthermore, as the Constitution of the Democratic Socialist Republic of Sri Lanka 1978 does not provide said citizens with the fundamental right to privacy, legislation such as the Personal Data Protection Bill, 2021 was very much needed, as many other nations within the region of Southeast Asia have passed some form of privacy legislation as of 2022, including Thailand’s Personal Data Protection Act and Singapore’s Personal Data Protection Act.