What is AI regulation in Guyana?
AI regulation: countries and regions
Guyana has no dedicated artificial intelligence law, no adopted national AI strategy, and no AI bill before Parliament as of mid 2026. AI is instead governed indirectly through general statutes: chiefly the Data Protection Act 2023, supported by the Electronic Communications and Transactions Act 2023, the Cybercrime Act 2018, and telecommunications rules overseen by the Public Utilities Commission. Regional bodies such as UNESCO and the Caribbean Telecommunications Union provide voluntary policy guidance, not binding law.
Reviewed by Jackie, Head of Learning & Development, Levellers · Last reviewed 8 June 2026
What this means
Guyana does not regulate AI as a distinct subject. There is no statute that names artificial intelligence, no risk tiers for AI systems, and no AI regulator. Anyone deploying AI in Guyana is governed by laws of general application, the most important of which is the Data Protection Act 2023 (Act No. 18 of 2023), a law modelled closely on the European approach to personal data.
The picture is shaped by a striking gap between ambition and machinery. The government has declared a goal of becoming an "AI-first nation", signed a memorandum of understanding for a large AI data centre, and embedded AI in health and policing plans. Yet the Data Protection Act, passed in August 2023, sat without a commencement order for roughly thirty months before being activated in 2026, and its enforcement office is still being built out.
For practical purposes, then, "AI regulation in Guyana" means data protection duties, electronic transactions rules, cybercrime offences, sector telecommunications regulation, and a set of non-binding regional frameworks. Organisations should plan around those instruments rather than wait for a bespoke AI Act.
Why it matters
For founders, operators and governance leads, the absence of a dedicated AI law does not mean an absence of legal exposure. Most real-world AI use involves personal data: training sets, customer records, biometric identity, health images, predictive policing inputs. That activity falls squarely within the Data Protection Act 2023, which carries data protection impact assessments, restrictions on automated decision-making, cross-border transfer controls, breach notification duties, registration requirements and significant penalties.
The timing matters too. Because the Act was only activated in 2026 and its supervisory office is still being established, there is a window of legal uncertainty: duties exist on paper, but enforcement capacity, guidance and registration mechanics are immature. Buyers and advisers should treat compliance as a moving target and document their reasoning. Guyana's rapid digitisation, including a national digital identity system and an AI data centre ambition, raises the stakes for getting data governance right early rather than retrofitting it.
How it works
No dedicated AI statute or regulator
There is no AI-specific Act, bill or regulator in Guyana. AI systems are regulated only to the extent that their inputs, processing or effects engage existing laws. This is a deliberate starting point for the rest of this article: everything below describes general instruments, not AI rules.
The Data Protection Act 2023 is the central instrument
The Data Protection Act 2023 (Act No. 18 of 2023) was passed by the National Assembly on 9 August 2023 and received Presidential assent on 16 August 2023. It is closely patterned on the European General Data Protection Regulation, and readers familiar with UK GDPR will recognise its architecture. It applies to the processing of personal data of data subjects in Guyana and assigns duties to data controllers and data processors.
Durable features relevant to AI include: a requirement to carry out a data protection impact assessment where a type of processing, in particular one using new technologies, is likely to result in a high risk to the rights and freedoms of a person; a right for data subjects not to be subject to a decision based solely on automated processing, including profiling, where it produces legal or similarly significant effects, together with a right to human intervention; restrictions on transferring personal data outside Guyana unless the destination provides an adequate level of protection or appropriate safeguards such as binding corporate rules or standard contractual clauses; a personal data breach notification duty to the Commissioner without undue delay and not later than seventy-two hours; mandatory registration of controllers and processors; and a requirement that a controller or processor not established in Guyana nominate a local representative.
Enforcement: a Commissioner and a Data Protection Office
The Act establishes a Data Protection Office as the independent supervisory body, headed by a Data Protection Commissioner appointed by the President. The Commissioner investigates complaints, oversees registration and enforces the Act. The Act provides for substantial fines and terms of imprisonment for serious offences, such as knowingly or recklessly obtaining or disclosing personal data without the controller's consent, and a right to compensation for any person who suffers damage or distress from a contravention. Certain processing, for example by law enforcement or the revenue authority for tax or national security purposes, is exempted from some disclosure requirements.
