What is AI regulation in Saint Lucia?
AI regulation: countries and regions
Saint Lucia has no AI-specific law, strategy or policy in force. Artificial intelligence is governed indirectly through the partially proclaimed Data Protection Act (Cap 8:18), sector regulation (notably the Financial Services Regulatory Authority under the Virtual Asset Business Act), constitutional privacy protection, and non-binding regional and international instruments such as the UNESCO Caribbean AI Policy Roadmap and the CARICOM-aligned CTU Caribbean AI Task Force. National AI legislation has been signalled but not drafted.
Reviewed by Jackie, Head of Learning & Development, Levellers · Last reviewed 8 June 2026
What this means
Saint Lucia, a member of CARICOM, the Organisation of Eastern Caribbean States (OECS) and the Organization of American States (OAS), does not yet regulate artificial intelligence directly. There is no national AI Act, no published national AI strategy and no AI-specific regulator. Independent trackers, including DPO Caribbean's mapping of Caribbean AI law, record that no substantive national AI document has been identified for the country.
In the absence of bespoke rules, AI use falls under whatever existing law happens to touch it. The most important instrument is the Data Protection Act (also referenced as the Privacy and Data Protection Act, Cap 8:18), which was partially brought into force at the end of January 2023. Its data protection principles and its data controller registration duty apply to anyone processing personal data in Saint Lucia, including the data that trains or feeds AI systems. Sector regulators, the constitution's privacy guarantees and contract and consumer law fill other gaps.
Above the national layer sits a growing set of regional and international frameworks. These are advisory rather than binding, but they shape the direction Saint Lucia is expected to take and provide the templates a future national policy would likely follow.
Why it matters
For any organisation deploying or governing AI that touches Saint Lucia, the practical message is that the binding constraints are data protection, sector licensing conditions and general law, not an AI statute. If your system processes personal data of people in Saint Lucia, the Data Protection Act's principles (purpose limitation, fairness, transparency, accountability and security) and the duty to register as a data controller apply now, even though the rights and enforcement machinery are not all switched on. Financial and virtual-asset operators face the most concrete obligations, because the Financial Services Regulatory Authority requires a documented cybersecurity and data protection framework as part of licensing. Because the regional bodies are moving toward harmonised AI rules, an investment in privacy-by-design and basic model governance today is the cheapest way to stay ahead of what is coming.
How it works
No AI-specific law yet
Saint Lucia has not enacted an AI statute, published a national AI strategy or designated an AI regulator. The Minister for Education, Youth Development, Sports and Digital Transformation, Hon. Kenson Casimir, has publicly said that policy and legislation will be needed to guide responsible AI use. Addressing concerns about AI in Caribbean Examinations Council school-based assessments in January 2026, he said that "robust legislation is necessary to guard against unsavoury practices" and that the matter "is one that will eventually be addressed at the Cabinet level," describing AI as "real, existential" and a potential "major game changer if used correctly." These are signals of intent rather than instruments in force. There is no risk-tiering, no conformity assessment regime and no AI-specific transparency duty under domestic law.
The Data Protection Act (Cap 8:18) as the main lever
The Data Protection Act is the closest thing Saint Lucia has to AI governance, because most AI systems process personal data. A Proclamation Order at the end of January 2023 brought key provisions into force. Now active are the core data protection principles (in section 32) and the obligation for data controllers to register with the Data Protection Commissioner. The Act also contains a privacy impact assessment provision (section 12A), restrictions on cross-border transfers of personal data, criteria for processing sensitive personal data, and a broad set of exemptions covering national security, crime and taxation, health and social work, regulatory activity, journalism and the arts, research and statistics, legal professional privilege and domestic purposes. Several parts of the Act have not yet been proclaimed: pending provisions include the data subject rights to access personal data, correct inaccuracies and object to processing, and the investigation and enforcement mechanisms that would let the Commissioner monitor compliance, investigate breaches and impose penalties. The Revised Laws portal flags the 2023 text as not yet authenticated through a Commencement Order, so the exact effective scope should be checked against the Gazette.
The Data Protection Commissioner
The Act provides for a Data Protection Commissioner, appointed in writing by the Governor General acting on the advice of the Prime Minister after consultation with Cabinet and the Leader of the Opposition. Under the current revised text (as substituted by Act 2 of 2015), an appointee needs a minimum of six years of training or experience in one of several fields: law, economics, finance, information management, information and communication technology, accounting or human resource management. (Note that the 2011 enacted text instead required an attorney-at-law of at least ten years standing, so the qualification wording itself has shifted across versions and should be read from the current Revised Laws.) The Commissioner holds office for five years and is intended to have an independent, parliamentary-appropriated budget. In practice, there is no public evidence that a Commissioner has been appointed or that an operational office, register or complaints mechanism exists. The registration duty is nominally in force, but the regulator that should receive registrations appears to be a paper provision for now.
