Domestic law and policy
Sri Lanka’s civil registration is regulated by the Births and Deaths Registration Act (1954).[26] The Registration of Persons (Amendment) Act (2016) mandates that all citizens 15 years of age and older must register for an NIC.[27] This amended Act also provides that biometrics, including the applicant’s fingerprint, will be taken.[28] Under the Act, there is an avenue for addressing grievances related to applications of registration through the Registration of Persons Tribunal.[29] There is yet to be legislation made specifically for the e-NIC system. There is no definition of the NIC or e-NIC provided by Sri Lanka’s legislation.
With support from the World Bank and Asian Development Bank, Sri Lanka’s digital ID system was modeled in collaboration with Indian companies and its Unique ID card project has been funded by India since early 2022.[30] This raises concerns for data sovereignty and security.[31] Sri Lanka’s State Technology Minister Kanaka Herath has “emphasized the need to address data security issues and obtain authorization from the Public Security Ministry before proceeding with the [SL-UID] project”.[32] The India-funded project is yet to be cleared by the Public Security Ministry for full implementation.[33] When an MOU was signed between Sri Lanka and India solidifying this collaboration in 2022, an opposition lawmaker, Harin Fernando, warned that India’s support in the development of SL-UID “could allow the country access to the data of Sri Lankans”.[34] MOSIP, a non-profit inspired by the Aadhaar system and with core advisors who are “some of the original architects of Aadhaar”, also partnered with Sri Lanka in the development of its digital ID system.[35] Moving to a system similar to Aadhaar would raise potential concerns for centralized data storage, and could also lead to “third-party access, authentication records, and real-time surveillance”.[36]
Data Protection
Sri Lanka’s Personal Data Protection Act (2022) stipulates the lawful collection and use of personal data, including the rights of data subjects in line with international standards of data protection.[37] It mandates the responsibility of data ‘controllers’, stipulating that “every controller should ensure that personal data is processed for a specified, explicit, and legitimate purposes” only.[38] It is unclear whether the National Register of Citizens, responsible for operating the e-NIC system, is considered to be a ‘data controller’ under this Act.[39] Part II of the Act states that data subjects shall have the right to access their personal data and the right to withdraw their consent for data processing as well as request their personal data be erased, except in cases of national security, public order, investigations, criminal procedures, among others.[40] Conditions for lawful processing of personal data include consent from the data subject unless the processing is carried out in the public interest, including for health purposes or if “processing of personal data is necessary by official authorities for achieving the purposes or objects laid down by law”.[41] The Act also includes the information required to be provided to data subjects upon personal data collection in order to gain informed consent of the potential uses of their data.[42] Data controllers are also mandated under the Act to ensure “integrity and confidentiality of personal data” collected, including through encryption, pseudonymisation, anonymisation, access controls, among other methods.[43]
Under the Personal Data Protection Act (2022), controllers are required to undertake data protection impact assessments, which may entail consulting with the data protection authority who must “ensure compliance by entities with the law, conduct inquiries, hear grievances and appeals, and issue directives on entities which do not adhere to the provisions of the proposed law”.[44] The Act also mandates controllers to notify authorities and/or data subjects of data breaches.[45]
There is some contradiction between the Personal Data Protection Act and the Registration of Persons (Amendment) Act, with the latter being an “invasive model of data collection and processing” while the former aligns with international standards.[46] Further, there are concerns that “an all-encompassing mandatory digital identity system has the potential to turn into a mass surveillance system of the populace by the State” as a result of it being mandatory and “all-encompassing”.[47] The Registration of Persons (Amendment) Act (2016) provides that data collection and storage be overseen by the executive government, which could allow for the addition of new categories of data collection “without undergoing the legislative process”.[48]
International Commitments
ICESCR, ICERD, and CRC, all of which Sri Lanka is a party to, protect an individual’s right to an education under Article 13, Article 28, and Article 5 respectively.[49] However, Sri Lanka has contradicted these obligations through administrative barriers which exclude the children of stateless parents from access to birth registration, which is required in order to attend school.[50] Further, the requirement of an NIC in order to vote disproportionately excludes women, war widows and tea estate workers,[51] contradicting the right to vote under Article 25(b) of the ICCPR.[52] The inability of stateless persons and others without access to the NIC to receive a SIM card[53] also contradicts Article 19 of the ICCPR, which protects the right to “receive and impart information and ideas of all kinds”.[54]