Digitalisation in the 2026 Budget: Key Questions

Photo courtesy of IPS

The government’s 2026 budget outlines an ambitious and costly digitalisation agenda, allocating over Rs. 30 billion for a sweeping technological overhaul of the state apparatus. While presented as a leap towards efficiency, transparent governance and a modern digital economy, roseate presidential and official narratives hide major problems anchored to secrecy, the lack of essential legal safeguards and the absence of meaningful independent oversight. The concern is that digitalisation, far from being a simple modernisation effort, and while delivering significant benefits to society, could also lay permanent foundations for a powerful state surveillance architecture, fundamentally altering the nature of citizenship for the worse.

Based on the proposals noted in the president’s speech on Friday, parliament faces key decisions around some of the largest ever investments in Digital Public Infrastructure (DPI), Digital Public Goods (DPG) and related Critical National Infrastructure (CNI) with tens of billions of rupees allocated for biometric identification systems, revenue tracking, immigration digitalisation, police data systems and financial transaction monitoring. The scope, speed and scale of this transformation is historically unprecedented yet MPs are being asked to approve funding without scrutinising bilateral agreements governing the technology powering these systems, without understanding who controls citizen data and without any meaningful oversight mechanisms to prevent abuse.

This is concerning on a number of fronts. DPI, alongside all of what’s more easily recognised as helpful for citizens, also creates harmful, permanent and invisible architectures of power and control that can be weaponised against opposition politicians, civil society and independent media. For example, once biometric databases connect to revenue systems, police networks, immigration records and financial transactions, future presidents and government inherit considerable turnkey surveillance capabilities that risk, without strong rights-based guardrails and democratic safeguards, turning the country into a digital panopticon. And yet, why does this government demand funding while refusing transparency? In attempting to do so what does it communicate, despite promises of vast societal benefits?

For example, modernising the Inland Revenue Department (IRD) through the RAMIS 3.0 system would be roundly welcomed by most but also creates concerns about data sharing without requisite legal requirements. The police digitalisation and immigration modernisation raise similar questions about what safeguards prevent police from accessing citizen data from multiple integrated systems, what independent oversight with enforcement powers will monitor violations and why these specifications remain unpublished before funding approval.

The budget confirms the Data Protection Authority (DPA) is now operational following passage of the Personal Data Protection Act (PDPA). However, the government is silent on the repeal or major revisions around the draconian, rights debilitating Online Safety Act (OSA). Available public drafts of the Anti-Terrorism Bill and Cybersecurity Bill also feature rights eroding, privacy invading sections that create irreconcilable, contradictory legal obligations making compliance impossible. These conflicting legal demands will also mean foreign investments will simply not materialise, especially from countries or regions with strict privacy regulations such as the European Union. The government has not explained how the DPA can enforce incoherent frameworks or committed to consolidating this legislative chaos. This appears particularly urgent given the significant allocation for next generation digital infrastructure covering artificial intelligence, cloud computing and data centres.

The catastrophic Lanka Government Cloud (LGC) failure in October was a masterclass in how not to handle a cyber-crisis and was defined by inchoate response mechanisms, contradictory, convoluted official explanations (sometimes from the same official speaking to different media saying wildly different things) and total impunity for those responsible. The government hasn’t published any detailed investigation report to date and instead relies as it always has on untrusted institutions and incompetent public officials to promise the public that all is well. And yet, parliament appears expected to approve billions for expanded cloud infrastructure. Additionally, the digital payment transformation raises questions about financial surveillance architecture. The budget waives service fees for government institution payments from January 2026 yet provides no safeguards preventing financial transaction data from being accessed by security services, shared with foreign technical partners or used for surveillance purposes. No legal frameworks govern retention, access and deletion of this comprehensive record of citizens’ financial activities.

The absence of any stress on Tamil and Sinhala communications around digitalisation appears particularly striking. Sri Lanka remains the first and only country the author knows of where digitalisation discourse isn’t available in the languages spoken by the majority of citizens. The budget contains no specific allocation for comprehensive public communications in Sinhala or Tamil explaining DPI architecture, foreign roles, data protections and rights safeguards. To date there’s no official statement, framework, blueprint, explainer, video, document or article from the government in Sinhala or Tamil explaining even the basics of digitalisation. This systematic exclusion, whether by design or callous insensitivity, impacts public trust. Without public trust, technical frameworks will flail and fail. Without public engagement and legitimacy, communities in the North, and East who continue to live in fear of a militarised state that monitors their movements, beliefs and speech will reject the benefits of digitalisation. Roseate promises and political narratives are poor substitutes for meaningful public consultation. The author has repeatedly stressed how Brazil’s digital public infrastructure experience demonstrated how government communications failures enabled disinformation campaigns to undermine public trust, derailing digitalisation. Sri Lanka replicates these exact failures through a communications vacuum, English only materials and technocratic opacity when international precedents clearly demonstrate the risks and dangers.

