Saturday, April 18, 2026

Fuel pass and privacy: Sri Lanka’s data protection law faces its first real test

Speed Read:

  • The national fuel pass system collects consumers’ sensitive personal data, including the national identity card number, contact details, and vehicle information, creating a centralized database of millions of citizens.
  • Though citizens’ personal data is purportedly protected through the Personal Data Protection Act No. 9 of 2022, it is not yet fully enforced, leaving gaping holes in accountability and compliance.
  • Digital rights experts and activists warn of serious privacy, transparency, and cybersecurity risks tied to centralized data systems.
  • With limited clarity on data usage, storage, and retention, the latest controversy highlights growing concerns over whether Sri Lanka’s digital transformation is outpacing its safeguards.

COLOMBO—Sri Lanka’s push toward digital governance is entering a critical phase and not without controversy. The reintroduction and expansion of the National Fuel Pass (NFP) system, a platform that aggregates vast amounts of citizen data, has sparked renewed debate over privacy, legality, and state accountability. At the heart of the issue lies a pressing question: Is Sri Lanka ready to protect the very data it is rapidly collecting?

The debate has gained urgency as the country sits in a transitional legal moment. The Personal Data Protection Act No. 9 of 2022 has been enacted but is yet to be fully enforced, creating a gray area where large-scale data systems operate without the full weight of regulatory oversight.

Privacy nightmare

Digital rights advocate Sanjana Hattotuwa described the NFP as a landmark case in this evolving landscape. “This is the first instance where a platform of this scale, collecting millions of records, has been launched after the passage of the Act,” he noted, framing it as a precursor to broader government-led digitalization initiatives expected in the near future.

At a functional level, the system serves a clear purpose: managing fuel distribution, preventing hoarding, and ensuring equitable access. But the scale and sensitivity of the data collected have raised significant concerns. Users are required to provide national identity card or passport details, vehicle registration numbers, phone numbers, and residential addresses. In effect, multiple layers of personal data are consolidated under a single identifier.

Hattotuwa did not mince words about the rollout. “The platform itself has been a complete technical nightmare,” he said, pointing to widespread public frustration as thousands struggled to register due to persistent glitches. While these technical failures dominated early public discourse, he emphasized that deeper structural issues, particularly around privacy, were initially overlooked.

One of the most concerning revelations, according to Hattotuwa, was that the system launched with an outdated privacy policy dating back to 2022, predating the data protection framework. “That policy was completely non-compliant,” he said, calling it a “major red flag” that suggested a lack of legal preparedness.

Although a revised privacy policy was issued shortly after public scrutiny intensified, he argued that the changes fell far short. “Out of around 30 areas assessed, only a handful were fully compliant. The majority were either partially compliant or entirely non-compliant,” he explained. “Even when prompted to revise the policy, the outcome suggests a lack of capacity, urgency, or genuine commitment to compliance.”

Technical failures dominated early public discourse as new registrants struggled with the system, but the system also has structural issues that affect privacy.

Technical glitches

For Hattotuwa, the implications are particularly serious because of the system’s nature. He described the NFP as “critical national infrastructure,” a platform essential to the functioning of the country. “We now have a system of national importance that is almost entirely non-compliant with the very law designed to protect citizen data,” he noted.

He also raised unresolved questions around transparency: Where is the data stored? Who has access to it? Is it hosted locally or overseas? The absence of a clearly identified Data Protection Officer (DPO), despite this being a requirement under the law, was highlighted as another major gap.

Beyond legal compliance, Hattotuwa pointed to global precedents to underscore the risks. Large-scale breaches linked to India’s Aadhaar system under the Unique Identification Authority and a major data leak in Ecuador demonstrate how centralized databases can become targets for cyberattacks, negligence, or misuse. “Sri Lanka now has a platform that is potentially vulnerable to the same kinds of threats,” he cautioned.

He drew a clear line between public awareness and state responsibility. “It is not the public’s responsibility to ensure systems are lawful or secure. That duty lies with the state,” he said, adding that the lack of official communication in the days following the platform’s launch only deepens public concern.

Echoing these concerns, digital rights activist and tech policy researcher Saritha Irugalbandara spoke to CIR on the broader implications of centralized data collection and public awareness.

She pointed out that while such systems may be necessary for service delivery, they create high-value, high-risk data environments. “When you centralize data in this way, especially under a single identifier like the NIC, it significantly increases both the value and the vulnerability of that dataset,” she said.

