Data protection & privacy laws in Papua New Guinea (2026)

PNG lacks a standalone, comprehensive personal-data protection statute. The 2024 policy is a government-approved framework document, not enacted legislation; it explicitly anticipates future legislation to give it legal force.

Finalised by DICT on 27 March 2024, the policy establishes principles of data minimisation, purpose limitation, accuracy, and cross-border data-flow governance for both public and private sectors. The ICT Minister announced it was 'ready to be put into law' in May 2024.

Act No. 35 of 2016 criminalises unauthorised access, data espionage (up to 15 years imprisonment or K100,000 fine for corporations), and cyber-attacks, providing limited criminal-law protections for personal data integrity but no civil data-subject rights.

This older statute provides baseline protections for the privacy of private communications but does not address modern data processing, profiling, or digital personal-data rights.

PNG has no independent data protection authority. The DICT holds policy responsibility for data governance; NICTA (National Information and Communications Technology Authority) is the sector-wide ICT regulator. The 2024 policy envisages establishing a dedicated Data Protection Authority once legislation is enacted.

As part of the 2024 policy rollout, the ICT Minister announced plans to recommend PNG's membership in the APEC Cross-Border Privacy Rules (CBPR) Forum to the National Executive Council, signalling intent to align with international data-transfer standards.