What is AI regulation in Kiribati?
AI regulation: countries and regions
Kiribati has no dedicated artificial intelligence law, no AI strategy and no standalone data protection authority. AI is governed indirectly through general law: the Data Protection Act 2025 (enacted but awaiting a commencement notice), the Communications Act 2013 administered by the Communications Commission of Kiribati, the Digital Government Act 2023, and the Cybercrime Act 2021. The Digital Transformation Office leads digital policy. Regional Pacific, Commonwealth and UNESCO initiatives shape direction.
Reviewed by Jackie, Head of Learning & Development, Levellers · Last reviewed 8 June 2026
What this means
Kiribati is a small, geographically dispersed Pacific island state made up of 32 atolls and one raised coral island, Banaba, spread across more than 3.4 million square kilometres of ocean. It has not passed any law that names or specifically regulates artificial intelligence, and it has not published a national AI strategy. If you are deploying or governing AI in or into Kiribati, there is no AI-specific rulebook, no AI regulator and no register of AI systems to consult.
What exists instead is a developing set of general digital laws. The most important for AI is the Data Protection Act 2025, which was passed by Parliament and assented to but, on the available record, has not yet been brought into force by a Ministerial commencement notice. It contains a provision that is directly relevant to automated systems: a right not to be subject to a decision based solely on automated processing that produces legal or similarly significant effects. Other relevant instruments are the Communications Act 2013, the Digital Government Act 2023 and the Cybercrime Act 2021.
Institutional responsibility is split. The Communications Commission of Kiribati (CCK) regulates telecommunications networks, spectrum, licensing and the .ki domain. The Digital Transformation Office (DTO), established under the Digital Government Act 2023 and sitting within the Ministry of Information, Communications and Transport, coordinates national ICT policy and is named as the enforcing body under the Data Protection Act 2025.
Why it matters
For organisations, the practical point is that AI risk in Kiribati is managed through general law, not through an AI statute. There is no conformity assessment, no high-risk classification and no AI registration duty. That lowers the immediate compliance burden but raises uncertainty: you cannot point to a local AI rulebook to demonstrate good practice, and the rules that do apply (data protection, telecoms licensing, cybercrime) were not designed with machine learning in mind.
The most concrete near-term constraint is data protection. Once the Data Protection Act 2025 commences, any organisation processing personal data about people in Kiribati, including via AI systems, will face GDPR-style duties: lawful basis, transparency, security, breach notification, data protection impact assessments for high-risk processing, and the automated-decision right in Section 17. Until commencement, those duties are not yet legally binding, though the government's 2022 Data Protection Policy already sets internal expectations for public bodies.
Connectivity also matters. Starlink officially launched in Kiribati on 22 March 2025, and the state-owned wholesale provider BwebwerikiNET Ltd activated its Starlink Community Gateway in Nanikai, Tarawa on 29 October 2025, with submarine cable capacity also expanding. As these services reach the islands, the volume of data and the practical scope for AI services grows faster than the legal framework. Organisations should expect the gap between deployment and regulation to be where most risk sits.
How it works
There is no dedicated AI law
Kiribati has not enacted AI legislation and has not published a national AI strategy. There is no AI regulator, no statutory definition of an AI system in domestic law and no risk-based AI classification. Any claim that Kiribati has an AI Act or AI-specific rules should be treated as incorrect. The honest position is that AI is governed only by laws of general application.
Data protection: the Data Protection Act 2025
The Data Protection Act 2025 is the single most relevant instrument for AI. It was passed by the Maneaba ni Maungatabu (Parliament) on 18 August 2025, following a first reading on 1 April 2025, and was published by the Ministry of Information, Communications and Transport on 18 September 2025. Its stated objectives include protecting data subjects from risks arising from the processing of personal data and promoting fair, lawful and transparent processing.
