The Act was passed by the Parliament of Sri Lanka in 2022[2] to address the growing need for data protection in the digital age.

The Act grants several rights to data subjects, including: Key obligations include: The Act regulates the transfer of personal data outside Sri Lanka, requiring adequate protection measures or specific conditions to be met.

The Act empowers the Authority to impose penalties for non-compliance: The Authority considers several factors when determining penalties, including the nature and duration of the violation, the number of data subjects affected, and any actions taken to mitigate damages.

The Personal Data Protection Act represents a significant step in Sri Lanka's digital governance framework.

The Act is expected to enhance trust in digital transactions and services while promoting responsible data handling practices across public and private sectors.