Data protection & privacy laws in Bahamas (2026)

The Data Protection (Privacy of Personal Information) Act 2003 (in force 2007) was among the first comprehensive data protection laws in the Caribbean, grounded in the 1980 OECD Privacy Guidelines. The 2025 Act repeals and replaces it to reflect contemporary international standards.

The Office of the Data Protection Commissioner (dataprotection.gov.bs) serves as the independent supervisory authority. It investigates complaints, issues enforcement and prohibition notices, conducts assessments, and acts as a privacy Ombudsman for the public and private sectors.

Data subjects hold rights to access, correction, and deletion of personal data, to object to direct marketing, and to be notified of disclosures. The 2025 Act significantly expands these rights to give individuals greater control aligned with GDPR-era standards.

Data controllers must register with the Commissioner, adhere to eight data protection principles (lawful collection, purpose limitation, data minimisation, accuracy, retention limits, security, individual rights, and transfer restrictions), implement security measures, and notify the Commissioner and affected individuals in the event of a data breach. Fines reach up to BSD $100,000.

The 2025 Act introduces explicit provisions on cross-border transfers of personal data, prohibiting transfer to jurisdictions without adequate protection — a rule already present in the 2003 Act but now substantially strengthened.

The 2025 Act expressly addresses biometrics, artificial intelligence, fintech, digital assets, e-commerce, and cloud computing — areas not covered by the 2003 Act — reflecting the government's digital transformation strategy.