Sri Lanka Data Protection Authority Moves towards Finalizing Regulations to Safeguard Citizens’ Rights in Personal Data Handling
Sri Lanka Data Protection Authority’s Chairman, Arjuna Herath, has announced the imminent finalization of rules and regulations crucial for overseeing the protection of citizen rights within both public and private sector entities involved in personal data processing.
This initiative, emphasized in the preamble of the Personal Data Protection Act, aims to not only ensure compliance but also foster an environment conducive to digital economic growth and innovation.
Following the issuance of an extraordinary gazette notification for the Personal Data Protection Act No. 9 of 2022 by the President, and in accordance with constitutional provisions vested in the Minister of Technology, Part V of the Act will be enforced starting July 2023. This will empower the President to appoint the Chairman and Board of Directors for the Authority.
In October 2023, subsequent to the appointment of the chairman and board of directors, the Authority commenced operations as the governing body responsible for regulating citizen rights protection in personal data processing across sectors.
By virtue of the latest gazette notification, the Personal Data Protection Act is slated for full enforcement effective March 18, 2025. Additionally, provisions concerning the ‘Use of Personal Data for the Dissemination of Unsolicited Messages’ will be activated within a timeline spanning 24 to 48 months from the date of the Act’s certification.
Sections VI, VIII, IX, and X of the Act, scheduled for implementation from December 1, 2023, entail the establishment of the Authority’s Fund and the formulation of recruitment regulations for key personnel, facilitating the transition to full operational status.
Moreover, the gazette notification empowers the Authority to conduct awareness activities and execute recruitment procedures for key personnel through transparent and competitive means, further bolstering institutional infrastructure and capacity development.
Looking ahead, the Data Protection Authority aims to engage stakeholders in crafting policy frameworks and regulations, with plans to unveil these initiatives in the latter half of 2024 and early 2025.