Data protection & privacy laws in Marshall Islands (2026)

The Personal Data Protection Act 2025 applies to 'core Government ministries and agencies that may collect, use, store, process, disclose or transfer personal data of natural persons.' It does not establish general obligations for private-sector data controllers, leaving commercial data handling outside a comprehensive regime.

The Act takes effect twelve (12) months after the date of certification, so as of mid-2026 the operative obligations and enforcement machinery were only beginning to apply.

The Act designates a 'competent authority' with duties and enforcement powers and the ability to make regulations under the Administrative Procedure Act 1979; its officers and engaged persons must keep personal data confidential. Previously the RMI had no dedicated data-protection authority.

The Act sets out personal-data-protection principles binding on core Government, and includes provisions for complaints, remedies, compliance, and a private right of action for affected individuals.

Article II of the RMI Constitution guarantees personal autonomy and privacy, and the Criminal Code criminalizes unlawful eavesdropping, surveillance and breach of privacy of messages — partial protections that pre-date and sit alongside the 2025 Act.

The data-protection law accompanies the Digital Transformation and Identity Verification Act 2025 and a planned digital-ID rollout; further instruments (a digital transactions bill, cybersecurity programme and harmful digital communications law) are targeted by around August 2028, signalling the framework is still developing.