Enabling Legal Environment
Digital Laws play a major role in use of ICT, as it provides the necessary legal environment for using electronic data and digital documents for official as well as personnel purposes and carrying out electronic transactions. Moreover, the activities that are detrimental for the use of Digital transactions should be regulated by Computer Crime laws. This page provides information and links related to Digital Laws which have been adopted in Sri Lanka.
Data Protection Act
Data protection rules have become an increasingly important legal regime in an information age where personal data has become a significant asset of many companies, especially those operating over the Internet. However, in a connected global economy, national data protection rules can be easily circumvented and protections granted to the citizens lost as data is transferred out of the jurisdiction. In an attempt to prevent such circumvention, the EU data protection regime contains provisions controlling the transfer of personal data to non-EU countries, such as Sri Lanka.
The Data Protection Legislation will be implemented in stages. The entire Bill will come into operation within a period three (03) years from the date the Speaker certifies the Bill. This would provide sufficient time for Government and private sector to take adequate steps to implement this legislation. The Data Protection authority is required to be established within 18 months.
Several obligations have been imposed by this legislation on those who collect and process personal data (“Controllers” and “Processors”) and whole new set of rights have been given to citizens under this new legislation, which are known as “Rights of data subjects”.
For instance, personal data could be collected only for a specified purpose and not for any other purpose that is incompatible with the said purposes. However, processing data in public interest, scientific or historical research will not be considered incompatible. Personal Data has to be processed in a manner to ensure appropriate security, including protection against accidental loss, destruction or damage.
Data subject (individuals) will have the right to withdraw his or her consent given to Controllers and will also have the right to rectify the data without undue delay. Further, the Data Subjects have been given the right to object to processing of their data. These rights of data subject can be exercised directly by the individuals with the Controller, who are required to respond within a defined time period and is obliged to give reasons for refusing to meet the request or reasons why the Controller would refrain from further processing the said data. The individual has a right of appeal against the decision of Controller to the Data Protection Authority.
Although the original Framework had provisions for the mandatory registration of Controllers, this requirement has been removed in the latest version. Instead, the Drafting Committee has deliberated and introduced specific and comprehensive transparency and accountability obligations on Controllers. The accountability obligations would require the Controllers to implement internal controls and procedures, known as a “Data Protection management Program”, in order to demonstrate how it implements the data protections obligations imposed under the Act.
The Legislation also prohibits Controllers who process personal data from sending unsolicited messages, unless the individuals have given express consent. Provisions have also been included to deal with relationships between controllers and third parties who process personal data on their behalf.
Importantly, administrative penalties have been introduced with a ceiling instead of fines calculated on the global turnover of the controllers.
The drafting Committee had also taken into account international best practices, such as the OECD Privacy Guidelines, APEC Privacy Framework, Council of Europe Data Protection Convention, EU General Data Protection Regulation and laws enacted in other jurisdictions such as United Kingdom, Singapore, Australia and Mauritius, Laws enacted in the State of California as well as the Indian Bill, when formulating the said draft Legislation.
Information and Communication Technology Agency, in partnership with other entities, conducted two rounds of stakeholder discussions. In addition, targeted group discussions were held with other stakeholder communities, including Bank Chief Information Officers, Health Informatics Unit of the Ministry of Health and representatives of the Right to Information Commission. In addition, the proposed legal framework was reviewed by an Independent Review Panel led by Hon. K. T. Chithrasiri, former Justice of the Supreme Court of Sri Lanka and Prof. Savithri Goonesekera.
The Data Protection Drafting Committee was led by Jayantha Fernando (Chair/ Convenor), and comprised Yamuna Ranawana and Thushari Vitharana (Legal Draftsman’s Dept), Kanchana Ambahawita and Niluka Herath (Central Bank of Sri Lanka), Sunali Jayasuriya (ICTA), Sanduni Wickramasinghe (Mobitel), Trinesh Fernando and Shenuka Jayalath (Dialog PLC).
Personal Data Protection Act No: 09 Of 2022
English Sinhala Tamil
Simplified Note on the Data Protection Act
Versions of the Data Protection Bill
Electronic Transactions Act
The most relevant legislation for use of ICT in government and establishment of e-government services is the Electronic Transactions Act No. 19 of 2006. The drafting of Electronic Transactions legislation was enabled through a joint Cabinet Memorandum of the Prime Minister, the Minister of Trade and Commerce and the Minister of Science and Technology. Consequently, on 22nd September 2004 the Cabinet of Ministers decided that legislation on Electronic Transactions should be prepared through the Legal Draftsman’s Department in conjunction with ICTA. The legislation was prepared by the Legal Draftsman with legal and policy inputs from ICTA and presented to Parliament on 7th March 2006. The Electronic Transactions Act was brought into operation with effect from 1st October 2007 (vide Gazette Extraordinary No. 1516/25 of 27th September 2007).
