Sri Lanka online safety and personal data protection: Thoughts for our legislators towards bipartisan consensus

Monday, 9 June 2025 00:05

Enforcement mechanisms and alignment between laws remain critical challenges given that online safety is a growing concern in Sri Lanka

 

Strengthening transparency, independence, and enforceability, particularly around cross-border data, data subject rights, and oversight mechanisms, will be crucial if the PDPA is to serve its intended purpose in Sri Lanka’s evolving digital landscape. The compelling need now is an aware, bipartisan consensus, on this issue if we are to risk manage the individual, the many institutions, whether regulatees or regulators, licensees or licensors, and indeed the reputation of our country

 

While yet overseas, I was alerted to the parliamentary debate last week in connection with amendments to our Personal Data Protection Act. The call from legislators whom I have known for over two decades was also because of my two-part series on cyberattacks, WhatsApp hacks and a comparative analysis of the legal, regulatory and emergency response infrastructure in jurisdictions such as the United Kingdom, India, Australia, New Zealand and Japan. This article, which I might call the third in the series, on online safety and personal data protection, is clearly connected and will be the last in the series.

My purpose

My purpose, in keeping with the philosophy of the Thought Leadership Forum, is to enhance awareness among a wide cross section of stakeholders, but in particular policy planners, the offices of the Legal Draftsman, the Ministry of Justice, the Attorney General’s Department and our legislators, on the need to address this issue as a matter of compelling national importance.

Depth, balance, maturity and up-to-date thoroughness

Yes, it has to be addressed with a sense of urgency but with depth, balance, maturity, a multi stakeholder perspective, and an up-to-date thoroughness. Given the availability of global benchmarks, which do not require us to reinvent the wheel, and resources which are available from multilateral and bilateral development partners, this is not too much an “ask” within the context of our national focus on digitisation, its merits, risks and necessary safeguards. Thus this brief article from the perspective of a layman in this sector, is intended to urge domain experts to facilitate, bipartisan dialogue and consensus, leading to legislative refinement in the spirit of safeguarding digital rights and promoting responsible innovation in Sri Lanka. Thus let’s look at the challenges even developed jurisdictions have had to experience.

A global reckoning for big tech platforms

In recent years, the world has witnessed a growing backlash against dominant technology platforms whose business models rely heavily on data extraction, algorithmic targeting, and global market dominance. Facebook, Google, and TikTok—three of the most influential digital companies—have all faced significant legal and regulatory challenges for violating user rights, breaching privacy laws, and distorting fair competition across various jurisdictions.

Facebook’s fall from grace:

The Cambridge Analytica scandal

One of the most notorious privacy breaches in tech history was the Cambridge Analytica scandal in 2018. Facebook allowed a political consulting firm to access personal data from up to 87 million users without their explicit consent. This data was allegedly used to manipulate voter behaviour in multiple elections, including the 2016 US presidential race. The US Federal Trade Commission (FTC) fined Facebook a record $ 5 billion in 2019, while the UK’s Information Commissioner’s Office imposed the maximum penalty of £ 500,000 under pre-GDPR rules.

Beyond one scandal:

Meta’s pattern of data privacy violations

Facebook’s troubles extended well beyond Cambridge Analytica. The company has been repeatedly fined under the EU’s General Data Protection Regulation (GDPR), including a € 265 million fine in Ireland in 2022 for failing to protect users’ data from being scraped and leaked online. The company has also been investigated in India for not acting swiftly on harmful content and misinformation. Allegations of algorithmic bias and the promotion of harmful content through Facebook’s News Feed further illustrate systemic problems in content governance.

Google’s antitrust troubles span continents

Google, the flagship of Alphabet Inc., has faced multiple antitrust lawsuits and penalties across the world. In the European Union alone, it has been fined over €8 billion in a series of cases between 2017 and 2019, including a € 2.42 billion fine for favouring its own shopping services in search results and a € 4.34 billion fine for using Android to strengthen its search dominance. The US Department of Justice and several states have also launched ongoing antitrust lawsuits aimed at breaking up its ad tech and search monopolies.

Google’s privacy breaches and exploitation of children’s data

Beyond competition issues, Google has been accused of violating user privacy and data protection laws, especially in its advertising business. One of the most controversial cases was a $ 170 million fine imposed by the FTC in 2019 for illegally collecting data from children on YouTube. European data regulators have also fined Google for failing to offer clear consent mechanisms for personalised ads, thereby breaching GDPR standards.

