What is AI regulation in the Bahamas?

The Bahamas has no dedicated artificial intelligence law. AI use is governed indirectly, mainly through the Data Protection (Privacy of Personal Information) Act, 2003, enforced by the Office of the Data Protection Commissioner. The government is preparing two things: a draft Data Protection Bill, 2025 (intended to replace the 2003 Act and to address AI), and a separate national AI policy and white paper. Both remain in development, so no AI-specific statute is yet in force.

Reviewed by Jackie, Head of Learning & Development, Levellers · Last reviewed 8 June 2026

What this means

There is no standalone AI statute, regulator or licensing regime in the Bahamas. If you deploy or build AI in the country today, the binding rules you must follow are the general ones: principally the Data Protection (Privacy of Personal Information) Act, 2003, which governs how personal data is collected, processed, kept, used and disclosed. Because most AI systems train on or process personal data, that Act is the practical anchor for AI compliance now.

The picture is changing in two parallel tracks. First, the government has published a draft Data Protection Bill, 2025 for public consultation. It would repeal and replace the 2003 Act, draw heavily on the European Union General Data Protection Regulation (GDPR), and is expressly intended to cover newer technologies including artificial intelligence. Second, the Ministry of Economic Affairs has said it is preparing a national AI policy and a white paper for Cabinet consideration. Neither track is law yet.

So the honest summary is: data protection law plus general law (consumer, sector and professional rules) governs AI in the Bahamas today, with a modernised data protection regime and an AI policy both pending.

Why it matters

For any organisation deploying AI in the Bahamas, the absence of a dedicated AI law does not mean an absence of obligations. The 2003 Act already imposes duties on data controllers and processors: collect data fairly and lawfully, use it only for specified purposes, keep it accurate and secure, and respect data subject rights including access, correction and objection to direct marketing. An AI system that ingests customer records, scores applicants or profiles individuals sits squarely inside those duties.

It also matters because the rules are about to move. A GDPR-style replacement Bill would raise the compliance bar considerably (broader rights, stronger controller and processor obligations, and explicit attention to AI, biometrics and automated processing). Organisations that build only to the 2003 baseline may face a step change when the new regime lands. Planning now against GDPR-style expectations is the lower-risk path. For financial services, healthcare and tourism operators handling large volumes of personal data, this is a near-term governance question, not a distant one.

How it works

The current legal anchor: the Data Protection Act, 2003

The Data Protection (Privacy of Personal Information) Act, 2003 is the foundational data law. It was enacted in 2003 and brought into operation in 2007. It applies to data controllers established in the Bahamas, and to controllers outside the Bahamas who use equipment in the Bahamas to process personal data. It binds both the private and public sectors, with exemptions for matters such as national security, household or recreational use, parliamentary deliberations and certain legal procedures. Where AI processes personal data, this Act is the binding framework that applies.

The regulator: the Office of the Data Protection Commissioner

The Act establishes the Data Protection Commissioner as an independent oversight authority. The Office administers and enforces the Act, investigates complaints, promotes good practice by data controllers, and acts as the national supervisory authority on data protection. It is not an AI regulator: it has no AI-specific mandate, and its powers flow from the data protection statute rather than from any AI law.

The pending replacement: the draft Data Protection Bill, 2025

In August 2025 the Office of the Data Protection Commissioner launched a public consultation on a draft Data Protection Bill, 2025. The draft would repeal and replace the 2003 Act with a framework modelled on the GDPR and on recently updated Caribbean regimes such as Jamaica, the Cayman Islands and Bermuda. Government statements describe the Bill as expanding data subject rights and strengthening controller and processor duties, and as being structured to anticipate emerging fields including financial technology, digital assets, e-commerce, biometrics, artificial intelligence and cloud computing. Officials have stated the Bill is intended to govern and legislate AI use in the Bahamas. As a draft under consultation, it is not law, and its final text, scope and timing could change.

The pending policy: a national AI white paper

Separately, the Ministry of Economic Affairs has said it is drafting a national AI policy and a white paper for Cabinet review. Ministers have framed three broad objectives: inclusive AI adoption, ethical principles with transparency and public accountability, and deeper regional and international cooperation. This is policy work, not binding regulation, and no white paper text has been adopted as law.

The regional context: CARICOM and SIDS

The Bahamas is a member of the Caribbean Community (CARICOM). No CARICOM member state has enacted dedicated, AI-specific legislation, and the region's work has so far been concentrated in policy and cooperation, including the UNESCO Caribbean Artificial Intelligence Policy Roadmap (published in 2021). Commentators and regional bodies have repeatedly urged harmonised data protection and AI rules across CARICOM. For the Bahamas, this means national choices are being made against an evolving, largely non-binding regional backdrop rather than a single regional AI law.

