Domestic law and policy
Kiribati currently lacks a comprehensive legal and policy framework to support digital identity.[20]It has not yet established the necessary implementing rules under its Electronic Transactions Act (2021) which are essential for ensuring that electronic transactions and digital signatures can be used securely and reliably throughout government systems and online public services.[21]In addition, the existing legal basis for ID, the National Identity Registration Act (2018), needs to be revised to support the creation of a trustworthy digital ID system that can serve as the gateway for accessing a wide range of services.[22]Digital identity is not clearly defined under existing domestic laws or policies, and there is no explicit linkage established between digital identity and citizenship. Furthermore, the absence of a formal legal or policy framework means there are no mechanisms in place for filing or resolving complaints related to digital ID. However, the Digital Government Master Plan reveals a plan to develop an Information and Communication Technology policy and review and develop legislation in relation to the creation of a digital ID system.[23]Currently, there are no laws addressing cyber safety or harmful digital communications, which have been flagged as significant community concerns in the Digital Government Master Plan.[24]These gaps highlight the need for Kiribati to develop a robust framework to support the implementation and regulation of digital identity systems.
Data Protection
In January 2022, Kiribati passed a comprehensive Data Protection Policy, outlining several principles aimed at safeguarding personal data within its systems.[25]One aspect that the Policy emphasized was that personal data must be stored securely, accessed only by authorized personnel, and deleted when no longer needed.Kiribati also passed the Data Protection Act (2025), which primarily aligns with the core principles of GDPR,[27]mandates that personal data be processed lawfully, fairly, and confidentially, requiring data controllers to inform individuals about the collection and use of their data to promote transparency.[28]Furthermore, the Act requires data controllers to collect, process, and retain minimal data as long as it is aligned with the specific purpose of data processing.[29]The Act also grants individuals rights such as correction of inaccuracies, the right to lodge complaints, and cross-border data transfers.[30]An individual found to commit an offence under the Act can face penalties up to KID 20,000 (~USD 12,900) or imprisonment up to 10 years or both.[31]Unlike the GDPR, Kiribati’s Data Protection Act includes the right to erasure (the right to be forgotten) as a basic provision in the Act but does not clearly articulate the right to be erased in the case of withdrawal of consent or other legal grounds in which the right to be forgotten can be upheld.[32]
International Commitments
As Kiribati’s digital ID is not yet implemented, there are no current contradictions of the obligations under the treaties Kiribati is party to. Kiribati is not a party to international treaties specific to digital ID or data privacy and protection. As Kiribati continues to develop its digital ID system, it is important to do so in line with its international obligations under the human rights treaties it is party to, including the Statelessness Conventions, the CRC, and CEDAW.[33]
