What is AI regulation in Antigua and Barbuda?
Antigua and Barbuda has no dedicated artificial intelligence law in force. AI is governed indirectly through general statutes, chiefly the Data Protection Act 2013 and the Electronic Crimes Act 2013, supported by the constitution. The government has completed a UNESCO Readiness Assessment, appointed an AI policy focal point and reports finalising a national AI policy, with draft AI legislation said to be prepared. None of this is enacted, so AI-specific duties remain policy ambitions rather than binding law.
Reviewed by Jackie, Head of Learning & Development, Levellers · Last reviewed 8 June 2026
What this means
There is no statute in Antigua and Barbuda that names artificial intelligence and sets binding duties on how it is built or deployed. What exists today are general laws that apply whenever AI processes personal data or touches electronic systems. The Data Protection Act 2013 governs the handling of personal data, and the Electronic Crimes Act 2013 criminalises misuse of computer systems. Neither was written with machine learning in mind, but both still bite on common AI uses.
Alongside these laws, the government has taken policy steps. In June 2025 it published an Artificial Intelligence Readiness Assessment Report, prepared with the UNESCO Office for the Caribbean using UNESCO's Readiness Assessment Methodology. An AI policy focal point sits within the relevant ministry, and officials have said a national AI policy is being finalised. The Prime Minister has also stated that draft AI legislation has been prepared.
The honest position is that this is an early-stage, policy-led picture. The country is assessing readiness and signalling intent, but the binding rules that apply to AI are still the older, general statutes rather than anything AI-specific.
Why it matters
If you deploy or govern AI that touches people in Antigua and Barbuda, your legal obligations come from general law, not from an AI rulebook. That means the Data Protection Act 2013 sets the binding floor for any system that processes personal data: consent, notice, security, retention and the rights of data subjects. The Electronic Crimes Act 2013 governs unauthorised access, fraud and misuse of electronic systems, which is relevant to model security and data handling. Because there is no AI-specific statute, there is no local requirement for high-risk classification, mandated impact assessments or registered AI systems of the kind seen in some larger jurisdictions. That can read as lighter-touch, but it also means less tailored guidance and more reliance on your own governance. The policy direction signals that AI-specific duties may arrive, so organisations that build defensible governance now will adapt more cheaply later. Watch the status of the national AI policy and any AI Bill closely, because the legal floor could rise.
How it works
The Data Protection Act 2013
The Data Protection Act 2013 (No. 10 of 2013) is the central instrument for any AI that processes personal data. It sets principles covering consent and lawful processing, notice and choice, disclosure, security, retention, data integrity and access. It uses the term "data user" rather than controller or processor, defined as a person who alone or jointly processes personal data or controls its processing. Data subjects have rights to access, rectification, erasure, to be informed and to object. The Act establishes an Information Commissioner as the supervisory authority, with that role linked to the Freedom of Information framework, and provides for offences, penalties and appeals to the Court. These duties apply whenever an AI system collects or processes personal data, even though the Act predates modern AI.
The Electronic Crimes Act 2013
The Electronic Crimes Act 2013 (No. 14 of 2013), amended in 2018, criminalises unauthorised access and interference with electronic systems, electronic fraud and forgery, identity theft, violation of privacy, misuse of encryption and related conduct. It carries investigative and procedural provisions. For AI deployers this matters for model and data security, access controls and the integrity of automated systems.
Policy and institutional layer
The architecture above the statutes is policy, not law. In June 2025 the government launched its Artificial Intelligence Readiness Assessment Report, developed with the UNESCO Office for the Caribbean and the Ministry responsible for information and communication technologies under the Readiness Assessment Methodology. The assessment found transparency and legal openness to be the country's strongest dimension, noting a high Right to Information ranking, while identifying gaps including the absence of a national AI strategy and the need to modernise existing laws for AI-specific issues such as impact assessments for high-risk uses. It recommended developing a national AI strategy, establishing a dedicated AI governance unit and aligning AI rules with digital transformation work. An AI policy focal point has been appointed within the ministry, and officials have publicly described a national AI policy as being finalised.
Pending legislation and regional context
The Prime Minister has stated that draft legislation to regulate AI has been prepared, intended to address misuse while supporting beneficial applications. As of the latest available reporting, no such Act has been confirmed as enacted, so the draft remains an intention rather than law. Regionally, Antigua and Barbuda engages through CARICOM, the OECS, the ITU, UNESCO and the Commonwealth AI Consortium, and sits within a wider Caribbean push toward coordinated AI governance. The country also targets digitising public services by 2030.
