Data & Privacy · Palau
Data protection & privacy law in Palau (2026)
Palau shaded by its data & privacy status
Data protection in Palau: sectoral rules, under No comprehensive data-protection statute; privacy is addressed through sector-specific rules (Freedom of Information Act privacy provisions at 6 PNCA §§ 205-206, telecommunications confidentiality rules, banking secrecy) and the constitutional right to privacy (Palau Constitution Art. IV). No dedicated data-protection supervisory authority exists..
Palau has not enacted a comprehensive, GDPR-style personal-data protection law and has no dedicated data-protection supervisory authority. Privacy obligations are dispersed across sectoral instruments — government-records privacy provisions in the Freedom of Information Act (6 PNCA), telecommunications confidentiality, banking secrecy, and criminal provisions on non-consensual intimate imagery — while a recently Senate-passed Cybersecurity Act (SB 12-9, October 2025) focuses on cyber-infrastructure rather than personal-data rights and still requires House passage.
Key points
Palau lacks an omnibus personal-data protection statute equivalent to the EU GDPR. Analysts consistently describe the country as having regulatory gaps in data protection, with obligations arising only from scattered sectoral instruments.
Title 6 of the Palau National Code (Freedom of Information Act), at §§ 205-206, requires agencies holding personal information to protect it against loss, unauthorized access, modification, disclosure or misuse, and prohibits retention beyond the lawful purpose. These are public-sector rules, not private-sector data-protection rules.
The Telecommunications Act contains confidentiality obligations for electronic communications and subscriber data, and banking legislation imposes customer-information secrecy — the principal private-sector data-handling obligations in force today are found in these sectoral licensing regimes.
Palau has not established a Data Protection Authority or Privacy Commissioner. Sector regulators (telecommunications, financial supervision) enforce their own confidentiality rules via licence conditions; there is no cross-sectoral privacy regulator or breach-notification regime of general application.
In October 2025 the Palau Senate unanimously passed Senate Bill No. 12-9 SD1, the Cybersecurity Act, which would create a Bureau of Cybersecurity under the Ministry of Public Infrastructure and Industries headed by a CISO. It targets critical-infrastructure security and incident response rather than establishing personal-data rights, and still requires House of Delegates approval.
The Ministry of Finance issued a Cyber Security Regulation for the Palau Digital Residency Program, imposing information-security controls on that specific programme and its operators — an example of Palau's programme-specific rather than economy-wide approach to personal-data protection.
Palau - other topics
Data & Privacy in other countries
Last verified 7/1/2026 · Orientation, not legal advice - verify against the primary sources linked above. Methodology & how to cite · Explore the full world map →