Irugalbandara emphasized that transparency is critical. Systems like the NFP must clearly establish the legal basis for data collection and communicate how that data will be processed. However, she noted that in practice, consent is often tied to necessity. “It becomes less about informed consent and more about necessity,” she explained, highlighting how users are required to agree in order to access essential services like fuel.

She further flagged the absence of clear data retention policies as a key concern. “There should be a clearly defined timeframe for how long personal data will be stored,” she said, noting that such omissions leave users uncertain about how long their information remains in state systems.

At the same time, Irugalbandara acknowledged a broader behavioral issue: many users do not read privacy policies in full. But this does not shift responsibility, she noted. “At the very least, State agencies must meet the minimum requirements set out in the law,” she said, stressing the need for purpose limitation, informed consent, and safeguards against misuse.

Not aligned with new law

Offering a legal perspective, technology law consultant and research fellow Ashwini Natesan highlighted the complexities of the current legal environment.

Natesan emphasized that while the Personal Data Protection Act was passed in 2022, it has not yet come into force. It was originally due to come into operation in 2025, but subsequent amendments have pushed back the enforcement date.

“The Act is not yet in force,” Natesan noted, underscoring that although it was expected to be operational earlier, revised timelines are expected soon. Until those enforcement dates are finalized, institutions, including government entities, are not legally bound by its provisions.

This distinction is critical when assessing claims that the NFP system breaches the law. “Strictly speaking, since the Personal Data Protection Act is not yet in force, there could be areas that don’t comply with the Act, but this period where the law is passed but not yet in force is called the grace period for compliance,” she explained. However, this does not mean that data collection practices operate in a vacuum.

Even in the absence of enforceable legislation, organizations are expected to adhere to the commitments outlined in their own privacy policies. These documents, often overlooked by users, function as binding agreements that govern how personal data is collected, used, and shared.

“If data is being shared with third parties, that information should be clearly stated in the privacy notice,” Natesan said. “Users can, and should, check whether such disclosures are made. If there are concerns, they still have the option to write to the relevant organization/entity collecting the data and seek further information or clarification.”

This places a degree of responsibility on both institutions and citizens. On the one hand, data collectors must ensure transparency and consistency with their stated policies. On the other hand, users must navigate an increasingly complex digital environment where consent is often given without scrutiny.

Natesan acknowledged this reality. “On a daily basis, we agree to countless privacy notices, whether they are cookies on websites or app permissions. Even as a technology law professional, I don’t read every policy in full,” she said. This widespread disengagement, while understandable, weakens the practical effectiveness of consent-based data protection.

The situation is expected to change once the law is enforced. Under the act, individuals will gain stronger rights over their personal data, including the ability to withdraw consent even after initially agreeing to a privacy policy. This marks a significant shift from the current framework, where such protection is limited.

Until then, the focus remains on best practices rather than legal obligations. Natesan noted that government entities, in particular, should proactively align with the principles of the act, even before it becomes enforceable. “It would be ideal if institutions began following these standards now,” she said, noting that early compliance would build public trust and ensure a smoother transition once the law takes effect.

The debate also reflects differing interpretations among experts. While some argue that the mere existence of the Act necessitates immediate compliance, others, like Natesan, point to the legal reality that enforcement is an important factor.

Data at risk

This divergence highlights a necessity: Sri Lanka’s regulatory framework must keep pace with these developments. Systems like the NFP were introduced as urgent solutions during times of crisis, prioritizing efficiency and accessibility. However, their long-term sustainability depends on robust safeguards for user data.

For now, Sri Lanka finds itself in an interim phase caught between legislative intent and practical enforcement. As the country moves closer to operationalizing its data protection regime, the scrutiny surrounding initiatives like the fuel pass system is likely to intensify.

The conversation is no longer optional. In an era where data is both a resource and a risk, the question is not just whether laws exist, but whether they are ready, relevant, and rigorously applied. The differing perspectives highlight a central tension: while the law exists, its practical application remains incomplete. For some, this demands immediate alignment; for others, enforcement is the key threshold.

What is clear, however, is that Sri Lanka’s regulatory framework is being tested in real time. Systems like the NFP, introduced as urgent solutions during times of crisis, now sit at the intersection of efficiency and rights.

As the country accelerates its digital transformation, the stakes are rising. The question is no longer whether data will be collected but whether it will be protected.

In this evolving landscape, the national fuel pass may well become a defining case. One that determines not just the credibility of a single platform, but the future of data governance in Sri Lanka.

Reporting and Editing: Gagani Weerakoon

This story was produced with support from Report for the World, a global media service strengthening local independent journalism.
