Quick Overview
Sri Lanka is enhancing its digital governance capabilities through privacy reform, digital identity programmes, and public-sector modernisation. While there is no single law dedicated to automated systems, the country is actively strengthening foundations for responsible data use and citizen protection. Its strategy is tied closely to improving public services, digital inclusion, and trust in government platforms.
What's Changing
- Sri Lanka is modernising its privacy and data protection framework through the Personal Data Protection Act (PDPA, 2022) — the country’s first comprehensive data-rights law.
- The Information and Communication Technology Agency (ICTA) is driving digital-government reform and responsible data practices.
- Key systems, including digital identity, public-service delivery, and health information platforms — are being expanded with clearer guidance on transparency and accountability.
- National discussions are underway about fairness, bias prevention, and explainability in public-sector analytics.
International partnerships with UNDP, World Bank, and regional digital initiatives are shaping emerging standards.
Who's Affected
- Government agencies deploying digital public services.
- Financial services, telecoms, and insurers using analytics on citizen data.
- Startups working on education, logistics, and public-health tools.
- International firms processing Sri Lankan user data or supporting state platforms.
Core Principles
- Privacy: Strong protections for personal data under the PDPA.
- Accountability: Public institutions must document purpose, data flows, and safeguards.
- Transparency: Citizens should understand how digital systems make decisions.
- Fairness: Systems should support equitable development and avoid discriminatory outcomes.
- Digital readiness: Governance frameworks evolve alongside national digital transformation.
What It Means for Business
- Companies operating in Sri Lanka should ensure compliance with the PDPA by reviewing consent processes, storage practices, and data-access rights.
- Public-sector procurement increasingly expects transparency documentation and responsible system design.
- Organisations using analytics should prepare fairness assessments and explainability notes, particularly in regulated services.
- Early alignment strengthens credibility as the governance ecosystem matures.
What to Watch Next
- Implementation of the PDPA’s enforcement timeline.
- Algorithmic transparency guidance for public-sector projects.
- New standards for digital identity governance.
- Deeper collaboration with India, Bangladesh, and ASEAN on data transfer frameworks.
← Scroll to see full table →
| Aspect | Sri Lanka | India | Bangladesh |
|---|---|---|---|
| Approach Type | Privacy law + digital governance | Rights-based with sector rules | Digital strategy + privacy updates |
| Legal Strength | Moderate | Strong | Emerging |
| Focus Areas | Digital identity, privacy, public services | Privacy, fairness, inclusion | Digital access, inclusion |
| Lead Bodies | ICTA, Ministry of Technology | MeitY, RBI, IRDAI | ICT Division, Digital Bangladesh |
Local Resources
Related coverage on AIinASIA explores how these policies affect businesses, platforms, and adoption across the region. View AI regulation coverage
This overview is provided for general informational purposes only and does not constitute legal advice. Regulatory frameworks may evolve, and readers should consult official government sources or legal counsel where appropriate.
