The Rs. 10 Million Question — How the PDPA’s Penalty Regime Actually Works

Rs. 10 million per non-compliance. That is the headline number. Every article about the PDPA mentions it. Every conference presentation leads with it. Every compliance consultant uses it to sell their services.

Let us put that number in context.

Rs. 10 million is approximately $33,000 at current exchange rates. For comparison, the GDPR’s maximum penalty is €20 million or 4% of global annual turnover, whichever is higher. Under that regime, Meta was fined €1.2 billion in 2023 for transferring European user data to the United States. LinkedIn was fined €310 million. Uber was fined €290 million. The total value of GDPR fines across the European Economic Area has exceeded €5.8 billion across more than 2,200 enforcement actions.

By that standard, Rs. 10 million looks like a rounding error. A large Sri Lankan conglomerate could absorb it as a cost of doing business. A multinational operating in Sri Lanka might not even notice it on the balance sheet.

But that analysis misses almost everything about how the PDPA’s penalty regime actually works. The headline number is not the story. The story is the mechanism, the multipliers, the personal liability, and everything that happens alongside and around the fine itself.

How the Penalty Mechanism Works

The PDPA’s enforcement regime is not a simple fine-for-violation model. It is a multi-stage process that begins with investigation and escalates through directives, penalties, and ultimately criminal proceedings.

Section 35: Investigation and Directives

The process begins with the Authority conducting an investigation under Section 35. The Authority has broad investigatory powers — it can require the production of documents, compel attendance at hearings, and access premises. When an investigation identifies non-compliance, the Authority issues a directive. This directive can require the organisation to take specific corrective actions, cease specific processing activities, or comply with specific provisions of the Act.

This is important: the penalty is not for the original non-compliance. The penalty is for failing to comply with the Authority’s directive. This is a corrective model, not a punitive one. The Authority tells you to fix the problem. If you fix it, no penalty. If you don’t, then the penalty applies.

Section 38(1): The Rs. 10 Million Penalty

Section 38(1) provides that a person who fails to comply with a directive issued by the Authority is liable to a penalty not exceeding Rs. 10 million. This is a maximum, not a fixed amount. The Authority has discretion to impose a lower amount based on the circumstances. But the discretion cuts both ways — the Authority can also impose the full maximum for a single violation.

Section 38(2): The Doubling Provision

Here is where the arithmetic becomes uncomfortable. Section 38(2) provides that for a second or subsequent non-compliance, the penalty is doubled. This means the second violation attracts up to Rs. 20 million. The third, by reasonable interpretation, up to Rs. 40 million. The provision does not cap the escalation.

Per Non-Compliance Stacking

The Rs. 10 million limit is per non-compliance, not per investigation, not per year, and not per organisation. If an investigation reveals four distinct violations — failure to appoint a DPO, failure to maintain a processing register, failure to conduct a DPIA, and failure to honour a data subject access request — that is four non-compliances. Four directives. Potentially four penalties. Rs. 40 million for what might, from the organisation’s perspective, feel like a single compliance failure.

And if any of those violations involve repeat non-compliance, the doubling provision applies to each one individually.

Section 38(6): Personal Liability on Directors

This is the provision that should keep board members awake at night. Section 38(6) provides that where a non-compliance is committed by a body corporate and it is proved that the offence was committed with the consent or connivance of, or is attributable to the neglect of, any director, manager, secretary, or similar officer, that individual is also liable.

This is personal liability. Not corporate liability. Personal. The fine comes out of the director’s personal assets, not the company’s balance sheet. For a CEO or a board member of a large Sri Lankan company, the financial impact may be manageable. But the reputational impact of being personally named in a data protection enforcement action is a different calculation entirely.

The Magistrate Court Backstop

If an organisation still fails to comply after the penalty is imposed, the Authority can refer the matter to the Magistrate Court. This moves the matter from administrative enforcement to criminal proceedings. A criminal conviction for a data protection violation is a qualitatively different outcome from an administrative fine. It creates a criminal record. It can disqualify directors from holding office. It fundamentally changes the nature of the consequence.

Section 38(5): Regulatory Stacking

Section 38(5) provides that penalties under the PDPA are in addition to any penalties that may be imposed under other laws. This means that if your non-compliance also violates, say, CBSL banking regulations or TRCSL telecommunications requirements, you face penalties under both regimes. The PDPA penalty does not absorb or replace other regulatory penalties. They stack.