Crucially, Section 2 provides that the Act "commences on a date that the Minister may by notice appoint", and the published text leaves the commencement date blank. On the available official record there is no gazetted commencement notice, so the Act appears to be enacted but not yet in force. The Act also delays application: under Section 6(2) it does not apply to a person who is not a "controller of major importance" (one processing personal data on more than 10,000 data subjects in Kiribati) until the second anniversary of the date it comes into force.
For AI specifically, Section 17 gives a data subject the right not to be subject to a decision based solely on automated processing that produces legal or similarly significant effects, except where the decision is necessary for a contract, authorised by a written law with suitable safeguards, or authorised by the data subject's consent. Section 21 requires data protection impact assessments for high-risk processing. These provisions mirror European data protection concepts.
The enforcing body: the Digital Transformation Office
The Act does not create a standalone data protection commissioner. Instead, the "Office" responsible for enforcement is the Digital Transformation Office (DTO), established under the Digital Government Act 2023 and sitting within the Ministry of Information, Communications and Transport. The DTO is given powers to promote awareness, receive complaints, investigate, issue notices and impose penalties, with administration under the direction of the Ministry's Secretary.
Telecommunications: the Communications Act 2013 and CCK
The Communications Commission of Kiribati (CCK), formerly the Telecommunication Authority of Kiribati, was established under the Communications Act 2013. It regulates communications networks and services, manages radio spectrum, issues individual and class licences, sets type approval for equipment, manages numbering and operates the .ki country-code domain. CCK is a telecoms and spectrum regulator, not an AI or data protection regulator, but it is the body that licenses the connectivity layer on which AI services depend.
Digital government and cybercrime
The Digital Government Act 2023 provides the legal basis for whole-of-government digital services, the DTO, a National Digital Transformation Advisory Board and an ICT audit function. The Cybercrime Act 2021, developed with Council of Europe and Australian support, criminalises offences such as unauthorised access and provides investigative procedures; Kiribati acceded to the Budapest Convention on Cybercrime on 20 June 2024. The National ICT Policy 2019 and the Digital Government Master Plan set strategic direction, emphasising connectivity, e-government and data protection as foundations.
Regional and international context
Kiribati's direction is shaped by external frameworks rather than domestic AI rules. As a Pacific Islands Forum member it participates in regional digital and data governance discussions, though there is no Pacific regional AI statute. As a Commonwealth member it falls within the scope of the Commonwealth Artificial Intelligence Consortium (CAIC), which was established in June 2023, emerged from the 2022 Commonwealth Heads of Government Meeting in Rwanda, and focuses on the Commonwealth's 33 small states, few of which have developed national AI strategies. As a UNESCO member state Kiribati is within the scope of the 2021 Recommendation on the Ethics of Artificial Intelligence, a non-binding standard. None of these creates binding AI law in Kiribati.
Examples
A health ministry deploying an automated triage or eligibility tool: once the Data Protection Act 2025 commences, Section 17 means a person should not be subject to a decision based solely on automated processing with significant effects unless an exception applies, and Section 21 would require a data protection impact assessment for high-risk processing. The DTO would be the body to engage.
A telecommunications or internet provider introducing an AI-driven service: the provider must hold the appropriate individual or class licence from CCK under the Communications Act 2013, and comply with type approval and spectrum rules. AI features themselves are not separately licensed, but the underlying network and equipment are regulated by CCK.
A bank or fintech using AI for credit or fraud scoring: Kiribati has no central bank and uses the Australian dollar; the only commercial bank is the Bank of Kiribati, 75 per cent owned by the Australia and New Zealand Banking Group (ANZ) since 2001 and 25 per cent by the Government of Kiribati, with the Ministry of Finance and Economic Development overseeing the sector. There is no AI-specific financial rule, so an automated credit decision would fall under general contract law and, once in force, the Data Protection Act 2025's automated-decision provision.
Common misunderstandings
"Kiribati has an AI Act." It does not. There is no AI-specific statute, bill or strategy. Some third-party trackers imply a risk-based AI approach is taking shape; this is not supported by official sources.
