What is AI regulation in Saint Vincent and the Grenadines?
AI regulation: countries and regions
Saint Vincent and the Grenadines has no AI-specific law, strategy or regulator. AI is governed indirectly by existing instruments: the constitutional right to privacy, the Electronic Transactions Act 2007, the Cybercrime Act 2016 and sector regulation (telecoms via the NTRC and ECTEL), plus the never-commenced Privacy Act 2003. The country aligns with regional and international soft-law frameworks (CARICOM, OECS, OAS and UNESCO) rather than binding AI rules.
Reviewed by Jackie, Head of Learning & Development, Levellers · Last reviewed 8 June 2026
What this means
AI regulation in Saint Vincent and the Grenadines (SVG) means the patchwork of general laws, constitutional rights, sector rules and regional commitments that apply when AI systems are built or used, because there is no dedicated AI statute. SVG is a small Eastern Caribbean state, a member of both the Caribbean Community (CARICOM) and the Organisation of Eastern Caribbean States (OECS), and it uses the Eastern Caribbean dollar. Its digital legal base is thinner than that of larger jurisdictions, and several key instruments are either old or not in force.
The most important fact for any reader: SVG has not enacted a data protection act. The Privacy Act 2003 was passed by the House of Assembly but never brought into force, because the required commencement order has never been issued. Some commercial websites wrongly claim SVG has a "Data Protection Act 2021" in force via Statutory Instrument No. 4 of 2023. That is a misattribution of Saint Lucia's law and should be disregarded.
In short, this is a thin-source jurisdiction. There is genuinely little dedicated material to cite, so the honest position is to state plainly what exists, what is merely drafted or proposed, and what is simply absent.
Why it matters
For founders, operators, advisers and buyers, the practical point is twofold. There is no AI rulebook to comply with locally, but there is also no comprehensive data protection regime to rely on. Organisations deploying AI in SVG cannot point to a national AI duty, an algorithmic transparency requirement, an automated-decision right or a functioning data protection authority. The protections that businesses and individuals often assume exist are, in domestic law, largely absent.
That means governance has to be built from first principles, from general law, and from cross-border obligations. Where an SVG entity processes the personal data of EU residents, the EU GDPR can reach it extraterritorially. Contractual commitments to overseas partners, card networks, cloud providers or funders frequently impose stricter standards than anything in SVG law. For public-sector deployers, general administrative and constitutional law is the backstop rather than a tailored AI accountability statute. The upshot is that the burden of trustworthy AI sits with the deploying organisation, not the statute book.
How it works
No AI-specific statute or strategy
There is no AI Act, no national AI strategy in force, and no AI regulator in SVG. The UNIDIR AI Policy Portal profile for SVG, last reviewed in August 2025, lists no national AI strategy, legislation or institutions. The most concrete signal of intent came in September 2025, when the then Minister of Finance and Information Technology, Camillo Gonsalves, told NBC Radio SVG that "the Government will be rolling out an Artificial Intelligence (AI) policy in its next term of office," adding that AI "is a reality that St Vincent and the Grenadines has to grapple with and it must be talked about, studied and dealt with." That was a forward-looking pledge by an administration that lost the November 2025 general election, so its continuation is uncertain and no AI policy document has been published.
What governs AI in the absence of a dedicated law
Several general instruments do the regulatory work. The 1979 Constitution protects the privacy of the home and other property and provides that, except with consent, a person shall not be subjected to the search of their person or property or entry on their premises. The Electronic Transactions Act 2007 gives legal effect to electronic contracts and signatures and contains a set of computer-misuse offences (illegal access, data interference, system interference, computer-related fraud and related conduct). The Cybercrime Act 2016 provides a fuller modern criminal framework covering illegal access and interception, identity-related crimes, harassment and offences against critical infrastructure. The Privacy Act 2003 exists on paper but is not in force, so there is no statutory data protection authority and no operative data protection principles to enforce.
