Legal Challenges in Achieving a Business-Oriented Data Protection Ecosystem in Sri Lanka
DOI:
https://doi.org/10.31357/jbri.v11i01.8466
Keywords:
Data Protection, Data Protection Ecosystem, Privacy, Common Law, Personal Data Protection Act No 09 of 2022
Abstract
Data protection refers to the safeguarding and preservation of data from corruption, loss, compromise, or misuse. At the heart of this concept lies the data subject: the individual whose personal information forms the foundation of the data protection framework. In today’s rapidly evolving digital landscape, the data ecosystem has expanded significantly, driven by cloud computing, mobile applications, social media, and digital platforms. As a result, consumer and employee data are now collected, analyzed, stored, and shared on an unprecedented scale, increasing the need for robust data protection mechanisms. Simultaneously, tolerance for service interruptions or data breaches has declined sharply.
A data protection ecosystem encompasses a comprehensive framework of legal policies, technologies, and best practices that ensure the lawful and secure handling of personal and sensitive data. Despite numerous sector-specific data protection regulations worldwide, many still lack a clear legal definition of ‘data’. In Sri Lanka, the urgency for a comprehensive data protection framework has grown alongside increasing digitalization and internet connectivity. Prior to 2022, the country lacked clear legal provisions on data protection. This gap was partially addressed through the enactment of the Personal Data Protection Act No. 09 of 2022. However, the Act has been criticized for ambiguous provisions that may hinder technology-driven entrepreneurship and deter foreign investment.
This research explores the legal and practical challenges Sri Lanka faces in establishing an effective data protection ecosystem. It employs doctrinal and comparative methodologies to analyze the Personal Data Protection Act No. 09 of 2022, benchmarked against international standards such as the EU’s General Data Protection Regulation (GDPR). Drawing on expert insights and stakeholder feedback, this study offers targeted recommendations to develop a more coherent, business-friendly legal regime. Ultimately, it argues that a transparent, comprehensive, and impartial data protection framework is essential for attracting foreign direct investment in ICT-based industries.