Thursday Jan 08, 2026
Thursday Jan 08, 2026
Wednesday, 7 January 2026 06:32 - - {{hitsCtrl.values.hits}}
|
Supreme Court Judge Arjuna Obeyesekere |
|
Data Protection Authority Chairman Rajeeva Bandaranaike
|
Sri Lanka’s digital economy is advancing faster than the trust architecture required to sustain it, creating a growing risk to adoption, confidence and long-term economic value, Supreme Court Judge Arjuna Obeyesekere said yesterday.
Delivering the keynote address at the 2nd National Data Protection Symposium organised by the Bar Association of Sri Lanka, Justice Obeyesekere said the country had moved from preparing for a digital economy to operating within one, even as public confidence in how personal data is governed remains fragile.
“In 2022, this law represented hope. In 2026, it represents urgency,” he said, referring to Sri Lanka’s Personal Data Protection Act. What was once a future-oriented framework is now a live economic necessity, he added.
Sri Lanka, he said, is already experiencing a rapid shift in everyday economic behaviour. QR codes have replaced printed material, mobile wallets are becoming more common than physical cash, know-your-customer processes have moved from paper to pixels, and real-time transfers and platform-based commerce are now routine.
“These are no longer emerging tools. They are the layers of everyday life,” Obeysekere said.
Yet trust, he warned, does not automatically follow technological adoption. “Digital trust does not begin with the technology in my hand. It begins with whether I feel confident, protected and in control of what happens next.”
The Government has roadmap to unlock Sri Lanka’s digital potential which will create $ 15 billion in value in ten years.
He argued that trust in a cash-light economy is rooted in data sovereignty. “People choose to transact digitally not because they must, but because they trust the system,” he said, adding that once individuals feel they have lost control over their identity or personal information, efficiency becomes irrelevant.
“The moment that sovereignty is lost, speed becomes irrelevant, because trust collapses,” he said. “Connectivity moves data, but trust moves people.”
Obeysekere described privacy as a central layer of the digital economy rather than a regulatory burden. “Privacy is not the cost of growth. It is the pre-condition for growth,” he said, warning that without credible assurances, connectivity can generate fear rather than progress.
He stressed that legislation alone does not create confidence. “A law does not create trust. A policy alone does not create confidence,” he said. Trust, he argued, is built through lived experience, when people understand what data is collected, why it is collected, and how decisions affecting them are made.
In a cashless economy, he noted, trust becomes tangible at every authentication, transaction and algorithmic decision. When systems operate without transparency or accountability, they can scale harm as efficiently as they scale revenue.
The judge also cautioned that intelligent systems are increasingly making decisions that affect people’s lives, from access and pricing to scrutiny and delay. While such systems may be efficient, he said the central question is risk. “When systems operate without transparency, without accountability, they can scale harm as efficiently as they scale revenue.”
Turning to artificial intelligence, Obeysekere said the PDPA provides a strong foundation but is not sufficient on its own in an AI-driven economy. “Trust in an AI economy depends not only on how data is handled. It depends on how decisions are made,” he said.
“AI systems do not just store data. They infer, predict, classify and decide,” he said, adding that affected individuals are more likely to ask whether they were treated fairly than whether their data was collected lawfully.
He pointed to unresolved questions around accountability when algorithms misbehave, responsibility for automated decisions, and governance when AI systems operate across borders. These issues, he said, test the limits of existing regulatory frameworks.
Against this backdrop, Obeysekere underscored the importance of operationalising the Data Protection Authority, established in law in 2023. Enforcement, he said, must be timely, consistent and fair if compliance is to be meaningful and confidence is to scale.
At the organisational level, he said basic data governance must become non-negotiable. “If an organisation cannot see where a data element lives, who can access it and for what purpose, then it does not control its data,” he said.
He acknowledged that breaches and system failures are inevitable in any digital economy. The defining issue, he said, is how institutions respond when things go wrong, noting that trust collapses not only when systems fail but when responses lack understanding and accountability.
Concluding, Obeysekere said Sri Lanka’s digital future will be defined by how it governs technology rather than how quickly it deploys it. “A nation does not unlock the full power of technology by installing it, but by governing it wisely,” he said, adding that the success of the digital economy should ultimately be measured by how confident people feel in using it.
That challenge, Obeysekere suggested, cannot be met by the courts or the law alone.
Setting out how Sri Lanka intends to move from principle to practice, Data Protection Authority Chairman Rajeeva Bandaranaike said the next phase of the country’s digital journey must focus on implementation, capacity building and trust creation across the ecosystem.
Addressing the same forum, Bandaranaike said personal data has become one of the most valuable currencies of the digital economy, carrying both opportunity and risk. “Every time you click, every time you swipe, every time you say ‘I agree’, it quietly tells a story about yourself,” he said, underscoring why privacy can no longer be treated as a purely personal concern.
“In the digital age, privacy is not just a personal right. It has become a public responsibility,” he said, noting that digitalisation can modernise public services and drive economic growth, but also exposes societies to risks such as identity theft, data breaches, exclusion and discrimination.
Bandaranaike stressed that data protection should not be viewed as anti-innovation. When data is handled responsibly, he said, it enables the safe development of technologies such as artificial intelligence, machine learning and big data without undermining individual rights. “Data protection is not anti-innovation. It enables sustainable and ethical innovation,” he said.
He pointed out that Sri Lanka’s Personal Data Protection Act No. 9 of 2022 provides a comprehensive framework governing the processing of personal data, building on existing legal protections and international obligations. However, the credibility of the regime, he said, will depend on how effectively it is operationalised.
Outlining priorities for the Data Protection Authority, Bandaranaike said the immediate focus is on setting up and staffing the institution, building internal capacity and rolling out awareness programmes for data subjects and organisations. He added that accessible complaint-handling mechanisms and clear guidance for emerging technologies, including AI, biometrics and surveillance tools, will be central to the Authority’s mandate.
He also indicated that enforcement will be balanced with readiness across the ecosystem. The effective date of the Act, he said, will be announced in due course, with consideration given to phased implementation to allow both public and private sector organisations to adapt.
“Readiness is not only about safeguarding the rights of individuals. It is also about ensuring that organisations are prepared,” Bandaranaike said, highlighting the need for training, sector-specific guidance and institutional capacity building.
Looking ahead, he said the Authority aims to operate as a modern, professional regulator, supported by digital systems that allow organisations to engage with it online, and strengthened through collaboration with international agencies to bring global expertise into Sri Lanka.
Concluding, Bandaranaike said data protection must be seen as a strategic pillar of the digital economy rather than a regulatory formality. “It defines the credibility and sustainability of our digital ecosystem,” he said, calling for a shared commitment to embed privacy by design and transparent, ethical practices as Sri Lanka accelerates its digital transformation.
He urged stakeholders to view trust as a collective responsibility, noting that sustained confidence in digital systems will depend not only on enforcement but on awareness, readiness and responsible use of personal data across the economy.
The 2nd National Data Protection Symposium organised by the Bar Association of Sri Lanka brought together nearly 30 speakers and over 200 participants at Cinnamon Life at City of Dreams. The symposium covered a wide range of issues, including key rights and obligations under Sri Lanka’s Data Protection Act, the statutory role and accountability of Data Protection Officers, institutional readiness for compliance and governance frameworks, embedding a privacy culture in organisations and public institutions, data protection in the age of artificial intelligence, managing privacy risks in digital transactions and e-commerce, safeguarding startups and SMEs in an AI-driven economy, and the ethical boundaries of automated decision-making.
– Pix by Ruwan Walpola
