What is AI regulation in Palau?
Palau has no AI-specific law, strategy or regulator. AI is governed indirectly through existing instruments: the Privacy Act (Title 6 of the Palau National Code, binding government agencies), sector and telecommunications rules, constitutional privacy and security protections, a pending Cybersecurity Act, and the National Cybersecurity Strategy and Policy 2026 to 2030. As a UN and UNESCO member, Palau is associated with the UNESCO Recommendation on the Ethics of AI and Pacific regional digital commitments, but has adopted no binding AI rules.
Reviewed by Jackie, Head of Learning & Development, Levellers · Last reviewed 8 June 2026
What this means
Palau is a Pacific island republic of about 17,700 people (2024). It has not passed any statute, regulation or national strategy that targets artificial intelligence as such. There is no Palauan equivalent of the EU AI Act, no risk classification scheme, no AI regulator, and no published national AI strategy. This is typical of the Pacific: the AI Asia Pacific Institute's August 2024 report states that "there is currently no active AI strategy in the 16 Pacific Island countries and AI readiness remains weak, but all recognize AI's potential importance".
In the absence of bespoke rules, anyone building or deploying AI in Palau is governed by general law: the constitution's protection of the person, the Privacy Act provisions of the Palau National Code (which constrain how government agencies handle personal information), sector and telecommunications law, common law duties of confidentiality, and criminal law. Cybersecurity has moved fastest: Palau adopted a National Cybersecurity Strategy and Policy 2026 to 2030 and its Senate passed a Cybersecurity Act, both prompted by the March 2024 ransomware attack on the Ministry of Finance, which President Surangel Whipps Jr described as the country's first major cyberattack.
At the international level Palau is a member of the United Nations, the International Telecommunication Union (ITU) and UNESCO, and it sits within Pacific regional digital frameworks. These memberships carry soft commitments and shared principles rather than binding AI duties, but they are the main external reference points shaping how Palau is likely to approach AI governance.
Why it matters
For an operator, founder, adviser or buyer, the practical message is that Palau is a thin-law jurisdiction for AI. You cannot point to a local AI statute to establish what is permitted or prohibited, and you cannot rely on a dedicated regulator to issue guidance or approvals. Instead, your obligations come from a patchwork: data-handling rules that bind public bodies, sector licences, contractual confidentiality, constitutional rights, and rapidly developing cybersecurity duties.
That patchwork matters most where AI touches personal data, public services or critical systems. Palau's government has been hit repeatedly: the Ministry of Finance was struck by ransomware in March 2024, and in September 2025 the government warned of renewed criminal activity linked to that attack, involving about 25,000 stolen files. So any system that processes government data or connects to public infrastructure will increasingly face cybersecurity expectations even though AI-specific duties are absent. Organisations active in regulated areas (finance, telecommunications, health) should expect their existing sector obligations, not AI law, to be the binding constraint. And because the legal baseline is light, reputational, contractual and international-standard expectations (for example UNESCO's ethics principles) often do more practical work than domestic statute.
How it works
No AI-specific statute or regulator
Palau has not enacted any law that defines or regulates AI, classifies AI systems by risk, or creates an AI authority. There is no national AI strategy. This is a deliberate description of absence, not an oversight: the country is at an early stage of digital development and has concentrated on connectivity, e-government and cybersecurity rather than AI-specific rules.
The constitution and general law
The Constitution of Palau (in force since 1981) is the supreme law and sets out fundamental rights in Article IV, including protections that bear on data and surveillance. These constitutional protections, together with common law duties of confidentiality and the courts, form the backstop that applies to AI-enabled activity in the absence of statute.
The Privacy Act and personal information
Palau's personal-information rules sit in the Privacy Act provisions of Title 6 of the Palau National Code Annotated. The operative duties are framed around a government "agency that maintains personal information": such an agency must protect that information from loss, unauthorised access, modification, disclosure or misuse; must not keep it longer than needed; and must not reuse it for a new purpose except in defined circumstances (for example consent, law enforcement, a serious threat to public health or safety, statistical or research use, or a court order). Importantly, this is an existing chapter of the National Code that binds public bodies; it is not a comprehensive, GDPR-style data-protection statute covering private companies, and Palau has no dedicated data-protection authority. Claims of a standalone "Palau Privacy Act 2019" with GDPR-style consent rules, a 72-hour breach-notification duty and a data-protection commissioner appear only on low-quality aggregator sites and cannot be confirmed from any primary source.
