The World Bank in Sri Lanka: Financing the digital State, ignoring the dangers

In early March, I wrote to the Daily FT about the World Bank’s $50 million Sri Lanka Digital Transformation Project, based on the Project Information Document (PID) which is a preliminary summary released before formal Board approval. (See https://www.ft.lk/columns/Financing-the-framework-fleeing-the-fallout-World-Bank-financing-digitalisation-in-Sri-Lanka/4-789345)  I have since studied the Bank’s full Project Appraisal Document (PAD) from November 2025, which at 46 pages carries considerably more detail, and also gives far more cause for concern.

The PAD structures the project across three components. Component 1 ($39 million) builds core digital public infrastructure: a citizen and business portal, mobile SuperApp, digital credential locker, authentication and e-signature tools, a National Data Exchange (NDX) for Government interoperability, and a hybrid GovCloud solution, alongside training 300 digital champions across 75 agencies, citizen literacy programs in underserved communities, and the legal architecture for a proposed Digital Economy Authority. Component 2 ($8 million) targets $5 billion in IT exports by 2030 through an industry development strategy, an international accelerator for at least 100 startups with dedicated women-led tracks, and market access support in two to three priority markets. Component 3 ($3 million) covers project management. Key targets by December 2029 include 4 million individual users and 25,000 businesses on digitally enabled services, 50 Government systems connected to the NDX, and 50 services migrated to GovCloud, with gender-specific targets of 25 women-led startups completing the accelerator, 8 securing investment, and 150,000 women reached through the digital empowerment program.

Several of these ambitions are genuinely welcome, and are inextricably tied to the country’s post-2022 economic recovery. The commitment to participatory co-design, usability testing, and open consultations addresses a persistent gap, as does the provision of facilitated service desks in underserved communities: a practical acknowledgement that digital adoption cannot be assumed. Local language content in Sinhala and Tamil, accessibility provisions for persons with disabilities, and gender-disaggregated targets across both components signal an awareness of inclusion challenges that the Government’s own technocrats leading digitalisation have conspicuously ignored. The two citizen engagement indicators (a 75% satisfaction target and a participatory design benchmark) at least gesture towards accountability mechanisms the Government has shown no interest in establishing independently.

The problem is the distance between these gestures, and ground realities.

Take local languages. The PAD mentions multilingual design for the SuperApp and emphasises Sinhala, and Tamil content creation within the digital adoption subcomponent. But multilingual content appears nowhere as a disbursement condition or compliance mechanism. No results indicator measures whether the platforms actually function in Sinhala and Tamil. No requirement exists for trilingual publication of the project’s own governance instruments, procurement contracts, or technical specifications. I’ve repeatedly noted that Sri Lanka remains the only country I know of undertaking a comprehensive digitalisation program without any official documentation whatsoever (statement, framework, blueprint, explainer, video, infographic, podcast or article) in the languages spoken by the vast majority of citizens. The PAD treats this as a feature gap to be addressed through a subcomponent activity. It is in fact a structural exclusion by political choice, which the World Bank now finances without requiring its correction as a precondition for a single dollar of disbursement.

Through direct, personal experience I’ve documented how the Department for Registration of Persons - the institution administering the very national ID system the PAD calls a “valuable asset” for DPI development - operates exclusively in Sinhala for all verbal, in-person instructions. A Tamil woman next to me kept getting up every time an announcement was made, completely lost, until I calmed her down by explaining how things were proceeding, and asking the man shouting instructions to recognise there were those present who didn’t understand him. The World Bank assumes digital platforms can transcend this institutional culture, but it’s nonsensical to believe digital architectures built on enduringly racist, Sinhala-only public sector cultures magically become inclusive through technology alone.

The PAD’s treatment of rights, surveillance, and data protection may be its gravest failing. Astonishingly, like with the PID before it, the PAD classifies environmental and social risk as “Low.” Incredibly, it also marks the project’s impact on ‘Indigenous Peoples’ (i.e.,  the Veddas), and  ‘Historically Underserved Traditional Local Communities’ as “Not Currently Relevant.” A single sentence acknowledging data privacy as “an inherent risk” to be addressed through compliance with Government laws and international best practices constitutes the entire engagement with privacy and data protection for a project building a national data exchange linking Government databases, a digital locker storing citizens’ official documents, and digital authentication tied to biometric identity records.

The PAD completely ignores the Online Safety Act, the draft Prevention of State Terrorism Act’s historically unprecedented threats to privacy, and the irreconcilable contradictions between these instruments and the Personal Data Protection Act. Revealingly, the PAD makes no reference to Sri Lanka’s documented history of voter lists used during the 1983 Black July pogrom to identify, kill, torture, and burn Tamils - which is a violent history enduringly, and directly relevant to the data-sharing infrastructure this project finances. The document’s authors cite Estonia, Moldova, Singapore, South Korea, Ukraine, Jordan, Armenia, India, and Malaysia as reference points, yet none of these comparators is a post-war, multilingual, multi-ethnic society with Sri Lanka’s specific combination of draconian laws, documented use of civic registers for ethnic targeting, recent economic collapse, and a history of telecoms infrastructure weaponised against civilian populations (directly associated with individuals leading digitalisation). The “Lessons Learned” section draws on technical architecture, change management, and institutional readiness, but offers nothing on rights protection in conflict-affected societies, the dangers of centralised data systems in states with weak rule of law, or the specific risks of digital public infrastructure where intelligence services operate without effective legal constraints. The document cites no comparative lesson on trust-building or communications strategy from any jurisdiction.

The PAD’s treatment of an electronic national ID is technocratic in the extreme. It’s presented as a dataset awaiting digital migration rather than a contested political instrument in a post-war society where identity infrastructure carries ethnic markers, where communities in the North and East live under conditions of pervasive militarisation, and where families of the disappeared, the internally displaced, and plantation workers navigate complex, overlapping documentation regimes that no single digital identity can accommodate. The digital authentication solutions and digital locker the PAD proposes to build rest on this foundation. If the foundation encodes discrimination, the platforms, algorithms, and AI built atop it risk encoding discrimination invisibly, and pervasively. 

For a program impacting 4 million users (itself a mysterious figure pulled out of ether) in a society that hasn’t seen any systematic public consultation on digitalisation, the PAD’s satisfaction surveys, grievance mechanisms, and co-design workshops operate downstream of a trust deficit they cannot remedy. They address symptoms from low adoption to citizen confusion without confronting the root cause: a Government that is unable, and unwilling to tell citizens what it is building, in languages they understand, with safeguards they can scrutinise.

The World Bank, in sum, is financing the construction of a centralised digital State apparatus in a post-war society with documented ethnic targeting, operational surveillance legislation, militarised public institutions, and digitalisation led by aloof technocrats. It does so whilst classifying the environmental and social risk as “low,” providing no independent oversight mechanism, and requiring no trilingual documentation as a disbursement condition. The budget tells the story. Of the $50 million total, 78% goes to digital infrastructure (platforms, cloud, data exchange) while adoption and institutional capacity, which the World Bank itself identifies as the principal risks, receive a fraction of the funding. As I have noted earlier, without a reclassified risk rating, an independent human rights impact assessment, and binding conditions that no citizen must surrender biometric data to access Government services, what the World Bank risks funding is the architecture of a more efficient authoritarianism, beguilingly presented as economic development.

(The author holds a doctorate in social media and politics, and his research practice centres on the confluence of influence operations, disinformation, truth decay, and information integrity)