Data Sovereignty · 15 min read

Who Owns Caribbean Data? The Data Sovereignty Battle Every Organisation Must Win Before 2027

By Adrian Dunkley, President · Jun 8, 2026
TLDR
  • Only three Caribbean nations (Jamaica, Trinidad and Tobago, and Barbados) have data protection legislation that approaches international standards. The majority of CARICOM states have no enforceable national framework.
  • Most Caribbean organisations store data with US or EU cloud providers. When those providers process that data, the governing law is almost never Caribbean law.
  • AI models are being trained on Caribbean health, financial, and demographic data without explicit consent or attribution to the region generating it.
  • The EU AI Act and GDPR now apply directly to any Caribbean organisation that serves EU customers or uses EU-regulated AI systems.
  • CARICOM is discussing a regional data governance framework. No binding instrument exists yet. Organisations cannot wait for it.
  • This article sets out a five-pillar data governance framework that Caribbean organisations can begin building now.

Every time a Caribbean hospital uploads patient records to a US cloud platform, every time a Caribbean bank runs customer data through an AI credit-scoring API, and every time a government ministry stores citizen records with a multinational technology vendor, a question is being answered by default rather than by choice: whose law governs this data?

The answer, for most Caribbean organisations in 2026, is: not Caribbean law. The data sits in jurisdictions governed by US, EU, or UK regulation. The AI models processing it were trained in those jurisdictions. The commercial agreements controlling it were written under New York or English governing-law clauses. Caribbean citizens' data is flowing through systems that have no obligation to reflect Caribbean interests, protect Caribbean rights, or give Caribbean institutions any meaningful say in how that data is used.

This is the data sovereignty problem. It is not abstract. It has direct consequences for AI governance, financial regulation, healthcare delivery, and the ability of Caribbean governments to make evidence-based policy. This article sets out where Caribbean data governance stands today, what the key risks are for organisations operating across the region, and what a workable response looks like.

Where Caribbean Data Protection Law Actually Stands

The gap between Caribbean data protection frameworks and international standards is significant and measurable. GDPR, which came into force in the EU in 2018, set a floor for data subject rights, organisational accountability, and cross-border transfer controls that is now widely treated as the global benchmark. Against that benchmark, the Caribbean region is unevenly positioned.

Jamaica enacted the Data Protection Act in 2020, which came into full force in 2023. The Act establishes a Data Protection Commissioner, sets consent requirements, and provides for cross-border transfer restrictions. It is the most comprehensive data protection framework in the anglophone Caribbean and aligns reasonably well with GDPR principles, though enforcement capacity remains limited.

Trinidad and Tobago passed the Data Protection Act in 2011, making it one of the earliest in the Caribbean. The Act has been criticised for limited enforcement and outdated provisions that predate cloud computing and AI at scale. A review process has been ongoing, but no major amendments have passed as of mid-2026.

Barbados enacted the Data Protection Act in 2019 and established a Data Protection Commissioner. The legislation covers both public and private sector data processing and includes provisions for special categories of sensitive data. Implementation has been gradual and enforcement resources remain stretched.

The majority of CARICOM member states, including Guyana, St. Lucia, Dominica, Grenada, St. Kitts and Nevis, Antigua and Barbuda, and the Bahamas, have either no data protection legislation or legislation that is narrowly scoped and predates cloud computing and AI at scale. Haiti, one of CARICOM's two non-anglophone members, has constitutional privacy provisions but no comprehensive data protection law. Suriname, the other, also lacks a modern data protection framework.

This legislative patchwork creates three distinct risks. First, organisations operating across multiple Caribbean territories face inconsistent compliance obligations. Second, citizens in most Caribbean states have no enforceable data rights when AI systems process their personal information. Third, Caribbean governments lack the legal instruments to require data localisation or restrict cross-border transfers, leaving them with no practical lever to assert sovereignty over national data assets.

The Cross-Border Data Flow Problem


Caribbean organisations overwhelmingly rely on cloud infrastructure based outside the region. None of AWS, Microsoft Azure, or Google Cloud operates a region in the Caribbean. The nearest full regions are in the eastern United States (Northern Virginia, Ohio, South Carolina), which means that data any future Caribbean framework would classify as sensitive is today sitting in US jurisdiction under US law.

This creates a specific legal tension. The US CLOUD Act of 2018 allows US law enforcement to compel providers subject to US jurisdiction to disclose data in their possession, custody, or control regardless of where it is stored, including data held on behalf of foreign customers. A Caribbean government ministry storing citizen records on AWS has, by that choice alone, made that data potentially accessible to US authorities, and nothing in the Act obliges anyone to notify the Caribbean government or the affected citizens.

EU-regulated data flows introduce a different set of constraints. Under GDPR Article 46, transfers of personal data to countries without an EU adequacy decision require appropriate safeguards: standard contractual clauses, binding corporate rules, or another approved mechanism. No Caribbean nation currently holds a GDPR adequacy decision. A Caribbean organisation that receives personal data from EU customers, or that processes data about people in the EU, must therefore be party to one of these mechanisms on every such flow (the EU-side exporter is the party obliged to put it in place, but the Caribbean importer signs up to its terms and must actually honour them), a compliance obligation that most small and mid-sized Caribbean businesses have not addressed.

The Caribbean Development Bank, in its 2025 regional technology assessment, identified cross-border data governance as one of the three highest-priority digital economy risks for CARICOM member states. The Bank specifically flagged the absence of Caribbean data infrastructure as a structural vulnerability that limits the region's ability to capture value from its own data assets or to protect citizens as AI systems scale.

The practical consequence for Caribbean banks, insurers, healthcare providers, and government agencies is this: their most sensitive operational data is governed by foreign law, processed by foreign AI systems, and stored in foreign infrastructure. If those foreign providers change their terms, raise their prices, change their data use policies, or become subject to foreign regulatory actions, the Caribbean institution has limited recourse and often no viable alternative.

AI Models and the Consent Problem

A specific and underappreciated dimension of the data sovereignty problem is the role of Caribbean data in training AI models. Large language models, medical AI systems, financial AI tools, and geographic AI applications have all been trained on datasets that include Caribbean content: news articles, legal texts, medical records, financial transaction data, satellite imagery, and social media content generated by and about Caribbean people and places.

In most cases, this training use was not consented to, was not attributed, and generates no return for the Caribbean individuals or institutions whose data was used. A Caribbean hospital group whose anonymised patient records were scraped and included in a medical AI training dataset receives no royalty, no attribution, and no governance right over how that model is subsequently deployed, including deployment back into Caribbean healthcare settings.

This is not a hypothetical concern. Medical AI datasets used to train diagnostic models have been shown to perform systematically worse on populations that are underrepresented in training data. Caribbean populations are consistently underrepresented in clinical AI training datasets, partly because Caribbean health systems have limited data-sharing infrastructure and partly because the commercial AI development ecosystem has not prioritised Caribbean data collection. When those models are then used in Caribbean clinical settings, the performance gap translates directly into diagnostic error rates for Caribbean patients.

The EU AI Act addresses this partially through its transparency and data governance provisions for high-risk AI systems. Under Article 10 of the Act, providers of high-risk AI systems must implement data governance practices covering training, validation, and testing datasets, including documentation of data characteristics and potential biases. Caribbean organisations deploying EU-regulated AI systems, or Caribbean AI developers building systems for the EU market, are subject to these requirements. However, the Act does not yet establish consent or attribution rights for communities whose data contributed to training datasets, leaving the underlying extraction problem unresolved.

The CARICOM Data Framework Discussions

CARICOM's response to the data governance challenge has been deliberate but slow. The CARICOM Single ICT Space initiative, which began in 2016, established a framework for regional digital integration but has not produced a binding data governance instrument. The CARICOM Data Governance Framework discussions, which accelerated in 2024 following the EU AI Act's passage, have produced working group reports and consultations but no ratified agreement as of June 2026.

The structural challenge is familiar to regional governance processes: 15 member states with different legal traditions (common law in the anglophone members, civil law in Haiti and Suriname), different levels of legislative capacity, and different political priorities must reach consensus on technically complex provisions that will impose costs on their private sectors. The EU took over four years from its initial GDPR proposal to its final adoption. CARICOM is attempting a comparable exercise with a fraction of the administrative and legal resources.

What the discussions have produced is a clearer articulation of the region's goals. The working group reports identify four core objectives: a regional data classification standard, minimum requirements for national data protection legislation, a framework for Caribbean cloud infrastructure, and rules for data localisation in specified sensitive sectors including healthcare, financial services, and government records.

The Caribbean Cloud Initiative, supported by the Caribbean Development Bank and several bilateral donors, is developing the infrastructure component of this agenda. The Initiative aims to establish Caribbean-hosted cloud nodes that would allow sensitive public sector data to remain within regional jurisdiction. Initial deployments are planned in Jamaica and Trinidad and Tobago, with federated access for other member states. Full operational capability is projected for 2028, which means a gap of at least two years during which Caribbean organisations will continue to depend on foreign infrastructure.

For Caribbean organisations making data governance decisions now, the CARICOM framework discussions provide useful directional signals but no binding obligations. The practical implication is that organisations that build strong data governance frameworks now will be well positioned when regional standards are adopted, while those that wait will face a more disruptive compliance transition.

Financial Services: Where the AI Data Risk Is Most Acute

Caribbean banks and insurance companies are the most active early adopters of AI across the region's economy, and they are also where the data governance risks are most concentrated. Credit scoring algorithms, fraud detection systems, AML transaction monitoring, and underwriting models are all now in use across major Caribbean financial institutions. In the majority of cases, the AI systems being used are provided by international vendors, trained on datasets that do not include significant Caribbean representation, and governed by contracts that give the Caribbean institution limited visibility into how its customer data is used within the vendor's broader AI development pipeline.

The Bank of Jamaica's 2025 technology risk circular flagged AI third-party data governance as a supervisory priority, requiring regulated institutions to conduct due diligence on the data practices of AI system vendors and to document data flows for all AI-assisted decision-making processes. The Central Bank of Trinidad and Tobago issued comparable guidance in late 2025. These supervisory signals are important: they establish that regulators view AI data governance as a prudential risk issue, not merely a compliance formality.

The specific risk that Caribbean financial regulators are most concerned about is model opacity combined with data sovereignty gaps. If a Caribbean bank's credit scoring model is a black-box system trained by a US vendor on non-Caribbean data, running on US cloud infrastructure, and subject to US law, the Caribbean regulator's ability to audit, challenge, or override that model's decisions is severely constrained. When that model produces discriminatory outcomes for Caribbean borrowers, the regulatory and legal remediation path is uncertain.

The insurance sector presents a parallel challenge. Caribbean insurers increasingly use AI models for underwriting, particularly for catastrophe risk. These models incorporate satellite imagery, climate projections, and historical claims data. If the underlying data includes Caribbean properties and claimants, as it does for any model covering Caribbean catastrophe risk, the data governance obligations are real. Yet most Caribbean insurers have not conducted a systematic audit of the data lineage for the AI models they use from international reinsurers and modelling firms.

A Five-Pillar Data Governance Framework for Caribbean Organisations


Given the legislative gap, the cross-border data flow problem, and the specific risks in financial services and healthcare, what should a Caribbean organisation actually do? CAIRMC recommends a five-pillar approach that any organisation can begin implementing without waiting for regional or national legislation to mature.

Pillar 1: Data Asset Inventory and Classification

The first step is knowing what data you hold, where it is, and what category it falls into. A data asset inventory covers every database, file store, cloud service, and third-party system that processes organisational data. Classification assigns each asset to a sensitivity tier: public, internal, confidential, or restricted. For a Caribbean organisation, the restricted tier should specifically include: citizen or customer national identification data, health records, financial account data, data subject to regulatory retention requirements, and data that could affect national security if disclosed.

This inventory should document not just where data is stored but where it flows: which AI systems receive it, which cloud platforms process it, which third-party vendors access it, and under what contractual terms. Most Caribbean organisations that complete this exercise for the first time discover flows they were not aware of and gaps in their vendor contracts that they had not previously identified.

Pillar 2: Vendor Contract Governance

Data governance obligations must appear explicitly in contracts with AI vendors, cloud providers, and data processors. The minimum provisions are: data use limitation clauses restricting the vendor from using your data to train models or build products without explicit consent; data deletion and return rights on contract termination; audit rights allowing you to verify data handling practices; incident notification timelines (GDPR gives a controller 72 hours to notify its supervisory authority, so a 72-hour processor deadline is the loosest reasonable benchmark and a shorter one leaves you room to meet your own clock); and governing law and jurisdiction clauses that are negotiated rather than defaulted to US or UK law.

Caribbean organisations negotiating with large US technology vendors will face resistance on some of these points. Vendors with standard form agreements are reluctant to modify governing law clauses or to grant audit rights that go beyond their standard security review programs. The appropriate response is not to accept the standard terms without negotiation, but to document the negotiation, escalate unresolved gaps to your board risk committee, and decide consciously whether to accept residual risk or to select an alternative provider.

Pillar 3: AI Model Data Lineage Documentation

For every AI system in use, the organisation should be able to answer four questions. What data was used to train it? Was that data collected with appropriate consent? Does the training data adequately represent Caribbean populations and contexts? And how is the organisation's ongoing operational data used by the AI vendor once it enters the system?

These questions are increasingly asked by Caribbean financial regulators. They are also required by the EU AI Act for organisations using high-risk AI systems. Building the documentation discipline now creates a foundation for regulatory compliance, vendor accountability, and AI performance auditing.

Pillar 4: Data Localisation for Highest-Risk Data Categories

While comprehensive data localisation is neither feasible nor necessarily desirable for most Caribbean organisations, specific data categories warrant a localisation or near-shoring policy. Health records, national identification data, financial transaction records, and government administrative data should be processed within systems where the governing law and data residency are clearly understood and as aligned with Caribbean jurisdiction as current infrastructure allows.

For the period before Caribbean cloud infrastructure is available, this means: selecting cloud regions as geographically proximate as possible, using contractual data residency commitments from vendors where available (AWS, Azure, and GCP all offer contractual residency commitments for their commercial customers), and maintaining an offline backup of the most sensitive data categories in a locally controlled system.

Pillar 5: Data Rights Register and Subject Access Process

Organisations in jurisdictions with data protection legislation (Jamaica, Trinidad and Tobago, Barbados) have explicit obligations to handle data subject access requests, correction requests, and deletion requests. Organisations elsewhere in the Caribbean that serve EU customers have the same obligations under GDPR. A data rights register documents every active request, the actions taken, and the outcome within the required timeframe.

Beyond compliance, establishing a data rights process builds organisational discipline around data governance. Staff who regularly handle access requests develop a more precise understanding of what data the organisation holds and how it is used, which reinforces the data asset inventory and classification work in Pillar 1.
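As an added example (not code from the article, CAIRMC, or StarApple AI), the following Python encodes Pillars 1, 2 and 4 as one inventory check: it classifies each asset into a tier, evaluates every recorded flow against a residency and contract policy, and emits the AWS service control policy that would enforce the region restriction in an AWS estate. The asset names, vendor names, jurisdiction codes, regions such as "onprem-kingston", and the policy thresholds are constructed assumptions; the SCP document format and the aws:RequestedRegion condition key are real.

```python
"""Residency and contract check over a data-flow inventory (Pillars 1, 2, 4).
Added example, not from the original article. Assets, flows, vendors and
policy values are constructed; the SCP format and condition key are real."""
from __future__ import annotations
from dataclasses import dataclass
from typing import Optional

# Categories the article assigns to the restricted tier (Pillar 1).
RESTRICTED_CATEGORIES = {"national_id", "health_record", "financial_account",
                         "regulatory_retention", "national_security"}
TIER_ORDER = ["public", "internal", "confidential", "restricted"]


@dataclass
class Asset:
    name: str
    categories: set[str]
    declared_tier: str = "internal"


@dataclass
class Contract:
    vendor: str
    governing_law: str                  # constructed codes: JM, TT, BB, US-NY, EN
    training_use_prohibited: bool       # Pillar 2 data use limitation clause
    deletion_on_termination: bool
    audit_rights: bool
    breach_notice_hours: Optional[int]  # None = no contractual deadline at all
    residency_commitment: bool          # Pillar 4: vendor keeps data in chosen region


@dataclass
class Flow:
    asset: str
    destination: str                    # system or vendor receiving the data
    region: str                         # where the destination processes it
    contract: Contract


@dataclass
class Policy:
    allowed_regions: dict[str, set[str]]  # tier -> permitted regions ("*" = any)
    allowed_law: set[str]                 # governing law acceptable for restricted data
    max_breach_notice_hours: int = 72


def classify(asset: Asset) -> str:
    """Pillar 1: the effective tier is the higher of the declared tier and the
    tier forced by the categories held, so a mislabelled asset cannot slip down."""
    forced = "restricted" if asset.categories & RESTRICTED_CATEGORIES else "public"
    return max(asset.declared_tier, forced, key=TIER_ORDER.index)


def check_flow(asset: Asset, flow: Flow, policy: Policy) -> list[str]:
    """Pillars 2 and 4: one finding per control the flow fails."""
    tier, c, findings = classify(asset), flow.contract, []
    allowed = policy.allowed_regions.get(tier, set())
    if "*" not in allowed and flow.region not in allowed:
        findings.append(f"{tier} data processed in {flow.region} by {c.vendor}")
    if tier == "restricted":
        if not c.residency_commitment:
            findings.append(f"no contractual residency commitment from {c.vendor}")
        if c.governing_law not in policy.allowed_law:
            findings.append(f"contract with {c.vendor} governed by {c.governing_law} law")
    if tier in ("confidential", "restricted"):  # Pillar 2 minimum provisions
        if not c.training_use_prohibited:
            findings.append(f"{c.vendor} may use this data to train models")
        if not c.deletion_on_termination:
            findings.append(f"no deletion/return right on termination with {c.vendor}")
        if not c.audit_rights:
            findings.append(f"no audit rights over {c.vendor}")
        if c.breach_notice_hours is None or c.breach_notice_hours > policy.max_breach_notice_hours:
            findings.append(f"breach notice from {c.vendor} undefined or slower than "
                            f"{policy.max_breach_notice_hours}h")
    return [f"{asset.name} -> {flow.destination}: {m}" for m in findings]


def run_inventory(assets, flows, policy) -> dict[str, list[str]]:
    """Map every flow to its findings; an empty list means the flow passes."""
    by_name = {a.name: a for a in assets}
    return {f"{f.asset}->{f.destination}": check_flow(by_name[f.asset], f, policy)
            for f in flows}


def region_guardrail_scp(aws_regions: set[str]) -> dict:
    """Pillar 4 enforcement for an AWS estate: an Organizations service control
    policy that denies API calls outside the permitted regions. Global services
    are exempted with NotAction because their endpoints resolve to us-east-1."""
    return {"Version": "2012-10-17", "Statement": [{
        "Sid": "DenyOutsidePermittedRegions", "Effect": "Deny",
        "NotAction": ["iam:*", "organizations:*", "sts:*", "support:*",
                      "route53:*", "cloudfront:*"],
        "Resource": "*",
        "Condition": {"StringNotEquals": {"aws:RequestedRegion": sorted(aws_regions)}}}]}


# Constructed inventory: one hospital-style restricted asset, one low-tier asset.
POLICY = Policy(
    allowed_regions={"restricted": {"onprem-kingston", "us-east-1"},  # near-shore interim
                     "confidential": {"onprem-kingston", "us-east-1", "us-east-2"},
                     "internal": {"*"}, "public": {"*"}},
    allowed_law={"JM", "TT", "BB"})
ASSETS = [Asset("patient_records", {"health_record", "national_id"}),
          Asset("web_analytics", set(), declared_tier="internal")]
FLOWS = [
    Flow("patient_records", "triage-ai-api", "eu-west-1",
         Contract("MedAI Ltd", "EN", training_use_prohibited=False,
                  deletion_on_termination=True, audit_rights=False,
                  breach_notice_hours=None, residency_commitment=False)),
    Flow("patient_records", "ehr-backup", "onprem-kingston",
         Contract("in-house", "JM", True, True, True, 24, True)),
    Flow("web_analytics", "analytics-saas", "us-east-1",
         Contract("StatsCo", "US-NY", True, True, False, 72, False)),
]
```

Calling run_inventory(ASSETS, FLOWS, POLICY) returns six findings for the constructed triage-API flow (wrong region, no residency commitment, English governing law, training use permitted, no audit rights, no breach-notice deadline) and none for the other two. Each finding names one Pillar 2 provision or the Pillar 4 residency rule, which is what makes the output usable as the escalation record the article recommends taking to the board risk committee, and region_guardrail_scp({"us-east-1"}) turns the same policy into a control the cloud platform enforces rather than a document nobody re-reads.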

The EU AI Act's Caribbean Reach

The EU AI Act's obligations for the high-risk systems listed in its Annex III apply from 2 August 2026. Its geographic scope is comparable to GDPR's: it applies to providers placing AI systems on the EU market, and to providers and deployers located anywhere whose system's output is used in the EU, regardless of where they are established. A Caribbean insurer that uses an AI underwriting model to assess risks for EU-domiciled customers is a deployer within the Act's scope. A Caribbean technology company that builds an AI system and markets it into the EU is a provider within scope.

For Caribbean organisations, the most practically significant provisions are the requirements for high-risk AI systems in sectors including healthcare, financial services, education, employment, and law enforcement. These requirements include: a conformity assessment before the system is placed on the market or put into service, technical documentation covering training data, model architecture, and performance metrics, post-market monitoring with regular performance reviews, and registration in the EU database for high-risk AI systems for systems in specified high-risk categories.

Caribbean financial services firms that use AI credit scoring, fraud detection, or AML systems supplied by EU-regulated AI providers are deployers of high-risk AI systems, and fall within the Act's deployer obligations wherever those systems' outputs are used for persons in the EU. Their obligation is to verify that the provider has conducted the required conformity assessment, to implement appropriate governance around the system's use, to maintain logs for audit purposes, and to provide human oversight for decisions that significantly affect customers.

CAIRMC's detailed analysis of EU AI Act enforcement implications for Caribbean organisations sets out the specific obligations by sector. The central message is that the EU AI Act is not a European problem for Caribbean organisations to ignore. It is an active compliance obligation for any Caribbean organisation with EU market exposure, and it is being enforced from August 2026.

StarApple AI and Caribbean Data Governance Support

StarApple AI, the Caribbean's first AI company founded by Adrian Dunkley, has been working with Caribbean organisations on AI governance and data frameworks since its founding. The firm's data governance practice helps Caribbean banks, insurers, healthcare organisations, and government agencies conduct data asset inventories, review AI vendor contracts, build data lineage documentation, and prepare for compliance with both Caribbean legislation and extraterritorial requirements including GDPR and the EU AI Act.

The practical reality is that most Caribbean organisations lack the internal legal and technical capacity to address data sovereignty comprehensively on their own. The intersection of cloud law, AI regulation, data protection, and procurement contracting requires specialist expertise that most Caribbean risk teams are still building. The role of CAIRMC and partners like StarApple AI is to make that expertise available to Caribbean institutions at a scale and cost that is appropriate for the region.

Regional peer networks also play a role. The Caribbean AI Association is developing shared standards for AI data governance that any Caribbean organisation can adopt as a baseline. Country-level AI hubs including AI T&T, AI Jamaica, and AI St. Lucia are building national capacity and connecting organisations with expertise and peer support.

The 2027 Deadline Is Real

The title of this article refers to a 2027 deadline. This is not rhetorical. Several converging pressures will make data governance failures significantly more costly after 2027 than they are today.

The EU AI Act's enforcement regime will be fully operational, with fines of up to €15 million or 3 percent of global annual turnover, whichever is higher, for breaches of most provider and deployer obligations, and up to €35 million or 7 percent for prohibited practices. Any Caribbean organisation with EU exposure that has not completed its high-risk AI system compliance work will be at risk of enforcement action from 2027 onwards.

The CARICOM data governance framework, if it follows the projected timeline, should produce a ratified regional agreement or model legislation by late 2027 or 2028. Organisations that have built their data governance foundations will face a manageable compliance transition. Those starting from scratch will face simultaneous pressure from the regional framework, the EU AI Act, and their own national regulators.

Caribbean financial regulators in Jamaica, Trinidad and Tobago, and Barbados have signalled that AI governance, including data governance, will be an active examination focus from 2026 onwards. Examination findings in this area will affect supervisory ratings and, for institutions with international correspondents, could affect correspondent banking relationships that are already under pressure across the region.

The data sovereignty question, framed as a political or philosophical matter, can feel distant from the daily operations of a Caribbean risk manager or compliance officer. Framed accurately, it is a set of specific, tractable operational risks. Which law governs our data? Which AI systems process it, and on what terms? What happens to our data if our vendor is acquired, changes its terms, or is compelled by a foreign court? Can we meet our regulatory obligations in a world where our most sensitive data is outside our jurisdiction?

These are answerable questions. The five-pillar framework set out in this article gives Caribbean organisations a structured path to answering them. The time to start is now, not when regional legislation arrives, and not when a regulatory examination or a vendor dispute forces the issue.

Frequently Asked Questions

Which Caribbean countries have data protection legislation?

Jamaica (Data Protection Act 2020, in force 2023), Trinidad and Tobago (Data Protection Act 2011), and Barbados (Data Protection Act 2019) have the most developed frameworks in the anglophone Caribbean. The majority of CARICOM member states, including Guyana, St. Lucia, Dominica, Grenada, and the Bahamas, have no comprehensive data protection legislation as of mid-2026.

Does GDPR apply to Caribbean organisations?

Yes, if the organisation offers goods or services to people in the EU or monitors their behaviour. Under Article 3(2), GDPR applies based on the location of the data subjects, not the location of the organisation, and it protects anyone in the EU, not only EU citizens. Caribbean businesses serving EU tourists, EU-based diaspora customers, or EU corporate clients must comply, including with GDPR's cross-border transfer requirements. No Caribbean nation currently holds a GDPR adequacy decision.

What is Caribbean data sovereignty?

Caribbean data sovereignty is the principle that Caribbean nations and institutions should have meaningful control over data generated by their citizens and organisations: where it is stored, which law governs it, and how AI systems use it. Currently, most Caribbean data is stored in US or EU cloud infrastructure under foreign law, with limited ability for Caribbean governments or citizens to assert control over it.

Does the EU AI Act apply to Caribbean organisations?

Yes, for organisations with EU market exposure. The EU AI Act applies to providers placing AI systems on the EU market and to providers and deployers, wherever they are established, whose systems' output is used in the EU. Caribbean financial institutions, healthcare providers, and technology companies serving the EU market must comply with the Act's high-risk AI system requirements from August 2026.

What is the CARICOM data governance framework?

CARICOM has been developing a regional data governance framework under its Single ICT Space initiative, with work accelerating since 2024. The framework targets minimum standards for national data protection legislation, regional data classification standards, and sensitive sector data localisation rules. No binding instrument has been ratified as of mid-2026. A framework agreement is projected for late 2027 or 2028.

What is the Caribbean Cloud Initiative?

The Caribbean Cloud Initiative is a regional infrastructure program supported by the Caribbean Development Bank, aiming to establish Caribbean-hosted cloud nodes that keep sensitive public sector data within regional jurisdiction. Initial deployments are planned in Jamaica and Trinidad and Tobago, with federated access for other CARICOM members. Full capability is projected for 2028.

How does AI training on Caribbean data without consent affect Caribbean populations?

AI models trained on Caribbean data without consent generate no return or attribution for Caribbean data subjects. Medical AI trained without adequate Caribbean representation has shown higher diagnostic error rates when deployed in Caribbean clinical settings. Financial AI trained primarily on US or European data may systematically misprice Caribbean credit risk or produce biased underwriting decisions for Caribbean customers.

What five steps should Caribbean organisations take to improve data governance now?

CAIRMC recommends five pillars: (1) Complete a data asset inventory and classify every database and AI system by sensitivity tier. (2) Review AI vendor and cloud contracts for data use limitation, audit rights, and governing law. (3) Build AI model data lineage documentation for every system in use. (4) Implement data localisation for the highest-risk data categories using contractual residency commitments where regional infrastructure is unavailable. (5) Establish a data rights register and subject access request process aligned to your applicable legal obligations.

What is the role of CAIRMC and StarApple AI in Caribbean data governance?

CAIRMC provides AI risk governance frameworks, guidance, and research for organisations across CARICOM. StarApple AI, the Caribbean's first AI company founded by Adrian Dunkley, supports Caribbean organisations with data governance frameworks, AI vendor contract review, and compliance preparation for both Caribbean legislation and extraterritorial requirements. Together they form the governance and capability layer for AI development across the region.