The Electronic Transactions Act No. 19 of 2006 is based on the standards established by United Nations Commission on International Trade Law (UNCITRAL) Model Law on Electronic Commerce (1996) and Model Law on Electronic Signatures (2001).
The act has been amended in 2017 to harmonize the Sri Lankan Electronic Transactions Legislation in line with the UN Electronic Communication Convention (UN ECC), the only international standard for e-Commerce legislation. Sri Lanka became the first country in South Asia and second country is Asia (after Singapore) to become a state party to UN ECC. During the drafting of the UN ECC, Sri Lanka was represented by ICTA and Legal Draftsman’s Dept.
The Amending Act No. 25 of 2017 will ensure greater legal certainty for e-Commerce and e-Business providers who wish to use Sri Lankan law as the applicable law and ensure international validity for electronic contracts. This will create greater trading opportunities for Sri Lankan SME’s with state parties to UN ECC. In addition, it would also bring clarity and predictability to the legal value of the use of electronic communications in cross-border trade with other Contracting States.
It will also ensure legal validity for other international legal instruments as well as cross border funds transfers, including enforceability of Foreign Arbitration Awards, enhancing the ability of Sri Lanka to fast track its move towards paperless trade facilitation through a single window platform. In the future Arbitration awards can be enforced in paperless form with ratification of UN ECC, creating an opportunity for Sri Lanka to be a hub for electronic commerce and business dispute resolutions and arbitrations. In addition, the new Legislation will improve trust and confidence and legal certainty for all types of business transactions using electronic means, thus improving competitiveness and ability to do business with greater efficiency.
Sri Lanka also has an advanced inter-bank payment and settlement system facilitating immediate bank to bank transfers carried out in a secure manner using electronic signatures. This is supplemented by two mobile payment licensed operators (Dialog’s “Ez-cash” and Mobitel’s M-cash), which facilitate mobile commerce and peer-to peer payment options (persons-to-person transactions). Recently, Central Bank of Sri Lanka formulated a mechanism for e-Commerce payment providers to use multiple payment options for e-Commerce/ Business transactions, within the current regulatory framework (eg:- recent approval for “Pay-Here”). These payment options can be used to enhance trade, commerce and business using the new Electronic Transactions Amendment.
Based on UN ECC, the Amendment Law defines the time and place of dispatch and receipt of electronic communications between contracting parties, tailoring traditional contract rules to transform into the digital era. The Amendment also allows for the enforceability of contracts entered into by automated message systems, formed without human interventions.
The amendment has also improved processes for delivery of Services by Government entities and Courts. For instance Section 8 of the Electronic Transaction Act has facilitated many Electronic Government Transactions and helped improve efficiency (Eg: eVisa at Department of Immigration and Emigration, e-Revenue Licenses at Department of Motor Traffic, payment of rates and taxes online at Municipal Councils etc.).
The new amendment will strengthen the existing provisions to move government transaction to the digital era, through the use of stronger and more secure electronic based authentication methods for all categories of Government transactions, including electronic tax filings, e-procurement and other revenue based transactions. These transformations could be done by formulating Regulations under the Electronic Transactions Act, based on the cross cutting provisions in the new Amendment.
The 2017 Amendment will also facilitate the use of biometrics based authentication technologies to ensure effectiveness of digital certificates and other forms Digital IDs. The new definition of “Electronic Signatures” in the amending law is broad and futuristic enough to cover all new forms of authentication methods in the digital era. The Amendment also provides a liberalized regime for the use of Electronic Signatures and a governance framework to ensure inter-operability between authentication technologies.
Another unique feature of the Amendment is that it facilitates electronic filing of any application, petition, plaint, answer, written submission or any other document in any Courts. This would enhance the ability to adopt e-filing in original Courts, which are not governed by Supreme Court and Appellate procedure Rules.
Based on this Act steps could now be taken by government organizations to provide services by electronic means as well as to retain data and information in electronic form.
The Convention aims to enhance legal certainty and commercial predictability where electronic communications are used in relation to international contracts. It addresses the determination of a party’s location in an electronic environment; the time and place of dispatch and receipt of electronic communications; the use of automated message systems for contract formation; and the criteria to be used for establishing functional equivalence between electronic communications and paper documents – including “original” paper documents – as well as between electronic authentication methods and hand-written signatures.
