Data Protection in Paradise — Part 6

Cross-Border Data Flows After the Amendment — What Sri Lanka’s IT Industry Needs to Know

Sri Lanka’s IT and BPO sector earned approximately $1.6 billion in export revenue in 2025. Every one of those operations involves cross-border data flows. The rules just changed dramatically — and the new rules are, on balance, very good news.

Sri Lanka’s information technology and business process outsourcing sector employs approximately 90,000 people. It generates roughly $1.6 billion in annual export revenue. The government has set a target of $5 billion by 2030. Global enterprises like HSBC, Sysco LABS, and WNS operate major centres in Colombo, processing data that flows across borders every second of every day.

Every one of these operations depends on the ability to transfer personal data across national boundaries. Customer records flowing from London to Colombo for processing. Software development data moving between teams in multiple countries. Analytics workloads running on cloud infrastructure hosted in Singapore or Mumbai or Frankfurt.

The rules governing these flows just changed. The 2025 amendment to the Personal Data Protection Act rewrote the cross-border transfer provisions almost entirely. And the new rules are, on balance, very good news for the industry — provided you understand what they actually say.

What the Original Act Would Have Done

To understand why the amendment matters, you need to understand what it replaced.

The original PDPA, as enacted in 2022, borrowed its cross-border transfer framework from the GDPR. The default position was simple: you cannot transfer personal data outside Sri Lanka unless certain conditions are met. The primary mechanism was an adequacy decision — the Data Protection Authority would assess whether a destination country provided an “adequate” level of data protection, and transfers to that country would be permitted.

This sounds reasonable in theory. In practice, it would have been catastrophic for the IT industry.

The adequacy decision model requires a well-resourced, technically sophisticated data protection authority to conduct detailed assessments of foreign legal frameworks. The EU has been at this for over two decades and has issued adequacy decisions for only fifteen countries and territories. Sri Lanka’s Authority, newly established and still building capacity, would have needed years to produce its first adequacy decision.

And then there is the United States problem. The United States does not have a comprehensive federal data protection law. The EU has struggled for decades with the question of whether US data protection is “adequate” — resulting in Safe Harbor, then Privacy Shield, then the Data Privacy Framework, each one challenged and the first two struck down by the Court of Justice of the European Union. If the EU cannot resolve the US adequacy question cleanly, what chance would Sri Lanka have had?

The United States is, of course, the single most important destination for Sri Lanka’s IT export services. A framework that made transfers to the US practically impossible would have undermined the entire sector.

What the Amendment Changed

The 2025 amendment replaced the adequacy-based model with a tiered framework that is far more workable for an export-oriented IT sector.

Tier One: Compliance Plus Instruments

The primary pathway for cross-border transfers under the amended Act requires two things: first, the controller or processor must ensure compliance with the PDPA’s requirements in relation to the transferred data; and second, the transfer must be supported by an appropriate instrument — such as contractual clauses, binding corporate rules, or other mechanisms specified by the Authority.

This is a significant shift. Instead of requiring the destination country to have an adequate legal framework, it requires the transferring organisation to ensure that the data remains protected after transfer. The burden shifts from sovereign assessment to organisational accountability.

This model is closer to what the GDPR calls “appropriate safeguards” under Article 46 — and it is far more practical for an industry where data flows to dozens of countries simultaneously. A Sri Lankan IT company processing data for a US client does not need to wait for the Authority to assess the entire US legal framework. It needs a robust data processing agreement with its client that ensures the data will be protected to PDPA standards.

Tier Two: Standalone Exceptions

The amendment also provides standalone exceptions that permit transfers without the full Tier One mechanism. These include situations where the data subject has given explicit consent, where the transfer is necessary for the performance of a contract, where the transfer is necessary for important reasons of public interest, and where the transfer is necessary for the establishment, exercise, or defence of legal claims.

Of particular interest to the IT industry is the transit exception. Data that is merely transiting through a jurisdiction — passing through Sri Lanka on its way from one country to another, or being temporarily processed in Sri Lanka as part of a broader international workflow — is treated differently from data that is being permanently transferred to Sri Lanka for processing.

This matters enormously for cloud computing, content delivery networks, and distributed software development workflows where data may touch infrastructure in multiple countries as part of a single processing operation.

Public Authority Restrictions

The amended Act retains restrictions on cross-border transfers by public authorities, but these restrictions are now targeted rather than blanket. A public authority must not transfer personal data outside Sri Lanka except in specified circumstances — but these circumstances are defined more precisely, and the restrictions apply to public authorities specifically rather than to all organisations.

This is a sensible approach. Government data — citizen records, tax information, health data held by public hospitals — raises different sovereignty concerns than commercial data being processed under a services agreement. The amendment recognises this distinction.

Third Country Definition

The amendment also changed the definition of what constitutes a “third country” for transfer purposes. This is a technical change, but it matters. The original Act’s definition was broad enough to capture situations that did not genuinely involve a cross-border transfer risk. The amended definition is more precise, focusing on transfers where personal data is actually moved to a jurisdiction outside the Authority’s effective oversight.

Why This Matters for the IT Industry

Let me be direct about why these changes matter.

The bottleneck is removed. The original framework would have created a bottleneck at the Authority — every cross-border transfer arrangement would ultimately depend on the Authority issuing adequacy decisions or approving transfer mechanisms. The amended framework distributes responsibility to organisations themselves, which can move at industry speed rather than regulatory speed.

The model matches industry reality. The IT services industry does not transfer data to “countries.” It transfers data to specific organisations, under specific contracts, for specific purposes. The amended framework’s focus on organisational accountability rather than country-level assessment aligns with how the industry actually operates.

