AI governance an immediate priority: Julius and Creasy Legal Consultant Ashwini Natesan

28 Sep 2025 | By Nelie Munasinghe


In digital transformation, promoting innovation while establishing a strong regulatory framework is a challenge for Sri Lanka. With the country’s ambitious target of a $15 billion digital economy and a significant contribution expected from the Artificial Intelligence (AI) sector, the need for such a framework has become more pressing.

In an interview with The Sunday Morning Business, Research Fellow and Julius and Creasy Legal Consultant – Technology, Media, and Telecommunications Law Ashwini Natesan noted the country’s legal and regulatory priorities, highlighting the progress in digital governance, the challenges that remain, and the strategic steps required to build public trust and drive future growth in the digital economy.

Following are excerpts:


The Online Safety Act (OSA) of 2024 has drawn criticism for its potential impact on free expression. From a regulatory standpoint, how can Sri Lanka balance online harm mitigation with fundamental rights?

The process of reviewing the Online Safety Act is currently underway. A public notice was issued, inviting comments on both the act and the amendments published last year, and this is a welcome development. 

Any legislative process is incomplete without public consultation, and one of the main criticisms of the original OSA was the lack of such consultation. Thus, I am pleased to see this new process includes it. 

It’s important to understand that we have reached a point where some regulation of online harms is necessary. The internet is no longer just a space for entertainment but a primary medium for interaction. This also creates the potential for harm, allowing groups to gain momentum and coordinate large numbers of people to take harmful action. 

This is why there is a global focus on regulating online harm and Sri Lanka is no exception. We understand the consequences of an unchecked online space, which leads us to seek regulation. 

With that said, I believe a balanced approach is crucial because the online space is also where people express themselves freely. It is widely considered an area where minorities, members of the LGBTQIA+ community, and other vulnerable groups can voice their opinions. 

While this has been changing in recent years, balancing freedom of expression with regulation remains key. I hope that the review will lead to amendments of key areas of concern, including widely worded offences and powers of the commission, to name a few.


Do you observe any gaps in Sri Lanka’s Personal Data Protection Act (PDPA) of 2022 in terms of the current implementation framework, especially compared to the General Data Protection Regulation (GDPR) or other international models? 

The Personal Data Protection Act is much-needed legislation, and Sri Lanka was the first in South Asia to pass a comprehensive enactment in 2022. Although the act is not yet in force, we can take comfort in the fact that it was passed.

However, one of the areas where I had hoped for a change was in the cross-border transfer of data and the requirement of an adequacy decision for public authorities. Nevertheless, that will be changing.  

I am referring to a very important proposed amendment which, despite not having been passed yet, would remove the requirement for an adequacy decision for data transfers involving public authorities. I believe this is a vital change for an economy focused on digitisation. 

I am also confident that further rules and regulations will be issued, and that this will lead to more clarity. I hope the rules/regulations in future will provide guidance on the use of personal data for public interest purposes, such as journalistic processing, and also address potential conflicts with disclosure of data under the Right to Information Act.

 

How prepared are Sri Lankan companies, especially Small and Medium-sized Enterprises (SMEs), to comply with the act? 

Compliance with the PDPA is an ongoing process, not a one-time achievement. There is a cost involved and I understand this can be challenging for SMEs. Despite this, there is at least some awareness of the act. A few of the larger companies have already begun their compliance processes. 

I also know that companies already regulated by other bodies, such as financial institutions regulated by the Central Bank of Sri Lanka or telecommunication operators regulated by the Telecommunications Regulatory Commission of Sri Lanka, have several compliance requirements in place. However, other entities without prior data protection regulations will have to start from scratch. 

I believe these companies can achieve compliance if they begin the process. They should not be deterred by the scale of the task. Breaking compliance into manageable phases can be a great way to start the journey towards personal data protection compliance.

 

How necessary is the proper establishment of these regulatory frameworks to drive the digital economy forward? 

The implementation of both acts is crucial. While the OSA’s new text is pending, the PDPA’s entry into force will be a key factor for data governance and personal data protection. For example, as Sri Lanka moves towards a unique digital identity, the PDPA will be critical in governing how personal data is used and processed.

A noteworthy aspect of the PDPA is that it applies to both Government and private organisations without having separate requirements for each of them. This means Government entities, which collect large amounts of personal data, must be careful in its handling. Having this legislation will go a long way in building public trust. 

Regarding the OSA, I have repeatedly stated that public consultation must be a part of the legislative process. The public notice for comments on the Online Safety Act was open for a month, from 13 August to 13 September. 

I hope that stakeholders, whether civil society organisations, think tanks, or individuals working in online safety, will participate. Public consultation is meaningless without public participation. I hope many people share their views, as this will help shape a law that is both inclusive and respectful of human rights.

