What is AI regulation in the Gambia?
AI regulation: countries and regions
As of June 2026, the Gambia has no dedicated artificial intelligence law, bill, strategy or regulator. AI is governed indirectly through instruments of general application: the Personal Data Protection and Privacy Act, 2025 (assented on 7 November 2025), the Information Commission as data regulator, the communications regulator PURA, and national digital and data policies. Regional context comes from ECOWAS data protection rules and the African Union Continental AI Strategy. None of these is a binding Gambian AI statute.
Reviewed by Jackie, Head of Learning & Development, Levellers · Last reviewed 8 June 2026
What this means
The Gambia is a small West African country that is digitising quickly but has not yet written rules specifically for AI. There is no Gambian AI Act, no national AI strategy or policy, and no AI regulator. Anyone deploying AI in the Gambia is governed by laws of general application rather than by AI-specific duties.
The most important of these is the Personal Data Protection and Privacy Act, 2025 (PDPP), the country's first comprehensive data protection law. It was approved unanimously by the National Assembly on 29 September 2025 and, per African Law and Business (whose authors include Momodou Alieu Jallow, ICT director at the Ministry of Communications and Digital Economy), President Adama Barrow assented to it on 7 November 2025. Because most AI systems process personal data, the PDPP is the single most relevant legal instrument for AI deployers. Other relevant pieces include the communications regulator PURA, the Information and Communications Act, 2009, the National Digital Economy Master Plan, the National Data Policy validated in 2025, and cybersecurity policy.
The Gambia also sits inside regional frameworks: the ECOWAS Supplementary Act on personal data protection, the African Union Malabo Convention, and the African Union Continental AI Strategy. None of these is a binding Gambian AI law, but they shape the direction of travel.
Why it matters
For organisations, the practical point is that AI is not unregulated in the Gambia; it is regulated by default through data protection and sector rules. The PDPP applies whenever an AI system processes personal data relating to individuals within the Gambia, even if the controller sits abroad. It carries real duties: a lawful basis, transparency, purpose limitation, breach notification within 72 hours, data protection impact assessments for high-risk processing, and a right for individuals not to be subject to solely automated decisions. Penalties are significant: per African Law and Business, the highest penalty for a legal entity is the greater of GMD 1,000,000 dalasis (about EUR 11,500) or 5 percent of the preceding year's gross income, alongside criminal liability for serious breaches. Treating an AI project as outside the law, rather than as a data protection matter, is the main compliance risk.
How it works
No dedicated AI framework
There is no Gambian statute, bill or regulation that names artificial intelligence, and no national AI strategy or policy as of June 2026. AI activity in the Gambia is currently confined to capacity-building and diplomacy rather than regulation. The University of the Gambia hosted a Commonwealth-supported AI training in 2024, and the Foreign Minister spoke at an African Union Peace and Security Council ministerial session on AI in March 2025, calling for responsible governance and for legal and policy frameworks to guide AI. Neither created binding rules. An honest summary is that the Gambia governs AI through general law, not through any AI-specific instrument.
Data protection law as the main control
The Personal Data Protection and Privacy Act, 2025 is the de facto AI rulebook. It applies to processing by automated and non-automated means, and reaches controllers outside the Gambia where processing relates to individuals within the jurisdiction. It codifies principles (lawfulness, fairness, transparency, purpose limitation, data minimisation, accuracy, security and accountability) and lawful bases including consent, contract, legal obligation, vital interests, public interest and legitimate interest. It imposes a stricter regime on sensitive data, including biometric and genetic data, requires a data protection officer for public authorities and for large-scale or sensitive processing, mandates breach notification to the regulator within 72 hours, and requires data protection impact assessments for high-risk processing such as profiling or large-scale surveillance. Crucially for AI, it grants individuals a right not to be subject to a decision based solely on automated processing, including profiling, where this produces legal or similarly significant effects. The Act does not provide a GDPR-style right to data portability.
The regulator: the Information Commission
Rather than creating a new agency, the PDPP designates the existing Information Commission (established under the Access to Information Act, 2021) as the data protection authority, giving it a dual mandate over access to information and data protection. It has powers to investigate complaints, search premises with warrants, impose administrative fines and issue binding enforcement notices. There is no requirement to register processing with the Commission; the Gambia instead emphasises governance and accountability. The dual mandate is also a known pressure point: the Commission must resource and staff two distinct functions, so its data protection capacity is still developing.
PURA and sector rules
The Public Utilities Regulatory Authority (PURA) was created by the Public Utilities Regulatory Authority Act, 2001 and regulates communications, energy, water and transport. Its information and communications mandate comes from the Information and Communications Act, 2009, under which it is the authority responsible for regulating communications services, networks and associated facilities. PURA licenses operators and enforces service standards. It is not an AI regulator and has no AI-specific powers, but it is the body that would touch AI deployed within licensed communications networks.
