29 May, 2023


A Study On The Implementation Of Data Protection Laws In Sri Lanka

By Aneeraz Samahon and Vihangi Liyanagamage

According to International Bank for Reconstruction and Development (World Bank) statistics, 34.113% of the Sri Lankan population used the internet in 2019,[1] and only 328.441 per one million had access to a secure internet server in Sri Lanka.[2] In the European Union, by contrast, 83.932% of the population are internet users, while a staggering 50292.421 per one million have access to secure internet servers, as per the 2019 World Bank statistics. This is a comparison of the advancement of internet users and the availability of secure internet servers in the EU and Sri Lanka. Sri Lanka also falls into the 21% of countries that do not have a properly implemented data protection law, out of the 107 countries recognised by the United Nations Conference on Trade and Development (UNCTAD) as of 2019.[3]

This research focuses on the implementation of personal data protection laws in Sri Lanka and on what can be drawn from the General Data Protection Regulation (GDPR). The GDPR is referred to throughout the article, as it is evident that the European Union’s (EU) GDPR has had a remarkable impact within the Union. This further emphasizes the importance of the right to privacy and the protection of personal data, and the correlation between them.

Data Protection and Personal Data

According to the GDPR, ‘personal data’ means “any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.”[4]

Big data is a term used to describe the large volumes of structured and unstructured data that businesses gather continuously, and which they also use as an analytical tool to run the business better on a regular basis.[5]

The requirement of data protection arises from the existence of Personal Data and Big Data.[6] Protection of personal data is derived from the Fundamental Rights[7] of the Right to Privacy[8] and the right to protect the personal data of individuals.[9]

Why do we need data protection laws?

As society becomes continuously more open and technology driven, protecting the sensitive data that we provide to different individuals, businesses and government entities is becoming increasingly valuable and important. From the name and phone number given to a business app to the photos we share with our friends on social media, all of this is data that should be protected according to the wishes of its owner.

However, the data being provided is mostly unprotected by the law despite the sensitivity and value it carries. The data is seemingly stripped away from the owner and transferred to businesses according to company policies.

As we live in a society that is continuously identifying its rights and fighting for them, it is important to recognise the right to privacy, which is crucial in such a social media driven world, and the existence of a solid law to maintain it is vital.

Existing laws related to data protection

Although the constitution of Sri Lanka has a provision for access to information by the general public, it does not explicitly mention the importance of privacy or the right to privacy.

Nevertheless, there is existing legislation in Sri Lanka that governs privacy and data protection within its respective areas, such as the Intellectual Property Act No. 36 of 2003, Right to Information Act No. 12 of 2016, Computer Crime Act No. 24 of 2007, Banking Act No. 30 of 1988, Telecommunications Act No. 25 of 1991 and Electronic Transactions Act No. 19 of 2006.

None of the above-mentioned legislation has properly defined or addressed the term “data”, which further emphasizes the need for a law on data protection to secure individuals’ privacy. It also goes without saying that Sri Lankan law currently does not have a properly implemented branch regarding the protection of the data of individuals. For Sri Lanka, a country with a continuously increasing number of internet users, the absence of a separate personal data protection Act has left a huge gap in the law, especially considering the 21st century.

The right to privacy is currently undermined in Sri Lanka as a mere delict, while it is given much more importance in the European Union countries as a fundamental right. In the case of Nadarajah v Obeysekera[10] the invasion of privacy and the individual’s right to personal space were respectively recognised as to be respected and to be secured.[11]

Since the arenas of exposure for individuals have now expanded to cyberspace, invasion of privacy, the right to personal space and other matters regarding the protection of personal data and privacy should now be included in Sri Lankan law and be addressed with a new interpretation, in line with the developments that have taken place over the past few years.


Throughout the research it was found that the government of Sri Lanka had taken a step forward on the protection of the data of individuals by bringing forth a Bill in 2019. Although the bill was not added into the legal system in Sri Lanka, it should be mentioned that the provisions included in it were quite impressive, as the bill itself had a core strength similar to that of the EU’s General Data Protection Regulation.

Sri Lanka has a portal where the general public can complain about the issues they face on cyber platforms, namely the Computer Emergency Readiness Team (CERT), which is the center for cyber security. The latest issued activity report mentioned that the CERT team has just 17 members to deal with the matters reported to them in Sri Lanka, a country with a population over 20 million, over 34% of which are internet users.

However, the CERT was established to take measures on matters related to threats to the network systems of individuals and the government via the internet. There is no authority or body that individuals can trust to ensure that the data and privacy they have disclosed are being protected. Therefore a need arises for an active, efficient and independent criminal investigation authority to investigate crimes related to the inappropriate and unauthorised use of personal data.

The current situation in the country is that, for an individual’s privacy to be protected, the data processors and data controllers in one way or another require the individual to pay a certain fee, which seems absurd considering that privacy is recognised as a basic human right.[12]

As an example, although VPN services are offered to protect individuals using a public network by providing a private network, the applications give a free service only for a limited time period. They then ask for payment, restricting the most wanted features for the protection of data. A data processor is an organization or an individual that handles the personal data provided and processes it to deliver services and purpose-based data to the data controller. The data controller, in turn, decides the purposes for which the data processing is done. The questions of ‘why’ and ‘how’ are answered by the data controller.