The budgetary allocations for innovation and AI development provides funding for projects, foreign training scholarships and university facilities yet ethical frameworks, bias auditing mechanisms grounded in our socio-economic, cultural and political realities, transparency requirements and accountability structures governing deployment remain absent from policy documents. AI carries documented potential to amplify existing systemic discrimination against Tamil, Muslim and other minorities yet safeguards appear entirely absent and unconsidered, illuminating how for the technocrats in charge fundamental rights, protections are unimportant.

The allocations for divisional secretariat digitalisation and the e-Grama Niladhari project create concerns about potential surveillance infrastructure at implementation level. Divisional secretariats handle birth certificates, identity documents, land records and welfare programme eligibility yet data sharing protocols connecting these systems to biometric identification, revenue tracking, police databases and intelligence services remain unclear. No consent mechanisms appear to govern citizens’ data being accessed across systems and no legal frameworks limit function creep from service delivery to comprehensive surveillance. Training ensuring Grama Niladhari officers understand data protection obligations (especially under the PDPA), audit mechanisms monitoring their access to sensitive information, penalties for misuse and safeguards preventing local officials from sharing citizen data for partisan purposes all appear absent.

The railway service digitalisation introduces electronic access passes for passengers, raising questions about transport surveillance architectures. Retention periods governing travel data remain unspecified as do frameworks protecting citizens from surveillance through their use of public transportation. Across all digitalisation allocations, the percentage of funding flowing to foreign technical partners versus domestic capacity building stays concealed as do specifications about which foreign entities are involved in each programme, what access they have to Sri Lankan data and what legal frameworks govern their operations.

The budget establishes the Digital Economy Authority and Data Protection Authority but provides no independent oversight body with powers to investigate violations, compel testimony, impose penalties and provide citizen redress. What specific accountability mechanism with enforcement powers will monitor implementation and will it be established before biometric data collection begins or only after violations occur? For example, the Treasury revenue and expenditure system rollout to all expenditure units creates potential for comprehensive surveillance of government spending that could be weaponised against opposition politicians, MPs and potentially even impact and extend to private industry, civil society organisations and independent media platforms.

Sri Lanka’s digitalisation presentations also, tellingly, ignore international best practices. The Freedom Online Coalition published principles in October 2025 for rights respecting digital public infrastructure. The principles emphasise that technology development must prioritise human rights, ensure everyone can meaningfully access digital services regardless of background or circumstances, and maintain strong privacy protections alongside clear accountability measures. They stress transparency in how systems operate and collect data, call for sustainable and resilient infrastructure, and insist on collaborative approaches that include civil society and affected communities in decision-making. 27 countries signed the statement, signalling shared concern about risks that poorly designed digital infrastructure poses to democratic rights and social inclusion. However, the digitalisation promised, proposed and promoted in the 2026 budget speech by the president systematically violates these principles through secrecy, lack of oversight, absence of redress mechanisms, inadequate data protection safeguards, surveillance architecture without judicial oversight, systematic linguistic exclusion, technology first rather than human-centred approach, zero meaningful consultation, closed decision making, rights not embedded by design, opaque procurement and vendor lock in risks. The government proceeds without even responding to a March 2025 civil society open letter by the Collective for Social Media Declaration network addressing digitalisation secrecy, online harm regulations, media freedom and privacy concerns, fundamental questions about India’s role in the e-NIC infrastructure, data protection frameworks, foreign access and surveillance safeguards.

The technical complexity around digitalisation with a myriad of narratives, programmes, projects, initiatives, institutions and frameworks is intimidating and perhaps by design. Core questions, however, remain straightforward. Citizens may not understand biometric authentication protocols but can immediately, and intuitively grasp why secret agreements governing their personal information violate democratic principles. Parliament must decide whether to approve billions for DPI foundations that create permanent surveillance capabilities without transparency, without safeguards, without oversight and without any meaningful public consultation.

These are not questions or concerns that can be ignored. Sri Lanka desperately needs rights-based digitalisation architectures to more fully realise our democratic potential. But digitalisation’s fundamentals, as they stand today, risk creating perturbing, pervasive, permanent surveillance architectures ripe for weaponisation. This is unfortunate and undermines what the president, government and foreign partners, including regional allies willing to support our democratic transformation seek to achieve. Especially after the 2022 aragalaya’s clarion call for system change, rights-based frameworks and democratic policies matter beyond personal promises, partisan affiliation and the love of specific individuals temporarily in power. The government must commit to international democratic standards on privacy, transparency, rights and accountability and realise that to truly achieve digitalisation’s benefits for country, much more needs to be done.