Cybersecurity · Bahamas
The Bahamas relies on a fragmented set of domain-specific laws — principally the Computer Misuse Act 2003 and Data Protection Act 2003 — rather than a single comprehensive cybersecurity statute. There is currently no mandatory breach-notification or incident-reporting duty, though a Data Protection Bill 2025 under parliamentary consideration would introduce GDPR-inspired requirements including mandatory breach notification. A Cabinet-approved National Cybersecurity Strategy was launched in December 2024, establishing a policy road-map but not yet backed by new primary legislation.
The Computer Misuse Act 2003 is the sole Bahamian law addressing cybercrime directly, criminalising unauthorised access, modification, and interception of computer systems, as well as disclosure of access codes. It carries extraterritorial jurisdiction when either the accused or the affected computer was in The Bahamas at the time of the offence.
Under the Data Protection Act 2003, data controllers must implement appropriate technical and organisational security measures, but there is currently no statutory obligation to notify the Data Protection Commissioner or affected individuals of a data breach. The Commissioner has issued voluntary guidance on managing security breaches.
A draft bill tabled in Parliament in 2025 would repeal and replace the 2003 DPA with a GDPR-inspired regime covering biometrics, AI, cloud computing, and digital assets. It explicitly introduces a 'Notification of breach of personal data' obligation and establishes a statutory Office of the Data Protection Commissioner.
The Cabinet-approved National Cybersecurity Strategy, launched at a December 2024 workshop, sets out five pillars: cybersecurity governance, national incident prevention and response, critical information infrastructure protection, cybersecurity awareness and skills, and international cooperation. It is a policy instrument, not a binding legal framework.
Governs electronic signatures, data retention for communications, intermediary liability, and electronic evidence. It complements but does not substitute for dedicated cybersecurity legislation; ISPs and hosts receive limited safe-harbour protections.
The Bahamas is listed in the Council of Europe Octopus Cybercrime Community as an observer but has not ratified the Budapest Convention on Cybercrime. It has engaged with the OAS, ITU, and US Embassy for technical assistance in developing its cybersecurity strategy and a national CERT.
Machine-assisted translation · verified 5/24/2026 · orientation, not legal advice.