Legal Guidelines

Data Protection Act

Data protection has become crucial in the digital age, especially with global data flows that can bypass national regulations. To address this, the EU restricts data transfers to non-EU countries like Sri Lanka unless adequate protections are in place.

Sri Lanka’s new Data Protection Legislation, influenced by global best practices (including the EU GDPR), will be implemented in phases over three years. A Data Protection Authority will be established within 18 months.

The law introduces obligations for data “Controllers” and “Processors” and grants rights to individuals (“data subjects”). These rights include consent withdrawal, data correction, objection to processing, and the right to appeal a Controller’s decision.

Key features:

  • Data must be collected for specific, compatible purposes.
  • Security measures are mandatory to protect data.
  • Controllers must establish a Data Protection Management Program to demonstrate compliance.
  • Unsolicited messages are banned unless consent is given.
  • Administrative penalties are imposed with capped fines (not based on global turnover).

While the original requirement for mandatory registration of Controllers was removed, strong accountability and transparency obligations have been added.

The legislation was shaped through stakeholder consultations and reviewed by an Independent Panel. The drafting committee included representatives from legal, financial, telecom, and ICT sectors.

Personal Data Protection Act No: 09 of 2022

Electronic Transactions Act

Electronic Transactions Act No. 19 of 2006 (Sri Lanka)

Origin and Basis:

  • Drafted following a joint Cabinet Memorandum (2004) and presented to Parliament in March 2006.
    Came into force on 1st October 2007.
  • Based on UNCITRAL Model Laws: Electronic Commerce (1996), Electronic Signatures (2001)

Purpose:

  • Provides legal recognition to electronic contracts, records, and signatures.
  • Facilitates e-government services and digital transformation of public services.

2017 Amendment (Act No. 25 of 2017)

Alignment with International Standards:

  • Harmonized with the UN Electronic Communications Convention (UN ECC).
  • Sri Lanka:
    • First in South Asia and second in Asia (after Singapore) to ratify UN ECC.
    • Contributed to the drafting via ICTA and the Legal Draftsman’s Department.

Key Enhancements:

  • Ensures legal certainty for e-commerce and cross-border trade.
  • Enables use of electronic communications in contract formation, including via automated systems.
  • Recognizes time and place of dispatch/receipt of electronic messages.
  • Supports paperless trade, digital authentication, and e-filing in courts.
  • Enables biometrics-based authentication and a broader, future-proof definition of electronic signatures.
  • Facilitates electronic government transactions, such as:
    • eVisa, e-Revenue Licenses, online tax payments, etc.