What is AI regulation in Jamaica?
AI regulation: countries and regions
Jamaica has no dedicated AI law or standalone AI regulator. AI is governed indirectly through existing instruments: the Data Protection Act, 2020 (enforced by the Office of the Information Commissioner), the Cybercrimes Act, 2015, and sector rules such as telecoms regulation by the Office of Utilities Regulation. A National AI Policy is being drafted, informed by a UNESCO Readiness Assessment, but as of mid-2026 it is policy, not binding law.
Reviewed by Jackie, Head of Learning & Development, Levellers · Last reviewed 8 June 2026
What this means
Jamaica regulates artificial intelligence the way most countries did before AI-specific statutes appeared: through laws of general application that happen to bite on AI systems. The most important is the Data Protection Act, 2020, which became fully enforceable on 1 December 2023 and is closely modelled on the EU GDPR and the UK Data Protection Act 2018. It gives individuals a right not to be subject to significant decisions taken solely by automated processing, and it requires data controllers to file annual data protection impact assessments. Those two duties reach directly into how AI is built and deployed.
Alongside data protection sit the Cybercrimes Act, 2015 (which criminalises unauthorised access and interference with computer systems and data) and ordinary sector regulation. There is no AI Act, no risk tiering of AI systems, and no body whose sole job is to police algorithms.
What Jamaica does have is a clear policy direction. A National Artificial Intelligence Task Force was set up in 2023, delivered policy recommendations in 2024, and steered a UNESCO Readiness Assessment launched in April 2026. The Government has committed to drafting a National AI Policy. Until that policy is adopted and any legislation is passed, the binding rules remain the general laws.
Why it matters
For any organisation using AI in Jamaica, the practical point is that "there is no AI law" does not mean "there are no rules". If your AI system processes personal data, the Data Protection Act applies in full: lawful basis, the eight data protection standards, registration with the Office of the Information Commissioner, breach notification, and the automated decision-taking right. A credit-scoring model, a recruitment screen, or a fraud-detection engine that makes or heavily informs decisions about individuals is squarely within scope.
The stakes are real. Penalties under the Act run to a fine of up to 4 per cent of annual gross worldwide turnover for a body corporate (Section 68), while individuals face a fine of up to JMD 5 million plus imprisonment of up to ten years, depending on the nature and severity of the offence. Cross-border transfer restrictions matter for any firm running models on overseas cloud infrastructure or sending data to a foreign processor. And because a National AI Policy is in development, organisations that build good governance now, human oversight, transparency, and impact assessments, will be better placed when firmer rules arrive.
How it works
The Data Protection Act, 2020 as the main lever
The Data Protection Act, 2020 was passed in June 2020, brought partially into force on 1 December 2021, and became fully enforceable on 1 December 2023 after a transitional period (extended by six months to 31 May 2024 for registration). It applies to data controllers established in Jamaica and, on an extraterritorial basis, to controllers outside Jamaica who process the personal data of individuals in Jamaica or monitor their behaviour. Every data controller must register with the Office of the Information Commissioner before processing personal data; the fees and categories are set in the Data Protection (Data Controller Registration) Regulations, 2024.
Automated decision-taking: the AI-facing right
Section 12 of the Act gives an individual the right, by written notice, to require that no decision significantly affecting them is based solely on the automatic processing of their personal data for evaluating matters such as performance at work, creditworthiness, reliability, or conduct. Where such a decision is taken without notice, the controller must inform the individual, who then has a window to require reconsideration. Section 6 also gives a right to be informed of the logic involved in automated decision-taking. These provisions are the closest thing Jamaica has to direct AI regulation, and they mirror the automated-decision rules in the GDPR and UK GDPR.
Impact assessments and the eight standards
The Act builds in eight data protection standards (sections 22 to 31): fair and lawful processing; purpose limitation; data minimisation; accuracy; storage limitation; processing in line with data subject rights; security through technical and organisational measures; and restricted cross-border transfers. Separately, section 45 requires a data controller to submit a data protection impact assessment to the Commissioner within 90 days after the end of each calendar year covering all personal data in its custody and control, including an assessment of risks to the rights and freedoms of data subjects and the measures to address them. For AI deployers, that is an annual, statutory risk-assessment duty that maps neatly onto AI impact assessment practice.
