Cybercrime policies/strategies
The government has taken many policy initiatives to address the threats against its Critical National Infrastructure, its financial sectors and its citizens. Among them, it established Sri Lanka CERT-CC in 2006, which has acted as the National Centre for Cyber Security to mitigate cyber threats and incidents at a national level. CERT-CC supported the e-Government Policy in 2009 and continues to work in partnership with many public and private sectors.
In 2016, CERT-CC took the lead on the creation of the national Cyber security strategy. In it, ten key strategic areas have been identified:
- Critical Infrastructure Protection
- Legislative framework
- Research and Development
- Human Resource and capacity building
- Awareness and education
- Governance
- Public-Private, Local-International partnership
- Information sharing
- Privacy, free flow and freedom of online information
- Cyber security Technology Framework (CTF)
Currently no national cybercrime strategy exists for Sri Lanka, but sector-based initiatives exist, such as the cybercrime training strategy of the Sri Lanka Judges’ Institute (SLJI).
Under the SLJI supervision and coordination, a national judicial training program on cybercrime has been completed in 2019, which provided basic knowledge on cybercrime and electronic evidence to the whole judicial system of Sri Lanka (High Court, District Judges and Magistrates). A total of more than 200 judges were trained by a pool of national trainer justices from the Supreme Court and the Court of Appeal, trained as trainers under the GLACY+ framework.
With regard to regional policy developments, Sri Lanka took a leading role in the South-South collaboration effort by facilitating initial discussions between the CoE and governmental representatives of Fiji, Ethiopia, Nepal and Papua New Guinea.
Cybercrime legislation
State of cybercrime legislation
The primary statutes that deal with offences such as, unlawful access to a computer, data or network, illegal use of malware, undertaking denial of service attacks, unlawful interception and illegal use of data are dealt with in these authorities.
- Computer Crimes Act No. 24 of 2007
- Payment Devices Frauds Act No. 30 of 2006
- Intellectual Property Act No. 36 of 2003
Substantive law
Sri Lanka has passed into law the Cyber Crime Act 2007, which has made a number of the requisite articles offences within its jurisdiction.
The Criminal Code- as amended by the Amendment Acts No. 5 of 2005 and No. 22 of 2006 deals in s. 286 a-d with child pornography and related issues.
Procedural law
Provisions about investigative powers can be found in the Criminal Procedural Act (1979). In addition to the powers of the general Procedural Code and for use in specific areas, investigative powers can be found in the Payment Device Fraud Act No. 30 of 2006 and last but not least in the Computer Crimes Act No. 30 of 2006.
Safeguards
Safeguards are provided under the Computer Crime Act (no. 24 of 2007), section “Powers of search and seizure with warrant” and “Rights of certain persons arrested for offences under this Act”.
Related laws and regulations
There are other statutes that support the implementation of the Budapest Convention for Cyber Crime. These include:
- Mutual Assistance in Criminal Matters Act No. 25 of 2002 (Amended in 2018)
- Prevention of Money Laundering Act No. 5 of 2006 (Amended by Act No. 40 of 2011)
- Financial Transactions Reporting Act No. 6 of 2006
The Mutual Assistance in Criminal Matters (Amendment) Act has been passed in 2018, act that provides for the rendering of assistance in criminal matters by Sri Lanka and specified countries.
In addition, it is worth noticing that in 2019, Sri Lanka worked on finalising its legislation on cyber security and on data protection.
The Cybersecurity Bill passed all the preliminary procedural stages and it is waiting for cabinet approval and enactment. The objectives of the Act is to ensure the effective implementation of the National Cyber Security Strategy in Sri Lanka, prevent, mitigate and respond to cyber security threats and incidents effectively and efficiently, set up the Cyber Security Agency of Sri Lanka and to empower the institutional framework to provide a safe and secure cyber security environment; and protect the Critical Information Infrastructure.
The Data Protection Bill was finalized in 2019 and will come into operation within a period three years from the date the Speaker certifies the Bill. This would provide sufficient time for Government and private sector to take adequate steps to implement this legislation. The Data Protection authority is required to be established within 18 months.
Specialised institutions
The Cyber Crime Unit (“CCU”) in the Sri Lanka Police is one of the units positioned within the Criminal Investigation Department (“CID”). The CCU conducts investigations into pure cyber-crime (e.g. Hacking and Malware) and cyber enabled crime, either with the allegation reported to them directly to their unit or referred from the district police officers elsewhere within the Sri Lanka Police. Victims of cybercrime may also make a criminal allegation using the e-report form available from the Sri Lanka Police public website.
The CCU can count on a fully operational digital forensics lab and on the competencies of a number of police officers that have been certified professional digital forensics analysts.
The protection of children is undertaken by two agencies in Sri Lanka. The first agency is the Child Protection Agency, under the National Child Protection Authority (NCPA). The second one is the Children and Women Bureau under the Sri Lanka Police.
The centralised unit for investigating economic crime or financial crimes is the Financial Crimes Investigation Division. It carries out investigations into serious financial fraud, misuse of state assets or funds, cases that require intellectual skills and complex in nature.
The School of Computing in the University of Colombo supports the Sri Lanka Police by undertaking part of the digital forensic examination work needed. They set up a Digital Forensic Centre in 2011. They have been playing a key role in assisting the Sri Lanka Police and the Criminal Investigation Department since 2003 in a variety of crime investigations.
There is no specialised prosecution department for dealing with cybercrime. Any case may be allocated to any State Prosecutor and there is no special training program in cybercrime available for State Prosecutors. Electronic evidence is covered by the Evidence Ordinance, which along with the Code of Criminal Procedure Act, also cover expert evidence (please see Section 3 above).
Computer Crime Act prosecutions are always held in the High Court before a Judge and are not heard before a jury.
International cooperation
Jurisprudence/case law
Sources and links
National And Information CyberSecurity strategy (2019-2023)
Mutual Assistance In Criminal Matters (Amendment) Act, No. 24 Of 2018
Electronic Transactions Act, No. 19 Of 2006
Computer Crime Act, No. 24 Of 2007
Payment Devices Frauds Act, No. 30 Of 2006
Criminal Procedural Act (1979)
Penal Code (amended in 2018, 2006, 1995)
These profiles do not necessarily reflect official positions of the States covered or of the Council of Europe.
Are you aware of the latest legislative or policy developments on cybercrime and electronic evidence?
Share this information with us helping to keep this platform up to date.
- Cybercrime website
- Template: Mutual Legal Assistance Request for subscriber information (Art. 31 Budapest Convention). English and bilingual versions available.
- Template: Data Preservation Request (Articles 29 and 30 Budapest Convention). English and bilingual versions available.