The Sri Lankan Parliament has passed the Personal Data Protection Bill without a vote after multiple revisions. Legislators and others expressed worries over the proposed Data Protection Authority's influence on individuals' privacy and independence. At the same time, media organisations argued the measure might prohibit media from utilizing personal data while reporting, infringing on journalists' rights. Before implementing the changes, Justice Minister Ali Sabry stated that the law was essential, adding that "perfect legislation does not exist."

The Act in itself contains various provisions for the safeguard of the individual's data. It also specifies that a designated public corporation, statutory body or any other institution established by or under any written law and controlled by the government be set up and known as the “Data Protection Authority of Sri Lanka”. Currently, the data matters are being handled by the Ministry of Technology of Sri Lanka. It also talks the processing of the data and also lays down obligations
for the Controller.

"While this act does provide a number of rights for individuals or as they are referred to in the act as “data subjects” it does not have as comprehensive reach as it should, nor are the fines that stringent," says Govind Chaturvedi, a trademark, social media law, and data expert. "It allows for the right to erasure but the right to be forgotten is not mentioned. Hence, while the law is well enunciated in certain aspects, it lacks to provide the broad overview of protection that it should.  It will give the citizens of Sri Lanka to contest the right of privacy, but I see concerns of more complex problems in regard to substrata’s of data protection flaring up. "

He adds that as times change and data becomes more valuable the government will enact policies to safeguard it, but the citizens also need to do their own due diligence like they need to be aware of the data they are sharing with mobile applications, websites, social media websites, among others.