SRI LANKA
Since July 1991, last amended in July 2024
Pillar Quantitative trade restrictions for ICT goods and online services |
Indicator Export restrictions on ICT goods or online services
Sri Lanka Telecommunications Act, No. 25 of 1991
Pursuant to Art. 21.1 of the Sri Lanka Telecommunications Act, No. 25 of 1991, the export of any telecommunication apparatus in Sri Lanka is prohibited unless carried out under the authority of a valid licence issued by the Telecommunications Regulatory Commission. As established in Art. 21.2, such licences are subject to conditions determined by the Commission, including the payment of a prescribed fee and compliance with specific restrictions. Under Art. 21.3, the Commission retains the power to revoke any licence for non-compliance with licensing conditions, failure to make required payments, or breach of applicable regulations.
Coverage Telecom equipment
SRI LANKA
Reported in 2016, last reported in 2024
Pillar Intermediary liability |
Indicator User identity requirement
Identity verification requirement for accessing public Wi-Fi networks
It is reported that an ICT Agency's decision requires the provision of a citizen’s national identity card number to access to public Wi-Fi hotspots.
Coverage Public Wi-Fi
Sources
- https://web.archive.org/web/20250526231908/https://freedomhouse.org/country/sri-lanka/freedom-net/2024
- https://web.archive.org/web/20250527180028/https://www.lankabusinessonline.com/sri-lanka-to-have-500-public-wi-fi-spots-before-end-2016/
- https://web.archive.org/web/20250527180115/https://www.icta.lk/projects-si/free-wi-fi-initiative?lang=si
- Show more...
SRI LANKA
Since July 2019
Pillar Intermediary liability |
Indicator User identity requirement
Subscriber SIM Cards (Subscriber Identification Modules - SIM) Regulations No. 01 of 2019
Under Section 3 of the “Subscriber SIM Cards (Subscriber Identification Modules - SIM) Regulations No. 01 of 2019”, every operator shall comply with the regulatory measures specified in Schedules I and II for the registration of SIM cards of retail and corporate subscribers, respectively. Under Schedule I, each operator must obtain a duly completed and signed application form from the retail subscriber, including the following mandatory details: national identity card number, permanent address, and new telephone number. Under Schedule II, each operator must ensure that the application is accompanied by a true copy of the certificate of business registration and a list containing the name, national identity card number or driving licence number or passport number, permanent address, and present address of the employees of the corporate subscriber who are obtaining connections under the corporate package.
In accordance with Schedules I and II of the "Subscriber SIM Cards (Subscriber Identification Modules – SIM) Regulations No. 01 of 2019", all licensed digital cellular mobile service providers are mandated to retain subscriber information and furnish such data to the relevant authorities upon request. Notably, the Regulations do not specify a specific retention period for this data.
In accordance with Schedules I and II of the "Subscriber SIM Cards (Subscriber Identification Modules – SIM) Regulations No. 01 of 2019", all licensed digital cellular mobile service providers are mandated to retain subscriber information and furnish such data to the relevant authorities upon request. Notably, the Regulations do not specify a specific retention period for this data.
Coverage Digital cellular mobile services
SRI LANKA
Reported in 2019, last reported in 2024
Pillar Content access |
Indicator Blocking or filtering of commercial web content
Reported government-ordered blockades of online services
Reports indicated that several independent and other websites were subject to access restrictions in 2024. In addition, in April 2022, the Telecommunications Regulatory Commission reportedly suspended access to various social media platforms in Sri Lanka at the Ministry of Defence's direction. The services affected included Facebook, YouTube, Twitter, Instagram, and WhatsApp. This suspension was lifted after 15 hours. A similar restriction was imposed in 2019, during which access to platforms such as Facebook, Facebook Messenger, Viber, Snapchat, and Instagram was blocked. Additionally, the use of the TunnelBear Virtual Private Network (VPN) was also restricted.