Digital Signature and Authentication Regime
With the rapid adoption of Digital Commerce and the introduction of e-government in the country, it is expected that electronic transactions will grow substantially in the coming years. However, this also raises the probability of identity theft, financial fraud and other Cyber security breaches resulting in the loss of trust and confidence in Digital Transactions.
To address aforesaid it is necessary to establish a national framework which defines legal, administrative and technical regulations for granting, managing and enforcing the use of digital certificates to establish the identities of those who originate e-services with the intention of minimizing fraud. The Electronic Transactions Act No, 19 of 2006 gives provides legal recognition for Electronic Signatures – including Digital certificates.
The use of Electronic Signatures through technologies such as “Digital Certificates” enables users to achieve confidentiality and integrity using the public key cryptosystem and hash function. The issuing of digital certificates are done through duly recognized certificate service providers (or Certifications Service Providers – “CSP”s), as per the provisions of the Electronic Transactions Act No. 19 of 2006 (as Amended).
The National Certification Authority (NCA) is the overall governance as well as the standard setting body functioning under the aforesaid Act, which is required for the smooth and effective functioning of Certification Service Providers (CSPs). Chapter IV of the Electronic Transactions Act No. 19 of 2006 provides for the establishment of a nationally recognized body to perform the function of the NCA.
By Order published in the Gazette on 24th September 2013 ICT Agency of Sri Lanka was designated as the NCA. ICTA is primarily responsible for the implementation of the Act and the Sri Lanka CERT (which functioned earlier as a subsidiary of ICTA) was authorized by ICTA to carry out the operational functions of NCA. Equipment and software for the establishment of NCA was purchased by ICTA under the “e-Sri Lanka Development Program”.
The NCA Task Force was established in 2011 jointly by ICTA and the Central Bank of Sri Lanka and was Co-chaired by Director/ Legal Advisor ICTA and an Asst Governor Central Bank.
On 1st August 2018, Sri Lanka CERT was established as a separate Legal entity under the Ministry. Thereafter the operations NCA was transferred from ICTA to Sri Lanka CERT. Consequently, by Gazette Extraordinary, 2147/58, dated 30th October 2019, Sri Lanka Computer Emergency Readiness Team (Sri Lanka CERT) has been designated as the Certification Authority under section 18 of the above Act to perform the functions of the NCA.
Under Electronics Transactions (Amendment) Act, No. 25 of 2017 – the Task Force is required to established to manage and administer the National Certification Authority (NCA), having regard to the qualifications and experience as well as the need to represent relevant stakeholders, with the objective of ensuring its proper administration. This Task Force is independent of the Operations of NCA.
To enhance the operations of NCA and make sure that certificates issued under NCA are recognized internationally, including with web browser vendors (Browser forum), NCA seeking to be WebTrust standard certified and the Root Certificate was launched on 14th February 2020
Electronic Transaction Act Regulations 1
Electronic Transaction Act Regulations 2
Electronic Transaction Act Regulations 3
More details on National Certification Authority
Computer Crimes Act
The Computer Crimes Act No. 24 of 2007 provides for the identification of computer crimes and stipulates the procedure for the investigation and enforcement of such crimes. The Bill was presented in Parliament and debated on 23rd August 2005 and thereafter extensively revised by the Parliamentary Standing Committee “B”. It was enacted as legislation in May 2007 and certified by the Speaker of Parliament on 9th July 2007.
The basis of the Computer Crimes Act No. 24 of 2007 is to criminalize attempts at unauthorized access to a computer, computer programme, data or information. It also contains a provision to deal with unauthorized use of computers regardless of whether the offender had authority to access the computer.
The Act creates offences for unauthorized modification, alteration or deletion of information and denial of access, which makes it an offence for any person to program the computer in such a manner so as to prevent authorized persons from obtaining access. Other offences sought to be created under the proposed Act include causing damage or harm to the computer by the introduction of viruses and logic bombs etc, unauthorized copying of information, unauthorized use of computer service and interception of a computer programme, data or information while it is been transmitted from one computer to another.
The Act introduces a new regime for the investigation of offences. Provisions have been made in the Act to designate a panel of ‘Experts’ to assist the Police in the investigation of computer crime offences.
On September 1, 2015, the Council of Europe Convention on Cybercrime (ETS 185 of 2001), often referred to as the “Budapest Cybercrime Convention”, or “Cybercrime Convention” in short, entered into force in Sri Lanka. This is a historic achievement, because Sri Lanka becomes the first country in South Asia (and only the second Asian country, after Japan) to become a state party to this Convention. Philippines and Singapore are yet to complete the accession procedure, although they attend the Convention Committee as observer and ad-hoc observers, respectively.