Sector regulation
Telecommunications are regulated nationally by the National Telecommunications Regulatory Commission (NTRC), established under the Telecommunications Act, working alongside the regional Eastern Caribbean Telecommunications Authority (ECTEL), set up by treaty in 2000 for the five-member Eastern Caribbean group. Financial services and electronic payments are shaped at currency-union level, including by the Eastern Caribbean Central Bank. These bodies regulate the infrastructure on which AI runs, such as connectivity, spectrum and payment systems, rather than AI systems themselves. There is no sectoral AI mandate analogous to those emerging in larger economies.
Regional and international alignment
SVG participates in regional digital initiatives rather than building its own AI law. The World Bank-funded Caribbean Digital Transformation Project (CARDTP), coordinated through the OECS, supports harmonised data protection and cybersecurity frameworks across the Eastern Caribbean; the OECS issued a request for expressions of interest on 19 January 2022 to develop harmonised data protection legislation for the Eastern Caribbean Currency Union under that project. CARICOM operates a Single ICT Space and a Digital Agenda, and UNESCO published a Caribbean Artificial Intelligence Policy Roadmap in 2021. The Caribbean Telecommunications Union (CTU) launched a Caribbean AI Task Force on 18 July 2025, chaired by Dr Craig Ramlal of the University of the West Indies, St Augustine; the Task Force is mandated to develop model legislation and to report at a Caribbean AI Forum in 2026, aligned with the CARICOM Single ICT Space. At hemispheric level, the Organisation of American States (OAS) has produced an Inter-American Framework on Data Governance and AI (known as MIGDIA). SVG is not an OECD member and has not adhered to the OECD AI Principles.
Draft legislation and strategy in the pipeline
New data protection legislation is being developed regionally under CARDTP, based on an OECS Data Protection Model Bill. Neighbouring members have already moved: Saint Kitts and Nevis enacted an OECS-modelled Data Protection Act in 2018 (passed but not yet commenced), and Grenada enacted a Data Protection Act in 2023, both designed to protect personal data processed by public and private bodies. SVG is expected to follow the model, but no SVG-specific bill name, tabling date or commencement has been confirmed. A national Five-Year Digital Transformation Strategy (also referred to as a National Digital Economy Development Strategy) has been in draft and validation under CARDTP; a finalised, published version could not be confirmed. Responsibility for the digital portfolio shifted after the December 2025 change of government to the Minister with the education, innovation and digital transformation brief.
Examples
1. A fintech using automated credit scoring in SVG. There is no national rule requiring algorithmic transparency or a right to human review of an automated decision. The effective guardrails are contractual obligations, the constitutional privacy provision, the computer-misuse and cybercrime offences that bite if data is mishandled, and any commitments owed to overseas card networks or EU-facing counterparties.
2. A government service using AI for disaster-risk planning. SVG sits in a climate-vulnerable region where AI is being applied to infer building and rooftop characteristics from satellite imagery for resilience planning. Public-sector use of such tools is governed by general administrative law and, in principle, the unenforceable Privacy Act, rather than by any AI impact-assessment duty, audit requirement or published-disclosure obligation.
3. A regional employer rolling out AI workforce tools. Business voices in SVG, including the local chamber of commerce, have publicly urged faster AI workforce training as Caribbean industries prepare for technological change. An employer deploying AI tools relies on regional frameworks, internal policy and cross-border data rules for compliance, because there is no local AI statute to follow.
Common misunderstandings
"SVG has a Data Protection Act 2021." False. SVG has not enacted any data protection act. The claim, repeated on some commercial legal-content sites, confuses Saint Lucia's law, which commenced via Statutory Instrument No. 4 of 2023. Only the never-commenced Privacy Act 2003 exists in SVG.
"The Privacy Act 2003 protects personal data." It is not in force, and even on its terms it only ever covered public authorities. There is no operating data protection regulator and no enforcement mechanism.
"There is an AI regulator or an AI law." There is neither. No agency in SVG supervises AI specifically.
