Sri Lanka
AI behavior law: bot and agent disclosure, crawler and training-data rules, automated-agent transactions, and algorithmic decision-making.
Summary
Sri Lanka has two principal instruments relevant to web crawling. The Computer Crime Act No. 24 of 2007 (CCA) criminalises unauthorised computer access (§3), unauthorised access to commit an offence (§4), and modification of computer material (§5); it has been applied by courts in several cybercrime prosecutions. The Personal Data Protection Act No. 9 of 2022 (PDPA) — the first comprehensive data-protection law in South Asia — is phased into force from 2023 to 2025 and covers processing of personal data by entities in or targeting Sri Lanka; the Data Protection Authority is operational from 2024. No TDM copyright exception exists; fair dealing under the Intellectual Property Act No. 36 of 2003 is closed-list. No relevant case law on public-page scraping. The PDPA is rapidly evolving and needs monitoring.
Automated-access legality
Carried forward from the crawler-law index. Governs whether automated clients may access public websites in this jurisdiction.
| Dimension | Value |
|---|---|
| Authorization test | without permission |
| Public-page carve-out | unsettled |
| Terms-of-service browsewrap enforceable | unsettled |
| Terms-of-service clickwrap enforceable | yes |
| Copyright exception model | fair dealing narrow |
| Text and data mining — commercial status | prohibited |
| Text and data mining — opt-out mechanism | none |
| robots.txt legal weight | non binding notice |
| AI training-specific law | none |
| Privacy regime | PDPA 2022 (phased in force 2023–2025) |
| Trespass to chattels | not recognized |
Last reviewed: 2026-05-23. Confidence: medium. Fast-moving area — verify before relying. Not legal advice.