Sector and telecommunications law
For private-sector data handling, the binding constraints are sectoral. Telecommunications and banking operators are subject to confidentiality obligations under their licences and sector legislation, reinforced by the common law duty of confidence. Palau National Communications Corporation (PNCC) is the national carrier. These sector rules, rather than any AI law, govern most commercial uses of customer data, including AI-driven ones.
Cybersecurity: the fastest-moving area
Cybersecurity is where Palau has built the most concrete governance. The Republic signed a National Cybersecurity Strategy and Policy 2026 to 2030, developed with technical support from the ITU Regional Office for Asia and the Pacific, working with Palau's Bureau of Communications and the Ministry of Finance, following national co-creation workshops in September 2025. Separately, in October 2025 the Senate unanimously passed Senate Bill No. 12-9, SD1, the Cybersecurity Act. The bill would create a Bureau of Cybersecurity under the Ministry of Public Infrastructure and Industries, headed by a Chief Information Security Officer; mandate minimum cybersecurity standards, breach notification and data protection by agencies; and impose penalties (civil fines up to 10,000 US dollars per violation, or up to five years in prison for intentional misconduct). The bill then moved to the House of Delegates for consideration. The Act was developed with guidance from cybersecurity experts including MITRE.
Centralising government technology and AI
In April 2026 President Surangel Whipps Jr signed an executive order creating an Office of Applied Technology and Strategy within the Office of the President, headed by a Chief Technology Officer. Its remit includes developing government-wide standards and architectures, assessing risks such as cybersecurity and system resilience, and supporting digital transformation. The President explicitly cited AI use as one of the themes the office would address, and the order noted data-protection issues among the risks of fragmented government systems. This is the closest thing Palau has to an institutional home for AI questions, though it is an executive-branch coordination body, not an AI regulator.
International and regional alignment
Palau has been a UNESCO member since 1999. The UNESCO Recommendation on the Ethics of Artificial Intelligence, adopted on 23 November 2021 by all 193 UNESCO Member States at the 41st General Conference, is therefore an instrument Palau is associated with as a member; it is a non-binding standard built around human-rights-centred values, principles such as proportionality and do-no-harm, and policy action areas. There is no public evidence that Palau has completed UNESCO's Readiness Assessment Methodology (RAM), the diagnostic tool used to gauge a country's preparedness to implement the Recommendation; the RAM countries published to date are elsewhere in Asia, not the Pacific. Palau is also a member of the ITU and has engaged with the UN Global Digital Compact. At the regional level, Palau sits within Pacific Islands Forum frameworks, notably the 2050 Strategy for the Blue Pacific Continent and its Technology and Connectivity theme, and the Pacific ICT and digital transformation agenda associated with the 2023 Lagatoi Declaration. Palau is not among the signatories of the Council of Europe Framework Convention on Artificial Intelligence.
Examples
Example 1: A government agency deploys an AI tool to triage citizen records. Because there is no AI law, the binding rules are the Privacy Act provisions of Title 6 of the Palau National Code: the agency must secure the personal information, limit retention, and avoid reusing it for a new purpose without a lawful basis. The emerging cybersecurity framework adds expectations on standards and breach handling.
Example 2: A telecommunications or banking provider introduces AI-based fraud detection on customer data. The governing constraints are the provider's sector licence and confidentiality duties under telecommunications or banking law and the common law, not any AI statute. Misuse of customer data risks licence and confidentiality consequences enforced by the sector regulator or the courts.
Example 3: Palau Community College adopted an institutional academic policy on the ethical use of AI in 2025. This shows how, absent national rules, individual public institutions write their own AI-use policies. Such policies are internal governance, not law, and bind only the institution that issues them.
Common misunderstandings
"Palau has a GDPR-style privacy law from 2019." Not confirmed. The personal-information rules are the Privacy Act provisions in Title 6 of the Palau National Code, which bind government agencies. There is no verifiable standalone 2019 data-protection statute, no GDPR-style private-sector scope, and no data-protection authority; those claims trace only to unreliable aggregator websites.
"There must be an AI regulator somewhere in government." There is not. The new Office of Applied Technology and Strategy coordinates government technology and touches AI, but it is an executive coordination body, not an AI regulator with enforcement powers.
"UNESCO's AI ethics Recommendation is binding on Palau." It is a non-binding standard. As a UNESCO member Palau is associated with it, but it creates no enforceable domestic duties.
"Palau signed the global AI treaty." Palau is not among the signatories of the Council of Europe Framework Convention on Artificial Intelligence, the first binding international AI treaty.
