Data protection & privacy laws in Brunei (2026)

The PDPO was gazetted as Subsidiary Legislation S 1/2025 on 8 January 2025 after approval by His Majesty the Sultan. Key operative parts commenced 1 January 2026, with a one-year compliance grace period for organisations to align practices.

The PDPO covers private-sector companies and NGOs (including those handling data on behalf of public bodies). Government agencies and public-sector bodies are expressly excluded and remain governed by existing instruments such as the Official Secrets Act (Cap. 153).

Individuals are granted rights to be informed of data-collection purposes, to access and correct their personal data, to opt in or out of processing, and to withdraw consent at any time. A private right of action is also available to data subjects.

Organisations subject to the PDPO must appoint at least one Data Protection Officer responsible for ensuring compliance. AITI published a formal Guide for Appointment of Data Protection Officers (Version 1.0, June 2025) to support implementation.

The Authority for Info-Communications Technology Industry of Brunei Darussalam (AITI) is the designated data-protection regulator. AITI operates a dedicated PDP portal, issues guidance, and runs a Competency Programme for DPOs leading to CIPM certification.

Non-compliance penalties reach 10% of Brunei annual turnover for organisations with turnover exceeding BND 10 million, or BND 1 million otherwise; criminal sanctions include up to BND 10,000 fine or 3 years imprisonment. Cross-border transfers are addressed via the ASEAN Data Management Framework and Model Contractual Clauses framework.