Examples

A Bahamian bank deploys an AI model to flag suspicious transactions and score credit applications. There is no AI statute to comply with, but the model processes personal data, so the 2003 Act applies: the bank must have a lawful basis, use the data only for stated purposes, keep it secure, and honour data subject rights. If the draft Data Protection Bill, 2025 is enacted, the bank should expect tighter requirements around automated processing and individual rights.

A government department wants to use a generative AI assistant to triage citizen queries. Officials have stated that ethical principles, transparency and public accountability are objectives of the forthcoming AI policy, but those are not yet binding rules. In the meantime the department's handling of any personal data in the queries is governed by the Data Protection Act and overseen by the Data Protection Commissioner.

A regional insurer operating across CARICOM, including the Bahamas, plans a single AI underwriting platform. Because no harmonised regional AI law exists, the insurer must map each jurisdiction's data protection regime separately. In the Bahamas that means the 2003 Act today, with planning headroom for the GDPR-style Bill that is under consultation.

Common misunderstandings

"The Bahamas has an AI law." It does not. There is no dedicated AI statute, regulator or licensing regime; AI is governed indirectly through data protection and general law.

"The Data Protection Commissioner regulates AI." The Commissioner administers and enforces the Data Protection Act. The Office has no AI-specific mandate; its authority comes from the data protection statute.

"The draft Data Protection Bill, 2025 is already in force." It is a draft released for public consultation. It would replace the 2003 Act and address AI, but until enacted the 2003 Act remains the operative law.

"A national AI white paper means there are binding AI rules." A white paper and policy are guidance and intent, not legislation. Policy documents do not by themselves create enforceable legal duties.

"CARICOM has a single AI law that covers the Bahamas." There is no binding regional AI law. Regional work is largely policy and cooperation, such as the UNESCO Caribbean AI Policy Roadmap.

Risks and boundaries

This article describes the regulatory position; it is not legal advice. The central boundary is that the Bahamas has no AI-specific law: anyone expecting a clear AI rulebook with defined risk tiers, conformity assessments or an AI regulator will not find one. What exists is general data protection law plus pending reform.

Legal status is genuinely uncertain in two respects. The draft Data Protection Bill, 2025 is at consultation stage; its final wording, the extent to which it expressly regulates AI, and its commencement date are all subject to change, and the Bill could stall. The national AI white paper and policy are in preparation and have not been adopted, so any specific principles, sandboxes or institutions described in public statements should be treated as proposals, not commitments.

What is confirmed: the 2003 Act is in force and the Data Protection Commissioner is operating. What is pending: the replacement Bill and the AI policy. What could change: scope, timing and the precise treatment of AI in the new instruments. Organisations should not assume the draft Bill will pass unchanged, nor that the 2003 Act will remain the standard indefinitely.

What to do next

Treat the Data Protection Act, 2003 as your binding baseline today. Map where your AI systems collect or process personal data, confirm your lawful basis and purpose limits, and make sure data subject rights (access, correction, objection to direct marketing) can be honoured. Keep records of processing so you can demonstrate compliance to the Commissioner if asked.

Plan against the GDPR-style direction of travel. Because the draft Data Protection Bill, 2025 is modelled on the GDPR and is intended to address AI, building to GDPR-style expectations now (clear documentation, data minimisation, transparency about automated processing, and a route to human review) reduces the cost of adapting later.

Track both the Bill and the AI white paper through official channels, engage with the consultation where relevant, and watch CARICOM and SIDS-level developments. For higher-risk or cross-border AI, take Bahamian legal advice rather than relying on a generic regional view, since each jurisdiction's data regime differs and the local rules are in flux.

FAQs

Does the Bahamas have a dedicated AI law?

No. There is no AI-specific statute, regulator or licensing regime. AI is governed indirectly, principally through the Data Protection (Privacy of Personal Information) Act, 2003.

Which law applies to AI in the Bahamas right now?

The main binding law is the Data Protection Act, 2003, because most AI systems process personal data. General consumer, sector and professional rules also apply depending on the use.

Who enforces data protection in the Bahamas?

The Office of the Data Protection Commissioner. It administers and enforces the 2003 Act, investigates complaints and promotes good practice, but it is not an AI-specific regulator.

What is the draft Data Protection Bill, 2025?

It is a draft law released for public consultation in August 2025 that would replace the 2003 Act with a GDPR-style framework. Government statements say it is intended to address AI use, but it is not yet in force.

Is there a national AI policy?

The Ministry of Economic Affairs has said it is preparing a national AI policy and white paper for Cabinet review. These are policy documents in development, not binding legislation.

Does CARICOM provide AI rules for the Bahamas?

No binding regional AI law exists. Regional work is largely policy and cooperation, such as the UNESCO Caribbean Artificial Intelligence Policy Roadmap. The Bahamas sets its own national rules.

When was the Data Protection Act, 2003 brought into force?

It was enacted in 2003 and brought into operation in 2007.

What should organisations do while the new rules are pending?

Comply with the 2003 Act now, plan against GDPR-style expectations, document AI processing of personal data, and monitor the draft Bill and AI policy through official channels.