Examples
A fintech firm deploying an AI credit-scoring tool that processes residents' personal data must satisfy the Data Protection Act 2013: obtain a lawful basis such as consent, give notice of purposes, secure the data and honour access and rectification requests. There is no separate AI registration or high-risk classification requirement in local law.
A public body piloting an AI service as part of the 2030 digitisation agenda would operate under the Data Protection Act and the policy direction of the Readiness Assessment, but without a binding AI-specific statute setting mandatory impact assessments. Governance here is driven by policy and good practice rather than an AI law.
A company running an AI customer system that suffers an intrusion or data misuse would look to the Electronic Crimes Act 2013, which criminalises unauthorised access and interference with electronic systems, alongside the security duties in the Data Protection Act.
Common misunderstandings
"Antigua and Barbuda has an AI law." It does not. AI is governed through general statutes, chiefly the Data Protection Act 2013 and the Electronic Crimes Act 2013.
"The UNESCO Readiness Assessment is a regulation." It is an assessment and roadmap, not binding law. It diagnoses strengths and gaps and recommends steps such as a national strategy and a governance unit.
"There is a national AI strategy in force." Officials have described a national AI policy as being finalised and assessments report no adopted national AI strategy. Intent is not the same as an enacted framework.
"The draft AI legislation is already in effect." The Prime Minister has said draft AI laws have been prepared, but there is no confirmation of enactment in the available sources. Treat it as pending.
"No AI law means no rules apply." Personal data and electronic systems are already regulated, so existing duties bind AI uses today.
Risks and boundaries
The clearest boundary is that Antigua and Barbuda has no dedicated, enacted AI statute. Anyone relying on an AI-specific local rulebook is mistaken; the binding duties come from general law. The national AI policy is reported as being finalised rather than published, and the draft AI legislation described by the Prime Minister has not been confirmed as enacted in the sources reviewed. Both could change in scope or timing, or stall. The existing statutes predate modern AI and were not designed for issues such as automated decision-making transparency or high-risk system controls, which the Readiness Assessment itself flags as gaps. Status and effective dates should be checked against the official gazette and government sources before relying on them, because this picture is evolving.
What to do next
Treat the Data Protection Act 2013 as your binding baseline for any AI that processes personal data, and document lawful basis, notice, security and data-subject rights. Apply the Electronic Crimes Act 2013 lens to model and system security. Even without a local mandate, run an AI impact assessment for higher-risk uses, since the Readiness Assessment signals this direction and it future-proofs your governance. Track the status of the national AI policy and any AI Bill through official channels, and check the gazette for enactment rather than relying on announcements. For multi-jurisdiction deployments, align to a recognised governance baseline so you can absorb new local duties cheaply when they arrive.
FAQs
Does Antigua and Barbuda have a dedicated AI law?
No. As of the latest available sources there is no enacted AI-specific statute. AI is governed through general laws, mainly the Data Protection Act 2013 and the Electronic Crimes Act 2013.
Which law applies when AI processes personal data?
The Data Protection Act 2013, which sets principles for consent, notice, security and retention, gives data subjects rights of access, rectification, erasure and objection, and establishes an Information Commissioner.
Is there a national AI strategy or policy?
Assessments report that no national AI strategy has been adopted, though officials have described a national AI policy as being finalised. A UNESCO Readiness Assessment Report was published in June 2025.
Is AI legislation being drafted?
The Prime Minister has stated that draft AI legislation has been prepared to address misuse. There is no confirmation in the available sources that it has been enacted, so treat it as pending.
Who regulates data protection in Antigua and Barbuda?
The Information Commissioner, established under the Data Protection Act 2013, with the role connected to the Freedom of Information framework.
What did the UNESCO Readiness Assessment find?
It identified transparency and legal openness as the strongest dimension, flagged gaps including the lack of a national AI strategy and the need to modernise existing laws, and recommended a national strategy and a dedicated AI governance unit.
Are AI impact assessments required?
There is no binding local requirement for AI impact assessments. The Readiness Assessment notes the need for them in high-risk uses, so they are advisable as good practice.
How does regional cooperation shape AI governance here?
Antigua and Barbuda engages through CARICOM, the OECS, the ITU, UNESCO and the Commonwealth AI Consortium, situating its approach within wider Caribbean coordination on AI.