Sector and financial regulation
Where AI appears inside a regulated activity, the sector regulator's rules bite. The Financial Services Regulatory Authority (FSRA) supervises virtual-asset business under the Virtual Asset Business Act (Act 24 of 2022, in force 28 December 2022). Licence applicants must submit a cybersecurity and data protection framework, which is the kind of control that captures automated decision systems used in onboarding, monitoring or trading. Telecommunications and broadcasting are overseen by the National Telecommunications Regulatory Commission under the Telecommunications Act, with the Eastern Caribbean Telecommunications Authority (ECTEL) acting as the regional regulator. The Electronic Transactions Act supports e-commerce and addresses intermediary liability.
State digital capacity
Saint Lucia's most concrete digital-governance investments are institutional rather than regulatory. Through the World Bank-funded Caribbean Digital Transformation Project (CARDTP), coordinated by the OECS, the government is building a National Government Datacenter and establishing a Governmental Cyber Incident Response Team (CIRT); a stakeholder consultation on both was held on 11 February 2025. Public-sector AI awareness has featured at events such as the AI Summit held during Productivity Awareness Week. These build the capacity that any future AI oversight body would rely on, but they are not themselves regulation.
The regional and international layer
Several non-binding instruments shape Saint Lucia's trajectory. The UNESCO Caribbean Artificial Intelligence Policy Roadmap, published by the UNESCO Office in Kingston and developed through consultation with over 1,000 institutions and individuals across 20 Caribbean countries, sets out four pillars: Culture and Creativity; Governance and Transformation; Upskilling and Education; and Resiliency and Sustainability. The CTU Caribbean AI Task Force, launched on 18 July 2025, is mandated to harmonise AI policies and regulatory frameworks across the region and to build regional AI capacity with a focus on youth, women and underrepresented communities. It is chaired by Dr Craig Ramlal, Head of the Control Systems Group in Electrical and Computer Engineering at the University of the West Indies, St Augustine, who was recognised by the United Nations as one of 39 preeminent AI leaders. It is a coordination mechanism, not an enforcement body, and is scheduled to present a final report and consolidated policy guidance at a Caribbean AI Forum in 2026, in alignment with the CARICOM Single ICT Space. CARICOM Heads of Government endorsed a Regional Digital Resilience Strategy at their 47th Regular Meeting in St George's, Grenada (28 to 30 July 2024, chaired by Prime Minister Dickon Mitchell), agreeing to a regional project to train citizens in artificial intelligence and data analytics, a digital skills fund to train 10,000 CARICOM youths, and the establishment of an Artificial Intelligence Centre of Excellence in Grenada. At the hemispheric level, the OAS has developed an Inter-American Framework on Data Governance and AI (MIGDIA) and adopted a Declaration and Plan of Action on trustworthy AI. Saint Lucia is not an OECD member and has not adhered to the OECD AI Principles, though those principles inform the regional templates it engages with.
Examples
A regional fintech seeking a virtual-asset licence: A company applying to the FSRA to conduct virtual-asset business in or from Saint Lucia must submit a cybersecurity and data protection framework as part of its application. If it uses AI for transaction monitoring or customer onboarding, the controls around that system, including data handling compliant with the Data Protection Act, are assessed during licensing. The binding obligation flows from the Virtual Asset Business Act and FSRA review, not from any AI law.
A business processing personal data through an AI tool: A retailer or service provider in Saint Lucia using an AI system that ingests customer personal data is a data controller. It must observe the data protection principles now in force and is, in principle, required to register with the Data Protection Commissioner. Because enforcement provisions and the regulator's office are not demonstrably operational, the practical risk today is reputational and contractual rather than a regulatory fine, but the underlying duty exists.
Schools and the education ministry weighing AI in assessment: Following concern about AI use in Caribbean Examinations Council school-based assessments, the responsible minister has called for policy and eventual legislation. There is no statute governing this yet, so schools operate under institutional rules and CXC guidance rather than a national AI law.
Common misunderstandings
"Saint Lucia has an AI law." It does not. No AI-specific statute, strategy or regulator exists; AI is governed indirectly through data protection, sector rules and general law.
"The Data Protection Act is fully in force." It is only partially proclaimed. Core principles and the registration duty are active, but key data subject rights and the investigation and enforcement powers have not all been brought into force.
