Sri Lanka: Monitoring Data Subjects Within Jurisdiction

Monitoring Data Subjects in Sri Lanka: Applicability of the Personal Data Protection Act

The Personal Data Protection Act, No. 9 of 2022 (PDPA) of Sri Lanka extends its applicability to data processing activities that involve monitoring the behavior of data subjects within Sri Lanka, even when the controller or processor is not established in the country.

Text of Relevant Provisions

PDPA № 9 Art.2(1b)(iv):

"(1) This Act shall apply to the processing of personal data—

(b) where the processing of personal data is carried out by a controller or processor who–

(iv) specifically monitors the behaviour of data subjects in Sri Lanka including profiling with the intention of making decisions in relation to the behaviour of such data subjects in so far as such behaviour takes place in Sri Lanka."

Analysis of Provisions

The PDPA extends its territorial scope to include data processing activities that involve monitoring the behavior of data subjects in Sri Lanka, even when the data controller or processor is not established within the country. This provision is designed to ensure that the law protects Sri Lankan residents' personal data regardless of the geographical location of the entity processing their data.

The key elements of this provision are:

  1. "specifically monitors the behaviour": This implies that the monitoring must be targeted and intentional, not incidental or passive.
  2. "of data subjects in Sri Lanka": The provision applies only to monitoring activities directed at individuals physically present in Sri Lanka.
  3. "including profiling": This clause expands the scope to include advanced data analysis techniques that create profiles of individuals based on their behavior.
  4. "with the intention of making decisions": The monitoring must be conducted with the purpose of informing decisions about the data subjects.
  5. "in so far as such behaviour takes place in Sri Lanka": This limits the scope to behaviors that occur within Sri Lanka's territorial boundaries.

Article 2(2) of the PDPA empowers the Authority to further define the circumstances under which specific monitoring of data subjects may occur, which could provide more detailed guidance on how this provision applies.

Implications

This provision has significant implications for businesses and organizations operating outside of Sri Lanka but engaging with Sri Lankan data subjects:

  1. Global reach: Companies based outside Sri Lanka that monitor the behavior of Sri Lankan residents may fall under the jurisdiction of the PDPA, even if they have no physical presence in the country.
  2. Online services: Websites, apps, and online platforms that track user behavior and are accessible to Sri Lankan users may need to comply with the PDPA if they specifically target or monitor Sri Lankan data subjects.
  3. Profiling activities: Organizations engaged in profiling Sri Lankan individuals for purposes such as targeted advertising, market research, or risk assessment may be subject to the PDPA's requirements.
  4. Decision-making processes: Companies using data from behavioral monitoring to make decisions about Sri Lankan individuals (e.g., for credit scoring, insurance underwriting, or employment screening) will need to ensure compliance with the PDPA.
  5. Compliance challenges: Non-Sri Lankan entities may face challenges in understanding and implementing the PDPA's requirements, potentially necessitating local legal counsel or data protection expertise.
  6. Cross-border data flows: Organizations monitoring Sri Lankan data subjects may need to establish mechanisms for lawful cross-border data transfers in compliance with the PDPA.

Jurisdiction Overview