Cyber Law in Sri Lanka
Sri Lanka has a developing and increasingly complex cyber law landscape, driven by the need to combat cybercrime, protect data, and regulate online content. It's an area of active legislative change, and some recent laws have drawn international scrutiny regarding human rights concerns.
Here's an overview of key aspects of cyber law in Sri Lanka:
1. Computer Crimes Act, No. 24 of 2007:
This is the foundational legislation for combating cybercrime in Sri Lanka. It criminalizes a range of computer-related offenses.
Key Offenses Covered:
Unauthorized Access: Gaining unauthorized access to a computer, computer system, program, data, or information.
Access with Criminal Intent: Unauthorized access with the intention of committing another offense.
Unauthorized Modification: Altering, deleting, or corrupting data without lawful authority.
Harm to National Security: Computer activities that endanger national security, public order, or the economy.
Illegal Interception: Intercepting communications or electromagnetic emissions from computers.
Misuse of Devices: Prohibiting the sale or use of devices or software designed to commit cybercrimes.
Unauthorized Disclosure: Penalizing the sharing of access credentials or protected data.
Attempts, Abetment, and Conspiracies: Covers preparatory and collaborative acts.
Extraterritorial Jurisdiction: The Act's provisions can apply even if the offense is committed outside Sri Lanka, or if the affected computer or loss/damage is outside Sri Lanka but impacts a Sri Lankan entity or resident.
Investigative Powers: Outlines procedures for investigating offenses, including search and seizure powers (with warrants, and sometimes without in emergencies for data preservation) and the appointment of experts to assist.
Jurisdiction: The High Court has exclusive jurisdiction over offenses under this Act.
2. Personal Data Protection Act, No. 9 of 2022 (PDPA):
This is a landmark law, making Sri Lanka the first South Asian country to enact independent, comprehensive personal data protection legislation. It aims to align Sri Lanka's data protection regime with international standards. The PDPA is being implemented in phases:
Effective Dates:
Part V (Establishment of the Data Protection Authority): Came into effect on July 17, 2023.
Parts VI, VIII, IX, and X (Director-General, Fund of the Authority, Miscellaneous, Interpretation): Came into effect on December 1, 2023.
Parts I, II, III, and VII (Core Principles, Data Subject Rights, Obligations of Controllers/Processors): Are set to come into effect on March 18, 2025. This means many of the operational requirements for businesses are becoming fully active now.
Scope: Applies to the processing of personal data:
Wholly or partly within Sri Lanka.
By controllers or processors domiciled or established in Sri Lanka.
Related to the offering of goods or services to data subjects in Sri Lanka.
Involving the monitoring of data subjects' behavior in Sri Lanka.
Key Principles of Processing: Emphasizes lawful, fair, transparent, purpose-limited, proportionate, accurate, and secure processing of personal data.
Data Subject Rights: Grants individuals rights including:
Right of access to personal data.
Right to rectification (correction).
Right to erasure ("right to be forgotten").
Right to object to processing.
Right to withdraw consent.
Right to review automated decision-making.
Obligations for Data Controllers and Processors: Includes ensuring lawful processing, implementing data protection management programs, conducting data protection impact assessments (in certain cases), appointing Data Protection Officers (under specific circumstances), and notifying the Data Protection Authority and affected individuals of personal data breaches.
Cross-Border Data Transfers: Regulates the transfer of personal data outside Sri Lanka, requiring adequate protection measures or specific conditions to be met.
Data Protection Authority (DPA): Established under the PDPA to regulate personal data processing, protect individuals' privacy, and enforce the Act.
Penalties: The DPA can impose penalties for non-compliance, including fines (up to ten million rupees for a first instance, with higher penalties for subsequent violations).
3. Online Safety Act, No. 9 of 2024 (Effective February 1, 2024):
This is the most recent and controversial piece of cyber legislation in Sri Lanka. It aims to regulate online content and prevent the use of online accounts for "prohibited purposes."
Key Provisions:
Establishes an Online Safety Commission (five members appointed by the President) to oversee and enforce the Act.
Empowers the Commission to identify and declare "prohibited statements" made online and prevent the use of online accounts for "prohibited purposes."
Makes social media platforms (such as Facebook, Google, Twitter) potentially liable for content deemed "illegal" by the Commission.
Proposes to make posting content deemed "illegal" by the Commission an offense.
Prohibited Statements and Purposes: The Act aims to prohibit online communication of certain statements of fact and prevent the use of online accounts for prohibited purposes, including those deemed to:
Cause public disorder, incite violence, or promote hatred.
Defame or insult.
Involve fraud or illegal transactions.
Undermine national security or public order.
Controversies: The Act has faced strong criticism domestically and internationally from human rights organizations, civil society groups, and international bodies, who raise the following concerns:
Suppresses Freedom of Speech: Grants broad powers to the Online Safety Commission, potentially allowing arbitrary censorship and stifling dissent.
Lack of Independence: Concerns about the independence of the Commission, which is appointed by the President.
Vagueness: Critics argue that terms like "prohibited statements" are vaguely defined, leading to potential misuse.
Criminalization of Content: The Act makes posting certain content a criminal offense, raising concerns about criminalizing legitimate expression.
4. Electronic Transactions Act, No. 19 of 2006 (as amended by Act No. 25 of 2017):
This Act provides the legal framework for electronic transactions, recognizing the legal validity of electronic contracts, data messages, and electronic signatures.
Objectives: To facilitate domestic and international electronic commerce, eliminate legal barriers, establish legal certainty, and promote public confidence in digital transactions.
Legal Recognition: Grants legal validity to electronic documents, records, and communications.
Electronic Signatures: Provides for the legal recognition and use of electronic signatures and a framework for Certification Authorities.
Admissibility of Electronic Evidence: Establishes rules for the admissibility of electronic evidence in court.
5. Cybersecurity Strategy:
Sri Lanka has developed national cybersecurity strategies. A second five-year National Cyber Protection Strategy for 2025-2029 was recently approved by the Cabinet of Ministers (as of July 2025). This strategy, developed by Sri Lanka CERT, aims to reinforce legal and regulatory frameworks, enhance cyber readiness, improve incident response capabilities, and foster international and domestic cooperation. It builds on the previous 2018-2023 strategy.
6. Proposed Cybersecurity Act:
A dedicated Cybersecurity Bill has been in the works for several years, facing delays and revisions. As of mid-2025, it is reportedly nearing its final stages before submission to the President.
Aims: To ensure the effective implementation of the National Cyber Security Strategy, prevent and respond to cyber threats, establish a Cyber Security Regulatory Authority (CSRA), and empower an institutional framework.
Concerns: Similar to the Online Safety Act, there have been concerns from experts and civil society regarding its scope, potential for overreach, and implications for digital rights and governance, including debates about whether there should be separate military and civilian cyber laws. The proposed dissolution of Sri Lanka CERT and its incorporation under the new CSRA also raised "maker-checker" conflict of interest concerns.
Overall Context and Challenges:
Sri Lanka's cyber law landscape is characterized by:
Rapid Development: New laws and amendments are being introduced frequently.
Dual Focus: Balancing the need for national security and combating cybercrime with protecting individual rights and privacy.
International Scrutiny: Some recent laws, particularly the Online Safety Act, have drawn significant international criticism over concerns about freedom of expression and human rights.
Implementation Challenges: The effective implementation and enforcement of these new laws, especially the PDPA, require significant capacity building and public awareness.
Businesses and individuals operating in Sri Lanka's digital space need to stay updated on these evolving laws and regulations and seek local legal advice to ensure compliance.