Data & Privacy ยท Bahamas
Data protection & privacy law in Bahamas (2026)
Bahamas shaded by its data & privacy status
Data protection in Bahamas: comprehensive law, under Data Protection Act, 2025 (assented 9 December 2025; replaces the Data Protection (Privacy of Personal Information) Act, 2003). Supervisory authority: Office of the Data Protection Commissioner..
The Bahamas has maintained a comprehensive data protection regime since 2003, making it one of the earliest Caribbean nations to enact such a law. The Data Protection Act 2025, which received Royal Assent on 9 December 2025 and is published in the Official Gazette under principal legislation, replaces the 2003 Act with a modernised GDPR-influenced framework covering biometrics, AI, cloud computing, and digital assets. The Act will come into force on a date appointed by the Minister by Gazette notice, with phased implementation planned.
Key points
The Data Protection (Privacy of Personal Information) Act 2003 (in force 2007) was among the first comprehensive data protection laws in the Caribbean, grounded in the 1980 OECD Privacy Guidelines. The 2025 Act repeals and replaces it to reflect contemporary international standards.
The Office of the Data Protection Commissioner (dataprotection.gov.bs) serves as the independent supervisory authority. It investigates complaints, issues enforcement and prohibition notices, conducts assessments, and acts as a privacy Ombudsman for the public and private sectors.
Data subjects hold rights to access, correction, and deletion of personal data, to object to direct marketing, and to be notified of disclosures. The 2025 Act significantly expands these rights to give individuals greater control aligned with GDPR-era standards.
Data controllers must register with the Commissioner, adhere to eight data protection principles (lawful collection, purpose limitation, data minimisation, accuracy, retention limits, security, individual rights, and transfer restrictions), implement security measures, and notify the Commissioner and affected individuals in the event of a data breach. Fines reach up to BSD $100,000.
The 2025 Act introduces explicit provisions on cross-border transfers of personal data, prohibiting transfer to jurisdictions without adequate protection, a rule already present in the 2003 Act but now substantially strengthened.
The 2025 Act expressly addresses biometrics, artificial intelligence, fintech, digital assets, e-commerce, and cloud computing, areas not covered by the 2003 Act, reflecting the government's digital transformation strategy.
Timeline - major decisions & events
The Data Protection Act, 2025 was published in the Official Gazette of The Bahamas as principal legislation, replacing the 2003 Act with a GDPR-aligned framework that mandates breach notification, expands personal data definitions to include biometric and genetic data, codifies data-subject rights (access, correction, erasure), and requires registration of all data controllers and processors.
Official Gazette of The Bahamas (laws.bahamas.gov.bs) โMembers of Parliament examined novel provisions covering biometric and genetic data, the right to erasure, and mandatory breach-notification windows, marking the first substantive legislative update to the Bahamas privacy framework in over two decades and drawing regional attention to the bill's GDPR-inspired architecture.
Biometric Update โPM Philip Davis addressed the House of Assembly on the Data Protection Bill 2025, positioning the legislation as the cornerstone of the country's digital economy strategy and pledging that citizens would gain meaningful control over their personal data for the first time.
Office of the Prime Minister of The Bahamas (opm.gov.bs) โThe Data Protection Commissioner launched a formal 30-day public consultation on the draft Data Protection Bill 2025, the first comprehensive reform proposal since 2003, drawing on GDPR principles and the findings of an ECLAC review that identified significant deficiencies in the existing law.
Office of the Data Protection Commissioner, The Bahamas (dataprotection.gov.bs) โGovernor General Cynthia Pratt's address opening the parliamentary session included a formal commitment to enact modernised data protection legislation, the first official signal that the 2003 Act would be comprehensively replaced rather than merely amended.
Nassau Guardian โThe UN Economic Commission for Latin America and the Caribbean reviewed The Bahamas' data protection framework and found material deficiencies, no breach-notification obligation, limited data-subject rights, weak enforcement tools, compared to GDPR and contemporary international standards, providing the analytical foundation for the 2025 reform.
Bahamas Official Gazette โ Data Protection Bill 2025 Consultation Document (citing ECLAC review) โCommencement Order S.I. 25/2007 brought the Data Protection (Privacy of Personal Information) Act 2003 into legal effect and the Office of the Data Protection Commissioner was activated, making The Bahamas one of the first Caribbean states with a functioning, independent data-protection supervisory authority.
Bahamas Financial Services Board (bfsb-bahamas.com) โThe Bahamas enacted its foundational data-protection statute, modelled on the 1980 OECD Privacy Guidelines and applicable to both public and private sector data processing, making The Bahamas a regional pioneer and the first Caribbean nation to pass a comprehensive personal-data protection law.
Statute Law of The Bahamas (laws.bahamas.gov.bs) โBahamas - other topics
Data & Privacy in other countries
Last verified 5/24/2026 ยท Orientation, not legal advice - verify against the primary sources linked above. Methodology & how to cite ยท Explore the full world map โ