An introduction to Privacy Law in Sri Lanka

This article seeks to identify the basic concepts on the laws relating to privacy in Sri Lanka while examining its upcoming and latest developments utilizing recent case law.

Sri Lanka is a jurisdiction in which the protection of privacy is greatly undermined due to the absence of the right to privacy in the fundamental rights chapter of the Constitution of the Democratic Socialist Republic of Sri Lanka (1978).

However, privacy considerations within the context of restrictions to the right of access to information are stated in Article 14A of the revised Constitution (as amended in 2015). 

Nevertheless, in Sri Lanka, the right to privacy is protected as an action delict within the notion of actio iniuriarum and further the Sri Lankan courts have recognized the notion of privacy in limited instances, as seen in Nadarajah v Obeysekera [52 NLR 76], in which the notion of ‘invasion of privacy’ was examined, and where it was identified that the right of individuals to personal space exists.

Further, cases such as In Chinnappa et al. v Kanakar et al (13 NLR 157), Abraham v Hume (52 NLR 449), A.M.K Azeez v W.T Senevirathne (SI Police) (69 NLR 209), Hewamanna v Attorney General (1999) ICHRL, Sinha Ratnatunge v State [2001] 2 Sri L.R. 172 examined the concept of privacy of the home (spatial privacy) and has highlighted the importance of the individual’s right to privacy.

Thus, the approach of the Sri Lankan judiciary towards the concept of privacy, illustrates that while the privacy of the home has been recognized in numerous instances, other aspects of privacy have been neglected.

As a result, on March 19th, 2022, Sri Lanka enacted the Personal Data Protection Act, No. 9 of 2022 (PDPA) becoming the first South Asian country to enact a comprehensive privacy legislation and thus being the principal legislation that currently deals with personal data protection in Sri Lanka.

For the large part of the act is modeled after the General Data Protection Regulations (GDPR) in the EU, filing a extensive-felt gap in the area of information privacy in Sri Lanka

In addition to the recently ratified PDPA, there are several data protection-enabled legislation that are industry-specific including the Intellectual Property Act No. 36 of 2003, Banking Act No. 30 of 1988, Computer Crime Act No. 24 of 2007, Right to Information Act No. 12 of 2016, Telecommunications Act No. 25 of 1991 and Electronic Transactions Act No.19 of 2006.

Besides, a draft for an Act, known as the Cybersecurity Bill (2019) in order to provide a complete outline to prevent cybersecurity threats and incidents effectively and to protect critical information infrastructure, was introduced under the National Cyber Security Strategy (2019-2023.