"Cybersecurity law and AI law are the same thing." They overlap but are distinct. Palau's cybersecurity strategy and pending Cybersecurity Act address digital security and data protection; neither regulates AI systems as such.
Risks and boundaries
This page describes Palau's national approach to AI governance. It is not legal advice and not a data-protection compliance guide; generic privacy obligations belong on dedicated privacy pages.
The central boundary is that Palau has no AI-specific law. Treating general data, sector or cybersecurity rules as if they were AI regulation overstates the position; conversely, assuming "no AI law" means "no obligations" understates it, because constitutional rights, sector duties and cybersecurity expectations all apply.
Legal status is partly pending and may change. The Cybersecurity Act passed the Senate in October 2025 and moved to the House of Delegates; its final form and entry into force should be verified from official sources before relying on it. The National Cybersecurity Strategy and Policy 2026 to 2030 is a strategy document, not a statute. The Office of Applied Technology and Strategy is newly created and its practical role is still forming. Because Palau is a thin-source jurisdiction, several details circulating online (especially about a "Privacy Act 2019") are unreliable and should not be relied on.
What to do next
Map your real obligations, not imagined ones. If you handle personal data with AI in Palau, identify whether you are a government agency (Title 6 Privacy Act duties apply) or a private operator (sector and contractual duties apply), and document the lawful basis for any data reuse.
Treat cybersecurity as the live compliance frontier. Track the Cybersecurity Act through the House of Delegates and align to the National Cybersecurity Strategy and Policy 2026 to 2030, including breach handling and minimum standards, especially if you touch government data or critical systems.
Use international standards as your design baseline. With no domestic AI statute, anchor AI governance to durable references such as the UNESCO Recommendation on the Ethics of AI (human oversight, proportionality, transparency, data protection) and recognised risk-management practice.
Engage the right institutions. The Office of Applied Technology and Strategy, the Bureau of Communications and the Ministry of Finance are the practical points of contact for government technology, cybersecurity and digital policy.
Watch the triggers that would change the picture: introduction of any AI-specific bill or strategy, completion of a UNESCO Readiness Assessment, enactment of the Cybersecurity Act, or creation of a data-protection authority. Any of these would shift Palau from indirect to direct AI governance.
FAQs
Does Palau have an AI law?
No. Palau has no AI-specific statute, no risk-based AI rules and no AI regulator. AI is governed indirectly through constitutional rights, the Privacy Act provisions of the Palau National Code, sector and telecommunications law, and developing cybersecurity rules.
Is there a national AI strategy in Palau?
No published national AI strategy exists. The AI Asia Pacific Institute's August 2024 report found no active AI strategy across the sixteen Pacific Island countries. The closest institutional development is the Office of Applied Technology and Strategy, created in 2026, which addresses technology and AI but is not an AI strategy or regulator.
What law protects personal data in Palau?
The Privacy Act provisions in Title 6 of the Palau National Code, which require government agencies to protect personal information, limit retention, and avoid unauthorised reuse. There is no comprehensive GDPR-style law covering private companies and no data-protection authority.
Has Palau adopted the UNESCO Recommendation on the Ethics of AI?
As a UNESCO member since 1999, Palau is associated with the Recommendation, which all 193 member states adopted in November 2021. It is a non-binding ethical standard, not enforceable domestic law, and there is no public evidence Palau has completed UNESCO's Readiness Assessment.
What is Palau doing about cybersecurity?
Palau signed a National Cybersecurity Strategy and Policy 2026 to 2030 with ITU support, and its Senate passed a Cybersecurity Act in October 2025 that would create a Bureau of Cybersecurity, mandate standards and breach notification, and impose penalties. The Act moved to the House of Delegates.
Why has Palau experienced so much cybersecurity activity but no AI law?
Palau's government suffered serious ransomware attacks from March 2024 onward, which pushed cybersecurity to the top of the agenda. AI-specific regulation has not been a near-term priority given limited resources and an early stage of AI adoption.
Does any Pacific regional framework regulate AI in Palau?
Not directly. Palau sits within Pacific Islands Forum frameworks such as the 2050 Strategy for the Blue Pacific Continent and the Lagatoi Declaration digital agenda, which set shared connectivity and digital-transformation priorities rather than binding AI rules.
Is Palau a party to the international AI treaty?
No. Palau is not among the signatories of the Council of Europe Framework Convention on Artificial Intelligence, the first legally binding international treaty on AI.