Moving forward, it was identified that, as per the GDPR, the following Personal Data Protection Principles[13] make the processing of data lawful and transparent:

1. Lawfulness, fairness and transparency

2. Purpose limitation

3. Data minimization

4. Accuracy

5. Storage limitation

6. Integrity and confidentiality

7. Accountability

The owner of the personal data derives rights from these principles, and the processing is supervised at a national level. Taking this as an example, the suggested bill in Sri Lanka also included the above principles in Part I and section 12.[14]

With the many observations made, it is evident that the suggested bill on data protection in Sri Lanka used the GDPR of the European Union as a model. Future Bills and Acts on data protection can make the necessary extractions and amendments to suit the current and future situations of Sri Lanka.

The Ministry of Digital Infrastructure and Information Technology (MDIIT) was the institution governing data protection law in Sri Lanka until the end of the year 2020. However, it was an institution that changed its operations according to government policies rather than a stable authority.

A Review of the Proposed Data Protection Bill in Sri Lanka

The bill proposed for enactment in Sri Lanka in 2019 had put forward special provisions for the protection of individuals’ data, including the data provided to banks, the health sector, the telecommunication sector etc. Entities that collect data were required to collect it for a defined purpose, and that purpose was required to be communicated to the data subjects.

As the bill was to apply to parties who provide supplies and services to individuals in Sri Lanka, the services that individuals access via the internet were to be subject to it too. In that case, the data protection laws could have been applied where individuals provide their locations, private mobile numbers, email addresses, private addresses, names, bank details etc. to online private corporations and services such as Uber, Pick me and Pizza Hut, who then use that data for advertisement and promotion purposes. The emails, the promotional SMSs, the online ads appearing in web browsers and the location-based SMSs for offers that we receive are nothing other than a result of the use of data which we provided when we purchased goods or services, for the sole purpose of getting a trustworthy, good-quality service.

The data of individuals who are citizens of Sri Lanka was to be subject to this law, and the data protection was to be applied extraterritorially. This generally means that, had the laws proposed by the data protection bill been enacted, we could have had protection for our data not only from national threats but also from international intervention in the use of the private details we submit through the platforms.[15]

Though we have several laws related to computer crimes, such as the Computer Crimes Act[16] and the Electronic Transactions Act[17], which deal with the offences recognized under them, it is to be mentioned that they provided no definition for the term ‘data’, whereas the proposed Data Protection Bill did.

The use of data is to be notified when the commission of offences recognized under the Act is noticed. This shows that no law has complete authority to deal with the use of the data of individuals unless the data is being used to commit a crime under specific Acts.

Impacts of implementing personal data protection laws


Individuals will be protected from the exploitation of big data by businesses, as well as from other individuals, however large or small the scale. Personal data provided to databases and data processors can be entrusted to them once data protection rules and regulations are imposed. Individuals will gain more privacy, rather than having the information they provide shared among several sources or persons for those parties’ own benefit.

Economy and the businesses

Data protection laws will restrict businesses from earning profits by selling, using or sharing their clients’ and customers’ data without their consent. That is to say, the implementation of data protection laws will impose several limitations on certain businesses, especially small and medium enterprises (SME), by preventing the use of the data they have gathered without the consent of the owners of the data. The negative impact of personal data protection laws on the business field is that, in blooming businesses, investors may be discouraged by not having autonomy over the data collections and databases they lay their hands on to grow their businesses.

On the other hand, having personal data protection laws gives the economy an opportunity to have strong businesses with strong bargaining power. The bargaining power and strength carried into foreign business contracts and affairs can be increased by showing that we have our own data protection laws, which foreign parties are also obliged to obey. The main reason behind this is that almost all EU-based businesses and contracts approach third world and developing countries with their General Data Protection Regulation, requiring the host country businesses to protect the data of EU citizens included in the business practice, while neglecting the host state’s personal data protection because the host state has no binding law of its own to impose on the home states’ businesses.

Businesses which earn profits by selling or sharing data with other businesses, organizations or any other entities may lose those profits with the implementation of such a data protection law. Additionally, a loyal customer base can be built by businesses that can assure the protection of the data provided by their customers.


Regardless of the development status we hold economically, politically, socially or environmentally, as the usage of information technology has risen, the internet has become the most important element in our daily lives. Along with the increasing use of internet technology, the number of crimes paired with the technology has also increased ever since the technology appeared in business, educational and social paths.

The lack of an online monitoring system may be the main cause of the crimes occurring because, if we had an online monitoring system to monitor the activities done via internet technology, we could at least reduce the number of crimes planned or carried out via the platform. Having an online monitoring system means having a system that is sensitive to data transmitted or used that indicates violence, harassment, terrorist actions etc.


