Tuesday, 10 March 2026 00:26

World Bank Senior Digital Specialist Anna Metz

GovTech CEO Sanjaya Karunasena
On 11 February, I joined an executive briefing on the $50 million Sri Lanka Digital Transformation Project, financed by the World Bank and implemented by GovTech Sri Lanka. World Bank Senior Digital Specialist and Task Team Leader for the project Anna Metz spoke at the meeting, as well as GovTech CEO Sanjaya Karunasena, who outlined the Government’s broader digital ambitions. I asked two questions. Despite sustained and significant issues with sound for participants attending the meeting virtually, neither received an adequate answer.
The first concerned the project’s environmental and social risk classification. The World Bank’s own Project Information Document (PID) rates this as “low.” I wanted to know what specific assessment methodology justified this classification for a project building national data exchange and biometric identity infrastructure in a post-war society rife with militarisation, and whether the assessment incorporated Sri Lanka’s history of, and ongoing, state surveillance violently targeting Tamil-speaking communities in the North and East. The second question addressed language. The PID references the “creation of local language content” within a digital literacy sub-component, yet Sri Lanka’s digitalisation programme remains the first ever, and only, national digital transformation programme in the world proceeding at pace without any local language documentation. I asked whether the Bank would require simultaneous trilingual publication of all project-related documents, citizen-facing platforms, and public consultation materials in Sinhala and Tamil as a condition of disbursement, and how compliance would be independently verified.
Environmental and social risk classification
The presentations and responses were instructive in their evasion. Metz repeatedly emphasised that the project originates from the Government’s own strategy and priorities, that the Bank plays a “financing role, advisory role, oversight role,” and that GovTech implements. She used this formulation no fewer than four times during the briefing. The distancing language constructs a form of structural deniability: if the Digital ID system or the National Data Exchange raises human rights concerns, the Bank can point to the Government as the decision-maker, despite the Bank financing the very platforms that make centralised surveillance architecturally possible (under any future Government or president).
What Metz chose not to mention proved as revealing as what she said. Her presentation covered a so-called ‘Super App’, the National Data Exchange, GovCloud, Government collaboration tools, digital adoption programs, institutional enablers, and the startup ecosystem. Not a single slide or verbal reference addressed human rights, data protection, privacy safeguards, or the Digital ID system. The entire PID document itself contains no mention of rights whatsoever. For a project that will centralise biometric data, link revenue, police, immigration, and financial records through a national data exchange, and roll out a citizen-facing super app to a target of apparently four million users in the next couple of years, the absence can be read as a strategic choice.
GovTech’s CEO Karunasena, by contrast, went considerably further than the PID’s hedged language. He described biometric registration at birth, with children’s biometrics maturing at age five and a fully-fledged Digital ID issued upon school entry. He spoke of a sandbox environment where banks and telecommunications companies already integrate with Digital ID APIs. He envisioned a country that is “paperless, cashless, and presence less” – a framing predicated on efficiency but, in a society still contending with the violent and deeply discriminatory structural legacies of a 30-year civil war, could also be read as a blueprint for surveillance by default, if not by design. When biometric databases linking revenue, police, immigration, and financial systems proceed without meaningful public consultation, or any rights-based guardrails, what risks emerging is a pervasive digital panopticon disguised as development frameworks.
4 million user target
The four million user target is also interesting in its lack of any discernible grounding or context. Why four, and not three, or five? How was this figure arrived at? Speaking in November 2025, UNDP Country Economist Dr. Vagisha Gunasekara addressed Sri Lanka’s digital divides, and painted a starkly different picture from the World Bank’s roseate projections: 39% of households remain offline, a 34% gender gap persists in internet use, and only 7% of persons with disabilities access the internet compared to 24% of the general population. To promise four million users of digital Government services by 2029 without first addressing these structural exclusions is to build a system that will, by its very architecture, only best serve those already connected whilst deepening the marginalisation of those who are not. Significant violence will inevitably be the result. The PID’s own data acknowledges that only 51% of individuals actively use the internet and only 55% have made or received a digital payment. Digital literacy, the Bank concedes, remains a barrier. The question the PID does not ask – and the briefing did not address – is what happens to the 49% left outside the system when Government services migrate entirely online, as GovTech’s CEO presented.
Human rights safeguards
We aren’t alone in facing these questions regarding digitalisation and its financing. Amnesty International’s Algorithmic Accountability Lab and the Digital Rights Foundation raised similar alarm about Pakistan’s Digital Economy Enhancement Project, warning that Bank-funded DPI without human rights safeguards risks enabling surveillance and exclusion. The NYU Centre for Human Rights and Global Justice’s primer on the World Bank’s role in promoting digital ID documents a pattern: the Bank promotes Aadhaar-inspired identity systems across the Global South without adequate safeguards, replicating known harms at scale. An open letter by Access Now to the World Bank as far back as September 2022 demanded an independent rights-based assessment of the Bank’s digital ID portfolio, a temporary moratorium on new ID investments, and meaningful civil society engagement. The same model, the same financing architecture, the same hedged language, the same structural deniability, now operates in Sri Lanka.
Environmental and social risks
To wit, the World Bank’s own Environmental and Social Framework provides the standard against which this project should be judged, and by which it fails. The framework explicitly requires borrowers to assess and manage environmental and social risks throughout the project life cycle, proportionate to the nature and scale of the project. It requires consideration of risks to disadvantaged and vulnerable groups. It demands assessment of contextual risks – a provision directly applicable to Sri Lanka’s post-war, militarised context where the security apparatus asymmetrically surveils, and impacts Tamils, Muslims, and other minorities. The Prevention of Terrorism Act (PTA) remains operational, the draconian Online Safety Act (OSA) is still in our statute books, and the proposed Prevention of State Terrorism Act (PSTA) is far worse than the existing PTA, especially around digital surveillance. Given this well-known socio-technological, historical, and political context, a national data exchange linking Government databases and a biometric identity system constitute high-risk infrastructure by any reasonable assessment. To classify this project as “low” risk is a failure of the Bank’s own due diligence.
Sri Lanka deserves better
In meetings offline across the country over the past year, I keep stressing that I have zero objection to digitalisation done right, and that it is vital for Sri Lanka – even beyond economic imperatives. What I object to is the pretence by donors that building biometric databases, national data exchanges, and centralised service platforms in a country with Sri Lanka’s political history constitutes a low-risk enterprise. The World Bank knows better. Its own frameworks demand better. The communities in the North and East who have lived under the jackboot of militarisation and surveillance deserve better. If the World Bank is serious about its own Environmental and Social Framework, it should reclassify this project’s risk rating, commission an independent human rights impact assessment, require trilingual documentation as a disbursement condition, and ensure that no citizen is compelled to surrender biometric data to access Government services. Anything less is to, as I have written in the past, risk the entrenchment of a more efficient authoritarianism dressed in the language of economic development and digitalisation.
(The author has a PhD in Social Media and Politics from the University of Otago and is Sri Lanka's first TED Fellow. He counts over 20 years’ experience in peace building, civic media, and digital security. He is also the founder and former editor of Groundviews, Sri Lanka's first, and award-winning, citizen journalism website.)