TikTok, the spectre of surveillance and youth exploitation

TikTok, owned by China-based ByteDance, has faced serious allegations related to children’s privacy violations and national security risks. In 2019, the US fined TikTok $ 5.7 million for collecting personal data from users under 13 without parental consent. In 2023, the UK’s Information Commissioner’s Office (ICO) fined the platform £ 12.7 million for similar violations. Governments around the world, including the European Union and several US states, have raised concerns over TikTok’s opaque data practices and potential links to the Chinese government.

A digital cold war:

National bans and geopolitical scrutiny

India became the first major country to impose a full ban on TikTok in 2020, citing national security concerns after a border clash with China. Several Western governments have since barred the app from official devices. TikTok’s content moderation practices have also come under fire for suppressing political speech, particularly content critical of the Chinese government or content related to LGBTQ+ rights and minority issues.

A pattern of algorithmic harm and regulatory gaps

All three companies—Facebook, Google, and TikTok—have faced criticism for their use of opaque algorithms that amplify divisive, harmful, or addictive content. These platforms have profited from engagement-driven models that prioritise virality over accuracy, often undermining democratic processes and mental health. Yet, in many jurisdictions, legal and regulatory frameworks remain fragmented or outdated, unable to fully hold these digital giants accountable.

A call for stronger oversight and global “Digital Ethics”

The recurring pattern of violations shows that tech companies often act only in response to penalties or a public backlash, not from a proactive commitment to ethics. The need for global cooperation on data protection, antitrust enforcement, and online safety has never been more urgent. Jurisdictions such as the EU and India are setting examples through robust legislation (GDPR and India’s DPDPA).

Sri Lanka

It is against this background that I have been keeping abreast of Sri Lanka’s Online Safety Act and the Personal Data Protection Act. Yes, we can pat ourselves on the back for these initiatives. However, implementation and execution must not be delayed or diluted. Enforcement mechanisms and alignment between laws remain critical challenges given that online safety is a growing concern in Sri Lanka, especially with the increasing prevalence of cybercrimes and digital threats. Let’s look at what we have on the ground.

The Online Safety Act

Enacted on 1 February 2024, the Online Safety Act (No. 9 of 2024) establishes the Online Safety Commission, a five-member body responsible for regulating harmful digital content. The Act aims to combat cybercrimes such as data theft, child abuse, and online fraud. It also holds social media platforms accountable for illegal content posted by users. However, the Act has faced criticism from human rights groups and opposition politicians who argue that it could suppress freedom of speech.

Personal Data Protection Act

Complementing the Online Safety Act, the Personal Data Protection Act (No. 9 of 2022) was enacted to regulate the processing of personal data and strengthen the rights of data subjects. The Act establishes the Data Protection Authority, which oversees compliance and enforces penalties for non-compliance. While parts of the Act have come into effect, the implementation of certain provisions has been postponed pending further government announcements.

Sri Lanka CERT|CC Initiatives

The Sri Lanka Computer Emergency Readiness Team | Coordination Centre (CERT|CC) plays a pivotal role in promoting online safety.

CERT’s initiatives include:

  • Educational resources: Providing information on safe internet use, protecting against scams, and understanding cyber threats.
  • Reporting mechanisms: Offering channels for the public to report cyber incidents and seek assistance.
  • Awareness campaigns: Conducting workshops and seminars to educate various stakeholders about cybersecurity best practices.

Parental controls and youth safety

With the rise in internet usage among children and teenagers, ensuring their safety online has become paramount. Experts recommend starting with securing the home Wi-Fi router to block inappropriate websites. However, tech-savvy children can sometimes bypass these restrictions, highlighting the need for ongoing supervision and open communication between parents and children.

Amendments to our legislation

Amendments were made to our Online Safety Act in August 2024, but critics argue they left core issues—such as vague terminology, excessive platform obligations, and lack of oversight—substantially unresolved. The next steps of the Government remain unclear, but domain experts, relevant Governmental authorities, departments, ministries and indeed legislators – people’s representatives from all political parties – can engage their minds to determine whether what I summarise below still has merit and, if so, to proactively initiate necessary actions.

