Power Plays: The uncomfortable position between governments and tech companies

By Saritha Irugalbandara

A year and a half since its dramatic entrance into Sri Lanka’s legal ecosystem, the Online Safety Act (OSA) remains a political hot potato. Although the OSA originated from the Ministry of Public Security, the Ministry of Mass Media is now looking to make amendments to the law. This renewed discussion is also accompanied by Sri Lanka’s ambitions for expanding digital public infrastructure and economy.

Since it was rushed through the legislative process in 2023, the OSA has been one of the most controversial laws introduced by the previous administration led by Ranil Wickremesinghe. Amnesty International slammed it as a “major blow to freedom of expression”. Others have criticised it on the basis of serious implications for privacy, pointing to how this could harm already marginalised groups like the country’s LGBTQ+ community.

The OSA was indubitably a response to the 2022 people’s movement that had been largely mobilised through social media and private messaging platforms. The mass protests against the government led to the eventual resignation of President Gotabaya Rajapaksa, who temporarily fled the country. Within days of being appointed the caretaker president, Ranil Wickremesinghe — who had previously been the prime minister — made it his first order of business to brutally disperse protesters occupying Galle Face Green, a park in the heart of Colombo. His second order of business: announcing that measures were underway to introduce a law to regulate social media, drawing inspiration from regulations in Singapore.

The role of Facebook in the 2018 Digana anti-Muslim riots — during which two people were killed and hundreds of Muslim-owned homes and businesses were attacked — was a watershed moment that snowballed into a vibrant and diverse movement of digital rights activists, legal experts, researchers, policy analysts, journalists, academics, trade unions and think-tanks in Sri Lanka. Although this movement failed to prevent the passage of the OSA years later, it managed to exert enough pressure to compel the government to reconsider the law’s implementation in its current form. Civil society continues to grapple with the convergence of state and corporate tech power, and Sri Lanka presents an important litmus test for the Global South’s ability to resist regulatory capture while confronting what experts in South Asia call the “contagion effect”, referring to situations in which “emerging markets in South Asia are implicitly compelled to adopt governance frameworks and regulations set by dominant markets, primarily in Australia, Canada, the European Union (EU), and the United States”.

The lack of transparency from Big Tech on their actual moderation practices is a global issue. By downsizing their trust and safety teams, leaving the moderation of content in non-English languages largely under-resourced, and blowing hot-and-cold when engaging civil society, the tech companies have by and large failed to build trust — especially in the Global South — in their commitment to even the most basic safety standards. However, there are rare moments when the interests or concerns of civil society and Big Tech appear to align, creating opportunities for civil society lobbying.

This was seen when the Asia Internet Coalition (AIC) — an industry association focused on internet policy in the Asia-Pacific region, with companies like Meta, Google, Apple and Amazon among its members — released a statement within ten days of the gazetting of the Online Safety Bill in 2023, expressing concern at the lack of stakeholder consultations and the law’s potential to “dampen innovation by restricting public debate and the exchange of ideas that can consequently impact the digital economy”. A lengthier policy submission followed in December that year, pointing to concerns that “overbroad and vague definitions of terms such as ‘facts,’ ‘false statements,’ and ‘feelings of ill-will’ also raise the concern for significant abuse, misunderstanding and threats to users’ ability to access and use information and knowledge”. Big Tech’s corporate interests were more clear in other parts of the policy submission: another key concern raised was the need for “safe harbour” provisions that reduce liability thresholds for companies for harmful content published on their platforms.

According to a newspaper owned by the then-Public Security Minister, a meeting between the ministry and “civil society and media reps” took place in October 2023. But many civil society actors who’d been working on the issue hadn’t been invited; participants had been selected through backchannel communications. The ministry later also met the AIC in Singapore, but the outcome of these consultations have never been publicly divulged by the ministry, the AIC or other parties. When the amendments were tabled, many in civil society pointed out that no substantive changes had been made in relation to concerns about freedom of expression and privacy. Instead, the amendments focused on reducing the liability of technology companies. There had been no genuine, meaningful consultations, but many of us expected this from a government that had already demonstrated its authoritarian tendencies and its lack of interest in fostering goodwill with civil society.

This experience with the OSA reminds me of another instance in which the AIC had been involved in tech regulation in Sri Lanka. In 2022, the AIC represented Big Tech in providing input on SAFEWebLK, a Sri Lankan initiative to develop a voluntary code of practice akin to New Zealand’s Code of Practice for Online Safety and Harm. SAFEWebLK was positioned as the first attempt in Asia to create such a code and was meant to be the product of a collaborative process involving the tech industry, civil society, mass media, government and academia. To make it relevant to the local context, a series of public consultations were held to gather insight into the online safety issues that needed to be prioritised. It all seemed promising at the time: the draft and review processes were led by a team of diverse experts, public consultations included many different communities and identities, and industry engagement, through AIC, seemed forthcoming.

