In Sri Lanka, one piece of legislation has fueled debate over the country’s future in internet freedom. Now, that same law is about to undergo its biggest test yet.
Sri Lanka’s newly elected government is preparing to amend the Online Safety Act (OSA), which has faced heavy public and legal scrutiny since its inception in September 2023. First introduced as the Online Safety Bill, the legislation was presented by the former government as a measure to tackle cybercrimes, including data theft, child abuse, and online fraud. By October 2023, nearly 50 petitions had been filed challenging it before the Supreme Court. Despite criticisms, the draft bill was passed in January 2024.
Critics argue that the OSA violates Article 14(1) of the Sri Lankan Constitution, which protects freedom of speech and expression and may disproportionately affect already-marginalized communities in the country. In February 2024, the Human Rights Commission of Sri Lanka published a statement noting that the Supreme Court had found over thirty clauses and omissions in the Bill to be inconsistent with the Sri Lankan Constitution, and that the final Act failed to fully comply with the Court’s required amendments.
Governments worldwide are stepping up efforts to regulate online spaces in response to digital threats. International frameworks like the European Union’s Digital Services Act and Australia’s Online Safety Act, alongside established guidelines from UNESCO and the Manila Principles, offer proven blueprints for balancing digital safety with fundamental rights. The question for Sri Lanka’s new government is whether it can adopt global best practices to align the OSA with rights-based principles.
Gaps in the Drafting Process
It remains unclear who was formally involved in drafting Sri Lanka’s OSA. The only known consultations were behind closed-door meetings with various technology companies without a public draft being released for review. A Right to Information request revealed the names of several individuals linked to the process, though some later denied involvement or stated they had resigned.
In contrast, the European Union’s Digital Services Act (DSA), implemented in early 2024, is widely regarded as a rights-based regulatory model shaped by broad stakeholder engagement. It emerged through extensive consultation with civil society, academics, technology platforms, national governments, and digital rights organisations. A public consultation was held to gather feedback ahead of the draft proposal, which was submitted in December 2020 along with an impact assessment informed by that feedback.
The extensive EU consultation process ensured that, despite differing national laws, the DSA reflects input from nearly all major stakeholders across the European Union. Australia followed a similar approach in developing their Online Safety Act (2021). An exposure draft of the Bill was released in 2020, followed by an eight‑week public consultation. After receiving over 370 submissions, several revisions were made to the Bill, including clarification on coverage, takedown scheme and strengthening of decision review mechanisms.
Centralized Enforcement and Lack of Oversight
Beyond how Sri Lanka’s OSA was drafted, its enforcement through a centralized structure without adequate oversight has raised several concerns. At the heart of the legislation sits the Online Safety Commission (OSC), a presidentially-appointed body empowered to define “prohibited statements” and order content removals. The OSA’s vague definitions of illegal or harmful content give the OSC wide discretion, including the power to recommend prosecutions without judicial oversight. If found guilty by the OSC, individuals may face criminal penalties. Perhaps most concerning is that users affected by content removals or account restrictions under the OSA have no structured appeal mechanism or guaranteed right to seek redress.
In comparison, Australia’s Online Safety Act empowers an independent eSafety Commissioner backed by a multidisciplinary team including legal, policy, and technology experts. It allows users to request internal reviews of eSafety Commissioner decisions and pursue judicial review if necessary. It also engages with industry and civil society actors, both domestically and internationally, and includes individuals with lived experience of online harms to support a more expert-informed approach to regulation. The Act establishes defined schemes that address specific categories of harm in order to enable more consistent and accountable enforcement.
Reflecting a similar rights-based approach, the EU’s DSA decentralises enforcement assigning responsibilities to national Digital Services Coordinators, civil society groups, trusted flaggers and out-of-court dispute resolution bodies. It also requires platforms to provide justifications for any flagged or removed content, and users are granted the right to appeal within six months if they believe their content was unfairly targeted.
Further, the 2015 Manila Principles on Intermediary Liability call for any content takedown request to be based on public criteria and grounded in due process. This means that users receive intelligible reasons for any takedown and a chance to contest those decisions. The 2023 UNESCO Guidelines for the Governance of Digital Platforms advance the Manila Principles into the regulatory domain, and identify transparency as an overarching duty for states and companies alike. The Guidelines request platforms to publish auditable policies, explain how automated and human reviewers make decisions on content removal, and support independent oversight mechanisms that ensure users have access to timely and effective redress.
In February 2025, Sri Lanka’s Cabinet agreed to amend the OSA, appointing a multi-sectoral committee chaired by a Supreme Court judge. Three months later in May 2025, the Cabinet Spokesperson and Mass Media Minister publicly committed to making the legislation “more people-friendly.” This momentum comes as international scrutiny continues to grow.
In April 2025, the EU raised concerns about OSA and laws like Prevention of Terrorism Act, warning that the legislations were factored into decisions about trade privileges. At stake was the country’s access to the Generalised Scheme of Preferences Plus (GSP+), a special arrangement that allows countries like Sri Lanka to export goods to the EU at reduced or zero import tariffs. In 2010, Sri Lanka lost access to GSP+ for seven years due to alleged human rights violations and its failure to effectively implement three key UN conventions. In a statement issued at the conclusion of his visit to Sri Lanka in June 2025, United Nations High Commissioner for Human Rights Volker Türk raised concerns about the OSA and called for its repeal.
Risk of Legal Misuse and the Path Forward
Without proper safeguards and independent oversight, OSA may lead to unintended consequences and potential misuse. Over the years, several laws in Sri Lanka, such as the aforementioned Prevention of Terrorism Act have been criticized for its application in cases involving journalists and human rights activists in Sri Lanka. Similarly, the Antiquities Ordinance has reportedly been applied in ways that disproportionately affect Tamil and Muslim minority communities through state claims over unregistered land for archaeological purposes.
To address concerns about the unchecked powers proposed for the OSC, there could be an initiative to restructure it as an independent, pluralistic body free from political influence. Structural reform alone won’t suffice. The OSA’s Achilles’ heel is its susceptibility to misuse due to vague language and that calls for careful and precise reform. Consideration should be given to ensuring that platforms and users receive clear notice and have the right to appeal enforcement actions.
Clearer definitions of illegal and harmful content, together with provisions for judicial or impartial review, may be considered as ways to reduce the risk of arbitrary enforcement in cases where criminal liability could arise. In the absence of such safeguards, the OSA may prompt continued concerns similar to those associated with other laws viewed as limiting dissent and fundamental freedoms in Sri Lanka.
Sri Lanka still has the opportunity to shape a rights-respecting legal framework around online safety by considering international best practices. For months, there have been growing calls for the newly elected government to address the initial concerns surrounding the enactment of the OSA. The demands are refreshingly simple: transparency where there was once secrecy, and consultation where there was once exclusion.
On August 13, in a positive step forward, a public notice was issued inviting citizens, local and international media to submit their observations, comments, recommendations, and suggestions on amending the Online Safety Act. This marks the first phase of broader community engagement, including the need to consult stakeholders who were excluded from the original drafting process, such as civil society, digital rights advocates, and legal experts. As the new government embarks on the consultation process, the blueprint for success is already available in international best practices. The question is whether Sri Lanka’s leaders have the political wherewithal to follow it.