Sri Lanka’s Digital Law and Privacy Landscape
Photo courtesy of Tectera
Think about a gated community with tight security, where management is obsessed with the conduct of the people who live there. It hires security teams to patrol the streets, ready to arrest anyone who uses a prohibited term or shares a false report in a public area. Meanwhile, the digital back gates of the community, where its principal databases sit, are left unsupervised, allowing third-party contractors to copy and sell residents' personal data: private house keys, identity records, even medical records. All because management was focused on the streets, not the vaults.
This is the current state of digital governance in Sri Lanka. We have a solid system in place for governing the individual, but we are only just beginning to build the infrastructure that protects the individual's data. Because of this disparity, a citizen may face immediate legal action for simply making an online statement, while a giant global tech company may face comparatively minimal penalties for even a massive breach of personal data.
To analyse this matter, it is important to define key terminologies.
- Online safety – protecting users against harmful content, for example harassment, child abuse material or any category of prohibited statement.
- Data protection – the legal framework that governs the collection, storage and use of personal data.
- Data sovereignty – the principle that digital data is governed by the laws of the country in which it is collected. This digital border ensures that Sri Lankan law applies to the data of Sri Lankan citizens.
The newly introduced Online Safety Act (OSA) is the primary legislation governing online safety, while data protection is governed by the Personal Data Protection Act (PDPA).
Europe’s General Data Protection Regulation (GDPR) is recognised as the gold standard for governing how organisations handle personal data. It is based on the idea that privacy is a fundamental human right. The GDPR places strict obligations on organisations that collect or use personal data, and those that violate it may face sanctions of up to four percent of their global annual sales, which makes even the biggest tech companies take compliance seriously. The PDPA is heavily influenced by the GDPR and includes several similar concepts, such as data minimisation (collecting only the data required for a given purpose) and purpose limitation (controlling how gathered data may be used). However, enforcement of the PDPA is still evolving, and the regulatory structure is causing delays in implementation.
The PDPA was originally enacted in 2022; its full enforcement period has been extended by the Personal Data Protection (Amendment) Act of 2025. This delay mirrors a wider issue in the digital governance landscape: the gap between legislation and enforcement. One major concern is the severity of the penalties available under the PDPA. The law caps fines at Rs. 10 million per violation. Although this amount may be significant in the local context, it is minor in comparison with the GDPR’s penalty regime, and the Sri Lankan framework may therefore not compel sufficient compliance from the big tech companies that operate in the country.
The introduction of the OSA alongside the PDPA has created a regulatory challenge because of how differently the two laws treat individual online activity and the digital platforms that use personal data. The OSA is concerned with governing online content and the individuals who post it. The Online Safety Commission has the power to designate certain online content as prohibited statements, a term the Act does not precisely define, and to order platforms to delete it within a specified timeframe. Individuals who published the content may face criminal prosecution, including large fines and imprisonment for up to five years. Analysts warn that the Act’s definitions could be read broadly, harming legitimate criticism, parody or journalism if enforcement is not carefully aligned with free speech guarantees.
In contrast, the legal procedures that govern firms and digital platforms continue to take longer to implement. The PDPA assigns accountability to entities known as data controllers, which include technology firms and other organisations that collect and analyse personal information. The procedural framework needed to enforce the law, specifically the Data Protection Authority, has only begun to emerge. This gap creates a regulatory imbalance: while an individual user can face immediate legal penalties under the OSA for making an online statement, major digital platforms that collect, store and process immense quantities of user data may face limited or deferred liability for systemic problems such as data breaches, faulty safeguards or insufficient moderation procedures, especially in local languages.
Although various digital laws have been enacted, the digital governance architecture continues to have gaps and structural problems. One frequent complaint is the uncertainty in certain legal definitions. The OSA uses vague phrases such as prohibited statements that lack clear and exact legal definitions. Legal professionals and civil society groups, notably Sri Lanka’s Human Rights Commission, have expressed concern that the unclear phrasing may conflict with constitutional guarantees of free expression. Another difficulty is the technology gap between the regulations and today’s digital environment. While the Computer Crimes Act of 2007 was a crucial first step in fighting cybercrime, it was written several years before the rise of massive database ecosystems, algorithmic moderation and AI-driven harassment. As a result, the law fails to adequately address modern risks such as planned privacy breaches, large-scale network compromise and cross-border data misuse.
In addition to legal definitions and technological limitations, there are concerns about institutional independence and oversight. The Online Safety Commission established under the OSA is a body whose members are selected by executive authorities, prompting questions about the commission’s ability to remain neutral in politically sensitive circumstances. To create a more secure and balanced digital environment, governance must progressively shift away from a paradigm that penalises individual users and towards one that places greater responsibility on the businesses and infrastructure that run these platforms. This involves tightening corporate accountability standards so that global technology businesses operating in Sri Lanka adopt stronger safeguards, including local-language moderation, greater transparency in automated decision making and safer data retention procedures. Existing legislation must also be harmonised so that separate laws do not inadvertently contradict one another; certain elements, such as requirements for platform login verification, may conflict with the privacy-by-design principles set out in the PDPA.
The digital governance system has arrived at a major crossroads. The country already has several significant legislative foundations: the Computer Crimes Act, which addresses cybercrime; the PDPA, which governs personal data protection; and the OSA, which addresses harmful online content. Unfortunately, having several laws does not guarantee a safe online environment if gaps exist between them. True data sovereignty extends beyond hosting data within national boundaries; it requires a governance framework that protects both citizens and institutions through explicit, balanced and enforceable legislation.
As the technology economy and the online community expand, the challenge will be to create a framework in which people can participate securely and freely, while ensuring that the platforms that handle their data remain transparent, accountable and subject to effective oversight.