Promise can help build, but it can also blind. Within months of its launch in 2022, New Zealand’s Code of Practice for Online Safety and Harm was being scrutinised by the country’s government and civil society. Some criticised it for being a fig leaf for Big Tech’s attempts to pre-empt and deflect strong regulation. Concerns about the code being an industry-led effort to subvert New Zealand’s institutions and online safety mechanisms began to surface. These critiques should have been a warning for us in Sri Lanka; ultimately, the tech industry unilaterally decided that SAFEWebLK was not worth pursuing beyond a third iteration and abandoned it in early 2023. Whether this decision came from a lack of faith in a Global South country’s ability to implement a voluntary code, or perhaps because a more lucrative opportunity had come up for these companies, is worth a post-mortem.

The power dynamic between Big Tech and the Global South has always been uneven; a relationship sustained by empty platitudes from the former and polite smiles from the latter. As someone involved in the final months of active work on SAFEWebLK, I wonder, two years later, whether it’s even possible for the Global South to engage in a truly consultative process with Big Tech to produce mutually beneficial frameworks. Such processes require good faith and a working relationship premised on common values. What could under-resourced “small markets” possibly have in common with trillion-dollar companies wielding unprecedented power, resources, and influence?

Where New Zealand’s code of practice might have been a fig leaf, SAFEWebLK may have unfortunately paved a road to greater gains for the tech industry with the draconian OSA — with little market power or political leverage to actually hold companies liable, the full weight of the state’s authoritarian tendencies can be aimed strictly at its population with greater ease. Although the AIC did adopt some of the same language as rights-focused advocates in communicating issues at the early stages of the OSA, we cannot make the mistake of assuming that such trade lobbies will do any more than what they were created for. Their terms of engagement are bound to prioritise their bottom lines: reducing intermediary liabilities, pushing for safe harbour guarantees, and ensuring that their consumer bases aren’t threatened.

This is not to fault Sri Lankan civil society for engaging with the AIC on either SAFEWebLK or the OSA, or even to caution against continued engagement. The boulder needs to be pushed up the hill by any means necessary. I am, however, urging an interrogation and rethink of civil society’s modes of advocacy for meaningful regulatory frameworks, especially since we’re operating from a structural disadvantage. Although the AIC’s statements were heartening for civil society resisting the OSA, in hindsight they might have also worked to further centralise state power over the digital space and strengthen the channels of communication between the state and Big Tech. The transparency that civil society demands of both tech companies and states should not be compromised for incremental change — especially if such change comes at the cost of inadvertently betraying causes and solidifying the opacity of these public–private engagements.

As Sri Lanka’s new National People’s Power government embarks on its own trajectory of digitalisation with bold promises of a new “digital economy”, SAFEWebLK and the OSA should be homegrown cautionary tales of executive power and corporate–state solidarity for profit. Anti-tech nationalism has been replaced with the more attractive e-nationalism: unique digital IDs, data monopolisation and centralisation, biometrics, and surveillance architecture will soon become part of economic development strategies.

We should learn from developments elsewhere: India’s Aadhaar, the world’s largest biometric ID system, is a well-covered example of how “Big ID” has failed people and exacerbated structural discrimination — sometimes to the point of costing people their lives. Given these problems, it was a cause for serious concern to see Aadhaar’s chief technology officer at the 2025 Sri Lanka Digital Public Infrastructure Summit, sharing the stage with a plethora of private telecommunications companies, banks and lenders, and the digital economy ministry. Digital rights groups and activists were notably absent at the event. The dialogue had been facilitated by the United Nations Development Programme (UNDP), who also promoted the event aggressively on their websites. The elite capture of such a discussion was clear. The UNDP can hardly be considered a civil society organisation, much less a representative of Sri Lanka’s civil society sector. Furthermore, the Ministry of Digital Economy is headed by the country’s president, and its senior advisors consist of former private telecommunications bigwigs. Little concern was raised about the potential for executive overreach and the opacity around the development of public–private partnerships shaping Big ID architecture.

At the time of writing, consultations to amend the OSA, once again, have yet to materialise. When they do, they shouldn’t be closed-door discussions; they need to be open for public comment and involvement to be meaningful. The continued opacity around the inner workings of the state’s digital public infrastructure plans are worrying; economic development cannot once again be grounds for public–private power consolidation to trump people’s right to safety and privacy. This should especially be the case for a political party that secured its victory on the back of the people’s demands for systemic change. We cannot simply depend on politicians to do the right thing. Civil society will have to, once again, take on the responsibility of pushing for and facilitating transparency.

Saritha Irugalbandara is a queer feminist from Sri Lanka. Their analysis, writing and activism lies at the intersection of gender, technology, expression and accountability.