The enforcement of Sri Lanka’s Personal Data Protection Act (PDPA) has been delayed by six months due to concerns about public sector readiness.
The Ministry of Digital Economy confirmed the extension, stating that additional time is needed to ensure full compliance across all government levels.
Originally set to take effect on 18th of March 2025, the Act will now be enforced at a later date following amendments approved by the Cabinet of Ministers.
The delay responds to requests from stakeholders, particularly in the public sector, who need more time to strengthen their human and technical infrastructure to meet the enforcement requirements.
The government emphasized the importance of establishing a robust enforcement regime and a fully operational regulator before the Act comes into force.
The PDPA, South Asia’s first comprehensive data protection legislation, aims to safeguard citizens’ data rights while supporting the growth of the digital economy.
However, some public sector institutions have requested amendments to provide greater flexibility in technology choices, especially for adopting AI systems.
Since the PDPA applies to all levels of government, including Central Government, Provincial Councils, and Local Authorities, the government acknowledged the need for additional time to ensure adequate capacity for compliance.
The Cabinet has approved amendments to several sections of the Act, covering enforcement, data processing, and regulatory mechanisms.
The Ministry of Digital Economy, in consultation with the Data Protection Authority and the Legal Draftsman’s Department, will publish these amendments soon.
The revised legislation will be submitted to Parliament for approval to ensure the Act is fully operational with stronger oversight and broader industry adoption.