The Office of the Information Commissioner
The Office of the Information Commissioner (OIC) is the supervisory authority. It was established under the Act, with Celia Barclay appointed as Information Commissioner on 1 December 2021. The OIC monitors compliance, registers data controllers, advises the responsible Minister, issues guidance, and can serve enforcement, assessment, information and fixed penalty notices. It is not an AI regulator; its remit is data protection and access to information.
The Cybercrimes Act and other general law
The Cybercrimes Act, 2015 criminalises unauthorised access, unauthorised modification, interception, and obstruction of computer systems and data, and use of a computer for malicious communication. It applies to all data, not just personal data, so it covers misuse of AI systems and the data they hold. A single incident can attract both civil liability under the Data Protection Act and criminal liability under the Cybercrimes Act.
Sector and institutional regulation
The Office of Utilities Regulation (OUR) regulates telecommunications under the Telecommunications Act, alongside electricity and water; it licenses providers and sets service standards but has no AI-specific mandate. The Jamaican judiciary moved early: Chief Justice Bryan Sykes issued Practice Direction No. 1 of 2025 on the use of generative AI in court proceedings, requiring disclosure and verification and prohibiting AI-fabricated case law. This is a court rule, not legislation of general effect.
Policy track: Task Force, UNESCO assessment, draft policy
The National Artificial Intelligence Task Force, chaired by Christopher Reckord, was established under the Office of the Prime Minister in August 2023 and delivered its National AI Policy Recommendations in September 2024. It then steered Jamaica's UNESCO AI Readiness Assessment, launched on 1 April 2026. The assessment engaged over 196 individuals across government, academia, the private sector, civil society, and youth organisations, with nearly half of participants being women. As UN Resident Coordinator Dennis Zulu summarised it, Jamaica has a meaningful legal groundwork, but "there is no standalone AI law or dedicated oversight body," and research and development investment stands at a critically low 0.06 per cent of Gross Domestic Product, with just 13 AI-related publications recorded between 2019 and 2024. Minister with responsibility for science and technology, Dr Andrew Wheatley, framed the gap directly: "We need AI-specific legislation, addressing accountability and biases. We need stronger institutional infrastructure for AI governance, including a national AI oversight and implementation council." He also cited Jamaica's 85 per cent internet penetration rate as part of the existing digital-governance foundation. The Government has committed to develop a draft National AI Policy by November 2026, covering eight domains and aligned to Vision 2030 Jamaica and UNESCO's 2021 Recommendation on the Ethics of AI.
The Caribbean and CARICOM context
Jamaica's work sits inside a regional frame. The Caribbean Artificial Intelligence Policy Roadmap was published in 2021 by UNESCO with the Broadcasting Commission of Jamaica, built on four pillars. The Caribbean Telecommunications Union launched a Caribbean AI Task Force in July 2025 to harmonise AI policy across the region, and CARICOM has endorsed a Regional Digital Resilience Strategy that includes AI skills and an AI Centre of Excellence in Grenada. Jamaica, as a CARICOM member and recent CARICOM chair, is positioning itself as an early mover.
Examples
Automated credit or eligibility scoring. A lender or insurer in Jamaica running an algorithmic scoring model that decides applications must reckon with section 12: an affected individual can require that no decision significantly affecting them is based solely on automated processing of their data relating to creditworthiness or reliability, and can ask for the logic involved. The deployer needs a human-review path and clear notices.
Annual data protection impact assessment for an AI deployer. A registered data controller using AI to process personal data must submit a data protection impact assessment to the Office of the Information Commissioner within 90 days after each calendar year ends, covering all personal data in its custody and control, the processing risks, and the safeguards. For an AI system, that means documenting model purpose, data sources, risk to data subjects, and mitigations.
Generative AI in litigation. An attorney using a tool like a large language model to draft submissions before the Supreme Court of Judicature must comply with Practice Direction No. 1 of 2025: disclose the AI use, verify the content, and never rely on AI-fabricated authorities, on pain of costs orders, contempt, or referral to the General Legal Council.
Common misunderstandings
"Jamaica has an AI law." It does not. As of mid-2026 there is no AI-specific statute and no dedicated AI regulator. AI is governed through general laws and a developing policy.
"No AI law means no rules apply to AI." Wrong. The Data Protection Act applies fully to AI that processes personal data, including an automated decision-taking right and annual impact assessments, and the Cybercrimes Act applies to misuse of systems.