"There is a data protection regulator." There is no standalone data protection commissioner. Enforcement under the Data Protection Act 2025 is assigned to the Digital Transformation Office, a government division, not an independent authority.
"The Data Protection Act 2025 is already in force." It was enacted and assented to, but commencement depends on a Ministerial notice and the published text leaves the date blank. On the available record it is not yet in force, and even after commencement key duties are phased in over two years.
"CCK regulates AI." CCK regulates telecommunications, spectrum, licensing and the .ki domain. It is not an AI or data protection regulator.
"International AI standards are binding in Kiribati." UNESCO, Commonwealth and Pacific Islands Forum instruments are non-binding or capacity-building; they shape direction but do not create enforceable AI law.
Risks and boundaries
This article describes a thin and evolving framework, not a settled regime. The central uncertainty is the commencement status of the Data Protection Act 2025: it is enacted but, on the available official record, not yet brought into force, and its key obligations are phased in. Treat any date-specific compliance claim with caution and verify the current commencement position before relying on it.
What is confirmed: there is no dedicated AI law or strategy; the Communications Act 2013 and CCK regulate telecoms; the Digital Government Act 2023 and Cybercrime Act 2021 are in force; Kiribati acceded to the Budapest Convention in 2024. What is pending or uncertain: the commencement of the Data Protection Act 2025, the issuance of any DTO guidance, and whether subsidiary regulations will be made. This is general information, not legal advice; for any specific deployment, confirm the position with Kiribati counsel and the DTO.
What to do next
Map your AI use to general law, not to an AI statute. Identify whether your system processes personal data of people in Kiribati, whether it makes automated decisions with significant effects, and whether it touches licensed telecoms infrastructure.
Prepare for the Data Protection Act 2025 as if it will commence. Build a lawful basis, transparency notices, security measures, breach response and data protection impact assessments now, and design human review into any solely-automated decision so you can rely on Section 17 exceptions.
Confirm commencement status before relying on it. Check with the Digital Transformation Office and the official gazette for any commencement notice and subsidiary regulations.
Engage the right bodies: the DTO for data and digital policy, and CCK for any communications licensing or equipment approval.
Use international frameworks as a baseline. UNESCO's AI ethics recommendation and Commonwealth small-states AI work offer practical reference points where local rules are silent.
Have a question or a suggestion, or want to understand how we research and review these guides? Read about our editorial standards and how to reach us.
FAQs
Does Kiribati have an AI law?
No. Kiribati has no dedicated AI legislation, no AI strategy and no AI regulator. AI is governed only by laws of general application such as data protection, telecoms and cybercrime law.
Is there a data protection law in Kiribati?
Yes, the Data Protection Act 2025 was enacted and assented to in 2025, but on the available record it has not yet been brought into force by a Ministerial commencement notice. A 2022 Data Protection Policy already guides public bodies.
Who enforces data protection in Kiribati?
The Digital Transformation Office (DTO), a division within the Ministry of Information, Communications and Transport, established under the Digital Government Act 2023. There is no independent data protection commissioner.
Does the law restrict automated decision-making?
Yes. Section 17 of the Data Protection Act 2025 gives a right not to be subject to a decision based solely on automated processing with legal or similarly significant effects, subject to exceptions for contracts, written law with safeguards, or consent. It binds once the Act commences.
Who regulates telecommunications and internet services?
The Communications Commission of Kiribati (CCK), under the Communications Act 2013. It handles licensing, spectrum, type approval, numbering and the .ki domain, but not AI itself.
Do international AI rules apply in Kiribati?
Not as binding law. Kiribati is within the scope of UNESCO's 2021 AI ethics recommendation, the Commonwealth AI Consortium and Pacific Islands Forum digital work, but these are non-binding or capacity-building rather than enforceable AI statutes.
What should an organisation deploying AI in Kiribati do?
Map AI use to general law, prepare for the Data Protection Act 2025 as if it will commence, build human review into automated decisions, confirm commencement status with the DTO and gazette, and engage CCK for any communications licensing.