For organisations in regulated sectors — banking, insurance, telecommunications, healthcare — this creates a multiplier effect. A data protection violation in a bank could attract penalties from the Data Protection Authority and the Central Bank. A violation in a telco could attract penalties from the Authority and TRCSL. The total exposure is the sum of all applicable regimes.

What the Authority Considers

Section 39 sets out eight factors that the Authority must consider when determining the amount of a penalty. These factors are significant because they tell you, in advance, exactly what the Authority will be looking at — and therefore exactly what you should be preparing for.

1. The nature, gravity, and duration of the non-compliance. A one-off, quickly corrected violation will be treated differently from a systematic, long-running failure. The more serious the violation and the longer it persisted, the higher the penalty.

2. The actions taken to mitigate the damage suffered by data subjects. Did you try to fix the harm? Did you notify affected individuals? Did you offer remediation? Or did you ignore the problem and hope nobody noticed?

3. The degree to which a data protection management programme was in place and effective. This is the compliance programme factor. If you had a genuine, functioning DPMP and the violation occurred despite reasonable efforts, the Authority will take that into account. If you had no programme at all, that will also be taken into account — in the other direction.

4. The degree of cooperation with the Authority. Organisations that cooperate with investigations, provide information promptly, and engage constructively with the Authority will receive more favourable treatment than those that obstruct, delay, or prevaricate.

5. The categories of personal data affected. Violations involving special categories of data — health data, biometric data, genetic data, data relating to criminal convictions, ethnic or religious data — will attract higher penalties than violations involving less sensitive data.

6. The manner in which the non-compliance was discovered. Was it self-reported by the organisation? Discovered through a data subject complaint? Found during a routine audit? Or exposed by a media report or whistleblower? Self-reporting is viewed more favourably. Being caught after trying to conceal is viewed much less favourably.

7. Any previous non-compliances. First-time offenders receive more lenient treatment. Repeat offenders do not. This factor interacts with the Section 38(2) doubling provision to create a compounding effect for organisations that fail to learn from their mistakes.

8. The financial benefits gained as a result of the non-compliance. If your violation was profitable — if you saved money by not investing in compliance, or made money by processing data you should not have been processing — the Authority will consider those benefits when setting the penalty. The penalty should, at minimum, eliminate the financial incentive for non-compliance.

Why Rs. 10 Million Is Not the Real Penalty

The fine is the most quantifiable consequence. It is also, for most organisations, the least consequential. The real penalties are the things that come alongside it.

The Reputational Penalty

The PDPA contains no confidentiality provision for enforcement actions. When the Authority issues a directive, imposes a penalty, or refers a matter to court, there is nothing in the Act that prevents this information from becoming public. And in Sri Lanka’s media environment, it will become public.

Imagine the Daily FT headline: “[Major Bank] Fined Rs. 10 Million for Data Protection Violations.” Imagine the Sunday Times investigation that follows. Imagine the social media amplification. In a market as small as Sri Lanka — where everyone in the business community knows everyone, where reputation is currency, where a single negative news cycle can shift customer behaviour — the reputational cost of a publicised enforcement action dwarfs the financial penalty.

For consumer-facing businesses, the reputational penalty is existential. Customers who learn that a company mishandled their personal data will leave. Not all of them, but enough. And in competitive markets — banking, telecommunications, retail — they have alternatives. The competitor who was not fined becomes the safer choice.

The Operational Penalty

The Authority’s directive power under Section 35 includes the ability to order an organisation to cease processing. This is the cease-and-desist power, and it is far more disruptive than any fine.

If the Authority determines that a particular processing activity violates the PDPA and orders you to stop, you must stop. If that processing activity is core to your business — a customer database, a marketing platform, a credit scoring system, an HR system — stopping it has immediate operational consequences. You cannot serve customers. You cannot process transactions. You cannot make decisions. Your business, or a significant part of it, grinds to a halt.

The cost of operational disruption — lost revenue, contract breaches, supply chain failures, employee idle time — will, for most organisations, exceed Rs. 10 million within days or weeks.

The Litigation Penalty

Section 35(2)(c) gives the Authority the power to direct an organisation to compensate data subjects who have suffered damage as a result of non-compliance. This is a directing power, not a recommendation. If the Authority determines that data subjects have been harmed, it can order the organisation to pay compensation.

