The Hon. Kathiravelu Shanmugam Kugathasan

¶ 01 As amended, prior consultation with the DPA on unmitigated risks is removed, and subsections (2) to (6) of section 25 are deleted. For cross-border transfers, the amended section 26 allows transfers by non-public controllers or processors if they ensure compliance with the Act in the destination and rely on safeguards, explicit consent, contracts, legal claims, public interest or emergencies as identified by the DPA.

¶ 02 A new section 51A allows the DPA to issue guidelines, including for the data protection management program under section 12.

¶ 03 The definition of public authority is narrowed by excluding state corporations and companies, while ministries, departments, provincial councils and local authorities remain.

¶ 04 These changes streamline bureaucracy, strengthen privacy, restructure responses to data subject rights, align with international transfer regimes and provide clarity to investors. Yet concerns remain on DPA capacity, transparency to Parliament, independence, cross-border protections, handling of sensitive data in national systems, fairness and accessibility of enforcement, implementation timelines, and coordination with ICTA, TRC and other regulators. The Minister should clarify these.

¶ 05 Countries differ in personal identifiers—Canada’s SIN, the US SSN, EU GDPR’s broad definition, and India’s Aadhaar—offering lessons for Sri Lanka to protect citizens while enabling digital progress. I conclude urging incorporation of global best practices.