Budapest Cybercrime Convention is the only International Treaty that facilitates international cooperation and gives countries the ability to obtain electronic evidence stored on computer systems and networks in another country. The Convention greatly enhances the gathering of electronic evidence, as well as the investigation of cyber laundering and other serious crimes. Accession to this Convention significantly enhances the ability of Sri Lanka to carry out successful investigations of cybercrime offences, by gathering electronic evidence from state parties to the Convention. It will also help in law enforcement and judicial cooperation at international level, while ensuring adherence to human rights safeguards in the investigation process, a hallmark of this convention, made applicable amongst all parties to this Treaty.
Sri Lanka’s accession to this Convention was the fastest in the Council of Europe. This was possible due to the provisions contained in the Computer Crimes Act No. 24 of 2007 and several policies adopted in recent times, aligned with the Convention. Prior to Sri Lanka’s accession, there was an assessment of our country’s cybercrime legislative framework. The assessments carried out by the Council of Europe focused on the manner in which Computer Crimes offences were investigated (especially under the Computer Crimes Act and applicable procedural law). One key assessment was the adequacy of safeguards to match the Council of Europe standards. Sri Lanka was found to have safeguards consistent with the Convention standards and the “unanimous approval” of all state parties was obtained before Sri Lanka could be invited to Accede to the Convention.
Cyber Security Act
The objectives of the proposed Cyber Security Act is to ensure the effective implementation of the National Cyber Security Strategy in Sri Lanka, prevent, mitigate and respond to cyber security threats and incidents effectively and efficiently, set up the Cyber Security Agency of Sri Lanka and to empower the institutional framework to provide a safe and secure cyber security environment; and protect the Critical Information Infrastructure.
The Act has provision for the setting up of a Cyber Security Agency which shall be the apex and executive body for all matters relating to cyber security policy in Sri Lanka and shall be responsible for the implementation of the National Cyber Security Strategy of Sri Lanka.
The Agency will take steps to implement the National Cyber Security Strategy of Sri Lanka including preparation and execution of operational strategies, policies, action plans, programs and projects, develop security standards for the government, facilitate the adoption of the policies and standards in government institutions and other sectors and prescribe an assessment framework and criteria to assess cyber security policies and standards, identify and designate Critical Information Infrastructure (CII) in the government and other sectors.
The Act also provides provisions to develop strategies and plans for the protection of CII in consultation with the owners of CII in consultation with stakeholders, act as the central point of contact for cyber security in Sri Lanka, and provide advice to government institutions and other sectors in respect of cyber security matters, act as the interface for the multi-directional and cross-sector sharing of information related to cyber threat indicators, defensive measures, cyber security risks, incidents, analysis and warnings in relation to cyber security for government institutions.
To assist in curricular and skills development relating to cyber security, including the development of cyber security industry standards, ensure the availability of competent and highly skilled professionals in the cyber security domain, coordinate the conduct of sectoral cyber security drills from time to time to improve overall cyber security readiness, establish or designate institutions, units or any other entity to assist the Agency in the performance and discharge of its duties, set up and authorise sectoral computer emergency readiness teams in various sectors based on the critical importance of a particular sector, request the submission of reports or returns from the owners of the designated CIIs and other government institutions which includes information relating to compliance with the cyber security assessment and information relating to the steps taken to protect their CIIs.
Intellectual Property Rights (IPR)
As regards the protection of intellectual property rights (IPR), the Intellectual Property Act no. 36 of 2003 replaced the Code of Intellectual Property Act no. 52 of 1979. The IP Act of 2003 contains several new features in relation to the protection of software, trade secrets and integrated circuits. (Refer Sections 0204 and 0205 of this document for detail)
Below acts, regulations, circulars, guidelines are related to eLaws and policies of Sri Lanka government
- Information and Communication Technology Act No.27 of 2003
- Intellectual Property Act No. 36 of 2003 (Sections related to Copyright)
- Electronic Transactions Act No. 19 of 2006
- Computer Crimes Act No. 24 of 2007
- Payment And Settlement Systems Act, No. 28 of 2005
- Payment Devices Frauds Act No.30 of 2006
- Mobile Payment Guidelines – 13_mobile_payment_2011_1e
- Mobile Payment Guidelines – 14_mobile_payment_2011_2e
- Electronic Payments to Government Institutions PF447E
- Electronic Payments by Government Institutions 02_2013E
- Use of Electronic Documents and Electronic Communication for Official Use -Circular
- Use of E-Mail and ICT in general in Government Business