VottsUp

Thursday, July 3, 2025

Critical Review (July 3, 2025): Sri Lanka's Draft Cloud Policy


Critical Review of Sri Lanka's Draft Cloud Policy & Sovereign Cloud Strategy

By: Sanjaya Gunasiri (An Independent Policy Critic).

The Information and Communication Technology Agency of Sri Lanka (ICTA) has called for public input on two pivotal documents: "Towards a Sovereign Cloud Strategy for Sri Lanka" and "Revised Cloud Policy and Procurement Guidelines for Interim Use." While the intent is commendable, a deeper look reveals significant gaps that could compromise national sovereignty, economic independence, and citizen rights.

1. Foreign Dominance: The Missing Legal Firewalls

The draft enables hyperscalers (e.g., AWS, Azure) to operate locally but fails to enforce vital safeguards:

  • No requirement for mandatory joint ventures with Sri Lankan entities
  • Insufficient localization mandates for critical sectors like health or defense
  • Absence of restrictions on foreign cloud infrastructure ownership

Recommendation: Introduce strict legal barriers:

  • Mandate data residency (locally) for all sensitive data
  • Ban foreign authentication control and ensure authentication is controlled locally (e.g., Singpass model from Singapore, prevent citizen ID access)
  • Require Sri Lankan oversight and joint ventures (51%+ local ownership)

2. Technofeudalism & Vendor Lock-In Risks

The policy lacks mechanisms to counteract big tech dominance. There's no support for open-source cloud alternatives or anti-monopoly frameworks.

Recommendation:

  • Mandate open-source cloud platforms (OpenStack, Kubernetes)
  • Ensure data portability and avoid vendor lock-in
  • Introduce preferential procurement for local providers

3. Digital Sovereignty Still Out of Reach

Public-private partnerships are emphasized, but no sovereign cloud or national exit strategy exists.

Recommendation:

  • Launch a state-owned sovereign cloud (e.g., "LankaStack")
  • Set up a "Sovereign Cloud Fund" to build homegrown cloud infrastructure
  • Mandate government-held encryption keys and domestic KMS

4. Data Sovereignty & Monetization Control

Current Gap:
Foreign and domestic entities currently exploit Sri Lankan user data without transparency, compensation, or consent—leading to economic leakage and loss of digital sovereignty.

Policy Amendments:

  1. Ban on Non-Consensual Data Monetization
    • No entity (foreign or domestic) may monetize personal/personally identifiable data (PIDs) of Sri Lankan citizens without:
      • Explicit, informed consent from each individual (opt-in, not opt-out).
      • Granular control (users must approve specific use-cases, e.g., ads, AI training).
    • Anonymized/pseudonymized datasets may be monetized only if:
      • Approved by the Data Protection Authority (DPA).
      • Revenue is shared via a National Data Fund (10% levy).
  2. Individual Rights Over Data Value
    • Right to Compensation: Users must be paid directly or via public benefits if their data generates commercial profit (e.g., health data used for pharmaceutical research).
    • Right to Audit: Users may request full disclosure of how their data was monetized and by whom.
  3. Foreign Firm Restrictions
    • Data Taxation: Foreign firms monetizing Lankan data must pay a 15% "Data Sovereignty Fee" on gross revenue derived from such activities.
    • Local Partnerships: Required for any data-driven business (e.g., AI firms must partner with Lankan universities/startups).
    • No Unilateral Exports: Raw or minimally processed data cannot leave Sri Lanka without DPA approval.
  4. Penalties for Violations
    • First offense: 4% of global revenue or LKR 200M (whichever is higher).
    • Repeat offenses: Criminal liability for executives + ban on operating in Sri Lanka.

5. Security Gaps and AI Exploitation Threats

The draft doesn’t account for AI-related data exploitation risks or enforce zero-trust architecture. Propose a "Sri Lanka Cloud Security Tier Framework (SL-CSTF)" with encryption protocols and storage guidelines by data sensitivity. Emphasize Zero-Knowledge Encryption, government-held keys, and local HSMs.

Recommendation:

  • Prohibit foreign AI training on Sri Lankan data without consent
  • Ban biometric data processing by foreign providers
  • Require ethical AI audits and multi-tier security standards

6. Comparative Global Lessons

Insights from global leaders can offer Sri Lanka actionable models:

  • India's MeghRaj: Open-source sovereign cloud, strict localization
  • EU's GAIA-X: Federated model, GDPR-grade user protections
  • Singapore's GCC: Balanced global-local model with local control over auth & encryption
  • China (with caution): Mandatory JV model, AI training restrictions

7. GDPR Gaps: Weak User Rights & Enforcement

Unlike GDPR, the draft lacks robust individual rights, extraterritorial enforcement, and a true independent Data Protection Authority.

Key Shortcomings:

  • No "Right to be Forgotten" or data portability
  • No GDPR-style financial penalties
  • Conflict of interest in enforcement bodies

Solution: Enact a standalone Data Protection Act with GDPR-grade features and an independent DPA.

Final Thoughts

ICTA’s draft policy is a good first step, but to safeguard Sri Lanka’s digital future, it must go further. We must avoid becoming a digital tenant in our own land. Real sovereignty demands more than compliance—it requires control, transparency, and local innovation.

Submitted to: policy@icta.lk | Deadline: July 04, 2025
