Advances in South Asian Data Privacy Laws: Sri Lanka, Pakistan and Nepal

(2019) Privacy Laws & Business International Report, 22-25

7 Pages Posted: 30 Mar 2020

Date Written: December 1, 2019


Five years ago, the only significant data privacy laws in South Asia (or SAARC, the South Asia Area of Regional Cooperation) were India’s new and extremely limited private sector law, and Nepal’s public sector law. The region’s data privacy protections were far more limited than in North-east Asia or the ASEAN countries. South Asia is now showing signs of catching up with the rest of Asia. Sri Lanka’s Personal Data Protection Bill is the focus of this article, but Bhutan and Nepal have enacted privacy laws, and Pakistan has a private sector Bill. Bangladesh, Afghanistan and the Maldives continue to be the states in the SAARC region where there are no significant developments.

The scope of Sri Lanka’s Bill is comprehensive in that it covers both the public and private sectors, and appears to have extra-territorial effect in similar terms to the EU GDPR (but in fact is more limited). Exceptions to the Bill seem broad, but are constrained in many ways. It does require lawful grounds for processing to take place at all, and goes on to contain many obligations of controllers, and rights of data subjects that are based on GDPR provisions (sometimes ‘watered down’ versions). Compulsory registration of controllers, required in a previous version of the Bill, has been removed, but appointment of DPOs may be required, as may data protection impact assessments (DPIAs) when constitution or other rights may be put at risk by processing. Many of the marquee rights of the GDPR are present in some form, including the ‘right to be forgotten’ and protections against automated processing, but not data portability. Data localisation requirements apply in the public sector, and export restrictions apply to the private sector, with a ‘white list’ and other exceptions. A data protection authority (DPA) must be appointed, but its independence is not guaranteed. Enforcement powers allow a lot of different interventions by the DPA, but the maximum fines (US$55,000) are trivial compared with the previous draft, and compensation is not mentioned. The article considers factors relevant to EU ‘adequacy’ and Convention 108+ accession.

Bhutan’s Information, Communications and Media Act of Bhutan 2018 gives the Kingdom a minimal data privacy law to increase its gross national happiness. Nepal enacted The Privacy Act 2018 but it is not a data privacy law because it does not include most of the set of basic principles shared by all such laws since 1980. However, there are many provisions in the Act to which private sector bodies operating in Nepal should pay careful attention in order to avoid prosecutions or compensation claims. Finally, Pakistan’s November 2019 revised version of its e-commerce policy promises a data protection law, but it is not clear that it is referring to the Personal Data Protection Bill, 2018 which was introduced to the legislature. That Bill only covers the private sector, and at best might meet most of the requirements of a ‘second generation’ law (based on the 1995 EU Data Protection Directive), but not the GDPR.

Keywords: data protection, privacy, South Asia, SAARC, Sri Lanka, Bhutan, Nepal, Pakistan, GDPR, Convention 108+

Suggested Citation

Greenleaf, Graham, Advances in South Asian Data Privacy Laws: Sri Lanka, Pakistan and Nepal (December 1, 2019). (2019) Privacy Laws & Business International Report, 22-25, Available at SSRN:

Graham Greenleaf (Contact Author)

Independent Scholar ( email )



Do you have a job opening that you would like to promote on SSRN?

Paper statistics

Abstract Views
PlumX Metrics