Perceived and real deficiencies in our Online Safety Act – concerns expressed by many

  • Limited scope on data privacy: The Act lacks a comprehensive data privacy framework and does not govern user consent, data collection, or cross-border data transfers.
  • Overlap and confusion with PDPA: Delayed enforcement of the PDPA and undefined coordination between the Online Safety Commission and Data Protection Authority risk fragmented regulation.
  • Vague definitions and ambiguities: Broadly defined terms risk arbitrary enforcement and suppression of legitimate speech.
  • Insufficient institutional independence and capacity: Concerns about political influence, limited resources, and undefined procedural safeguards hinder fair enforcement.
  • Weak User Redress Mechanisms: The Act lacks clear appeal processes, independent review, and judicial oversight.
  • Absence of explicit protections for vulnerable groups: Broader protections beyond child abuse are absent, especially for other at-risk populations.
  • Inadequate measures against platform manipulation: The law does not mandate transparency in algorithmic content delivery or targeted ads.
  • Limited international cooperation provisions: The Act has minimal mechanisms for cross-border collaboration or enforcement.

Perceived and real deficiencies in our Personal Data Protection Act – concerns expressed by many

  • Independent oversight

The President appoints members of the Data Protection Authority (DPA) without a clear, independent vetting process. The risk to individuals is the potential politicisation of a regulatory body that should remain independent.

  • Recourse

There is concern that individuals may not have a neutral recourse mechanism when their data rights are violated.

  • Public trust

The deficiencies of the Act may undermine public trust in the enforcement of the Act.

  • Cross-border transfers

There may be ambiguities around Cross-Border Transfers, leading to the risk of executive discretion in determining safe and eligible jurisdictions for data transfer. The risk to individuals is that data could be transferred to countries with weaker data protection laws.

  • Legal certainty

There is apparent legal uncertainty for individuals about where their data is stored and protected.

  • Data subject rights

Data subject rights may be diluted, given that fees, if excessive, will deter individuals from exercising rights such as access, rectification, or deletion.

  • Subjective judgment of data controllers

The Act may place subjective judgment in the hands of data controllers, potentially leading to abuse.

  • Impact assessments

The standards for Security and Impact Assessments are said to be vague. The regulations regarding Data Protection Impact Assessments (DPIAs) lack clarity and have the potential to be diluted in implementation.

  • Appointment of Data Protection Officers (DPOs)

There is said to be a lack of clarity regarding the obligations of organisations in appointing DPOs. Relevant criteria should be precisely defined. Organisations may avoid accountability mechanisms, reducing internal oversight and guidance on data protection compliance.

  • Broad executive discretion without judicial oversight

There is a centralisation of significant discretionary power within the Ministry and the President. Decisions on adequacy, exemptions, or enforcement could be arbitrary. Individuals have fewer safeguards or remedies if these decisions adversely affect their data rights.

  • Implementation delays

Delays or staggered implementation of the Act will dilute urgency and consistency in upholding data protection standards. In the transition period, public and private entities may continue operating without adequate safeguards, leaving a legal vacuum in which data subjects are unprotected.

Many believe that unless the above-mentioned issues are addressed, the law risks becoming “compliance-oriented”, that is, favouring institutional convenience, rather than “rights-oriented”, that is, centred on individual privacy.

Strengthening transparency, independence, and enforceability, particularly around cross-border data, data subject rights, and oversight mechanisms, will be crucial if the PDPA is to serve its intended purpose in Sri Lanka’s evolving digital landscape.

The compelling need now is an aware, bipartisan consensus, on this issue if we are to risk manage the individual, the many institutions, whether regulatees or regulators, licensees or licensors, and indeed the reputation of our country.

Personal thoughts, reflections and reminiscences

When we opened the economy in 1977, and transitioned from a closed, inward, insular nation, to an open, outward looking one, we were poised to be the leader of South Asia. Let us not be the laggard. 

The generation we brought into this world is watching and we owe them this much and more. That generation includes my son and his next generation – my granddaughter who turned an enjoyable two, just 10 days ago and are of course naturally asleep, together with their respective mothers, as I let my fingers do the walking at 5 a.m., on this ordinarily cold and rainy but now sunny Sunday morning, while holidaying in North Wales in a cosy Airbnb, nestled between the coast on one side, rugged rolling hills on the other, scenic beauty all round and seagulls aplenty, calling out to me to step out for a walk, so that I will not miss this morning of the day.

I will now head out to a walk and will as always, reflect upon those warm and inspiring mornings of my life, in a small but beautiful, remote village in that deep southern hinterland of Hambantota, in that land like no other – Sri Lanka, a country, with so much abundant potential, but yet punching below its weight class, while sitting on a gold mine, blessed with so much, we have for too long, trifled with.

Nevertheless, I shall remain optimistic. As Bill Clinton said in his state of the union address, the country should be guided more by aspirations for the future than by nostalgia or fear of the past, and I quote “If our dreams are longer than our memories, we shall forever be young. That is our Destiny, This is our Moment.”