Coverage Websites, social media platforms and VPNs
Sources
- https://web.archive.org/web/20250526231908/https://freedomhouse.org/country/sri-lanka/freedom-net/2024
- https://web.archive.org/web/20250527004142/https://www.accessnow.org/press-release/sri-lanka-ensure-access-to-open-internet/
- https://web.archive.org/web/20250527004217/https://www.accessnow.org/sri-lanka-shutting-down-social-media-to-fight-rumors-hurts-victims/
- Show more...
SRI LANKA
Since February 2024
Pillar Content access |
Indicator Licensing schemes for digital services and applications
Online Safety Act, No. 9 of 2024
Pursuant to Sections 11(j) and 49(1)(b) of the Online Safety Act, websites providing social media functionalities to end-users in Sri Lanka are required to register to offer their services. The precise procedures for such registration will be prescribed through regulations enacted under the authority of the Act.
It is reported that the enforcement of the Online Safety Act was halted in January 2025. The Government announced that it would not enforce the Act in its current form and that it would be implemented following modifications.
It is reported that the enforcement of the Online Safety Act was halted in January 2025. The Government announced that it would not enforce the Act in its current form and that it would be implemented following modifications.
Coverage Social media
Sources
- https://web.archive.org/web/20250527234653/https://www.parliament.lk/uploads/acts/gbills/english/6311.pdf
- https://web.archive.org/web/20250605160606/https://www.newsfirst.lk/2024/02/02/understanding-sri-lanka-s-online-safety-act-what-you-need-to-know
- https://web.archive.org/web/20250605234159/https://www.themorning.lk/articles/Y6EtzyPsnSQGhvPjXU50
- Show more...
SRI LANKA
Reported in 2011, last reported in 2025
Pillar Content access |
Indicator Licensing schemes for digital services and applications
Registration requirements for news websites
It is reported that news websites are required to register with the Ministry of Mass Media of Sri Lanka under the Cabinet Decision No. 12/1037/37/019-1 of 13.08.2012 (however, this decision is not available online). According to the "Procedure of Registration of Websites", applications are subject to review by a panel appointed by the Secretary of the Ministry of Mass Media.
Coverage News websites
Sources
- https://web.archive.org/web/20250526231908/https://freedomhouse.org/country/sri-lanka/freedom-net/2024
- https://web.archive.org/web/20260321024700/https://www.media.gov.lk/images/pdf_word/2021/web_application_new_2021.pdf
- https://web.archive.org/web/20260321024317/https://www.media.gov.lk/images/pdf_word/2018/procedure-of-registration-of-websites.pdf
- https://web.archive.org/web/20260321024532/https://media.gov.lk/application-form-for-news-casting-websites-registration
- https://web.archive.org/web/20160316135146/http://adaderana.lk/news.php?nid=34412
- https://web.archive.org/web/20251208040730/https://srilankabrief.org/prior-registration-required-for-new-websites/#:~:text=%28Srilankamirror%29%20%E2%80%93%20Registration%20is%20required%20of%20new,re...
- Show more...
SRI LANKA
Reported in 2012, last reported in 2025
Pillar Content access |
Indicator Licensing schemes for digital services and applications
Reported licensing requirements
It is reported that Voice over Internet Protocol (VoIP) is currently not permitted in Sri Lanka. However, the Telecommunications Regulatory Commission of Sri Lanka (TRCSL) has established a list of categories of users, customers, and clients who are eligible to apply for an exemption. These include licensed public switched telephone network (PSTN) operators and their affiliates, authorised call centres and business process outsourcing (BPO) operators, as well as customers engaged in international logistics, international banking, information technology, and software development and support services, along with licensed internet service providers.
Coverage Voice over Internet Protocol (VoIP)
Sources
- https://web.archive.org/web/20260313145522/https://www.trc.gov.lk/pages_e.php?id=121
- https://web.archive.org/web/20250606024709/https://oxfordbusinessgroup.com/reports/sri-lanka/2019-report/economy/targeted-approach-efforts-to-expand-infrastructure-and-improve-digital-literacy-are-lay...
