What the 2025 Amendment Actually Changed — A Section-by-Section Breakdown
Part 3 of “Data Protection in Paradise” — A Practitioner’s Guide to Sri Lanka’s PDPA
The Personal Data Protection (Amendment) Act, No. 22 of 2025, was certified on 30 October 2025. It is a short piece of legislation — just a few pages — but its effects are substantial. The Amendment makes surgical changes to thirteen sections of the original Act, and several of those changes fundamentally alter how the PDPA will work in practice.
This article is the reference document. It walks through every change, section by section, explaining what was modified, what it means, and who it affects. Bookmark this one. You will come back to it.
1. Commencement Provisions (Section 1)
What changed
The original Section 1 provided that Parts II through VI would come into operation on “such date as the Minister may appoint by Order published in the Gazette.” This was a single trigger: one Gazette notification, all substantive provisions commence at once.
The Amendment replaces this with a flexible mechanism. The new Section 1 allows the Minister to appoint different dates for different provisions or different purposes. Parts or individual sections can be brought into force independently.
What it means
This is the most structurally important change in the Amendment. It enables a phased commencement approach. The Authority can, for example, commence the data processing principles (Part II) first, giving organisations time to adjust their practices, before commencing the data subject rights (Part III) and the enforcement provisions (Part VI).
This is sensible regulatory design. It avoids the “big bang” problem where all obligations land simultaneously and overwhelm both regulators and regulated entities. It allows the Authority to sequence commencement based on institutional readiness, industry preparedness, and enforcement capacity.
But it also creates uncertainty. Until the Authority publishes a commencement roadmap — indicating which provisions will commence when — organisations cannot plan with precision. They know that obligations are coming; they do not know in what order or on what timeline.
Who it affects
Everyone. Every entity that falls within the scope of the PDPA is affected by how and when the substantive provisions are commenced. The phased approach is particularly relevant for large organisations that need to plan compliance programmes and allocate budgets across financial years.
2. Data Protection Management Programme (Section 12)
What changed
Section 12 of the original Act required controllers to implement a data protection management programme. The Amendment modifies the requirements for this programme, clarifying what it must include and aligning it with the broader amendments to the Act.
The changes ensure that the management programme reflects the amended provisions — particularly the updated cross-border transfer framework and the modified data protection impact assessment requirements.
What it means
The data protection management programme is the PDPA’s version of a compliance programme. It is the documented evidence that an organisation has systematically addressed its data protection obligations. The Amendment ensures that this programme aligns with the Act as amended, rather than the Act as originally enacted.
In practice, this means that any organisation developing a data protection management programme should work from the amended Act, not the original. Templates and frameworks developed before October 2025 may need to be updated.
Who it affects
All controllers — which means every organisation that determines the purposes and means of processing personal data. In practice, this is virtually every business, government agency, and non-profit that handles personal data.
3. Response Timelines for Data Subject Requests (Section 17)
What changed
Section 17 governs the timelines for responding to data subject requests — access, rectification, erasure, restriction, portability, and objection. The Amendment makes four changes to this section:
First, the response deadline is extended from 14 days to 21 days. The original 14-day timeline was widely criticised as unrealistic, particularly for large organisations processing high volumes of data across multiple systems. Twenty-one days is more aligned with international norms (the GDPR allows 30 days).
Second, a further extension of 21 days is permitted for complex or voluminous requests, provided the controller informs the data subject of the extension and the reasons for it within the initial 21-day period.
Third, the Amendment explicitly states that no fee may be charged for processing data subject requests. The original Act was ambiguous on this point. The Amendment removes the ambiguity: data subject requests must be processed free of charge.
Fourth, the Amendment provides that the controller may refuse to act on a request if it is manifestly unfounded or excessive, particularly if it is repetitive. This is a safety valve that protects controllers from abusive or vexatious requests.
What it means
The extended timeline is pragmatic. Fourteen days was simply too short for most organisations to locate, compile, and deliver all personal data held about a data subject, especially when that data is distributed across multiple systems, databases, and business units.
The no-fee provision is significant. Under GDPR, controllers can charge a “reasonable fee” for manifestly unfounded or excessive requests. The PDPA takes a stricter approach: no fees, ever, for standard requests. The only remedy for excessive requests is refusal, not charging.
From a technology perspective, this means organisations need to invest in data subject request (DSR) handling systems that can locate and compile personal data within the 21-day window. For organisations with fragmented data landscapes — and in Sri Lanka, that is nearly everyone — this is a significant technical challenge.
Who it affects
All controllers. The timeline and fee provisions apply every time a data subject exercises their rights under the Act. Consumer-facing businesses with large customer bases will need to build or procure automated DSR handling systems. B2B entities with smaller numbers of data subjects may be able to manage manually, at least initially.
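As an added illustration (not from the article, the Act, or any official source), the following sketch shows how a DSR handling system could encode the Section 17 timeline rules just described: the 21-day window, the further 21-day extension that is only valid if the data subject was notified within the initial period, the zero-fee rule, and refusal for repetitive requests. Calendar-day counting, the sample dates and the repeat-count threshold used to flag a request as excessive are assumptions made for the example.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Section 17 figures as described in the article. Counting in calendar days is an assumption.
INITIAL_RESPONSE_DAYS = 21
EXTENSION_DAYS = 21
REQUEST_FEE = 0  # the Amendment states no fee may be charged for a data subject request

REQUEST_KINDS = {"access", "rectification", "erasure", "restriction", "portability", "objection"}


@dataclass
class DataSubjectRequest:
    request_id: str
    kind: str
    received: date
    complex_or_voluminous: bool = False
    extension_notice_sent: Optional[date] = None  # date the controller told the data subject, with reasons
    prior_identical_requests: int = 0             # constructed counter used by the "repetitive" check

    def __post_init__(self) -> None:
        if self.kind not in REQUEST_KINDS:
            raise ValueError(f"unknown request kind: {self.kind}")


def initial_deadline(req: DataSubjectRequest) -> date:
    return req.received + timedelta(days=INITIAL_RESPONSE_DAYS)


def extension_valid(req: DataSubjectRequest) -> bool:
    """The extra 21 days apply only to complex or voluminous requests AND only if the
    extension notice reached the data subject within the initial 21-day period."""
    if not req.complex_or_voluminous or req.extension_notice_sent is None:
        return False
    return req.received <= req.extension_notice_sent <= initial_deadline(req)


def effective_deadline(req: DataSubjectRequest) -> date:
    deadline = initial_deadline(req)
    if extension_valid(req):
        deadline += timedelta(days=EXTENSION_DAYS)
    return deadline


def may_refuse(req: DataSubjectRequest, repeat_threshold: int = 3) -> bool:
    """'Manifestly unfounded or excessive' is a judgement call. This heuristic (an assumption,
    not a statutory test) flags a request repeated at least `repeat_threshold` times before."""
    return req.prior_identical_requests >= repeat_threshold


def status(req: DataSubjectRequest, today: date) -> str:
    """Human-readable queue status for the DSR dashboard."""
    if may_refuse(req):
        return "refusable: repetitive request (record the grounds; the data subject may appeal)"
    deadline = effective_deadline(req)
    if today > deadline:
        return f"OVERDUE by {(today - deadline).days} days"
    return f"{(deadline - today).days} days remaining (deadline {deadline.isoformat()})"


if __name__ == "__main__":
    # Constructed sample: notice sent on day 18, so the extension is valid.
    req = DataSubjectRequest("DSR-001", "access", date(2026, 3, 2), True, date(2026, 3, 20))
    print(status(req, date(2026, 3, 25)))
```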
4. Automated Decision-Making (Section 18)
What changed
Section 18 deals with the right of data subjects not to be subject to decisions based solely on automated processing, including profiling, that produce legal or similarly significant effects. The Amendment adds two critical words to this section: “or significantly.”
The original Section 18 applied only to decisions based solely on automated processing. The Amendment extends it to decisions based solely or significantly on automated processing. This is a dramatic expansion of scope.
What it means
Under the original Act, an organisation could avoid the automated decision-making provisions by ensuring that a human was nominally involved in the decision process. The classic workaround: an algorithm generates a recommendation, a human rubber-stamps it, and the organisation claims the decision was not “solely” automated.
The addition of “or significantly” closes this loophole. If automated processing plays a significant role in a decision — even if a human is technically in the loop — the data subject has the right to not be subject to that decision, to obtain an explanation of the logic involved, and to challenge the outcome.
This has profound implications for AI deployment, credit scoring, insurance underwriting, recruitment screening, and any other context where algorithms influence decisions about individuals. We will examine this in detail in Part 7 of this series.
Who it affects
Any organisation that uses automated systems to make or influence decisions about individuals. Banks using credit scoring algorithms. Insurance companies using risk models. Employers using AI-assisted recruitment tools. E-commerce platforms using personalisation algorithms that determine pricing or availability. The scope is broad and the implications are significant.
5. Data Subject Appeals (Section 19)
What changed
Section 19 governs the right of data subjects to appeal decisions made by controllers regarding their data subject requests. The Amendment modifies the appeals process, clarifying the role of the Authority in adjudicating disputes between data subjects and controllers.
The key change is that the Authority’s role as an appellate body is more clearly defined. When a controller refuses to act on a data subject request, or when the data subject is dissatisfied with the controller’s response, the data subject can appeal to the Authority. The Amendment clarifies the process, timelines, and scope of the Authority’s review.
What it means
This creates a two-tier dispute resolution mechanism: first to the controller, then to the Authority. It is modelled on the GDPR’s complaint mechanism but adapted for Sri Lanka’s institutional context.
For controllers, this means that refusing a data subject request is not the end of the matter. The data subject can escalate, and the Authority can overrule the controller’s decision. This creates an incentive to handle requests properly the first time, because the reputational and administrative cost of an Authority review is significant.
Who it affects
All controllers, but particularly those that process large volumes of personal data and are therefore more likely to receive data subject requests. Financial institutions, telecoms operators, healthcare providers, and government agencies should pay particular attention.
6. Data Protection Officers (Section 20)
What changed
Section 20 of the original Act required certain organisations to appoint a Data Protection Officer (DPO). The Amendment modifies the DPO provisions in several important ways.
The definition of who can serve as a DPO is broadened. The original Act was relatively prescriptive about the qualifications and expertise required. The Amendment relaxes these requirements, recognising the practical reality that Sri Lanka does not have a large pool of qualified data protection professionals.
The Amendment also clarifies that a DPO can serve multiple organisations, and that the DPO function can be outsourced. This is critical for SMEs, which may not have the resources or the need for a full-time, dedicated DPO.
What it means
The DPO provision is one of the most practically challenging aspects of the PDPA, because the supply of qualified individuals is so limited. CICRA Campus graduated Sri Lanka’s first batch of certified Data Protection Officers in October 2025. There were a few dozen of them. The demand, when the PDPA commences, will be in the thousands.
The Amendment’s relaxation of the DPO requirements is a pragmatic response to this supply gap. By allowing outsourced and shared DPOs, and by broadening the definition of who qualifies, the Amendment makes it possible for more organisations to meet the requirement without waiting for the professional pipeline to mature.
We will examine the DPO landscape in detail in Part 8.
Who it affects
Any organisation required to appoint a DPO under the Act. The specific criteria for mandatory DPO appointment include processing on a large scale, processing sensitive data, and being a public authority. But the broadened definition and outsourcing provisions affect the entire market for DPO services.
7. Data Protection Impact Assessments (Section 24)
What changed
Section 24 requires controllers to conduct a Data Protection Impact Assessment (DPIA) before processing that is likely to result in a high risk to the rights and freedoms of data subjects. The Amendment modifies the triggers for conducting a DPIA and adjusts the content requirements.
The changes align the DPIA provisions with the broader amendments, particularly the modified cross-border transfer framework and the expanded automated decision-making provisions. Where automated processing now has a broader scope (thanks to the “or significantly” addition), the DPIA requirements are correspondingly adjusted.
What it means
DPIAs are one of the most practically valuable exercises an organisation can perform. They force you to think systematically about what data you are processing, why, what the risks are, and how you are mitigating them. The Amendment’s changes ensure that DPIAs are calibrated to the Act as amended.
In practice, more processing activities will require DPIAs than under the original Act, because the expanded automated decision-making scope means more activities will cross the “high risk” threshold. Any organisation deploying AI or algorithmic decision-making should assume that a DPIA will be required.
We will provide a comprehensive practical guide to DPIAs in Part 10.
Who it affects
All controllers undertaking high-risk processing. This includes large-scale processing of sensitive data, systematic monitoring of public areas, automated decision-making with significant effects, and cross-border transfers to jurisdictions without adequate protection.
8. Risk Mitigation and Prior Consultation (Section 25)
What changed
This is perhaps the most dramatic change in the entire Amendment. The original Section 25 established a prior consultation framework. If a DPIA indicated that processing would result in a high risk that the controller could not mitigate, the controller was required to consult the Authority before commencing the processing. The Authority could then impose conditions, require changes, or prohibit the processing altogether.
The Amendment removes the prior consultation framework entirely.
In its place, the Amendment substitutes a risk mitigation obligation. Controllers must take measures to mitigate identified risks, but they are no longer required to obtain the Authority’s approval before proceeding. The consultation requirement is replaced with a documentation and mitigation requirement.
What it means
The original prior consultation mechanism was one of the most significant provisions in the Act. It would have given the Authority a veto power over high-risk processing activities. In theory, this was a strong safeguard. In practice, it was unworkable.
Consider the logistics. If every organisation in Sri Lanka that processes personal data in high-risk ways had to obtain prior approval from the Authority before commencing or modifying that processing, the Authority would have been overwhelmed instantly. The volume of prior consultation requests would have been unmanageable for a newly established regulator with limited staff and no established precedents.
The Amendment’s approach — shifting from prior consultation to risk mitigation and documentation — is more realistic. It places the responsibility on the controller to identify and mitigate risks, without requiring the Authority’s sign-off. The Authority retains the power to review, investigate, and enforce, but it is no longer a gatekeeper for every high-risk processing activity.
From a business perspective, this is a significant reduction in compliance burden. Prior consultation would have created delays, uncertainty, and a potential bottleneck that could have stifled innovation and normal business operations. The risk mitigation approach allows businesses to move forward while still being accountable for the risks they create.
Who it affects
Every organisation that would have been subject to the prior consultation requirement. This includes banks, insurance companies, healthcare providers, government agencies, technology companies, and any other entity engaged in high-risk processing. The burden reduction is most significant for organisations in innovation-intensive sectors where new processing activities are frequent.
9. Cross-Border Data Flows (Section 26)
What changed
Section 26 of the original Act imposed strict restrictions on transferring personal data outside Sri Lanka. The default position was that cross-border transfers were prohibited unless one of several conditions was met: the receiving country had been determined to provide an adequate level of protection, or the controller had provided appropriate safeguards (binding corporate rules, standard contractual clauses, etc.), or a specific derogation applied.
The Amendment inverts the default. Under the amended Section 26, cross-border transfers are permitted unless the Authority specifically restricts them. The Authority can designate countries or territories to which transfers are restricted, but in the absence of such a designation, transfers may proceed.
What it means
This is a fundamental shift in the approach to cross-border data flows. The original Act followed the GDPR model: transfers are restricted by default, and you need a legal mechanism to enable them. The amended Act follows a more permissive model: transfers are permitted by default, and the Authority intervenes only where necessary to protect data subjects.
For Sri Lanka’s IT and BPO sector, this change is transformative. The sector earned approximately $1.6 billion in export revenue in 2025. Every one of these operations involves cross-border data flows. Under the original Act, each of these flows would have required a legal mechanism — adequacy determination, standard contractual clauses, or binding corporate rules. The administrative burden would have been enormous and, for many smaller operators, prohibitive.
The amended approach removes this burden while preserving the Authority’s ability to restrict transfers where specific risks exist. It is a pragmatic balance between data protection and economic reality.
We will examine the cross-border data flow framework in comprehensive detail in Part 6.
Who it affects
Every organisation that transfers personal data outside Sri Lanka. This includes IT and BPO companies serving international clients, multinational corporations operating in Sri Lanka, any organisation using cloud services hosted outside Sri Lanka, and businesses with international supply chains or partner networks. In practice, this is nearly every organisation of any significant size.
10. Solicited Messages (Section 27)
What changed
Section 27 deals with direct marketing and unsolicited communications. The Amendment modifies the provisions governing solicited messages — communications that the data subject has requested or consented to receive. The changes clarify the line between solicited and unsolicited communications and tighten the requirements for valid consent to receive marketing messages.
What it means
Part IV of the PDPA — which contains Section 27 — is going to be the most immediately disruptive provision for consumer-facing businesses in Sri Lanka. The Amendment’s changes to Section 27 ensure that the distinction between solicited and unsolicited messages is clear and that organisations cannot exploit ambiguity to continue spam-like practices.
The practical implication is that consent to receive marketing messages must be specific, informed, and revocable. Pre-ticked boxes, bundled consent, and buried opt-out mechanisms will not suffice. Organisations will need to rethink their marketing consent infrastructure from the ground up.
We will examine the direct marketing provisions in detail in Part 9.
Who it affects
Every organisation that engages in direct marketing — SMS, email, push notifications, voice calls. This includes telcos, banks, retailers, e-commerce platforms, real estate agents, insurance companies, and the vast ecosystem of digital marketing operators in Sri Lanka.
11. Penalties (Section 38)
What changed
Section 38 sets out the penalty framework for non-compliance. The Amendment modifies the penalty provisions, adjusting the structure while maintaining the maximum penalty of Rs. 10 million per contravention.
The key change is the introduction of a more graduated penalty structure. The original Act provided for penalties of up to Rs. 10 million for any contravention, without much differentiation based on severity. The Amendment introduces more nuance, allowing the Authority to calibrate penalties based on factors including the nature and gravity of the contravention, the degree of responsibility, the steps taken to mitigate damage, and any previous contraventions.
What it means
The headline penalty — Rs. 10 million — has not changed. But the Amendment’s graduated structure means that minor, first-time, good-faith failures will likely attract lower penalties than serious, repeated, negligent violations. This is important for compliance planning: organisations that demonstrate genuine efforts at compliance, even if imperfect, will be treated more leniently than those that ignore their obligations entirely.
We will examine the penalty regime comprehensively in Part 11, including an analysis of whether Rs. 10 million is actually a meaningful deterrent (spoiler: it depends on what you think the real risks are).
Who it affects
Every entity within the scope of the Act. The graduated structure is particularly relevant for organisations developing compliance programmes: it creates an incentive to demonstrate effort and good faith, even if full compliance is not yet achieved.
12. Guidelines Power (New Section 51A)
What changed
The Amendment introduces a new Section 51A that explicitly grants the Authority the power to issue guidelines. While the original Act gave the Authority various regulatory powers, the explicit authority to issue guidelines was not clearly articulated.
What it means
This is more important than it appears. In data protection regulation, guidelines are where the rubber meets the road. The Act itself sets out principles and obligations in general terms. Guidelines translate those principles into practical, actionable guidance for specific sectors, activities, and scenarios.
The explicit guidelines power means the Authority can issue guidance on, for example: what constitutes adequate security measures for different sectors; how to conduct a DPIA; what qualifies as a legitimate interest; how to implement consent mechanisms; what the Authority considers best practice for data breach notification.
For practitioners, this is excellent news. Guidelines provide the interpretive framework that makes compliance achievable. Without them, organisations are left to interpret the Act’s broad principles on their own, with no certainty about whether their interpretation aligns with the Authority’s expectations.
Who it affects
Everyone within scope. Guidelines will be the primary mechanism through which the Authority communicates its expectations and provides practical compliance assistance. Every organisation subject to the PDPA should monitor the Authority’s publications for guidelines relevant to their sector and activities.
13. Definitions (Section 56)
What changed
Section 56 contains the definitions used throughout the Act. The Amendment modifies several definitions, most notably:
Public authority. The definition of “public authority” is narrowed. The original definition was broad, potentially encompassing entities that exercise public functions but are not traditional government bodies. The Amendment tightens this, limiting “public authority” to more clearly defined categories of government entities and bodies established by statute.
Data Protection Officer. As discussed under Section 20 above, the definition of who can serve as a DPO is broadened, reflecting the practical need for flexibility in a market with limited specialist supply.
What it means
Definitions matter enormously in legislation. They determine the scope of obligations, the boundaries of rights, and the applicability of specific provisions.
The narrowing of “public authority” means that some entities that might have been classified as public authorities under the original Act — and therefore subject to specific PDPA obligations applicable to public authorities — may now fall outside that category. This affects obligations such as the mandatory appointment of DPOs, restrictions on certain legal bases for processing, and the application of specific transparency requirements.
The broadening of the DPO definition, conversely, expands the pool of eligible individuals and creates more flexibility in how organisations structure their DPO function.
Who it affects
The public authority definition change primarily affects government entities, statutory bodies, and organisations that exercise public functions. The DPO definition change affects all organisations required to appoint a DPO, and the emerging market for DPO services and training.
Putting It Together
Taken as a whole, the 2025 Amendment reflects a regulator and a legislature that have learned from the experience of other jurisdictions and from Sri Lanka’s own circumstances. The changes are pragmatic, not ideological. They address real problems — the inflexible commencement mechanism, the unworkable prior consultation requirement, the too-strict cross-border transfer regime, the too-short response timelines, the too-narrow DPO definition — without abandoning the Act’s fundamental principles.
The six core obligations remain: lawful processing, purpose limitation, data minimisation, accuracy, storage limitation, and integrity and confidentiality. The data subject rights remain: access, rectification, erasure, restriction, portability, and objection. The penalty framework remains, with its Rs. 10 million maximum. The Data Protection Authority remains, with its supervisory and enforcement powers.
What has changed is the how, not the what. The Amendment makes the PDPA more implementable, more proportionate, and more responsive to Sri Lanka’s economic and institutional realities. It does not weaken the Act; it strengthens it, by making it more likely to be effectively implemented and enforced.
In Part 4, we turn from the law itself to one of its most critical practical challenges: consent. Specifically, why the consent mechanisms that most Sri Lankan businesses currently use are not just inadequate — they are actively harmful to the cause of data protection.
Next in the series: Consent Theatre