Sri Lanka’s AI Ambitions Require Strong Data Governance Foundation 📈

• Overview: President Anura Kumara Dissanayake at the AI Impact Summit 2026 emphasized updating legal frameworks for personal data and cyber security to foster a responsible ICT/BPM ecosystem. While the draft National AI Strategy aims to integrate AI into public services, legal clarity on the "data layer" remains a critical hurdle. • Data Protection Challenges: • The Personal Data Protection Act (PDPA) No. 9 of 2022 currently applies to "publicly available data," creating compliance risks for AI models trained on web-scraped information. • Calls are growing for regulatory guidance on "disproportionate effort" exemptions and "legitimate interests" to align with global trends like the EU’s Digital Omnibus and Japan’s revised laws. • Intellectual Property (IP) Risks: • Under the IP Act No. 36 of 2003, the use of Sinhala and Tamil language materials for training LLMs faces uncertainty. • It is unclear if AI training qualifies as "fair use"; experts recommend a licensing regime to protect creators while encouraging homegrown AI models. • Policy Gaps: • The data governance landscape remains fragmented; the National Data Sharing Policy has been in draft form for over a decade. • Experts stress that AI innovation requires machine-readable data and a cohesive framework to move beyond the current policy stagnation. _Source: Based on LIRNEasia’s "Data Governance Framework in Sri Lanka" report (May 2026)._