data protection Archives — LIRNEasia


This report on data governance in Sri Lanka is part of the “Harnessing Data for Democratic Development in South and Southeast Asia” (D4DAsia) project, which aims, inter alia, to create and mobilize new knowledge about the tensions, gaps, and evolution of the data governance ecosystem, taking into account both formal and informal policies and practices. This report is also part of a broader comparative effort that includes case studies from India, Indonesia, Nepal, South Korea, Thailand, and the Philippines. The report provides contextual information about Sri Lanka’s constitutional and governance framework and discusses laws and policies that promote openness or access to data, as well as those that facilitate interoperability or cross-border data transfers. It also examines the opposite: laws, policies, and practices that restrict openness or access to data. The report emphasizes the significance of data governance in shaping Sri Lanka’s digital future.
On 15 October 2025, the Asian Development Bank’s Serendipity Knowledge Program (SKOP) hosted a high-level event on Digital Transformation, Cybersecurity, and Data Protection for Digital Economy Development in Sri Lanka. Professor Rohan Samarajiva, Chair of LIRNEasia, participated as a panelist in the discussion on the need for a security-first and privacy-respecting culture from schools to workplaces, including government institutions. The other panelists were Shariffah Rashidah binti Syed Othman (Commissioner of Personal Data Protection, Department of Personal Data Protection, Ministry of Digital, Malaysia), Rajeeva Bandaranaike (Chairman, Data Protection Agency, Sri Lanka), and Avanthi Colombage (Country Manager, Visa Sri Lanka). The panel, moderated by Antonio Zaballos (Director of the Digital Sector at ADB), explored challenges, opportunities, and priorities in creating a resilient digital economy. The SKOP event provided a platform to share international best practices and innovative solutions, advancing dialogue on a secure and trusted digital economy in Sri Lanka.
The Forum on Data Governance in Thailand, held on Tuesday, August 5, 2025, at the Sigma Room (6th floor), Pullman King Power Bangkok, brought together experts from government agencies, academia, and private organizations to exchange their knowledge, perspectives, and experiences on data policymaking and the design of data governance systems in Thailand. The forum was hosted by LIRNEasia (an independent think tank working across the Asia Pacific), in collaboration with the Department of International Studies at Hankuk University of Foreign Studies (Republic of Korea), Privacy Thailand, and the Institute of Public Policy Studies (IPPS), Thailand.  Funding support was provided by the International Development Research Centre (a Crown Corporation of the Government of Canada). The Forum explored the inherent tensions that arise in governing data in light of competing interests and policy objectives – that of collecting, storing, using and sharing data to support development and growth objectives, and of protecting privacy and other human rights that are vital but can be violated through the release of data. LIRNEasia and affiliated researchers explored such tensions as well as the practical ways these tensions are resolved across seven countries – Thailand, India, Indonesia, Sri Lanka, Nepal, Pakistan and the Philippines.
This report is part of the Data for Development project which aims, inter alia, to create and mobilize new knowledge about tensions, gaps, and the evolution of the data governance ecosystem taking into account formal and informal policies and practices. This regional synthesis report explores the intricate web of data governance systems and their potential to contribute to more democratic and inclusive societies. It examines the tensions that arise between various data-related policies, such as personal data protection, competition law, open data initiatives, cybersecurity measures, and AI and innovation strategies. While developed countries may have mechanisms to address these conflicts, many nations in South and Southeast Asia face significant hurdles in creating and implementing effective data governance frameworks. The report seeks to uncover the unique challenges faced by countries in the region, including opaque policy-making processes, limited stakeholder participation, and policies that may not always align with local contexts or implementation capacities.
On May 23rd 2019, the Government of Sri Lanka posted the Draft Cyber Security Bill on the SL CERT website and invited public comments/input. LIRNEasia submitted comments in response to the SL CERT’s request. Our written comments, submitted on 5th June 2019, are available through the link below: Comments on the Cyber Security Bill – Sri Lanka 2019. Subsequently, in August 2023, the Government of Sri Lanka posted an updated version of the Cyber Security Bill and invited public comments. LIRNEasia once again submitted written comments on 18th August 2023, which can be accessed here: Comments on the Cyber Security Bill – Sri Lanka 2023. The report below analyses the extent to which the input submitted by LIRNEasia in 2019 has been taken into account in the updated (August 2023) version of the proposed Bill.
In his publication ‘International in scope and interdisciplinary in approach’, LIRNEasia’s chair Rohan Samarajiva addresses new media’s impact on societies bound by it and the policy implications that emerge as a product of the same within the three spheres of data protection, data localization and cybersecurity. He highlights the continuous need for interdisciplinary research and reflection on social implications of new media. The open access journal article can be accessed here.
This report evaluates the impact of interventions by LIRNEasia (written comments on the draft bill during the stakeholder consultation) on the Personal Data Protection Act, No. 9 of 2022, which was passed by the Parliament of Sri Lanka on 9th of March 2022. The report also provides details of media coverage of LIRNEasia interventions on the Act.
Can nation states, especially those in the Global South, effectively regulate Global Tech Companies? Should they try? Why is it important to separate the data localization issue from data protection? GDPR is not fully enforceable even in Europe; should it be the model for countries in the Global South?
LIRNEasia's Ramathi Bandaranayake conducted the research for Sri Lanka as part of the Global Data Barometer Survey, the results of which are now public. 
Data protection is considered an esoteric subject, but affects the entirety of the modern economy, ranging from a home-based cake supplier who maintains a list of customers, their preferences and contacts, to a multinational insurance company.
"Data protection is considered an esoteric subject, but it can have powerful effects in the emerging digital economy. Depending on the success of digitalisation efforts, pretty much every organization may fall within the scope of data protection regulation. Few developing countries have enacted data protection legislation. There may be lessons to be drawn from the Sri Lankan effort."
“Sri Lanka has well-crafted laws but rarely are they implemented satisfactorily. If the regulator is under-resourced, little more than ticking the boxes so that Sri Lanka will pass the EU’s adequacy test is likely to be achieved, and even that is uncertain. The best law is not one that is optimal in a technical sense, but one which is most appropriate for the local conditions.”
An Expert Round Table discussion on “Data Protection in an Interconnected World” was held on the 28th of June 2021, as the first of a series of discussions under the theme of “Frontiers of Digital Economy”.
I have been teaching regulation since the 1980s, using all kinds of textbooks and articles. Since around 2000, I was deeply engaged in training regulators all over the world. It was thus not a big deal to respond to a request to write an overview or pull together a bibliography. But what I found most useful was a question from a colleague about the one article/book I would say was central to understanding regulation. Not ten, not five, but one.
This document is intended to understand the extant policy context in relation to healthcare data protection, provide international comparisons, and raise important questions for Sri Lanka to consider in relation to data protection, albeit within a narrow sector-specific scope.
LIRNEasia comments on the proposed Cyber Security Bill for Sri Lanka - 2019