"The Office of the Information Commissioner is an AI regulator." It is the data protection and access-to-information authority. It supervises personal data processing, which captures much AI, but it has no general mandate over AI as such.
"The National AI Policy is already in force." It is being drafted, with a draft targeted for November 2026. Policy recommendations and a UNESCO readiness assessment exist; binding national AI rules do not yet.
"Jamaica simply copies the EU AI Act." Jamaica's data protection law is GDPR-influenced, but it has not adopted the EU AI Act's risk-tiered model. Any future AI law is still to be designed.
Risks and boundaries
This article describes a moving target and is not legal advice. The confirmed position is that Jamaica governs AI through general law, principally the Data Protection Act, 2020, the Cybercrimes Act, 2015, and sector regulation, plus a judicial practice direction on generative AI in courts. There is no standalone AI statute and no dedicated AI regulator.
What is pending: a National AI Policy, with a draft targeted for November 2026, and recommendations to enact AI-specific legislation and create a National AI Oversight and Implementation Council. These are commitments and recommendations, not law. Timelines and content could change through the Cabinet process and consultation.
What is uncertain: the practical reach of enforcement. The UWI Data Protection Office notes that, although the Act is formally in force, "as of now, no fines or legal actions are being imposed, as the enforcement mechanisms have not yet been activated." Firms should not treat that as permanent; the statutory duties stand. Penalty figures and registration fees derive from the Act and the 2024 Regulations and may be amended by order. Where this article cites secondary sources for context, the underlying duties rest on the statute itself.
What to do next
Treat the Data Protection Act as your AI rulebook for now. If your AI touches personal data, register as a data controller with the OIC, confirm your lawful basis, and map your processing against the eight standards.
Build human oversight into significant automated decisions. Where an AI system makes or heavily informs decisions about individuals (credit, hiring, eligibility), provide a human-review route and be ready to explain the logic, in line with sections 6 and 12.
Run an annual impact assessment that doubles as an AI assessment. Use the section 45 data protection impact assessment to document model purpose, data, risks to data subjects, and safeguards, and file it within 90 days of year-end.
Check cross-border data flows. If you train or run models on overseas infrastructure, confirm the destination meets the Act's adequacy test or that an exception applies.
Track the National AI Policy. Watch for the draft due around November 2026 and any proposed AI legislation or oversight council, and design governance now so you are not retrofitting later.
Mind sector and court rules. Telecoms players answer to the OUR; anyone litigating should follow the judiciary's generative AI practice direction.
Have a question or a suggestion, or want to understand how we research and review these guides? Read about our editorial standards and how to reach us.
FAQs
Does Jamaica have a dedicated AI law?
No. As of mid-2026 there is no AI-specific statute and no standalone AI regulator. AI is governed through general laws such as the Data Protection Act, 2020 and the Cybercrimes Act, 2015, plus a developing National AI Policy.
Which law most affects AI in Jamaica today?
The Data Protection Act, 2020. It applies whenever AI processes personal data and includes a right against solely automated significant decisions (section 12) and mandatory annual impact assessments (section 45).
Who enforces data protection?
The Office of the Information Commissioner, established under the Act, with Celia Barclay appointed Information Commissioner on 1 December 2021. It registers data controllers, monitors compliance, and can issue enforcement notices and penalties.
What are the penalties for breaching the Data Protection Act?
A body corporate can be fined up to 4 per cent of annual gross worldwide turnover (Section 68). Individuals face a fine of up to JMD 5 million plus imprisonment of up to ten years, depending on the offence.
Is there a National AI Policy?
Not yet in force. A National AI Task Force delivered recommendations in September 2024, a UNESCO Readiness Assessment launched in April 2026, and the Government has committed to a draft National AI Policy by November 2026.
How does Jamaica fit into the Caribbean picture?
Jamaica is a CARICOM member and contributed to the 2021 Caribbean AI Policy Roadmap via the Broadcasting Commission of Jamaica. Regional bodies including the Caribbean Telecommunications Union are working to harmonise AI policy.
Are there rules for AI in Jamaican courts?
Yes. The judiciary's Practice Direction No. 1 of 2025 governs generative AI in court proceedings, requiring disclosure and verification and prohibiting AI-fabricated case law.
Does the Data Protection Act apply to firms outside Jamaica?
Yes, on an extraterritorial basis, where they process personal data of individuals in Jamaica or monitor their behaviour in Jamaica.