"There is a data protection regulator I can complain to." The Act provides for a Data Protection Commissioner, but there is no public evidence of an appointment or of an operational office and complaints mechanism.
"The UNESCO Roadmap and CTU Task Force are binding." They are advisory and coordinating instruments respectively. Neither creates enforceable obligations in Saint Lucia.
"Because Saint Lucia engages with OECD-style principles, it is bound by them." Saint Lucia is not an OECD member and has not adhered to the OECD AI Principles; it references them only through regional frameworks.
Risks and boundaries
The central boundary is that AI governance in Saint Lucia is indirect and partial. The Data Protection Act is the main instrument, but its commencement status is genuinely uncertain: the Revised Laws portal marks the 2023 text as not yet authenticated through a Commencement Order, and the precise list of proclaimed provisions should be verified against the Gazette before relying on it. The Data Protection Commissioner appears not to have been appointed and the office not operational, which means that even in-force duties such as registration lack a functioning regulator. None of the regional instruments (UNESCO Roadmap, CTU Task Force, CARICOM strategy, OAS frameworks) is binding law in Saint Lucia, and they should not be treated as compliance obligations. There is no AI-specific transparency, risk-classification or conformity-assessment regime. This is a thin-law jurisdiction: within CARICOM, peers such as Jamaica (whose Data Protection Act carries extra-territorial reach and a 72-hour breach-notification duty) and Barbados (with a functioning Data Protection Commissioner) are further ahead, which underscores how much of Saint Lucia's framework remains prospective. The honest position is that durable architecture exists mainly in data protection and sector regulation, while AI-specific rules are still to come.
What to do next
Treat the Data Protection Act as your baseline. If you process personal data of people in Saint Lucia, apply the data protection principles, run privacy impact assessments for higher-risk AI, and prepare to register as a data controller. Verify current commencement against the Gazette and the Attorney General's Chambers Revised Laws portal rather than assuming the whole Act is live.
If you are in a regulated sector, especially financial services or virtual assets, build your AI controls into the cybersecurity and data protection framework the FSRA expects, and treat automated decision systems as in scope. For telecoms and broadcasting, engage with the National Telecommunications Regulatory Commission and ECTEL requirements.
Adopt voluntary good practice now, using the UNESCO Roadmap pillars and OECD-style principles as a design reference: documented model governance, human oversight, bias testing and transparency. This positions you for the harmonised regional rules the CTU Task Force is expected to recommend in 2026. Monitor for a national AI policy or legislation emerging from Cabinet, the appointment of a Data Protection Commissioner, and the Caribbean AI Forum's consolidated guidance, as any of these would change the compliance picture.
Have a question or a suggestion, or want to understand how we research and review these guides? Read about our editorial standards and how to reach us.
FAQs
Does Saint Lucia have a law specifically regulating artificial intelligence?
No. There is no AI-specific statute, no published national AI strategy and no AI regulator. AI is governed indirectly through data protection law, sector regulation, constitutional privacy protection and general law.
What governs AI in the absence of an AI statute?
Principally the Data Protection Act (Cap 8:18), plus sector rules such as the Virtual Asset Business Act enforced by the FSRA, telecommunications regulation, the Electronic Transactions Act, contract and consumer law, and the constitution's privacy protections.
Is the Data Protection Act fully in force?
No. A Proclamation Order at the end of January 2023 brought core principles and the data controller registration duty into force. Key data subject rights and the investigation and enforcement powers have not all been proclaimed.
Is there a Data Protection Commissioner I can contact?
The Act provides for one, but there is no public evidence that a Commissioner has been appointed or that an operational office and complaints mechanism exist.
Do the UNESCO Roadmap and CTU Task Force impose obligations?
No. The UNESCO Caribbean AI Policy Roadmap is advisory and the CTU Caribbean AI Task Force is a regional coordination body. Neither creates binding duties in Saint Lucia.
Is Saint Lucia bound by the OECD AI Principles?
No. Saint Lucia is not an OECD member and has not adhered to the OECD AI Principles. It engages with them only indirectly through regional frameworks.
When might Saint Lucia get an AI law?
There is no timetable. The responsible minister has signalled that policy and legislation will be needed and that the matter will go to Cabinet, and the CTU Task Force is due to present consolidated regional guidance at a Caribbean AI Forum in 2026.
What should a company deploying AI do now?
Comply with the Data Protection Act, build AI controls into any sector licensing framework, and adopt voluntary model governance aligned to UNESCO and OECD-style principles to prepare for harmonised regional rules.