Data protection & privacy laws in Saint Kitts and Nevis (2026)

The National Assembly passed the Data Protection Act on 4 May 2018 (gazetted 7 June 2018), but the Act requires a ministerial commencement order to take effect; no such order had been published as of early 2026, rendering the law unenforceable.

The 2018 Act is based on the OECS model data protection framework and mirrors GDPR principles: lawful basis for processing, explicit consent for sensitive data, data subject rights (access, rectification, objection), and obligations on both public and private organisations.

The 2018 Act designates a Privacy Commissioner as the supervisory authority with powers to monitor compliance, investigate complaints, and report to the National Assembly; however, because the Act has not been commenced, no Commissioner has been appointed or is operational.

The Electronic Crimes Act 2009 is in force and criminalises illegal access, data interference, illegal interception, identity-related fraud, and child exploitation material, but it does not create data subject rights or impose data-processing obligations on organisations.

Multiple sources indicate the government placed revision of the 2018 Data Protection Act on its 2025 legislative agenda; no enacted replacement or amendment has been confirmed publicly as of May 2026.

The Eastern Caribbean Central Bank published a policy paper in March 2025 urging ECCU member states, including Saint Kitts and Nevis, to enact robust data protection and privacy legislation, underscoring that the current gap poses systemic risk to the digital economy.