What is AI regulation in the Marshall Islands?
AI regulation: countries and regions
The Marshall Islands has no dedicated artificial intelligence law, bill, national AI strategy or AI policy, and no AI regulator. There is no AI-specific framework at all. The nearest relevant rules are the Personal Data Protection Act 2025, which applies only to core national government ministries and agencies, the constitutional right to privacy, and cybercrime and cybersecurity statutes passed in 2025. Anyone deploying AI relies on these general laws, contracts and sector rules rather than on AI regulation.
Reviewed by Jackie, Head of Learning & Development, Levellers · Last reviewed 8 June 2026
What this means
The Republic of the Marshall Islands (RMI) is a small Pacific island state of 42,418 residents (2021 Census), of whom 23,156 (54.6 per cent) live on Majuro, spread across 29 coral atolls and five single islands, in free association with the United States. It does not regulate artificial intelligence as a distinct subject. There is no AI Act, no AI bill before the Nitijela (parliament), no published national AI strategy, and no agency tasked with AI oversight. Per the AI Asia Pacific Institute's August 2024 report, no Pacific Island country has yet published a national AI strategy, with only Fiji and Papua New Guinea reported to be making progress on developing theirs.
What the RMI does have, as of 2025 and 2026, is the beginning of a digital legal architecture. In 2025 the Nitijela passed a cluster of digital laws, including the Personal Data Protection Act 2025, a Cybersecurity Act 2025 and a Cybercrimes Act 2025, alongside electronic transactions and digital identity legislation. These laws were supported by the World Bank-financed Digital Republic of the Marshall Islands (Digital RMI) project. None of them mentions AI.
For an organisation using AI in the Marshall Islands, the practical position is therefore that AI is governed indirectly: by the new data protection law where a core government body is involved, by the constitutional privacy right, by general criminal and consumer law, by contract, and by whatever foreign laws apply to the vendor or to cross-border data flows.
Why it matters
The absence of AI rules does not mean an absence of legal risk. Personal data fed into AI systems by national government ministries is now subject to enforceable data protection principles. Cyber and cybercrime statutes can reach AI-enabled fraud, intrusion or harmful conduct. The constitutional privacy guarantee underpins claims against intrusive processing. And because the RMI is closely tied to the United States through the Compact of Free Association, and because so much AI tooling and data hosting is offshore, foreign regimes (US sector rules, the EU GDPR for EU-facing services, and the like) will often do the heavy lifting that a domestic AI law would otherwise do. Organisations that assume "no AI law means no obligations" will misjudge their exposure.
How it works
No dedicated AI framework
There is no statute, regulation, bill or official strategy in the Marshall Islands that targets artificial intelligence. There is no AI regulator, no risk-tiering of AI systems, no mandatory AI impact assessment and no register of AI systems. This is the honest baseline: AI is unregulated as a category, and the country's governance effort is directed at digital infrastructure, connectivity, cybersecurity and data, not at AI as such.
The Personal Data Protection Act 2025
The most directly relevant law is the Personal Data Protection Act 2025 (Public Law 2025-43), codified in Title 6 of the Marshall Islands Revised Code. Its scope is deliberately narrow: it applies to "core Government ministries and agencies" that collect, use, store, process, disclose or transfer the personal data of natural persons. It does not, on its face, regulate the private sector. It excludes processing for law enforcement, national intelligence and national security purposes, non-personal data, and certain publicly available information.
The Act sets out six data protection principles: legitimate purpose; data minimisation; accuracy; retention; integrity and security; and accountability. It defines personal data broadly, including online identifiers and location data, and recognises a category of sensitive personal data covering health, biometric, genetic, financial and similar information. It designates the Economic Policy, Planning and Statistics Office (EPPSO) as the competent authority, with duties around guidance, capacity building, coordination of data sharing and annual reporting to the Nitijela. It creates a private right of action for a natural person harmed by improper administration, but limits remedies to orders such as injunction, mandamus, correction or deletion, and an order to amend policies; it expressly bars compensatory damages against a ministry or agency.
The Act's effective date provision states that it takes effect twelve months after certification, so organisations should verify the precise live date from the official text rather than assume immediate force.
Cybercrime, cybersecurity and electronic transactions
The 2025 legislative package also includes a Cybersecurity Act 2025 (Public Law 2025-27) and a Cybercrimes Act 2025 (Public Law 2025-40), plus electronic transactions and digital identity legislation. These can capture AI-enabled wrongdoing (for example, fraud, unauthorised access or harmful digital communications) and they establish the trust framework for digital government, but none of them regulates AI development or deployment directly.
The constitutional privacy right
The Constitution of the Marshall Islands, in its Bill of Rights, protects individuals from unreasonable intrusion into their privacy and from unreasonable interference in personal choices that do not injure others. This provides a constitutional baseline that any data-intensive or surveillance-style AI use would have to respect, and the data protection law is framed as giving effect to that right.
The communications regulator and ICT policy
Telecommunications are governed by the National Telecommunications Authority Act 1990 (Title 40, Chapter 1 of the Revised Code; originally Public Law 1990-105). The Marshall Islands National Telecommunications Authority (NTA) is a government-majority-owned corporation that has historically been both the dominant operator and a de facto regulator. The NTA Act was amended in 2022 (Public Law 2022-46) to remove NTA's exclusive rights and open the market to competition. Regulatory functions, including spectrum licensing, continue to sit with the Ministry of Transportation, Communications and Information Technology (MOTC&IT) and with NTA. An independent "Office of the Regulator" has been proposed in draft communications legislation and in the World Bank reform programme, but as of the latest official public-law records it has not been established by statute.
