Data protection & privacy laws in Kiribati (2026)

The Data Protection Bill 2025 passed its first parliamentary reading on 1 April 2025 and is recorded by the Digital Watch Observatory as a promulgated Act. It supersedes the earlier non-binding Data Protection Policy of January 2022 and is explicitly modelled on the Australian Privacy Act and New Zealand Privacy Act 2020.

The Digital Transformation Office (DTO), housed within MICT, is the designated enforcement body empowered to investigate complaints, issue compliance orders, and impose fines; serious offences may also attract imprisonment.

The Act covers personal data processing by both private entities and government bodies relating to individuals in Kiribati, with extraterritorial reach applying in specified circumstances where data concerning Kiribati residents is processed abroad.

Individuals hold rights to access their personal data, request correction or erasure, withdraw consent, and protection from solely automated decisions that significantly affect them.

Data controllers must process personal data lawfully, fairly, and transparently; apply data minimisation and retention limits; maintain data quality; and implement technical and organisational security safeguards, including encryption.

Entities must notify the DTO and affected individuals of harmful data breaches; non-compliance can trigger significant financial penalties or criminal liability including imprisonment.