Sri Lanka PDPA
Personal Data Protection Act 2022 (Act No. 9 of 2022)
Sri Lanka's comprehensive data protection law - first in South Asia. Establishes human review rights for automated decisions and DPIA requirements for high-risk processing.
Jurisdiction
Sri Lanka
LK
Enacted
Mar 22, 2022
Effective
Jan 1, 2024
Enforcement
Data Protection Authority of Sri Lanka
Phased implementation - first comprehensive law in South Asia
What It Requires
Who Must Comply
This law applies to:
- Data controllers and processors in Sri Lanka
- Entities processing data of Sri Lankan residents
- Automated decision-making systems
Capability triggers:
Who bears obligations:
Safety Provisions
- Human review for automated decisions
- Data Protection Impact Assessment for high-risk processing
- Data Protection Officer for certain entities
- Breach notification required
- Cross-border transfer restrictions
Compliance Timeline
Jul 17, 2023
Part V effective - Data Protection Authority established
Dec 1, 2023
Parts VI, VIII, IX, X effective
Mar 14, 2025
Original March 18 enforcement date repealed - delayed 6 months
Sep 18, 2025
Full enforcement expected (Parts I, II, III, VII) pending final gazette
Enforcement
Enforced by
Data Protection Authority of Sri Lanka
Penalties
LKR 10M
Fines up to LKR 10 million
Quick Facts
- Binding: Yes
- Mental Health Focus: Yes
- Child Safety Focus: No
- Algorithmic Scope: Yes
Why It Matters
Sri Lanka's PDPA sets a precedent for South Asia with human review requirements for automated decisions, directly impacting AI chatbot risk assessments.
Recent Developments
First comprehensive data protection law in South Asia; phased implementation from 2024
Cite This
APA
Sri Lanka. (2022). Personal Data Protection Act 2022 (Act No. 9 of 2022). Retrieved from https://nope.net/regs/lk-pdpa-2022
BibTeX
@misc{lk_pdpa_2022,
title = {Personal Data Protection Act 2022 (Act No. 9 of 2022)},
author = {Sri Lanka},
year = {2022},
url = {https://nope.net/regs/lk-pdpa-2022}
}
Related Regulations
Brunei PDPO
Brunei's personal data protection order requiring DPIA and imposing penalties up to 10% of Brunei turnover or $1M.
India DPDP Act
STRICTEST children's provisions in APAC. Children = under 18; verifiable parental consent MANDATORY; PROHIBITION on tracking, behavioral monitoring, targeted advertising to children.
Indonesia PP 17/2025
Indonesia's comprehensive child online protection regulation establishing age-appropriate design requirements for electronic systems accessible to children. Most granular age classification globally (5 groups). Requires risk assessments, privacy-by-default, parental consent, DPIAs, and prohibits data profiling of children. First of its kind in Asia and Global South.
Nepal AI Policy
Nepal national AI policy establishing governance framework and development priorities. Creates AI Governance Council (chaired by Minister for Communications and IT), AI Regulation Council, National AI Centre, and AI Regulatory Authority. Six pillars including ethics, human resource development, and sectoral application.
Pakistan AI Policy
Pakistan's national AI roadmap establishing six strategic pillars: AI Innovation Ecosystem, Awareness and Readiness, Research and Development, Infrastructure, Governance, and International Cooperation. Creates National AI Fund (NAIF), Centres of Excellence in 7 cities, and targets training 200,000 individuals annually.
Myanmar Cybersecurity Law
Myanmar's cybersecurity law requiring platforms with 100,000+ users to register and imposing data retention requirements. Enacted post-2021 coup with uncertain enforcement.