• Why SL's Constitution may already have the answer

Every morning, millions of Sri Lankans unlock their phones, tap their banking apps, scroll through social media, and book rides — generating a torrent of personal data with each interaction. Behind the screen, corporations harvest, analyse, and monetise that data at industrial scale. Governments surveil. Algorithms profile. Yet, few Sri Lankans pause to ask a deceptively simple question: Who owns this data? The answer, surprisingly, may already be written into the country's founding document.

Article 3 of the Constitution of 1978 declares, in unambiguous terms, that sovereignty is in the people and is inalienable. Drafted in an era of paper forms and analogue governance, those nine words were never intended to address cloud computing or artificial intelligence. But, constitutional principles, by their very nature, are not frozen in the moment of their drafting. They breathe and evolve with the society that they govern.

From ballots to bytes: Sovereignty in the digital age

Data is no longer merely information. In the 21st Century, it is economic power, political influence, and social currency rolled into one. The ability to predict a voter's behaviour, manipulate a consumer's choices, or expose an activist's identity all flows from the control of data. If sovereignty — real, meaningful sovereignty — belongs to the people, then, control over the data that those people generate must also, ultimately, belong to them.

This is not a radical reinterpretation. It is a logical extension of a principle already embedded in the constitutional text. Personal data is an expression of individual autonomy and dignity. It captures a person's health, finances, relationships, beliefs, and movements. Allowing that data to be exploited without consent or accountability is, in a very real sense, a dilution of the people's sovereignty. The Constitution, read purposively, does not permit such an erosion.

The State as the guardian, not the owner

Article 4 operationalises the abstract sovereignty of Article 3 by distributing it across the institutions of the State. Legislative power vests in Parliament. Executive power rests with the President. Judicial power belongs to the courts. Taken together, these provisions do not merely describe how the Government functions — they impose duties on each branch to protect and give effect to the people's sovereignty.

In the data context, this translates into a specific role for the State: not as the owner of citizens' data, but as its constitutional trustee. A trustee holds assets not for personal gain, but for the benefit of the beneficiary. Applied to data governance, the State is obligated to regulate the collection and processing of personal data, prevent its exploitation by powerful private actors, maintain control over cross-border data flows, and ensure transparency in any Governmental use of citizen information. This trusteeship model reframes the entire conversation. Data protection is not a policy preference or a technical compliance exercise. It is a constitutional obligation.

Parliament steps up: The PDPA of 2022

In 2022, Parliament took a significant step toward fulfilling that obligation when it enacted the Personal Data Protection Act (PDPA), No. 9 of 2022 — Sri Lanka's first comprehensive data protection statute. The Act establishes core principles that resonate directly with the constitutional framework. Data must be collected for specified, lawful purposes. It must be adequate, relevant, and proportionate to those purposes. It cannot be retained longer than necessary. Individuals must, in most circumstances, provide informed consent before their data is processed.

The legislation also addresses cross-border data transfers — a provision of particular constitutional significance. When personal data leaves Sri Lanka's territory, it risks falling beyond the reach of domestic law. The Act's restrictions on such transfers are, in essence, an assertion of national data sovereignty: a declaration that Sri Lankan citizens retain protections regardless of where their data travels. For a country historically vulnerable to the asymmetric power of multinational technology companies, this is not a trivial safeguard. It is a legislative expression of the people's inalienable sovereignty.

The courts as the last line of defence

Constitutional rights are only as strong as the courts willing to enforce them. Article 4 assigns to the Judiciary the responsibility of protecting fundamental rights (FR) — and here lies a creative, if as yet untested, legal frontier. The Constitution does not explicitly enumerate a right to privacy. Unlike India's Supreme Court, which in 2017, recognised privacy as an FR flowing from the right to life and personal liberty, Sri Lankan courts have not yet issued a comparable ruling.

Yet, the building blocks are present. Constitutional guarantees of equality, dignity, and freedom from arbitrary State action can, with careful legal reasoning, be used to protect individuals against egregious data violations. A citizen whose sensitive medical records are leaked by a State institution, or whose political communications are surveilled without lawful authority, has a plausible constitutional grievance — even without an express privacy clause. The courts have the tools. What is needed is the will, and the cases, to use them.

Cracks in the armour: Gaps that cannot be ignored

Acknowledging the constitutional framework's promise does not require ignoring its limitations. The absence of an explicit right to privacy remains the most significant structural gap. It leaves data protection arguments dependent on judicial creativity and inferential reasoning rather than clear textual authority, creating uncertainty that benefits those who wish to avoid accountability.

Executive power poses a distinct tension. Article 4's vesting of Executive authority in the President could, if unchecked, become a vehicle for State surveillance that undermines rather than upholds data sovereignty. Security-driven data collection, the interception of communications, and the expansion of national identity databases all carry real risks of abuse. The PDPA, moreover, is a young law in a developing regulatory environment. Its enforcement mechanisms are still being established, and the institutional capacity remains limited. Awareness among ordinary Sri Lankans of their data rights is low. Corporate compliance, particularly among smaller digital businesses, is inconsistent. The gap between the law on paper and the law in practice is, for now, wide.

There is also the uncomfortable reality of the global digital economy. Data localisation policies that restrict cross-border flows can conflict with trade obligations and discourage foreign investment. Balancing national data sovereignty against the economic benefits of digital integration is a genuine policy dilemma, not one that constitutional principles alone can resolve.

A constitutional promise waiting to be kept

Sri Lanka stands at a fork in its digital future. One path leads toward a landscape where data flows freely — but in one direction, from citizens to corporations and governments, with little accountability and less recourse. The other path leads toward a constitutional democracy that takes seriously the idea that sovereignty belongs to the people, including sovereignty over their digital selves.

The constitutional architecture, read through a modern lens, charts a clear course. Article 3 establishes that data, as an expression of individual autonomy, ultimately belongs to the people. Article 4 imposes on each branch of the State a duty to protect that belonging. The PDPA translates that duty into enforceable law. What remains is the harder work of implementation: stronger courts, better-resourced regulators, a more privacy-aware public, and lawmakers willing to close the gaps.

Sri Lanka's founders could not have foreseen a world of facial recognition, predictive algorithms, or data brokers. But, they understood something timeless: that power unchecked becomes power abused. The digital age has created new concentrations of power — over information, over behaviour, over identity. The Constitution, properly interpreted, is not silent on who should hold that power. It has always said: the people.

The writer is an attorney and a Senior Law Lecturer at the Colombo University

-------

The views and opinions expressed in this column are those of the author, and do not necessarily reflect those of this publication