Data & Privacy ยท Brunei
Data protection & privacy law in Brunei (2026)
Brunei shaded by its data & privacy status
Data protection in Brunei: comprehensive law, under Personal Data Protection Order 2025 (S 1/2025), supervised by the Authority for Info-Communications Technology Industry of Brunei Darussalam (AITI).
Brunei Darussalam enacted its first comprehensive personal data protection statute, the Personal Data Protection Order 2025 (PDPO), gazetted on 8 January 2025, with key operative provisions commencing 1 January 2026 following a one-year grace period. The law applies to private-sector organisations and NGOs, grants data subjects enforceable rights, and designates AITI as the supervisory authority. The public sector remains outside the PDPO's direct scope.
Key points
The PDPO was gazetted as Subsidiary Legislation S 1/2025 on 8 January 2025 after approval by His Majesty the Sultan. Key operative parts commenced 1 January 2026, with a one-year compliance grace period for organisations to align practices.
The PDPO covers private-sector companies and NGOs (including those handling data on behalf of public bodies). Government agencies and public-sector bodies are expressly excluded and remain governed by existing instruments such as the Official Secrets Act (Cap. 153).
Individuals are granted rights to be informed of data-collection purposes, to access and correct their personal data, to opt in or out of processing, and to withdraw consent at any time. A private right of action is also available to data subjects.
Organisations subject to the PDPO must appoint at least one Data Protection Officer responsible for ensuring compliance. AITI published a formal Guide for Appointment of Data Protection Officers (Version 1.0, June 2025) to support implementation.
The Authority for Info-Communications Technology Industry of Brunei Darussalam (AITI) is the designated data-protection regulator. AITI operates a dedicated PDP portal, issues guidance, and runs a Competency Programme for DPOs leading to CIPM certification.
Non-compliance penalties reach 10% of Brunei annual turnover for organisations with turnover exceeding BND 10 million, or BND 1 million otherwise; criminal sanctions include up to BND 10,000 fine or 3 years imprisonment. Cross-border transfers are addressed via the ASEAN Data Management Framework and Model Contractual Clauses framework.
Timeline - major decisions & events
AITI released its first official guidebook on DPO appointment requirements under the PDPO 2025, detailing qualifications, responsibilities, and accountability structures. This is the primary compliance reference for private-sector organisations during the phased implementation.
AITI (Authority for Info-communications Technology Industry of Brunei Darussalam) โA formal Councils of State session spotlighted the newly enacted PDPO and the broader Digital Economy Masterplan's data-governance pillar, signalling continued legislative commitment to data-protection reform beyond the PDPO's own grace period.
Department of Councils of State, Brunei โEnacted by Royal approval and gazetted as S 1/2025, the PDPO covers all private-sector and NGO processing of personal data, creates individual rights (consent, access, correction, withdrawal), mandates DPO appointment, and imposes penalties of up to 10 % of annual turnover (or BND 1 million). AITI was designated the Data Protection Authority, with enforcement to begin after a one-year compliance grace period.
Attorney General's Chambers, Brunei Darussalam โBrunei's first comprehensive cybersecurity statute (later codified as Chapter 272) established mandatory obligations for critical-information-infrastructure owners, empowered Cyber Security Brunei (CSB) to conduct audits and issue binding directions, and created breach-reporting duties. It is a key complement to the PDPO's data-security obligations.
Attorney General's Chambers, Brunei Darussalam โAfter reviewing submissions from government agencies, businesses, and civil society, AITI published its consolidated response refining the proposed PDPO's scope, exemptions, and enforcement model. This document shaped the final 2025 Order.
AITI (Authority for Info-communications Technology Industry of Brunei Darussalam) โAITI issued a formal consultation paper proposing a comprehensive data-protection framework for private-sector entities, the first structured step toward a dedicated data-protection statute. It sought feedback on core principles, consent mechanisms, enforcement, and an oversight authority.
AITI (Authority for Info-communications Technology Industry of Brunei Darussalam) โThe Ministry of Transport and Infocommunications launched Brunei's first five-year digital economy roadmap, which explicitly identified a Personal Data Protection Order and a Cybersecurity Order as foundational policy outputs needed for the country's Smart Nation vision.
Ministry of Transport and Infocommunications (MTIC), Brunei โThe 2000 Computer Misuse Act (S 65/00) was consolidated and updated as Chapter 194 of the Laws of Brunei, retaining criminal offences for unauthorised computer access, data modification, interception, and obstruction, providing the baseline for data-security enforcement prior to the PDPO.
Attorney General's Chambers, Brunei Darussalam โBruCERT was created as the national government CERT to coordinate detection, analysis, and prevention of cybersecurity incidents. It became the central hub for international CERT liaison and set the operational foundation for what later became Cyber Security Brunei.
Cyber Security Brunei (CSB) โBased on the UNCITRAL Model Law on Electronic Commerce, this Order granted legal recognition to electronic records and digital signatures, enabling secure digital transactions and establishing foundational rules for data authenticity that underpin later data-governance obligations.
Attorney General's Chambers, Brunei Darussalam โBrunei - other topics
Data & Privacy in other countries
Last verified 5/24/2026 ยท Orientation, not legal advice - verify against the primary sources linked above. Methodology & how to cite ยท Explore the full world map โ