- https://web.archive.org/web/20250606024527/https://satrc.apt.int/wp-content/uploads/2022/10/SATRC-SAPIII-03_SATRC_VoIP_Issues.pdf
- Show more...
SRI LANKA
N/A
Pillar Content access |
Indicator Licensing schemes for digital services and applications
Reported licensing requirements
The Telecommunications Regulatory Commission of Sri Lanka lists Virtual Private Network (VPN) services among those licensed in the country. However, the regulatory text mandating the license has not been identified.
Coverage VPN services
SRI LANKA
N/A
Pillar Content access |
Indicator Licensing schemes for digital services and applications
Reported licensing requirements
The Telecommunications Regulatory Commission of Sri Lanka lists e-mail services among the services that have been licensed in the country. However, the regulatory text mandating the license has not been identified.
Coverage E-mail services
SRI LANKA
N/A
Pillar Content access |
Indicator Licensing schemes for digital services and applications
Reported licensing requirements
The Telecommunications Regulatory Commission of Sri Lanka lists data processing services related to the air transport industry among the services licensed in the country. However, the regulatory text mandating the license has not been identified.
Coverage Data processing services related to air transport industry
SRI LANKA
N/A
Pillar Domestic data policies |
Indicator Framework for data protection
Lack of comprehensive legal framework for data protection
Sri Lanka does not currently operate a comprehensive personal data protection regime. Instead, data protection is addressed through a range of sector‑specific legislative instruments, including the Computer Crimes Act No. 24 of 2007, the Banking Act No. 30 of 1988, the Electronic Transactions Act No. 19 of 2006, the Right to Information Act No. 12 of 2016, the Telecommunications Act No. 25 of 1991, the Financial Consumer Protection Regulations No. 1 of 2023, and Special Direction No. 91. In recognition of this regulatory gap, the Personal Data Protection Act has been enacted; however, to date, no definitive commencement date has been announced.
Coverage Horizontal
SRI LANKA
Since July 2007
Pillar Domestic data policies |
Indicator Requirement to allow the government to access personal data collected
Computer Crime Act, No. 24 of 2007
Section 18.2 of the Computer Crime Act confers authority upon a designated expert or police officer to obtain information—such as subscriber details and traffic data—held by a service provider, and to intercept wire or electronic communications without a warrant, provided that the following conditions are met: (i) the investigation must be conducted with urgency; (ii) there exists a substantial risk that evidence may be lost, destroyed, altered, or rendered inaccessible; and (iii) the preservation of confidentiality is necessary.
For the Act, the term "expert" denotes a public officer possessing the requisite qualifications and experience in electronic engineering or software technology, who is appointed by the Minister responsible for science and technology, in consultation with the Minister of Justice, through an order published in the Gazette. The term "service provider" encompasses any public or private entity that enables its clients to communicate via a computer system, as well as any entity that processes or stores computer data or information on behalf of such a provider or its clients.
For the Act, the term "expert" denotes a public officer possessing the requisite qualifications and experience in electronic engineering or software technology, who is appointed by the Minister responsible for science and technology, in consultation with the Minister of Justice, through an order published in the Gazette. The term "service provider" encompasses any public or private entity that enables its clients to communicate via a computer system, as well as any entity that processes or stores computer data or information on behalf of such a provider or its clients.
Coverage Telecommunications sector
SRI LANKA
Since February 2024
Pillar Domestic data policies |
Indicator Requirement to allow the government to access personal data collected
Online Safety Act, No. 9 of 2024
Section 33 of the Online Safety Act confers upon experts appointed to assist the Online Safety Commission the authority, for an investigation under the Act, to access any information system, computer, or computer programme, as well as any data or information contained therein, to perform their designated functions. Additionally, such experts are empowered to compel individuals to disclose traffic data. Notably, it has been reported that these investigatory powers do not require the issuance of judicial warrants to access user data.