The commencement gap and its resolution
A durable point of confusion is that passage did not equal force. No commencement order was issued for roughly thirty months after the Act received assent on 16 August 2023. Aneal Giddings, a former Deputy Chief Elections Officer at the Guyana Elections Commission, was appointed Guyana's first Data Protection Commissioner in early 2026. The government brought the companion Digital Identity Card Act into full operation by commencement order with effect from 31 March 2026, with the Prime Minister stating that the prerequisite appointment of a Data Protection Commissioner had been met. As of mid 2026, the Commissioner publicly stated that his office was still "actively engaged in the process of formally establishing the Data Protection Office". Organisations should verify the current operational status and any registration deadlines directly with the office before relying on it.
Supporting digital statutes
Several other laws form the digital backbone. The Electronic Communications and Transactions Act 2023 (Act No. 12 of 2023) gives legal recognition to electronic records and signatures. The Digital Identity Card Act 2023 (Act No. 19 of 2023) underpins the national electronic identity system; notably, it provides that the Digital Identity Card Registry is administered by the Data Protection Commissioner. The Open Data Act 2024 (Act No. 16 of 2024) governs publication and reuse of public-sector data. The Cybercrime Act 2018 (Act No. 16 of 2018) criminalises illegal access, interception, computer-related fraud and forgery, and using a computer system to harass or intimidate a person.
Telecommunications and spectrum
The Public Utilities Commission (PUC) is the independent regulator for the electricity, water and telecommunications sectors. The Telecommunications Act 2016 (Act No. 18 of 2016) and the Public Utilities Commission Act 2016 were brought into force on 5 October 2020, ending a long-standing monopoly and liberalising the sector. The National Frequency Management Unit manages radio spectrum, and a telecommunications agency handles licensing functions. These bodies regulate the networks over which AI services run, not AI itself.
Caribbean, CARICOM and South American context
Guyana sits within several regional initiatives that are advisory rather than binding. The Caribbean Artificial Intelligence Policy Roadmap, published by UNESCO in June 2021 with the Broadcasting Commission of Jamaica, sets out priorities around digital competencies, fairness and accountability, and regional cooperation, anchored in UNESCO's Recommendation on the Ethics of Artificial Intelligence. The Caribbean Telecommunications Union officially launched a Caribbean AI Task Force on 18 July 2025, chaired by Dr Craig Ramlal of the University of the West Indies, St Augustine. On 13 December 2025 the task force released an interim report titled "Toward Harmonised AI Policies and Recommendations for the Caribbean", presented at the launch of the UWI Artificial Intelligence Innovation Centre, calling for a CARICOM-wide, rights-based AI governance framework supported by model laws; a final consolidated report is expected at a Caribbean AI Forum in 2026. None of this is binding on Guyana unless and until it is enacted domestically.
Examples
1. AI-assisted diagnostics in public health. Guyana's Ministry of Health, in partnership with the Mount Sinai Health System, has been deploying AI-assisted radiology and pathology tools and expanding telemedicine. There is no AI-specific clinical statute; the governing instrument is the Data Protection Act, which is why officials have repeatedly tied the rollout to data protection and patient confidentiality. Health Minister Dr Frank Anthony has framed the shift as moving "from intuition alone to intelligence augmented by data" while stressing "an absolute need for confidentiality". A deployer here must consider impact assessment, lawful basis and cross-border transfer rules for clinical images.
2. The national digital identity system. The Digital Identity Card Act 2023 establishes an electronic identity, with the registry administered by the Data Protection Commissioner. Biometric verification and a single identifier are involved. This is a concrete example of AI-adjacent processing governed through identity and data protection law rather than an AI framework. The government has also announced plans for an automated passenger identification system at Cheddi Jagan International Airport using facial recognition linked to the national eID database, as described by Public Utilities and Aviation Minister Deodat Indar in 2026.
3. A sovereign AI data centre. On 12 November 2025 the Government of Guyana and Cerebras Systems signed a memorandum of understanding to build and operate an AI data centre of up to 100 megawatts at Wales, West Bank Demerara, deploying Cerebras CS-3 supercomputers, alongside stated plans for a sovereign AI cloud and an "AskGov" assistant. The joint release states the memorandum "outlines a shared commitment to data sovereignty and protection, with forward-looking legislation to safeguard national interests in the digital age", which signals that bespoke AI or data rules are aspirational, not yet enacted. It is a memorandum of understanding and a plan, not a completed facility.
Common misunderstandings
1. "Guyana has an AI law." It does not. There is no AI statute, no AI bill before Parliament, and no AI regulator as of mid 2026.
