Sri Lanka’s Data Protection Authority Progresses in Finalizing Regulations to Protect Citizens’ Personal Data Rights



Sri Lanka Data Protection Authority’s Chairman, Arjuna Herath, has announced the imminent finalization of rules and regulations crucial for overseeing the protection of citizen rights within both public and private sector entities involved in personal data processing.

This initiative, emphasized in the preamble of the Personal Data Protection Act, aims to not only ensure compliance but also foster an environment conducive to digital economic growth and innovation.

Following the issuance of an extraordinary gazette notification for the Personal Data Protection Act No. 9 of 2022 by the President, and in accordance with constitutional provisions vested in the Minister of Technology, Part V of the Act will be enforced starting July 2023. This will empower the President to appoint the Chairman and Board of Directors for the Authority.

In October 2023, subsequent to the appointment of the chairman and board of directors, the Authority commenced operations as the governing body responsible for regulating citizen rights protection in personal data processing across sectors.

By virtue of the latest gazette notification, the Personal Data Protection Act is slated for full enforcement effective March 18, 2025. Additionally, provisions concerning the ‘Use of Personal Data for the Dissemination of Unsolicited Messages’ will be activated within a timeline spanning 24 to 48 months from the date of the Act’s certification.

Sections VI, VIII, IX, and X of the Act, scheduled for implementation from December 1, 2023, entail the establishment of the Authority’s Fund and the formulation of recruitment regulations for key personnel, facilitating the transition to full operational status.

Moreover, the gazette notification empowers the Authority to conduct awareness activities and execute recruitment procedures for key personnel through transparent and competitive means, further bolstering institutional infrastructure and capacity development.

Looking ahead, the Data Protection Authority aims to engage stakeholders in crafting policy frameworks and regulations, with plans to unveil these initiatives in the latter half of 2024 and early 2025.


Sri Lanka’s Data Protection Authority is finalizing rules and regulations to protect citizen rights in personal data processing. The President has issued a gazette notification for the Personal Data Protection Act No. 9 of 2022, which will be enforced starting July 2023. The Authority will be responsible for regulating citizen rights protection in personal data processing across sectors. Full enforcement of the Act is set for March 18, 2025, and provisions concerning unsolicited messages will be activated within 24 to 48 months. The Authority aims to engage stakeholders and unveil policy frameworks and regulations in 2024 and 2025.

Spread the love

Leave a Reply

Your email address will not be published. Required fields are marked *

Ads Blocker Image Powered by Code Help Pro

Ads Blocker Detected!!!

We have detected that you are using extensions to block ads. Please support us by disabling these ads blocker.