 

In terms of AI adoption, do you see legal gaps around accountability, liability, and transparency in Sri Lanka’s adoption? What key aspects should be prioritised? 

AI governance is crucial for AI adoption, although some may argue that regulation can stifle innovation. I disagree. I believe a strong AI framework requires strong governance. 

A National AI Strategy was recently published, which I think is a very important first step. Similarly, the establishment of an advisory committee, even though it may not be functioning currently, is a positive effort towards both adoption and governance. 

We must not forget the importance of governance while seeking to deploy and use AI. This doesn’t mean we should have stringent rules that make it impossible to use AI, as there are many benefits to be gained in sectors like education and healthcare. However, it is essential to balance these benefits with proper governance. 


The other similarly evolving aspect is the regulatory framework regarding cybersecurity. With rising cybercrime incidents, how effective are Sri Lanka’s current digital governance frameworks in addressing cyberthreats, and where are the vulnerabilities? 

The first step in addressing cybercrime is ensuring cybersecurity. This requires investing in both technology solutions and human resources. I believe this should be a main focal point, especially for State and public sector entities. 

While I recognise that there are many capacity challenges, these can be overcome through public-private partnerships to build cybersecurity standards and digital trust in the country. This collaboration will significantly strengthen our ability to combat cyber threats. For instance, as a member of the Digital Trust Alliance (DTA), I wish to note that one of the key goals of the DTA is to support policymaking and work with the public sector to build a safer digital ecosystem.

 

What are your insights on a centralised technology regulator for Sri Lanka, given that oversight continues to be spread across multiple institutions? 

Your point about a single centralised authority is interesting, but I don’t know if it’s feasible due to the different statutory requirements and existing functions of these authorities. 

The primary issue is whether one authority has the expertise and capacity to handle such a wide range of issues. A more effective approach would be to improve coordination and cohesiveness among the existing authorities. 

This can be achieved through a central entity, perhaps the subject ministry overseeing these bodies. This would ensure that their functions are coordinated and they can consult with one another when necessary. 

An example where this coordination would be very beneficial is in balancing the protection of personal data and the disclosure of information under the Right to Information Act. The Data Protection Authority and the Right to Information Commission have roles that could potentially conflict, so working together to establish rules would help balance these interests. 


Regarding our regulatory framework and aligning with the necessary global standards while still protecting our domestic interests and sovereignty, how much progress have we made in this regard? 

It’s important to first assess which global standards we want to align with. As a developing country in the Global South, Sri Lanka must adapt these standards to its own cultural differences and unique needs. This is the first and most important step. As a developing economy, we should prioritise adapting global standards to suit our specific requirements.

The second point relates to balancing data sharing with data sovereignty, which is often considered a critical part of digital sovereignty. This isn’t just about storing data locally, but also about developing local solutions to ensure a certain level of capability within our country. Having locally developed solutions will be a significant step in supporting sovereignty, in addition to having laws that mandate local data storage.

 

In addition to these acts, especially the PDPA, what more is required from a regulatory standpoint to ensure public digital trust? 

Building trust is possible through effective implementation. We can have many laws, but unless they are implemented effectively and without discrimination, we cannot gain public trust. This is a pivotal aspect. It’s not about having more laws and policies but about the effective implementation of existing ones. 

Secondly, there is a need for policies to work together. Instead of creating new policies for an area, we should review and amend existing ones to ensure they function cohesively. I am speaking based on a research study on data governance we conducted at LIRNEasia, where I am a Research Fellow. 

We found that Sri Lanka has no lack of governance policies in relation to data, but we need to ensure they don’t conflict with each other. This means new policies should be drafted with existing policies in mind. Therefore, effective implementation and ensuring policies work together are two basic points for building trust.

 

Looking ahead, what regulatory priorities should Sri Lanka focus on in the next five years to ensure trust, innovation, and investment in the digital economy? 

AI governance will certainly be a priority, not just in the next five years but starting now. This will go a long way in paving the path for responsible AI use. 

Secondly, moving towards a digital economy requires basic infrastructure. This includes fundamental elements like a unique digital ID and ensuring accessible digital public infrastructure.

Thirdly, any digital transformation requires clear communication and transparency in the process. This should also be an immediate priority, not a future one. These are the current priorities I would emphasise. 

Other key points to address include the importance of data governance, the need to look at existing policies holistically, and the necessity for better coordination among existing agencies. These are crucial for ensuring coherence in implementation and clarity on how the system will work. 

I am focusing on legal pathways to regulate technology, but I am not discounting other methods, such as platform-related remedies available through code for online safety. While my focus has been on the law, it is not the only way to regulate technology.