2. "Because the Data Protection Act passed in 2023, it has applied since then." Passage and commencement are different. The Act lacked a commencement order for roughly thirty months and its enforcement office was only being formally established in 2026.
3. "The CARICOM and UNESCO frameworks are binding on Guyanese businesses." They are voluntary policy instruments. They guide and may inspire future legislation, but they do not themselves create enforceable duties.
4. "The Public Utilities Commission regulates AI." The PUC regulates telecommunications, electricity and water. It governs the networks AI runs on, not AI systems or models.
5. "No dedicated AI law means no compliance obligations." Most AI use touches personal data, electronic transactions or cybercrime offences, so duties under the Data Protection Act 2023 and related statutes can apply even without an AI-specific regime.
Risks and boundaries
This article describes general law applied to AI, not a dedicated AI regime, and it is not legal advice. The most important boundary is legal status and timing. The Data Protection Act 2023 was activated only recently after a long commencement gap, and its supervisory office is still being built; guidance, registration mechanics and enforcement practice are therefore immature and may change quickly.
What is confirmed: there is a Data Protection Act with GDPR-style duties; companion electronic transactions, digital identity, open data and cybercrime statutes; a telecommunications regulator; and voluntary regional AI frameworks. What is pending or uncertain: the full operational state of the Data Protection Office, registration deadlines, any subsidiary regulations or codes of practice, and whether Guyana will adopt a national AI strategy or AI-specific legislation. Specific penalty figures and section numbers derive from the gazetted statute as reported through secondary summaries of that text, because the official gazette is a scanned document; they should be verified against the official gazette before being relied upon. Several deployment claims (the data centre, sovereign cloud and assistant) rest on a memorandum of understanding and policy statements, which are commitments and plans rather than completed facts.
What to do next
1. Treat the Data Protection Act 2023 as your primary compliance anchor for any AI that touches personal data. Map your lawful basis, conduct an impact assessment for high-risk or novel processing, and document automated decision-making and human oversight.
2. Verify operational status directly. Confirm with the Data Protection Office whether registration of controllers and processors is open, what the deadlines are, and whether any subsidiary regulations have been issued. Do not assume from the statute alone.
3. Address cross-border transfers early. If you process Guyanese personal data offshore (a live issue for cloud AI), build adequacy or safeguard mechanisms such as standard contractual clauses, and appoint a local representative if you are not established in Guyana.
4. Watch three triggers that would change the picture: the publication of a national AI strategy, the introduction of an AI bill, or the adoption of CARICOM model AI laws via the Caribbean Telecommunications Union process. Any of these would shift Guyana from indirect to direct AI regulation.
5. Use risk-based discipline voluntarily. Even without a statutory risk tiering, adopting impact assessments and proportionate controls aligns you with the direction of regional policy and reduces exposure under existing data and cybercrime law.
Have a question or a suggestion, or want to understand how we research and review these guides? Read about our editorial standards and how to reach us.
FAQs
Does Guyana have a dedicated AI law?
No. As of mid 2026 there is no AI-specific statute, no AI bill before Parliament, and no AI regulator. AI is governed through general laws, primarily the Data Protection Act 2023.
Which law matters most for AI in Guyana?
The Data Protection Act 2023 (Act No. 18 of 2023). It is modelled on the European General Data Protection Regulation and covers most AI that involves personal data.
Is the Data Protection Act actually in force?
It was passed in 2023 but lacked a commencement order for roughly thirty months. Aneal Giddings was appointed Data Protection Commissioner in early 2026, and the Data Protection Office was still being formally established as of mid 2026.
Who regulates telecommunications and spectrum?
The Public Utilities Commission regulates the telecommunications, electricity and water sectors, and the National Frequency Management Unit manages radio spectrum. They regulate networks, not AI.
Does the Act restrict automated decision-making?
Yes. It provides a right not to be subject to decisions based solely on automated processing, including profiling, that have legal or similarly significant effects, with a right to human intervention.
What about transferring data outside Guyana for cloud AI?
Transfers are restricted unless the destination offers an adequate level of protection or appropriate safeguards such as binding corporate rules or standard contractual clauses.
Are the UNESCO and CARICOM AI frameworks binding?
No. The Caribbean Artificial Intelligence Policy Roadmap and the Caribbean Telecommunications Union task force outputs are voluntary policy guidance, not enforceable law.
Is Guyana planning AI-specific rules?
The government has signalled "forward-looking legislation" and AI ambitions, and regional bodies are drafting harmonised recommendations, but no AI statute or national AI strategy had been adopted as of mid 2026.