The Court of Appeal’s order for Litro Gas, a state-owned downstream LP Gas operator, to disclose top executives’ remuneration in 2025 was a high-water mark for transparency. Judges accepted that salaries are “personal information” — but ruled that the public interest in how public funds are spent outweighs privacy concerns, especially at a state-owned enterprise.
That logic is embedded in the Right to Information (RTI) Act, which promises maximum disclosure, narrow exemptions and a sweeping public-interest override.
But this architecture is about to be tested. Sri Lanka’s Personal Data Protection Act (PDPA) — modelled on the EU’s General Data Protection Regulation (GDPR) — is moving towards full enforcement, with regulators drafting detailed rules.
It, too, contains a supremacy clause: in any conflict with other written law on personal data, the PDPA prevails.
In Brussels, where the EU has spent decades trying to square access to information with privacy, the equation looks very different. The way European institutions handle requests for documents offers a preview of the debates Sri Lanka will soon face.
The Litro dispute began in 2021 when a former employee asked the company for the monthly salaries and allowances of its chairman and other top managers, along with details of loans granted to them. Litro refused.
The RTI Commission not only held that Litro is a “public authority” under the RTI Act, and ordered disclosure of the salary information, stressing that the pay of senior officials in a state-linked company financed by the public cannot be treated as a private matter.
The company went to the Court of Appeal. In February 2024, the court upheld the Commission’s order. It accepted that salary data is personal information — but said public interest in transparency prevailed because public funds were involved. The court also underlined that the RTI Act has an overriding effect: where there is inconsistency with other written law, RTI prevails.
Sri Lankan courts have treated privacy as a relative exception. Personal information can be released if the public interest in disclosure outweighs the harm.
From interfering in the private domain, Sri Lanka is moving towards protecting it. More people are now assertive about private property, private affairs, and the right to be left alone.
In Brussels, personal data is an “absolute exception”. For the European Parliament, Council and Commission, public access to documents is governed by an exhaustive set of exceptions.
Myriam Gufflet, Head of Sector for Litigation and International Affairs, and Roberta Muraro, Transparency and Legal Officer at the European Data Protection Board (EDPB), based in Brussels, Belgium, say personal data protection is an absolute right in the European Union.
European institutions can refuse access to documents where disclosure would undermine “privacy and the integrity of the individual”, says Gufflet, citing provisions in the EU’s data-protection law.
The European Data Protection Board (EDPB), the body that ensures consistent application of the GDPR across the EU institutions, explained to visiting Sri Lankan journalists that this makes personal-data protection an absolute category in the access-to-documents regime.
When a document contains personal data, officials must carry out a concrete, individual examination and apply a kind of harm test. If disclosure risks undermining privacy or the “integrity of the individual”, that part of the document is withheld or redacted.
Media freedom and data protection can come into conflict. The starting point for the EDPB is that EU data-protection law is not an “absolute shield” for privacy. The GDPR explicitly requires member states to reconcile data-protection rights with freedom of expression and information, including for journalistic purposes.
Under this provision, national laws can grant wide derogations from key GDPR obligations when personal data is processed for journalism, academic, artistic, or literary purposes, provided this is necessary to protect media freedom and pluralism. But, as EDPB officials stressed, this is not a blanket “media privilege”.
The EDPB’s transparency officer also walked journalists through the EU’s access-to-documents regime. Some of the features will sound familiar to anyone who has used Sri Lanka’s RTI Act — and some will not.
1. Access is the rule, not the exception
Any person — including non-EU residents — can request documents held by EU institutions, in any format, without giving reasons. Most institutions keep a public register of documents and proactively publish major decisions; access requests are mainly for material that has not yet been published.
2. Strict timelines and no “vexatious” clause in the main law
The basic deadline is 15 working days to respond, extendable once. Officials admitted they “struggle” with this as the EU has grown. The regulation itself does not contain a provision on abusive requests. Instead, institutions are allowed — and encouraged — to contact applicants to narrow overly broad requests and find “fair solutions” that can be handled within the deadline.
Media freedom and data protection can come into conflict. The starting point for the EDPB is that EU data-protection law is not an “absolute shield” for privacy. The GDPR explicitly requires member states to reconcile data-protection rights with freedom of expression and information, including for journalistic purposes.
3. Absolute and relative exceptions
As in Sri Lanka, exceptions are exhaustively listed. Unlike in Sri Lanka, some — including privacy — are absolute; others are relative and must be weighed against public interest in disclosure. Relative exceptions are interpreted narrowly and are supposed to be time-limited: once the risk they protect against disappears (for example, when a negotiation ends), the document should become accessible.
Public-security and international-relations exceptions, for instance, are typically limited to terrorism, serious organised crime, the protection of key buildings, or the supply of essential commodities. Courts have held that the risk must be “reasonably foreseeable” and not purely hypothetical.
4. Who watches the balance?
In most EU countries, data-protection authorities supervise how the GDPR is applied in journalistic and FOI contexts. In some, media or press councils also play a role. Courts — at administrative, civil, or constitutional level — provide ultimate oversight, often insisting on a strict reading of exceptions and a detailed justification when access is refused.
For journalists, the message from the EDPB was clear: understand the legal framework, read guidance and case law, and challenge authorities when data-protection rules are used as a pretext to block legitimate transparency.
Sri Lanka’s legal landscape is more crowded than it was when the Litro case began. The RTI Act, in Section 4, says it prevails over any conflicting written law. The PDPA, in Section 3, says it prevails over any other written law “relating to the protection of personal data”.
Both regimes now claim to be supreme in case of conflict. Analysts have already warned that, read literally, the PDPA could tilt the balance away from RTI’s public-interest override in disputes involving personal data — precisely the category at stake in the Litro salaries ruling.
When the PDPA is fully operational, public authorities in similar disputes will almost certainly cite data-protection obligations as a reason to refuse disclosure – and point to Section 3 to argue that those obligations trump RTI.
The Litro salaries saga showed what Sri Lanka’s RTI framework can do when the stars align: a determined requester, a robust RTI Commission, and a Court of Appeal willing to put public interest above institutional discomfort.
The next big case may look similar on the surface — a request for named salaries, allowances, or payments to private actors from public funds. But by then, public authorities will have another powerful statute on their side, one that elevates the protection of personal data and claims supremacy in case of conflict.
Europe’s message to the Sri Lankan journalists who visited the EDPB was not that privacy always wins, or that freedom of information is doomed. It was that the balance must be carefully designed in law, applied case by case, and subjected to independent scrutiny.
If Sri Lanka can absorb that lesson – strengthening RTI’s public-interest override while building a credible data-protection authority that does not become a new excuse for secrecy – the Litro ruling may come to be seen not as an outlier, but as an early landmark in a more mature information-rights regime.