6 January 2020

Introduction To Digital Security Laws In Sri Lanka

Ikigai Law


Ikigai Law is an award-winning law firm with a sharp focus on technology and innovation-led businesses. We advise clients from high impact startups to mature market-leading companies and are often at the forefront of policy and regulatory debates for emerging business models. Our TMT practice is ranked by Chambers and we were named Boutique Law Firm of the Year in 2019 by Asian Law Business.
The Cyber Security Bill has been drafted to protect vital information and essential services from cyber attack.
Sri Lanka Technology


With over 4 billion people online 1, the internet has reshaped how we do business, communicate and conduct governance 2. As the digital economy evolves, digital security has taken on a distinct urgency. Governments face a complex array of cyber-security threats with the potential to significantly damage economic growth and infrastructure critical to essential services 3. This is especially true for countries in Asia, where unlike the West, internet expansion has risen amidst the internet revolution 4. Keen to leverage the benefits of the digital economy while preserving national security in a post-internet world, Asian states tend to adopt policies that are protectionist and less aligned with international standards 5.

Bangladesh leads the world in percentage of mobile malware İnfections 6 while Sri Lanka 7 and Nepal 8 have experienced a sharp rise in the number of cyber-security attacks Therefore, with the aim to address these vulnerabilities, Bangladesh passed the "Digital Security Act, 2018" 9 ("Digital Security Act"), while Sri Lanka has presented a "Cyber Security Bill" 10 ("Cyber Security Bill"), and a "Framework for Proposed Data Protection Bill" 11 ("Data Protection Bill"). Nepal recently enacted the "Individual Privacy Act, 2018" 12 ("Privacy Act") and formulated the "Information Technology Bill, 2075" ("IT Bill") 13. While each bill/act proposes to address concerns with digital security, they are still located within a broader IT regulatory ecosystem. The following paragraphs will briefly outline the regulatory framework within each country:

Sri Lanka

Subsequent to Sri Lanka's first 'Information and Cyber Security Strategy 2019-23'30 , the Ministry of Digital Infrastructure and Information Technology formulated the Cyber Security Bill31 and Data Protection Bill32 . The cross-sectoral bills form part of the drive to strengthen33 the regulatory framework dealing with emerging cyber-security and data protection challenges. If executed, both bills will supplement the existing Electronic Transactions Act, Payments Devices Frauds Acts, Telecommunications Act, Intellectual Property Act and Computer Crimes Act.

The Cyber Security Bill has been drafted to protect vital information and essential services from cyber attacks34 . It provides the government with power to establish a "Cyber Security Agency"35 , and also empowers the "Sri Lanka Computer Emergency Readiness Team"36 and "National Cyber Security Operations Centre"37 , all of whom aim to protect "Critical Information Infrastructure"38 .

The Data Protection Bill, released shortly after the Cyber Security Bill, aims to protect personal data and regulate its processing39 under the over-arching constitutional right to information40 and corresponding right to privacy41 . Further, it intends to enhance "consumer confidence and ensure growth of digital democracy and innovation"42 . It defines "personal data"43 , "special categories of data"44 , and lists principles concerning the processing and controlling of data 45. It also establishes a "Data Protection Authority"46, a body empowered to control the implementation of the Data Protection Bill and hear matters related to data protection.

Public consultations for both bills are still on-going, with the IT industry intent on addressing its concerns with the proposed legislation47 .


As South Asia becomes increasingly digitized, vital questions around the security of information arise. While each country has recognized the need for a robust digital security framework, problems are still abound. Larger issues stem from freedom of speech and surveillance concerns 67, and issues pertaining to strict regulation have also been raised by industry 68.

The next post in this series will delve further into the challenges faced by each regulatory regime. Additionally, it will attempt to chart a path that may negotiate these challenges, and provide recommendations for the same.

(This post has been authored by Vijayant Singh, Associate, with inputs from Nimisha Dutta, Counsel at Ikigai law)


1 Simon Kemp, digital in 2018: World's internet users pass the 4 billion mark, available at

2 Anmar Frangoul, 10 ways the web and internet have transformed our lives, CNBC, available at

3 Victoria A. Espinel, Cybersecurity threats defy national borders, so countries should collaborate, not clam up, South China Morning Post, available at

4 Centre for Long Term Cybersecurity, Asian Cybersecurity Features, available at

5 Victoria A. Espinel, Cybersecurity threats defy national borders, so countries should collaborate, not clam up, South China Morning Post.

6 Security Magazine, Which Countries Have the Worst and Best Cybersecurity? Available at

7 Roartech, Can Sri Lanka's Cyber Security Strategy Protect Us? available at

8 Kathmandu Post, 19 govt sites breached in latest cyberattack, available at

9 Bangladesh Digital Security Act, 2018 available at

10 Sri Lanka Cyber Security Bill, 2019, available at

11 Framework for Proposed Data Protection Bill, 2019, available at

12 Nepal Privacy Act, 2075 (2018), available at

13 Nepal Information Technology Bill 2075 (2018).

30 Information and Cyber Security Strategy, 2019-2023, available at

31 Sri Lanka Cyber Security Bill, 2019, available at

32 Framework for Proposed Data Protection Bill, 2019, available at

33 In 2017, Sri Lanka was rated with a 'maturing' performer under the Global Cybersecurity Index ("GCI"), receiving a rank of 71 amongst 193 countries. See: International Telecommunications Union, Global Cybersecurity Index 2017, available at

34 Section 2, Sri Lanka Cyber Security Bill, 2019.

35 Section 3, Sri Lanka Cyber Security Bill, 2019.

36 Section 15, Sri Lanka Cyber Security Bill, 2019.

37 Section 16, Sri Lanka Cyber Security Bill, 2019.

38 Section 18, Sri Lanka Cyber Security Bill, 2019.

39 Preamble, Framework for Proposed Personal Data Bill, 2019.

40 Article 14A, Constitution of Sri Lanka.

41 The constitutional right to privacy is carved out as an exemption to the right to information under Article 14A of the constitution of Sri Lanka.

42 Preamble, Framework for Proposed Personal Data Bill, 2019.

43 Section 53, Framework for Proposed Personal Data Bill, 2019.

44 Section 53, Framework for Proposed Personal Data Bill, 2019.

45 Part II, Framework for Proposed Personal Data Bill, 2019.

46 Part VII, Framework for Proposed Personal Data Bill, 2019.

47 Ruwandi Gamage, IT industry wants more say in Cyber Security Bill, available at

67 The Kathmandu Post, Everything you need to know about the Nepal government's new IT bill, available at; Sandaran Rubatheesan, Flaws in draft cybersecurity bill under review, available at; Rock Ronald Rozario and Stephan Uttom, Bangladesh's digital security act: old wine in new bottle? UCA News , available at

68 The Kathmandu Post, Everything you need to know about the Nepal government's new IT bill, available at; Ruwandi Gamage, IT industry wants more say in Cyber Security Bill, available at; S. Barik, Banladesh's Digital Security Bill can have a 'chilling effect on free speech': Asia Internet Coalition, available at

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.

Mondaq uses cookies on this website. By using our website you agree to our use of cookies as set out in our Privacy Policy.

Learn More