Caribbean Data Protection and Privacy Laws

Please visit our DPO Updates Page for further discourse on the region's developments in data protection and privacy.

Anguilla Data Protection Law

Entry into Force: N/A

Regulatory Authority: N/A

Overview: There is currently no data protection legislation for Anguilla. The Constitution provides for the fundamental rights and freedoms concerning the protection for the private and family life of a person.

Antigua and Barbuda Data Protection Act, 2013 

Entry into Force: On Assent

Regulatory Authority: Information Commissioner

Overview: The DPA promotes the protection of personal data processed by public and private bodies and promote transparency and accountability by providing for certain data subject rights, privacy and data protection principles, and conferring on the Information Commissioner the role of carrying out and enforcing the protection of data pursuant to the Act.        

Bahamas Data Protection (Privacy of Personal Information) Act, 2003

Entry into Force: 2007

Regulatory Authority: Office of the Data Protection Commissioner

Overview: The Act seeks to protect the privacy of individuals concerning personal data and to regulate the  processing of certain information relating to individuals by providing for data subject rights, obligations of data controllers and conferring on the Data Protection certain roles pursuant to the Act. 

Barbados Data Protection Act, 2019

Entry into Force: March 2021, with certain exceptions

Regulatory Authority: Data Protection Commissioner

Overview: The Act regulates the processing of personal data and the protection of the individual privacy of individuals in relation to their personal data by providing for data protection principles, rights of data subjects, obligations of data controllers and data processors, and conferring the role of the Data Protection Commissioner.

Belize Data Protection Act, 2021

Entry into Force: by Order in the Gazette

Regulatory Authority: Data Protection Commissioner

Overview: The Act regulates the processing of personal data and the protection of the privacy of individuals in relation to their personal data by providing for the rights of data subjects, data protection principles, obligations of data controllers and processors, conferring the role of the Data Protection Commissioner, and establishing the Data Protection Tribunal.

Bermuda Personal Information Protection Act, 2016  and

Personal Information Protection Amendment Act 2023

Entry into Force: Partially in force. Fully in force on 1 January 2025

Regulatory Authority: Privacy Commissioner

Overview: The Act regulates the processing of personal information by establishing the Privacy Commissioner, specifying certain obligations of organisations, general principles and rules regarding data protection, rights of individuals, and certain exclusions of the Act.

BVI Data Protection Act, 2021

Entry into Force: 9 July 2021

Regulatory Authority: Office of the Information Commissioner

Overview: The Act regulates the protection of personal data processed by public and private bodies by establishing the OIC, specifying privacy and data protection principles, rights of data subjects, and certain obligations of data users and data processors.

The Cayman Islands Data Protection, 2021 Revision

Entry into Force: 30 September 2019

Regulatory Authority: The Ombudsman

Overview: The Act regulates the processing of personal data and the protection of the privacy of individuals in relation to their personal data by providing for the rights of data subjects, data protection principles, obligations of data controllers and data processors, and conferring the role of the Ombudsman.

Cuba Personal Data Protection Act, 2022, Ley No. 149

De Protección De Datos Personales

Entry into Force: February 2023

Regulatory Authority: The Ministry of Justice (El Ministro de Justicia)

Overview:  The Act regulates the right of individuals to the protection of their personal data by specifying data protection principles, obligations in relation to the use and processing of personal data by public and private persons or entities, and information of a nature public nature.

Dominica Data Protection Law

Entry into Force: N/A

Regulatory Authority: N/A

Overview: No data protection legislation for Dominica was identified. The Constitution, provides for the fundamental rights and freedoms concerning the protection for the privacy of a person's home and other property.

Dominica Republic Protection of Personal Data Law, Law No. 172-13 for the Protection of Personal Data

Entry into Force: N/A

Regulatory Authority: The Ombudsman, and in relation to SICs, the Superintendent of Banks.

Overview: The Act regulates the privacy of individuals and the protection of personal data recorded in archives, public records, data banks or other technical means of data processing intended to provide reports, whether public or private.

Grenada Data Protection Act, 2023

Entry into Force: by Order in the Gazette

Regulatory Authority: Information Commission

Overview: The Act seeks to promote the protection of personal data processed by public and private bodies by establishing the Information Commission, specifying privacy and data protection principles, rights of data subjects, and certain obligations of data users and data processors.

Guyana Data Protection Act, 2023

Entry into Force: by Order in the Gazette

Regulatory Authority: Data Protection Office

Overview: The Act regulates the processing of personal data and the protection of the privacy of individuals in relation to their personal data by providing for the rights of data subjects, data protection principles, obligations of data controllers and data processors, establishing the Data Protection Office, and conferring the role of the Data Protection Commissioner.

