Reduction in Bureaucracy or Infringement upon Civil Rights? Lingering Questions about the SL-UDI
By the end of this year, the Sri Lankan government is set to release its much promoted new digital identification system: the Sri Lankan Unique Digital Identity, or SL-UDI. While the current National Identification Card system relies on administrative documents such as birth or citizenship certificates to prove citizens’ identities, the proposed SL-UDI will instead rely on biometric data, such as fingerprint and iris scans.
The program is a key component of the government’s National Digital Economy Strategy 2030. Spearheaded by the Ministry of Digital Economy, this program aims to turn Sri Lanka into a regional “digital innovation and entrepreneurship hub” through expanding Sri Lanka’s digital economy. The SL-UDI is intended to facilitate this transformation through creating a streamlined and secure way for Sri Lankans to prove their identity, both in person and online.
However, concerns have been raised about the proposed program’s potential infringement on digital privacy rights. In 2022, Sri Lanka, along with the EU and several other Asian countries, was a signatory to the Joint Declaration on Privacy and the Protection of Personal Data. Among other promises, the joint declaration claimed that signatories planned to foster protection of data and privacy rights by following “core principles” including “purpose limitation, data minimisation, [and] limited data retention” when dealing with citizens’ personal data. That same year, Sri Lanka passed the Personal Data Protection Act, which, in principle, legally upholds these same tenets.
Contrary to these promises, the government plans to use the SL-UDI to link together information on a single individual across databases, including financial transactions. This directly violates the core principles of data minimisation and purpose limitation, and would give the government an unprecedented ability to track its citizens. Given ongoing reports of government surveillance of Tamils, as well as Sri Lanka’s extensive past history of governmental infringement upon civil rights, it is difficult to believe that the government will ignore the SL-UDI’s potential for use as a surveillance mechanism.
In addition, the security of the proposed digital ID program has come under scrutiny, with many Sri Lankans worried that their biometric information will be leaked to foreign parties. The Modular Open Source Identity Platform software that is being used to create the SL-UID is not Sri Lankan but rather Indian, with the project funded by a grant from the Government of India. The Sri Lankan government has given assurances that safeguards are in place to protect citizens’ biometric data, promising that Sri Lankans will be the ones in control of the system and that biometric data will only be collected once the system has fully come under Sri Lankan management. While these promises sound good on paper, cracks have already begun to form in the government’s narrative. Legal petitions allege that the agreed-upon Indian involvement is more extensive than originally promised, raising questions about exactly how secure Sri Lankans’ data will actually be.
At first glance, the SL-UDI appears to be nothing more than a useful improvement upon the National Identification Card. It is crucial to understand, however, the significant infringement on privacy rights that the currently proposed system would cause. A close eye must be kept on the program as it is rolled out later this year, to ensure that its implementation does not reduce civil rights along with bureaucratic red tape.
References
https://mot.gov.lk/assets/files/DOCE-7285826ba315a554a816d31269c24b9b.pdf
https://echelon.lk/sri-lankas-digital-strategy-for-a-digital-future/
https://www.biometricupdate.com/202511/sri-lanka-digital-id-launch-by-q3-2026-president
https://island.lk/sri-lankas-digital-id-project-implications-risks-and-safeguards/
https://www.biometricupdate.com/202508/sri-lanka-digital-id-faces-a-legal-showdown
Last updated – March 2026