Sri Lanka PDPA

Personal Data Protection Act 2022 (Act No. 9 of 2022)

Sri Lanka's comprehensive data protection law - first in South Asia. Establishes human review rights for automated decisions and DPIA requirements for high-risk processing.

Jurisdiction

Sri Lanka

Enacted

Mar 22, 2022

Effective

Jan 1, 2024

Enforcement

Data Protection Authority of Sri Lanka

Phased implementation - first comprehensive law in South Asia

DataGuidance Sri Lanka Overview

Why It Matters

Sri Lanka's PDPA sets precedent for South Asia with human review requirements for automated decisions directly impacting AI chatbot risk assessments.

Recent Developments

First comprehensive data protection law in South Asia; phased implementation from 2024

At a Glance

Applies to

AI CompanionMental Health AppGeneral Chatbot

Requires

Transparency User Rights Data Minimization

Who Must Comply

Data controllers and processors in Sri Lanka
Entities processing data of Sri Lankan residents
Automated decision-making systems

Obligations fall on:

Safety Provisions

Human review for automated decisions
Data Protection Impact Assessment for high-risk processing
Data Protection Officer for certain entities
Breach notification required
Cross-border transfer restrictions

Compliance & Enforcement

Key Dates

Jul 17, 2023

Part V effective - Data Protection Authority established

Dec 1, 2023

Parts VI, VIII, IX, X effective

Mar 14, 2025

Original March 18 enforcement date repealed - delayed 6 months

Sep 18, 2025

Full enforcement expected (Parts I, II, III, VII) pending final gazette

Penalties

LKR 10M

Primary Source

DataGuidance Sri Lanka Overview

https://www.dataguidance.com/

View on map

Sri Lanka

Focus Areas

Mental health & crisis

Algorithmic accountability

Cite This

APA

Sri Lanka. (2022). Personal Data Protection Act 2022 (Act No. 9 of 2022).

Related Regulations

In Effect BN

Brunei PDPO

Brunei's personal data protection order requiring DPIA and imposing penalties up to 10% Brunei turnover or $1M.

In Effect IN

India DPDP Act

STRICTEST children's provisions in APAC. Children = under 18; verifiable parental consent MANDATORY; PROHIBITION on tracking, behavioral monitoring, targeted advertising to children.

In Effect ID

Indonesia's comprehensive child online protection regulation establishing age-appropriate design requirements for electronic systems accessible to children. Most granular age classification globally (5 groups). Requires risk assessments, privacy-by-default, parental consent, DPIAs, and prohibits data profiling of children. First of its kind in Asia and Global South.

In Effect CN

China CSL Amendments

First major revision of China's foundational Cybersecurity Law since 2017. Introduces formal AI governance provisions, significantly increases penalties, and expands extraterritorial application to all cybersecurity violations.

In Effect NP

Nepal AI Policy

Nepal national AI policy establishing governance framework and development priorities. Creates AI Governance Council (chaired by Minister for Communications and IT), AI Regulation Council, National AI Centre, and AI Regulatory Authority. Six pillars including ethics, human resource development, and sectoral application.

In Effect PK

Pakistan AI Policy

Pakistan's national AI roadmap establishing six strategic pillars: AI Innovation Ecosystem, Awareness and Readiness, Research and Development, Infrastructure, Governance, and International Cooperation. Creates National AI Fund (NAIF), Centres of Excellence in 7 cities, and targets training 200,000 individuals annually.

All regulations Check if this applies to you

Last updated January 22, 2026. Verify against primary sources before relying on this information.