"Regional frameworks are binding law in SVG." CARICOM, OECS, OAS and UNESCO instruments are largely soft law or programmes. They guide policy and can shape future legislation, but they do not directly bind a deployer in the way a statute does.
"No AI law means no legal risk." General law still applies: constitutional privacy, cybercrime and computer-misuse offences, contract, consumer protection and sector rules, plus extraterritorial regimes such as the EU GDPR.
Risks and boundaries
This page describes a thin-source jurisdiction, and the depth of coverage reflects that honestly. The central boundary is that SVG has no dedicated AI regime and no enforceable comprehensive data protection law. The features deployers and individuals often expect, such as algorithmic transparency, automated-decision rights, mandatory breach notification and an independent supervisory authority, are absent from domestic law.
Legal status is uncertain and in flux. Regional data protection legislation is being drafted under CARDTP on the OECS model; a national digital strategy has been in draft; and a previously pledged national AI policy is now in doubt following the change of government. None of these should be treated as in force. Anyone advising on SVG should verify current status from primary or official sources before relying on it, and should not read the regional AI activity (the CTU Task Force, the UNESCO roadmap, the OAS framework) as creating binding domestic obligations. Equally, the absence of local AI rules is not a safe harbour: extraterritorial laws and contractual standards can be the operative constraint.
What to do next
Treat SVG as a jurisdiction where AI governance is your responsibility rather than the statute book's. Concretely:
Build internal AI governance to a recognised external benchmark, such as the OECD AI Principles or the UNESCO Recommendation on the Ethics of Artificial Intelligence, since no local standard exists to anchor to.
Map which extraterritorial regimes apply to your operation, particularly the EU GDPR where you handle EU residents' data, and any standards imposed by overseas partners, funders, cloud providers or payment networks.
Apply data protection good practice voluntarily, because there is no enforceable national regime: document lawful bases, retention, security and, in particular, any automated decision-making affecting individuals.
Engage the right sector regulator where relevant, the NTRC (with ECTEL) for telecoms-dependent services and the currency-union financial authorities for payments.
Watch three triggers that would change the picture: the arrival of an OECS-model data protection bill in SVG, the publication of the national digital transformation strategy, and any revived national AI policy. Each would shift the compliance baseline from voluntary to mandatory.
Have a question or a suggestion, or want to understand how we research and review these guides? Read about our editorial standards and how to reach us.
FAQs
Does Saint Vincent and the Grenadines have an AI law?
No. There is no AI-specific statute, no national AI strategy in force and no AI regulator.
Is there a data protection law?
No comprehensive law is in force. The Privacy Act 2003 was passed but never commenced, and it only ever covered public authorities, so there is no operating data protection authority.
What about online claims of a Data Protection Act 2021?
That is a misattribution of Saint Lucia's law, which commenced via Statutory Instrument No. 4 of 2023. SVG has not enacted a data protection act.
What laws actually apply to AI in SVG then?
The Constitution's privacy and search provisions, the Electronic Transactions Act 2007, the Cybercrime Act 2016, sector regulation, contract and consumer law, and cross-border obligations such as the EU GDPR.
Who regulates AI-related infrastructure?
Telecoms are regulated by the NTRC alongside ECTEL, and payments and currency matters involve the Eastern Caribbean Central Bank. None regulates AI directly.
Is SVG bound by the OECD AI Principles or the EU AI Act?
SVG has not adhered to the OECD AI Principles and sits outside the EU. EU rules can still apply extraterritorially to SVG entities that serve the EU market.
Is anything changing?
Yes. Data protection legislation is being drafted regionally under CARDTP on an OECS model, a national digital strategy has been in draft, and regional AI governance work is active through the CTU Caribbean AI Task Force and the OAS.
What should a business deploying AI in SVG do now?
Build governance to an external benchmark, comply voluntarily with data protection good practice, identify which foreign laws and contracts bind you, and monitor the pending regional bill and national strategy.