Sri Lanka becomes the first Country in South Asia to adopt an international standard for digital transactions


Sri Lanka becomes the first Country in South Asia to adopt an international standard for digital transactions

Sri Lanka’s National Digital Certificate Authority Key Ceremony Successfully Completed
- National Certification Authority Task Force

With the rapid deployment of Digital services and expansion of e-government initiatives to deliver citizen services in the country, electronic transactions in Sri Lanka will grow substantially in the near future. This increases the probability of identity theft, financial fraud and other security breaches. Therefore, the requirement to authenticate citizens as well as organizations involved in digital transactions becomes pivotal.

To address this requirement, it is essential for a Country to establish a national framework which defines legal, administrative and technical regulations for granting, managing and enforcing the use of digital certificates to establish the identities of citizens and organizations in the digital space to minimize fraud.

The Electronic Transactions Act No, 19 of 2006, amended by Act No. 25 of 2017, provides the legal basis for a national framework, with legal recognition for Electronic Signatures, including Digital certificates. From a legal perspective Digital Certificates have ensured that there is a mechanism to reliably and securely prove the origin, receipt and integrity of information and also to identify the parties involved in a digital transaction. The use of Digital Certificates also enables users to achieve transaction confidentiality and integrity using the public key cryptosystem and the hash function. The issue of digital certificates is done by certified third-party certificate service providers (CSPs).

The National Certification Authority (NCA) is the overall governance as well as the standard setting entity required for the smooth and effective functioning of Certification Service Providers (CSPs). Chapter IV of the Electronic Transactions Act No. 19 of 2006 grants authority for a recognized body to perform the function of the NCA and to establish an NCA task force to manage and administer the Certification Authority, having regard to the qualifications and experience as well as the need to represent relevant stakeholders, with the objective of ensuring its proper administration

The NCA Task Force was first established in 2011 jointly by ICT Agency of Sri Lanka (ICTA) and Central Bank of Sri Lanka (CBSL), with ICTA’s Legal Advisor Jayantha Fernando CBSL Asst. Governor, Janakie Mampitiya as Co-Chairs. The ICTA was designated to perform NCA functions on 24th September 2013 by Gazette Extraordinary 2147/58 made under Section 18 of the Electronic Transactions Act, while NCA operational functions were performed by Sri Lanka CERT. Part of the equipment for this purpose was also procured by ICTA under the “e-Sri Lanka Development Program”.

The Electronic Transactions (Amendment) Act No. 25 of 2017 further modernized Sri Lanka’s legal digital transactions framework by giving effect to Sri Lanka’s ratification of the UN Electronic Communications Convention. Further this Amendment broadened the scope of application of Electronic Signatures, provided for licensing and authorizing of CSPs while separating the NCA Task Force with the operations of NCA.

Pursuant to Gazette Extraordinary, 2147/58, dated 30th October 2019, Sri Lanka CERT was designated as the Certification Authority under section 18 of the above Act to perform the functions of the NCA.

The key ceremony, a formal function to generate the Root certificate of the NCA, was held on 14th February 2020 and was carried out by the staff of Sri Lanka CERT. This was a major milestone in the annuls of Digital transactions in Sri Lanka. The Root Certificate facilitates secure digital transactions not only within Sri Lanka but also internationally with other countries. In order to enhance the operations of NCA as well as to ensure that digital certificates issued by the Sri Lankan NCA are recognized internationally, including web browser vendors (Browser forum), the objective of the NCA is to be “WebTrust standard” certified. Thus, Sri Lanka would become the first Country in South Asia to adopt an international standard in this domain.

The simple but formal key generation ceremony was inaugurated by Mr. Jayantha Fernando, Co-Chair of National Certification Authority (NCA) Task Force. Fernando is Board Director of Sri Lanka CERT and Legal Advisor, ICTA. A detailed presentation on the operations NCA and the Key generation ceremony was given by Mr. Rohana Palliyaguru, Director-Operations of Sri Lanka CERT. This was followed by the Key Generation ceremony which was carried out step by step by the staff of Sri Lanka CERT, in the presence of WebTrust Auditors.