But the more significant litigation risk comes from the precedent this creates. A finding of non-compliance by the Authority — particularly one upheld on appeal — creates a foundation for private litigation. Data subjects who have been affected can point to the Authority’s findings as evidence of wrongdoing. In sectors with large numbers of affected individuals — banking, telecommunications, healthcare — this creates the conditions for what is effectively a class action. Not formally, perhaps, since Sri Lanka’s civil procedure does not have a developed class action mechanism. But practically, a finding affecting millions of customers creates the template for thousands of individual claims.

The Court of Appeal Pathway

An organisation that is penalised by the Authority has the right to appeal to the Court of Appeal. The appeal must be filed within 21 days. But there is a catch: the appellant must deposit the full penalty amount as a condition of appeal. This means that even if you intend to challenge the penalty, you must pay it upfront.

The burden of proof on appeal rests with the appellant. You are not challenging whether the Authority made an error. You are demonstrating that the Authority’s decision was unreasonable, irrational, or procedurally unfair. The Court of Appeal will give significant deference to the Authority’s expertise on data protection matters. Winning on appeal is not impossible, but it is difficult, expensive, and public.

What the First Enforcement Action Will Look Like

Every data protection authority in the world follows a similar pattern when it begins enforcement. The GDPR provides the clearest precedent.

The pattern is one of escalation. Initial enforcement actions tend to target clear-cut, well-publicised violations by well-known organisations. The purpose is not revenue generation — it is deterrence. The Authority needs to demonstrate that it is willing and able to use its powers. It needs to create a precedent that makes other organisations take compliance seriously.

In Europe, the early GDPR enforcement actions targeted Google (France, €50 million for lack of transparency and valid consent), British Airways (UK, £20 million for a data breach affecting 400,000 customers), and Marriott (UK, £18.4 million for a breach affecting 339 million guests). These were chosen because the violations were clear, the organisations were well-known, and the public interest was obvious.

Sri Lanka’s Authority will likely follow the same playbook. The first enforcement action will be against an organisation that is large enough to make headlines, with a violation that is clear enough to be indefensible, and in a sector that affects enough consumers to generate public interest. A major data breach at a bank. A systematic privacy violation at a telco. An egregious case of unsolicited marketing by a well-known brand.

The trajectory will be compressed. The GDPR took approximately two years from commencement to significant enforcement. Sri Lanka’s Authority, benefiting from international precedent and pressure from the international community (particularly in the context of adequacy determinations), may move faster. The smart assumption is that meaningful enforcement will begin within 12 to 18 months of substantive commencement.

What You Should Do

Build a defensible compliance programme. Section 39’s factors tell you exactly what the Authority will assess. The most controllable factor is the third one: the degree to which a data protection management programme was in place and effective. You cannot control whether a breach occurs. You can control whether you had reasonable measures in place to prevent it and to respond when it happened. Build the programme. Document it. Test it. Improve it. Make it real, not performative.

Ensure board-level awareness. Section 38(6) creates personal liability for directors. This means data protection is not a compliance department problem. It is a board-level governance issue. Every board member needs to understand the PDPA’s requirements, the organisation’s compliance status, and their personal exposure. If you are a director and you have never been briefed on the PDPA, demand a briefing. If you are a compliance officer and you have never briefed the board on the PDPA, request the agenda item. Personal liability concentrates minds wonderfully.

Plan for incidents. The question is not whether you will have a data protection incident. The question is when. When it happens, the Authority will assess how you responded. Did you have an incident response plan? Did you activate it promptly? Did you notify affected individuals? Did you cooperate with the investigation? Did you take steps to mitigate the harm? The difference between an organisation that responds well to an incident and one that responds badly can be the difference between a warning and the maximum penalty.

Don’t hide violations. Section 39’s sixth factor — how the non-compliance was discovered — creates a strong incentive for self-reporting. An organisation that discovers a violation and reports it to the Authority voluntarily will be treated more favourably than one that conceals it. The cover-up, as always, is worse than the crime. If you find a problem, fix it and report it. The penalty for honesty is almost always lower than the penalty for concealment.

The question isn’t whether Rs. 10 million is scary. The question is whether everything that comes with it is. It is.