Sri Lanka’s Data Protection Authority currently faces recruitment issues, though positions in its topmost layers have been filled, Digital Economy Minister Eranga Weeraratne said in a Meta post made on his official page, on Tuesday (3).
“The Data Protection Authority was established in August of 2023, which by now has a Chairperson and a Board of Directors, however in terms of human resources, there has been a delay in recruitment. It is now in the process of recruiting persons,” Weeraratne said in a video post.
The Data Protection Authority (DPA) was established in August of 2023, under Sri Lanka’s Personal Data Protection Act’s (PDPA) No. 9 2022, to continuously monitor and regulate personal data processing and privacy.
Sri Lanka anticipated the full operationalisation of the PDPA on 18 March, but the process was advanced by another six months, due to what the government termed as infrastructure and expertise gaps in the public sector.
Industry persons have been raising the alarm over the Data Protection Authority’s lack of function, following the appointment of the new government, particularly due to its standstill in publishing of directives on its website, and the absence of public consultations.
“There were certain inadequacies in this Act. When it came to new technology, there were a few contradictions to incorporating new technology, such as AI, within the Act. There were certain changes that needed to be made,” Weeraratne explained.
On 28 May, Member of the Parliament D. A. Janaka Senarathna said in a video published on the Sri Lanka Parliament official YouTube site that an amendment bill with 13 amendments was to be submitted to parliament on 3 June.
On Tuesday, Urban Development Minister Anura Karunathilaka opened the discussion over the amendments in parliament by stating that the Act was to be amended to incorporate AI concerns, strengthening the right to erasure of personal data, and incorporating investment-friendly regulation of cloud computing.
The Minister of Digital Economy added: “One of the main initiatives done by this government is digitalisation. When moving towards digitalisation there is a need to store data of persons on databases. What this Act does is provide the right directives to follow in maintaining these databases of information, and to establish what can be done with the information.”
In 2025 alone two government offices have faced cyber-attacks, one of which was the Sri Lanka Pensions Department’s website ransomware attack. This incident exposed the data of pension beneficiaries, such as national identification numbers, bank account details, and personal records.