The ceremony was attended by the Task Force Co-Chair, R. A. A. Jayalath (Asst. Governor, Central Bank) and Task Force Members, Rohan Seneviratne (DGM, CEB), Waruna Sri Dhanapala (Additional Secretary Digital Infrastructure & Information Technology, Ministry of Defence), Channa De Silva (CEO Lanka Clear), Mrs. S.G.A.R.K.R. Seneviratne (Additional Secretary Technical, MOD) and Lal Dias (CEO, Sri Lanka CERT). In addition, a number of other dignitaries including Rohan Fernando (Chairman, SLT), Oshada Senanayake (DG, TRCSL) and Mahinda Herath, ICTA CEO attended this formal ceremony.

Seeds for the Future Programme 2019

Huawei, one of the leading global provider of Information and Communications Technology (ICT) infrastructure and smart devices, recently sponsored the fourth batch of top ICT undergraduates studying at local universities of Sri Lanka, providing them with an opportunity to study and gain work experience at Huawei’s headquarters in China, under their global CSR flagship program Seeds for the Future. A graduation ceremony to show appreciation for the students that participated in the program was held recently at the Huawei CIS, Colombo.

The 2019 batch of Sri Lankan students that participated in Huawei’s Seeds for the Future CSR program travelled to China where they spent two weeks from the 30th of November to the 14th of December. The students gained a clear understanding of how cutting edge technologies such as 5G, LTE and cloud computing work, whilst getting a hands-on experience in such technologies through most advanced laboratories.

This year, Anura Dissanayake, Secretary to Ministry of Higher Education, Technology and Innovations, Liang Yi, CEO – Huawei Sri Lanka, Yang Zuoyuan Counsellor, Economic and Commercial Office of the Embassy of China in Sri Lanka, and Officials from Ministry of Information & Communication Technology participated at the Graduation Ceremony

These students were rewarded at the graduation ceremony for the engagement that they displayed throughout this ICT and cultural education trip to China. The program agenda included studying ICT technologies, operating equipment in labs, studying Huawei's corporate culture and management experience, visiting Huawei's exhibition halls and campuses, learning about Chinese culture, and visiting local historical scenic spots.

Originally launched in Sri Lanka in 2016, together with Government of Sri Lanka, the Huawei Sri Lanka Representative Office fully sponsors 10 Sri Lankan University students to China for an ICT and culture trip once a year through the Huawei Seeds for the Future program. With a MoU signed at Huawei Headquarters with the Sri Lankan Government in 2016, Huawei contributes immensely to boost Sri Lanka to a digitally empowered nation.


Ministry of Digital Infrastructure and Information Technology


Data Protection Legislation finalized by Ministry of Digital Infrastructure and Information Technology

The Personal Data Protection Legislation, defining measures to protect personal data of individuals held by banks, telecom operators, hospitals and other personal data aggregating and processing entities, has now been finalized by the Ministry of Digital Infrastructure and Information Technology. The final draft of the Bill, prepared by the Legal Draftsman Department and the Data Protection Drafting Committee of the Ministry, will be released through the website by the Ministry of Digital Infrastructure and Information Technology this week.

The drafting of the Legislation was initiated by Hon. Ajith P. Perera, Minister of Digital Infrastructure and Information Technology on 5th February 2019. This latest version released, is based on modifications done to the previously released Data Protection Framework, published by the Ministry on 12th June 2019. However, substantial modifications were made to the said Framework, based on consultations held with key stakeholders as well as feedback received from them.

The Legislation will be implemented in stages. The entire Bill will come into operation within a period three (03) years from the date the Speaker certifies the Bill. This would provide sufficient time for Government and private sector to take adequate steps to implement this legislation. The Data Protection authority is required to be established within 18 months.

Several obligations have been imposed by this legislation on those who collect and process personal data (“Controllers” and “Processors”) and whole new set of rights have been given to citizens under this new legislation, which are known as “Rights of data subjects”.