It is reported that the enforcement of the Online Safety Act was halted in January 2025. The Government announced that it would not enforce the Act in its current form and that it would be implemented following modifications.
It is reported that the enforcement of the Online Safety Act was halted in January 2025. The Government announced that it would not enforce the Act in its current form and that it would be implemented following modifications.
Coverage Horizontal
Sources
- https://web.archive.org/web/20250527234653/https://www.parliament.lk/uploads/acts/gbills/english/6311.pdf
- https://web.archive.org/web/20250528012817/https://globalnetworkinitiative.org/sri-lankas-online-safety-act-a-year-in-review-and-framework-for-reform/
- https://web.archive.org/web/20250605234159/https://www.themorning.lk/articles/Y6EtzyPsnSQGhvPjXU50
- Show more...
SRI LANKA
N/A
Pillar Intermediary liability |
Indicator Safe harbour for intermediaries for copyright infringement
Lack of intermediary liability framework in place for copyright infringements
A basic legal framework on intermediary liability for copyright infringement is absent in Sri Lanka's law and jurisprudence.
Coverage Internet intermediaries
SRI LANKA
Since February 2024
Pillar Intermediary liability |
Indicator Safe harbour for intermediaries for any activity other than copyright infringement
Online Safety Act, No. 9 of 2024
A basic legal framework on intermediary liability beyond copyright infringement is absent in Sri Lanka's law and jurisprudence.
Section 27 of the Online Safety Act establishes a safe harbour regime for intermediaries regarding the dissemination of 'prohibited statements'. It provides that any individual or entity engaged in the provision of services such as internet intermediation, telecommunications, public internet access, computing resources, email, short messaging services (SMS), multimedia messaging services (MMS), or one-to-one live aural communication shall not be held liable for the dissemination of a prohibited statement transmitted through an online platform owned, operated, or controlled by such a provider. Nor shall they be liable for enabling end users to access, via such a platform, a communication link containing a prohibited statement authored by a third party. In addition, where a false or prohibited statement, or other unlawful material, is removed within six months of the Act’s commencement, or where such material has been uploaded or tampered with by third parties, neither the owner of the online account nor the internet service provider shall bear liability in relation to the content in question.
It is reported that the enforcement of the Online Safety Act was halted in January 2025. The Government announced that it would not enforce the Act in its current form and that it would be implemented following modifications.
Section 27 of the Online Safety Act establishes a safe harbour regime for intermediaries regarding the dissemination of 'prohibited statements'. It provides that any individual or entity engaged in the provision of services such as internet intermediation, telecommunications, public internet access, computing resources, email, short messaging services (SMS), multimedia messaging services (MMS), or one-to-one live aural communication shall not be held liable for the dissemination of a prohibited statement transmitted through an online platform owned, operated, or controlled by such a provider. Nor shall they be liable for enabling end users to access, via such a platform, a communication link containing a prohibited statement authored by a third party. In addition, where a false or prohibited statement, or other unlawful material, is removed within six months of the Act’s commencement, or where such material has been uploaded or tampered with by third parties, neither the owner of the online account nor the internet service provider shall bear liability in relation to the content in question.
It is reported that the enforcement of the Online Safety Act was halted in January 2025. The Government announced that it would not enforce the Act in its current form and that it would be implemented following modifications.
Coverage Internet intermediaries
Sources
- https://web.archive.org/web/20250527234653/https://www.parliament.lk/uploads/acts/gbills/english/6311.pdf
- https://web.archive.org/web/20250605234159/https://www.themorning.lk/articles/Y6EtzyPsnSQGhvPjXU50
- https://web.archive.org/web/20260507142823/https://www.parliament.lk/en/business-of-parliament/bill-details/P1585
- Show more...
