The Sri Lankan government has approved amendments to the Personal Data Protection Act (PDPA) No. 9 of 2022, postponing its enforcement by six months to allow more time for stakeholders to align with regulatory requirements. The decision, taken by the Cabinet of Ministers on February 19, follows concerns from public and private sector institutions regarding compliance readiness and the need for a fully operational Data Protection Authority (DPA).  

The PDPA, the first legislation of its kind in South Asia, was set to come into effect on March 18, 2025. However, the government has recognized the necessity of additional time for capacity building, particularly within the public sector, which requires improved infrastructure and expertise to fully comply with the law.  

The amendments aim to strengthen the implementation of the landmark legislation, ensuring that Sri Lanka’s digital economy benefits from robust data protection while allowing organizations to adopt advanced technologies, including artificial intelligence. The Ministry of Digital Economy stated that the changes incorporate feedback from various stakeholders, including government bodies, private enterprises, and technology experts, following consultations on the Draft Rules, Regulations, Directives, and Guidelines published by the DPA.  

Minister of Digital Economy Waruna Sri Dhanapala emphasized the need for a well-prepared enforcement strategy. “Recognizing the importance of a future-ready regulatory framework, we have taken the necessary steps to ensure both public and private sectors can effectively adopt digital strategies while safeguarding citizens’ rights,” he stated.  

One of the main reasons for the delay is the challenge faced by public sector entities in adapting to the new law. While private organizations have had greater flexibility in integrating digital compliance solutions, many government institutions have requested amendments to allow more time to enhance human and technical resources. This includes the adoption of AI-driven data protection mechanisms, which require careful regulatory oversight.  

Given that the PDPA applies at all levels of government, from central administration to provincial and local authorities, officials stressed the need for a phased approach to implementation. The extension will allow for additional training, infrastructure improvements, and standardized compliance frameworks across all sectors.  

The amendments approved by the Cabinet include changes to key sections of the PDPA, specifically Sections 17, 19, 20, 24, 26, 27, 53, and 56, which were drafted in consultation with the DPA and the Legal Draftsman’s Department. The government will now submit the proposed amendments to Parliament for approval, with the Ministry of Digital Economy expected to publish the final amendments online in the coming weeks.  

Need Help?

If you’re concerned or have questions about how to navigate the AI regulatory landscape, don’t hesitate to reach out to BABL AI. Their Audit Experts can offer valuable insight and ensure you’re informed and compliant.