For instance, personal data could be collected only for a specified purpose and not for any other purpose that is incompatible with the said purposes. However, processing data in public interest, scientific or historical research will not be considered incompatible. Personal Data has to be processed in a manner to ensure appropriate security, including protection against accidental loss, destruction or damage.

Data subject (individuals) will have the right to withdraw his or her consent given to Controllers and will also have the right to rectify the data without undue delay. Further, the Data Subjects have been given the right to object to processing of their data. These rights of data subject can be exercised directly by the individuals with the Controller, who are required to respond within a defined time period and is obliged to give reasons for refusing to meet the request or reasons why the Controller would refrain from further processing the said data. The individual has a right of appeal against the decision of Controller to the Data Protection Authority.

Although the original Framework had provisions for the mandatory registration of Controllers, this requirement has been removed in the latest version. Instead, the Drafting Committee has deliberated and introduced specific and comprehensive transparency and accountability obligations on Controllers. The accountability obligations would require the Controllers to implement internal controls and procedures, known as a “Data Protection management Program”, in order to demonstrate how it implements the data protections obligations imposed under the Act.

The Legislation also prohibits Controllers who process personal data from sending unsolicited messages, unless the individuals have given express consent. Provisions have also been included to deal with relationships between controllers and third parties who process personal data on their behalf.

Importantly, administrative penalties have been introduced with a ceiling instead of fines calculated on the global turnover of the controllers.

The drafting Committee had also taken into account international best practices, such as the OECD Privacy Guidelines, APEC Privacy Framework, Council of Europe Data Protection Convention, EU General Data Protection Regulation and laws enacted in other jurisdictions such as United Kingdom, Singapore, Australia and Mauritius, Laws enacted in the State of California as well as the Indian Bill, when formulating the said draft Legislation.

The Ministry of Digital Infrastructure and Information Technology, in partnership with other entities, conducted two rounds of stakeholder discussions. In addition, targeted group discussions were held with other stakeholder communities, including Bank Chief Information Officers, Health Informatics Unit of the Ministry of Health and representatives of the Right to Information Commission. In addition, the proposed legal framework was reviewed by an Independent Review Panel led by Hon. K. T. Chithrasiri, former Justice of the Supreme Court of Sri Lanka and Prof. Savithri Goonesekera.

The Data Protection Drafting Committee was led by Jayantha Fernando (Chair/ Convenor), and comprised Yamuna Ranawana and Thushari Vitharana (Legal Draftsman’s Dept), Kanchana Ambahawita & Niluka Herath (Central Bank of Sri Lanka), Sunali Jayasuriya (ICTA), Sanduni Wickramasinghe (Mobitel), Trinesh Fernando and Shenuka Jayalath (Dialog PLC).

24th September 2019

Data protection Bill 2019-10-03 -Amended - FINAL - Click here



'National Digital Policy' outlines Sri Lanka’s digital agenda for 2020 to 2025. It provides a high-level principles and conceptual framework for the country to achieve sustained digital economic development and growth through the creation of an Innovative Economy and an Effective Government.


Sri Lanka Digital Economy Strategy

“Sri Lanka has the choice of being a future player or sitting on the bench of Asia’s growing digital economy boom. Being left on the bench is clearly not a desirable option for Sri Lanka’s vibrant youthful population.”
- “Is Sri Lanka sitting on the bench of Asia’s booming digital economy”, Lakshman Kadirgamar Institute of International Relations and Strategic Studies
Technology has reshaped businesses, industries, and economies. It has opened up greater access to the economy for small and medium enterprises, and empowered individuals to become content creators and service providers. The already rapid pace of change we have seen in the past decade is expected to further accelerate in the decade ahead.
Against this backdrop, Sri Lanka must prepare our businesses, workers and people for the digital economy that is upon us. The digital economy will bring new possibilities and opportunities as it transforms businesses, industries, jobs and lifestyles.