Data & Privacy ยท Papua New Guinea
Data protection & privacy law in Papua New Guinea (2026)
Papua New Guinea shaded by its data & privacy status
Data protection in Papua New Guinea: proposed, under National Data Governance & Data Protection Policy 2024 (DICT) โ finalised policy awaiting translation into legislation; no comprehensive Data Protection Act yet in force. Existing protections rest on Constitution s.49 (right to privacy) and the Cybercrime Code Act 2016 (No. 35 of 2016)..
Papua New Guinea has no comprehensive personal data protection law in force as of mid-2026. The Department of Information and Communications Technology (DICT) finalised a National Data Governance & Data Protection Policy in 2024 and is preparing implementing legislation that would create a Data Protection Commission and GDPR-style obligations; in the meantime privacy is grounded in s.49 of the Constitution, the Cybercrime Code Act 2016, and sectoral rules (telecoms via NICTA, banking via the Bank of PNG).
Key points
PNG lacks an enacted, GDPR-style personal data protection statute. The 2024 National Data Governance & Data Protection Policy was finalised by DICT and progressed for ministerial/cabinet endorsement, but it is a policy instrument, not legislation โ the implementing Act remains pending.
Section 49 of the Constitution of the Independent State of Papua New Guinea guarantees a qualified right to privacy of person, property, communications and family life, subject to laws reasonably justifiable in a democratic society.
Act No. 35 of 2016 criminalises unauthorised access, interception of data, identity theft and computer-related fraud, providing the main statutory protections for the integrity and confidentiality of personal data in the interim.
DICT is the policy lead for data governance and protection; the National ICT Authority (NICTA) regulates telecoms-sector data and content. The 2024 policy contemplates a dedicated Data Protection Commission/Office to enforce the future Act, but no independent data-protection authority is yet operational.
Confidentiality and data-handling obligations are dispersed across sectoral instruments โ e.g. the National Information and Communications Technology Act 2009 (telecoms), the Banks and Financial Institutions Act 2000 and Bank of PNG prudential standards, and the Cybercrime Code Act 2016 โ rather than a unified personal-data regime.
PNG's Cabinet (NEC) endorsed the National Digital Identity Policy 2025; the SevisPass digital ID and SevisDEx data-exchange platform are scheduled for 2026 rollout, with associated privacy/cyber-security regulations cited by DICT as the trigger for finalising the data-protection legal framework.
Papua New Guinea - other topics
Data & Privacy in other countries
Last verified 6/28/2026 ยท Orientation, not legal advice - verify against the primary sources linked above. Methodology & how to cite ยท Explore the full world map โ