For data protection laws to be implemented, the breach of the right to privacy should be recognised as a crime, and data protection should be recognised as a fundamental right in Sri Lanka under the constitution. As per international standards, the right to privacy has been recognised as a basic human right.[18] In this digital era it is highly significant, though the local authorities do not seem to believe in its importance as such.

Major or full control of the data should be given to the rightful owner: the individual. Taking the GDPR as a ground for improvements in this arena, data protection should be entrusted to the hands of the individuals, which makes them the data controllers of the data they have provided. Article 28 of the GDPR further states that the data processing should be done by the processors as per the controller’s wishes, even if they possess the data with the consent of the controller. Further, it requires the consent of the controller to be in either written or electronic form.

An independent national authority to monitor and access the legal matters regarding online and offline data protection of individuals should be established by the government with ease of contacting and efficient management of breach of privacy situations with the necessary legal and technical knowledge.


The need for data protection laws in Sri Lanka has been continuously increasing, showcasing the importance of matters related to the protection of the privacy and data of individuals as well as other entities. With the high usage of technology that emerged in the Covid-19 pandemic, as almost all social, educational and local business activities are handled via the internet, crimes are also being reported in high numbers according to the CERT reports. It is therefore clear that the government’s attention should be focused on the implementation of data protection laws in Sri Lanka, especially at a highly digital time like now.

[1] ‘Individuals Using The Internet (% Of Population) – Sri Lanka | Data’ (Data.worldbank.org, 2021) <https://data.worldbank.org/indicator/IT.NET.USER.ZS?locations=LK> accessed 23 February 2021.

[2] ‘Secure Internet Servers (Per 1 Million People) – Sri Lanka | Data’ (Data.worldbank.org, 2021) <https://data.worldbank.org/indicator/IT.NET.SECR.P6?end=2019&locations=LK&start=2010&view=chart> accessed 1 March 2021.

[3] Nuwanthi Senaratne, ‘The Growing Need For Privacy And Data Protection In Sri Lanka’ (Sri Lanka News – Newsfirst, 2020) <https://www.newsfirst.lk/2020/01/13/the-growing-need-for-privacy-and-data-protection-in-sri-lanka/> accessed 8 March 2021.

[4] ‘Art. 4 GDPR – Definitions – GDPR.Eu’ (GDPR.eu, 2021) <https://gdpr.eu/article-4-definitions/> accessed 24 February 2021.

[5] ‘Big Data: What It Is And Why It Matters’ (Sas.com, 2021) <https://www.sas.com/en_us/insights/big-data/what-is-big-data.html> accessed 1 March 2021.

[6] Fundamentals Science and others, ‘Fundamentals Of Clinical Data Science | Pieter Kubben | Springer’ (Springer.com, 2019) <https://www.springer.com/gp/book/9783319997124> accessed 2 March 2021.

[7] Charter of Fundamental Rights of European Union.

[8] Article 7 of the Charter of Fundamental Rights of European Union.

[9] Articles 1,2 and 3 ‘GDPR Archives – GDPR.Eu’ (GDPR.eu, 2021) <https://gdpr.eu/tag/gdpr/> accessed 24 February 2021.

[10] 52 NLR 76 (1971)

[11] Manjula Sirimane and Nadine Puvimanasinghe, ‘Sri Lanka – Data Protection Overview’ (DataGuidance, 2020) <https://www.dataguidance.com/notes/sri-lanka-data-protection-overview> accessed 5 March 2021.

[12] ‘Universal Declaration Of Human Rights’ (Un.org, 2021) <https://www.un.org/en/universal-declaration-human-rights/#:~:text=No%20one%20shall%20be%20subjected%20to%20arbitrary%20interference%20with%20his,against%20such%20interference%20or%20attacks.> accessed 1 March 2021.

[13] ‘Art. 5 GDPR – Principles Relating To Processing Of Personal Data – GDPR.Eu’ (GDPR.eu, 2021) <https://gdpr.eu/article-5-how-to-process-personal-data/> accessed 24 February 2021.

[14] Manjula Sirimane and Nadine Puvimanasinghe, ‘Sri Lanka – Data Protection Overview’ (DataGuidance, 2020) <https://www.dataguidance.com/notes/sri-lanka-data-protection-overview> accessed 5 March 2021.

[15] Manjula Sirimane and Nadine Puvimanasinghe, ‘Sri Lanka – Data Protection Overview’ (One trust Data Guidance, 2020) <https://www.dataguidance.com/notes/sri-lanka-data-protection-overview> accessed 3 March 2021.

[16] No 24 of 2007

[17] No 19 of 2007

[18] ‘Universal Declaration Of Human Rights’ (Un.org, 2021) <https://www.un.org/en/universal-declaration-human-rights/#:~:text=No%20one%20shall%20be%20subjected%20to%20arbitrary%20interference%20with%20his,against%20such%20interference%20or%20attacks.> accessed 1 March 2021.

*Aneeraz Samahon and Vihangi Liyanagamage – 3rd year undergraduates of the Faculty of Law, General Sir John Kotelawala Defence University, Ratmalana, Sri Lanka