Haiti Data Protection Law

Entry into Force: N/A

Regulatory Authority: N/A

Overview: No data protection legislation for Haiti was identified.

Jamaica Data Protection Act, 2020

Entry into Force: Certain sections on 1 Dec 2021/2023

Regulatory Authority: Office of the Information Commissioner

Overview: The Act sets out the rights of data subjects, data protection standards, obligations of data controllers and enforcement provisions. The Act also establishes the Office of the Information Commissioner. The Act provides for a 2-year transitional period and the government also granted a 6-month grace period to allow data controllers to comply.

Montserrat Data Protection Law

Entry into Force: N/A

Regulatory Authority: N/A

Overview: No data protection legislation for Montserrat was identified. The Constitution provides for the fundamental rights and freedoms concerning the protection for the privacy of a person's home and other property.

Saint Kitts and Nevis Data Protection Act 2018

Entry into Force: by order in the Gazette

Regulatory Authority: Information Commissioner

Overview: The Act seeks to promote the protection of personal data processed by public and private bodies by specifying privacy and data protection principles, rights of data subjects, and certain obligations of data users and data processors.

Saint Lucia Privacy and Data Protection Act (Cap 8.18)

Entry into Force: Certain provisions in 2023

Regulatory Authority: Data Protection Commissioner

Overview: The Act provides for the protection of individuals in relation to personal data and regulates the processing of personal information by specifying the appointment of the Data Protection Commissioner, data protection principles, rights of data subjects, registration and obligations of data controllers, and PIA requirements.

Saint Vincent and the Grenadines Privacy Act, 2003

Entry into Force: by Order in the Gazette

Regulatory Authority: Privacy Commissioner

Overview: The Act provides for the promotion and protection of the privacy of individuals by regulating the processing of personal information by public authorities and provides certain rights to individuals relating to personal information.

Suriname Privacy and Personal Data Protection Bill (2020)

Entry into Force: N/A

Regulatory Authority: Data Protection Commissioner (Proposed)

Overview:  There is currently no data protection law in Suriname. The current Bill seeks to impose legal obligation to handle that personal data responsibly by establishing an independent data protection authority, rights relating to individuals, and obligations of controllers and processors.

Trinidad and Tobago Data Protection Act, 2011

Revised Data Protection Bill in progress

Entry into Force: Certain provisions in 2012 and 2021.

Regulatory Authority: Office of the Information Commissioner

Overview:  The Act provides for the protection of personal privacy and information, establishes an Office of the Information Commissioner, and provides for certain obligations concerning the protection of personal data by public and private entities

Turks and Caicos Islands Data Protection Law

Entry into Force: N/A

Regulatory Authority: N/A

Overview:  No national data protection legislation for Turks and Caicos was identified. The Constitution provides for the fundamental rights and freedoms concerning the protection for the privacy of a person's home and other property.

Privacy Act, 1985

Personal Information Protection and Electronic Documents Act, 2000

Bill to enact the Consumer Privacy Protection Act

Regulatory Authority: Office of the Privacy Commissioner

Overview: The PIPEDA seeks to support and promote electronic commerce by protecting personal information that is processed in certain circumstances. 

Regulation (EU) 2016/679 (General Data Protection Regulation) 

Regulatory Authority: Competent Supervisory Authority

Overview: Repeals directive Directive 95/46/EC and seeks to continue to harmonise the protection of fundamental rights and freedoms of natural persons in respect of processing activities and to ensure the free flow of personal data between Member States.

Ghana Data Protection Act, 2012

Regulatory Authority: Data Protection Commission

Overview: The Act establishes the Data Protection Commission and makes provision for the regulation of the processing of personal data, the principles of data protection, the rights of data subjects, obligations of data controllers and data processors, and registration requirements.

Kenya Data Protection Act, 2019

Regulatory Authority: Data Protection Commissioner

Overview: The Act establishes the Office of the Data Protection Commissioner and makes provision for the regulation of the processing of personal data, the rights of data subjects and obligations of data controllers and data processors including registration.

Singapore Personal Data Protection Act, 2012

Regulatory Authority: Personal Data Protection Commission

Overview: The Act governs the processing of personal data by organisations, establishes the Do Not Call (DNC) Registry, and designates the Info‑communications Media Development Authority as the regulator.  

The latest amendments took effect in phases from 1 February, 2021.

The UK's Data Protection Act 2018

Regulatory Authority: Information Commissioner Office, UK

Overview: The Data Protection Act reflects the UK's implementation of the EU General Data Protection Regulation (GDPR). The Act regulates the processing of personal information relating to individuals used by organisations, businesses and the government.