The competitive signal is right. Sri Lanka is competing with India, the Philippines, Vietnam, and Eastern Europe for IT services business. A cross-border transfer framework that creates friction and uncertainty would have been a competitive disadvantage. The amended framework signals that Sri Lanka is serious about data protection and serious about being a viable destination for international IT services.

Cloud computing becomes straightforward. Under the original framework, using cloud infrastructure hosted outside Sri Lanka would have required navigating the cross-border transfer provisions for every workload. The amended framework’s more practical approach means that a Sri Lankan company using AWS, Azure, or Google Cloud does not face an existential compliance challenge simply because the data centre is in Mumbai or Singapore.

“Data protection law should facilitate the free flow of data, not impede it. The goal is to ensure that data is protected wherever it goes — not to prevent it from going anywhere.” — Dr. Hans Wijayasuriya, on the approach that modern data protection frameworks should take in export-oriented economies.

The Open Questions

The amendment fixed the architecture. But several important implementation questions remain unanswered.

What instruments will the Authority recognise? The amended Act permits transfers supported by “appropriate instruments” but does not specify what those instruments are. Will the Authority publish standard contractual clauses, like the EU? Will it recognise binding corporate rules? Will it accept industry codes of conduct as sufficient? These details will be specified in subsidiary instruments, and the industry needs them sooner rather than later.

What does “ensure compliance” actually mean? The obligation to “ensure compliance” with the PDPA in relation to transferred data is clear in principle but ambiguous in practice. Does it mean the receiving organisation must comply with the PDPA directly? Or does it mean the transferring organisation must take reasonable steps to ensure equivalent protection? The difference matters enormously — particularly when the receiving organisation is in a jurisdiction with its own data protection framework.

How do the standalone exceptions interact? Can a transfer rely on multiple exceptions simultaneously? If a transfer is covered by explicit consent and a contractual clause, does one take priority? What happens if consent is withdrawn but the contractual basis remains? The interaction between these pathways is not fully specified.

What happens in the interim? The Authority has not yet published guidance on cross-border transfers. No standard contractual clauses exist. No approved codes of conduct have been issued. Companies that are transferring data today — which is every IT company in the country — are operating in a guidance vacuum. They know the rules have changed, but they do not yet know exactly how to comply with the new rules.

What Companies Should Do Now

The framework is in place. The details are pending. But that does not mean companies should wait. There are concrete steps that every IT and BPO company in Sri Lanka should be taking right now.

Audit Your Data Flows

Map every cross-border data transfer your organisation makes. Identify the origin, the destination, the categories of personal data involved, the purpose of the transfer, the legal basis you are relying on, and the safeguards currently in place. Many organisations will discover data flows they did not know existed — particularly in cloud computing, SaaS tools, and third-party analytics services. You cannot comply with transfer rules you do not know apply to you.

Upgrade Your Data Processing Agreements

Every contract with a foreign client or vendor that involves personal data should be reviewed and updated. At minimum, your DPAs should include specific provisions addressing PDPA compliance, data subject rights obligations, security measures, breach notification procedures, sub-processor restrictions, and data return or deletion obligations at the end of the engagement. Do not wait for the Authority to publish standard contractual clauses. Build robust DPAs now that can be adjusted later when official templates become available.

Conduct Transfer Impact Assessments

For high-risk transfers — particularly transfers involving sensitive personal data, large volumes of data, or data flowing to jurisdictions with limited data protection frameworks — conduct a Transfer Impact Assessment. Evaluate the legal framework in the destination country, the specific risks to data subjects, and the supplementary measures needed to mitigate those risks. This practice, borrowed from the European Data Protection Board’s guidance, will almost certainly become expected practice under the PDPA.

Build Your Documentation

The amended Act’s accountability principle means that organisations must be able to demonstrate compliance, not merely assert it. Build documentation that shows your transfer impact assessments, your contractual safeguards, your data flow maps, your risk assessments, and your decision-making processes. When the Authority starts asking questions — and it will start asking questions — the organisations with comprehensive documentation will be the ones that answer quickly and confidently.

Engage with the Authority

The Data Protection Authority is still building its approach to cross-border transfers. This is an opportunity, not an obstacle. Engage with consultations. Submit comments on draft guidance. Share industry perspectives on what works and what does not. The Authority needs industry input to develop practical, workable guidance — and the organisations that engage early will have the greatest influence on the framework that emerges.

Position Compliance as a Selling Point

Here is the most important piece of advice: stop treating data protection compliance as a cost. Start treating it as a competitive advantage. International clients — particularly those from the EU, the UK, and increasingly from jurisdictions across Asia-Pacific — are actively looking for service providers who can demonstrate robust data protection practices. A Sri Lankan IT company that can show comprehensive PDPA compliance, documented transfer safeguards, and a mature privacy programme is more attractive than a competitor that cannot.

The $5 billion target is not going to be reached by being the cheapest option in the market. It will be reached by being the most trusted. And trust, in the data economy, is built on demonstrable data protection.

The framework is right. The clock is ticking. Now we need the details.

The 2025 amendment gave Sri Lanka’s IT industry something it desperately needed: a cross-border data transfer framework that is workable, practical, and aligned with how the industry actually operates. The adequacy-decision bottleneck is gone. The organisational accountability model is in place. The competitive signal is positive.

But frameworks do not implement themselves. The gap between the amended Act’s architecture and the operational reality on the ground is still enormous. Standard contractual clauses need to be published. Guidance needs to be issued. Industry practices need to be developed and shared.

The framework is right. The clock is ticking. Now we need the details.

Next in the series: The Algorithm Will See You Now
