Financial Crime World

SRI LANKA INTRODUCES COMPREHENSIVE DATA PRIVACY LAWS FOR FINANCIAL INSTITUTIONS

The Sri Lankan government has taken a significant step in protecting personal data by introducing the Personal Data Protection Act, No. 9 of 2022, which was passed with amendments on March 9, 2022 and endorsed on March 19, 2022.

Key Provisions of the Personal Data Protection Act

  • The Data Protection Authority of Sri Lanka will be responsible for regulating and enforcing data protection practices in the country.
  • The Authority is yet to be established, but its designation has been confirmed under Part V of the Act, which came into effect on July 17, 2023.

Comprehensive Framework for Protecting Personal Data

The Personal Data Protection Act establishes a comprehensive framework for protecting personal data, providing rights to data subjects and imposing obligations on controllers and processors. Key provisions include:

  • Developing a data protection management program: Financial institutions must develop a data protection management program to ensure compliance with the Act.
  • Restrictions on using personal data for direct marketing purposes: The law prohibits the use of personal data for direct marketing purposes without explicit consent.

Addressing Cross-Border Data Transfers

The law also addresses cross-border data transfers, which have implications for financial institutions that intend to process personal data outside of Sri Lanka. The Act requires such institutions to comply with specific conditions to ensure the safe transfer of personal data.

Implementation and Timeline

The implementation of the Personal Data Protection Act is a significant step towards strengthening data protection in Sri Lanka. With Parts VI, VIII, IX, and X coming into effect on December 1, 2023, financial institutions are now required to adhere to these provisions to avoid any potential penalties or fines.

As Parts I, II, III, and VII of the Act are set to come into effect on March 18, 2025, it is essential for financial institutions to be aware of their obligations under the new law and to take the necessary steps to ensure compliance. The establishment of the Data Protection Authority will further enhance the enforcement of data protection practices in Sri Lanka, providing a robust framework for protecting personal data.