Regional and Compact context
The RMI is a member of the Pacific Islands Forum and participates in regional cybersecurity cooperation. Its broad digital direction sits within the National Strategic Plan and the World Bank-financed Digital RMI project: a US$30 million grant from the International Development Association (IDA), within a total project cost of US$37.5 million including US$7.5 million of private capital, approved by the World Bank Board on 31 August 2021 and running over seven years. The project finances new infrastructure across all 24 inhabited atolls and islands, including Majuro and Ebeye. Through the Compact of Free Association, renewed in 2023 and brought into force in 2024, the country is deeply linked to the United States, which shapes data hosting, connectivity and security in practice.
Examples
1. A national government ministry adopts an AI tool to triage citizen service requests. Because a core government body is processing personal data, the Personal Data Protection Act 2025 principles apply: the ministry must have a legitimate purpose, minimise data, keep it accurate and secure, and be able to demonstrate accountability. A citizen who suffers harm from improper administration can seek correction, deletion or an injunction, but not compensatory damages from the ministry.
2. A private company in Majuro deploys a customer-facing chatbot. The Personal Data Protection Act 2025 does not directly bind it, because the Act targets core government ministries and agencies. Its obligations come instead from contract, the constitutional privacy right, cybercrime and consumer rules, and any foreign law (for example, the EU GDPR if it serves EU residents). There is no Marshall Islands AI compliance step to complete, because no AI law exists.
3. A foreign vendor offers an AI service hosted offshore to a Marshall Islands buyer. Because there is no domestic AI regime and limited domestic data protection reach, the governing safeguards are largely the vendor's home-jurisdiction rules and the contract terms. The buyer should treat international standards and the vendor's own commitments as the practical control, rather than expecting RMI law to set AI requirements.
Common misunderstandings
1. "There is a Marshall Islands Data Protection Act that works like the GDPR." There is a Personal Data Protection Act 2025, but it applies only to core national government ministries and agencies, not to the private sector generally, and it bars compensatory damages. It is far narrower than the EU or UK regime.
2. "No AI law means no rules apply to AI." General laws still apply: data protection for government bodies, constitutional privacy, cybercrime and cybersecurity statutes, contract and consumer rules, and foreign laws for cross-border services.
3. "The NTA is an independent telecoms and tech regulator." NTA is a government-majority-owned operator that has also performed regulatory functions. An independent regulator has been proposed but not yet established by statute.
4. "The Marshall Islands has a national AI strategy." It does not. Regional and UN-linked surveys list no AI strategy, law or policy for the country.
5. "Because the country is small, it has no relevant digital law at all." That is now outdated. In 2025 the Nitijela passed data protection, cybersecurity and cybercrime laws as part of a digital reform package.
Risks and boundaries
This article describes the position from official sources and is not legal advice. The key boundary is that the Marshall Islands has no AI-specific law, so there is no AI authorisation, classification, transparency or impact-assessment requirement to comply with domestically. The Personal Data Protection Act 2025 is new, narrow (public sector) and its effective date runs twelve months from certification, so its live status and any implementing regulations from EPPSO should be checked against the official text. The independent communications regulator remains a proposal, not an institution. Several digital laws are recent, and implementing rules, guidance and enforcement practice are still developing. Where a fact could not be verified from an official source, it has been omitted here rather than guessed.
What to do next
Treat AI in the Marshall Islands as governed by general law, not AI law. If you are a government body or a vendor to one, map your processing against the Personal Data Protection Act 2025 principles and watch for EPPSO guidance. If you are a private operator, build your controls from contract, the constitutional privacy right, cyber statutes and any applicable foreign regime, and adopt recognised international AI standards voluntarily as your baseline. Confirm the effective date of the data protection law from the official text. Run your own AI impact assessment as good practice even though none is mandated. Monitor the Nitijela public-law list and the World Bank Digital RMI programme for the promised communications regulator and any future AI or broader data measures.
Have a question or a suggestion, or want to understand how we research and review these guides? Read about our editorial standards and how to reach us.
FAQs
Does the Marshall Islands have an AI law?
No. There is no dedicated AI statute, bill, national strategy or policy, and no AI regulator.
Is there a data protection authority?
There is no general-purpose data protection authority. The Personal Data Protection Act 2025 names the Economic Policy, Planning and Statistics Office as the competent authority, but only for core national government ministries and agencies.
Does the data protection law apply to private companies?
Largely no. The Personal Data Protection Act 2025 targets core government ministries and agencies, not the private sector at large.
What laws apply to AI use then?
General laws: the data protection principles for government bodies, the constitutional privacy right, cybersecurity and cybercrime statutes, contract and consumer law, and foreign laws for cross-border services.
Who regulates telecommunications?
The Ministry of Transportation, Communications and Information Technology and the National Telecommunications Authority. An independent regulator has been proposed but not yet established by statute.
Is the GDPR in force in the Marshall Islands?
No. The EU GDPR is not RMI law, but it can apply to RMI organisations that target or serve people in the EU.
Will the Marshall Islands get an AI law soon?
There is no announced AI bill. The recent focus has been on data protection, cybersecurity and digital government, not AI.