Digital strategy and data policy
The Ministry of Communications and Digital Economy (MOCDE) leads digital policy. Its National Digital Economy Master Plan sets a decade-long programme across digital infrastructure, digital government, digital financial services, skills and innovation. In 2025 the Ministry validated the National Data Policy Framework 2025 at the Sir Dawda Kairaba Jawara International Conference Centre; according to Research ICT Africa, the Gambia thereby became the first African country to domesticate the African Union Data Policy Framework, a process supported by AUDA-NEPAD and GIZ. The Gambia ICT Agency (GICTA), established by the ICT Agency Act, 2019, coordinates e-government and IT standardisation. None of these creates AI law, but together they form the policy environment in which any future AI rules would sit.
Regional and continental context
The Gambia is within the scope of the ECOWAS Supplementary Act A/SA.1/01/10 on Personal Data Protection (2010), a regional instrument now under revision to address modern data challenges. The Gambia signed the African Union Malabo Convention (the Convention on Cyber Security and Personal Data Protection) but has not ratified it. The Convention entered into force on 8 June 2023, thirty days after Mauritania deposited the 15th instrument of ratification on 9 May 2023; the African Union status list dated 12 May 2023 lists the Gambia among states that signed without ratifying. The African Union Continental AI Strategy was adopted by the AU Executive Council at its 45th Ordinary Session, held on 18 and 19 July 2024 in Accra, Ghana. It is a non-binding guiding framework, with a phased implementation running from 2025 to 2030, that encourages member states to build national AI governance grounded in data protection. The Gambia has no national AI strategy responding to it yet.
Examples
Example 1: A fintech firm deploys an AI credit-scoring model for Gambian mobile-money users. There is no AI law, but the PDPP applies because personal data is processed. The firm needs a lawful basis, must run a data protection impact assessment for the high-risk profiling, and must respect customers' right not to be subject to a solely automated lending decision that has significant effects.
Example 2: A foreign software vendor offers an AI analytics tool to a Gambian bank. The PDPP reaches the vendor because it processes data of individuals within the Gambia. Cross-border transfers must rest on adequacy or appropriate safeguards assessed against the Act, and the Information Commission may impose additional conditions.
Example 3: A government agency pilots facial recognition tied to the national digital ID programme. This is sensitive biometric processing, triggering the stricter PDPP regime, a likely data protection impact assessment, and oversight by the Information Commission. No AI-specific statute governs it.
Common misunderstandings
Misconception 1: The Gambia has an AI law. It does not. There is no AI statute, bill, strategy or regulator as of June 2026.
Misconception 2: Because there is no AI law, AI is unregulated. Incorrect. AI that processes personal data is governed by the Personal Data Protection and Privacy Act, 2025 and overseen by the Information Commission.
Misconception 3: PURA regulates AI. PURA regulates communications, energy, water and transport utilities, not AI or data protection.
Misconception 4: The Gambia created a new National Data Protection Commission. The Act designates the existing Information Commission as the regulator, not a separate new body.
Misconception 5: The Gambia has ratified the Malabo Convention. It signed but has not ratified it.
Risks and boundaries
This article describes general law, not AI-specific law, because none exists. The PDPP is very new and largely untested; implementing regulations, guidance and the Information Commission's data protection capacity are still developing, so enforcement practice is uncertain. The Commission carries a dual mandate over both access to information and data protection, which raises resourcing questions. A draft Cybercrime Bill has been pending for several years. Malabo Convention ratification is outstanding and the ECOWAS Supplementary Act is being revised. This article is general information, not legal advice; organisations should obtain qualified Gambian legal counsel before relying on any point here.
What to do next
Treat the Personal Data Protection and Privacy Act, 2025 as your primary AI compliance baseline in the Gambia. Map where your AI systems process personal data of individuals in the Gambia, including systems operated from abroad. Run data protection impact assessments for high-risk uses such as profiling, biometrics and large-scale monitoring. Build a lawful basis and transparency into automated decisions, and provide a route for individuals to contest decisions taken solely by automated processing. Appoint a data protection officer where the Act requires one, and document cross-border transfer safeguards. Watch for three triggers that would change the picture: the Information Commission's first data protection guidance or regulations, the publication of any national AI strategy, and ratification of the Malabo Convention.
Have a question or a suggestion, or want to understand how we research and review these guides? Read about our editorial standards and how to reach us.
FAQs
Does the Gambia have an AI law?
No. As of June 2026 there is no dedicated AI law, bill, strategy or regulator in the Gambia.
What law governs AI in the Gambia then?
Primarily the Personal Data Protection and Privacy Act, 2025, because most AI processes personal data. Communications and sector rules also apply.
Who regulates data protection in the Gambia?
The Information Commission, established under the Access to Information Act, 2021 and designated as the data protection authority by the 2025 Act.
Does the Gambia's data law cover automated decisions?
Yes. It gives individuals a right not to be subject to a decision based solely on automated processing, including profiling, that has significant effects.
Has the Gambia ratified the Malabo Convention?
No. The Gambia signed the African Union Malabo Convention but has not ratified it.
Is the Gambia bound by the African Union Continental AI Strategy?
The Strategy is a non-binding guiding framework adopted in July 2024. It does not impose binding obligations on the Gambia.
Does PURA regulate AI?
No. PURA regulates communications, energy, water and transport utilities, not AI.