Sri Lanka PDPA
Personal Data Protection Act 2022 (Act No. 9 of 2022)
Sri Lanka's comprehensive data protection law - first in South Asia. Establishes human review rights for automated decisions and DPIA requirements for high-risk processing.
Jurisdiction
Sri Lanka
Enacted
Mar 22, 2022
Effective
Jan 1, 2024
Enforcement
Data Protection Authority of Sri Lanka
Phased implementation - first comprehensive law in South Asia
DataGuidance Sri Lanka OverviewWhy It Matters
Sri Lanka's PDPA sets precedent for South Asia with human review requirements for automated decisions directly impacting AI chatbot risk assessments.
Recent Developments
First comprehensive data protection law in South Asia; phased implementation from 2024
At a Glance
Applies to
Who Must Comply
- Data controllers and processors in Sri Lanka
- Entities processing data of Sri Lankan residents
- Automated decision-making systems
Safety Provisions
- Human review for automated decisions
- Data Protection Impact Assessment for high-risk processing
- Data Protection Officer for certain entities
- Breach notification required
- Cross-border transfer restrictions
Compliance & Enforcement
Key Dates
Jul 17, 2023
Part V effective - Data Protection Authority established
Dec 1, 2023
Parts VI, VIII, IX, X effective
Mar 14, 2025
Original March 18 enforcement date repealed - delayed 6 months
Sep 18, 2025
Full enforcement expected (Parts I, II, III, VII) pending final gazette
Penalties
LKR 10M
View on map
Sri Lanka
Focus Areas
Cite This
APA
Sri Lanka. (2022). Personal Data Protection Act 2022 (Act No. 9 of 2022).
Related Regulations
Brunei PDPO
Brunei's personal data protection order requiring DPIA and imposing penalties up to 10% Brunei turnover or $1M.
India DPDP Act
STRICTEST children's provisions in APAC. Children = under 18; verifiable parental consent MANDATORY; PROHIBITION on tracking, behavioral monitoring, targeted advertising to children.
Indonesia PP 17/2025
Indonesia's comprehensive child online protection regulation establishing age-appropriate design requirements for electronic systems accessible to children. Most granular age classification globally (5 groups). Requires risk assessments, privacy-by-default, parental consent, DPIAs, and prohibits data profiling of children. First of its kind in Asia and Global South.
China CSL Amendments
First major revision of China's foundational Cybersecurity Law since 2017. Introduces formal AI governance provisions, significantly increases penalties, and expands extraterritorial application to all cybersecurity violations.
AU National AI Plan
National AI policy roadmap replacing previously proposed mandatory AI guardrails. Focuses on leveraging existing legal frameworks rather than new mandatory requirements. Establishes the Australian AI Safety Institute (AISI) to monitor, test, and share information on AI risks and harms.
India AI Governance Guidelines
Voluntary AI governance framework built on seven core principles ('sutras'): Trust, People First, Innovation over Restraint, Fairness & Equity, Accountability, Understandable by Design, and Safety/Resilience/Sustainability. Establishes AI Governance Group, AI Safety Institute, and Technology & Policy Expert Committee.
Last updated January 22, 2026. Verify against primary sources before relying on this information.