I have been saying this for years, and I will keep saying it until it becomes policy: the Caribbean cannot afford to be a passive consumer of artificial intelligence built by and for other people. Every day that Jamaica and its Caribbean neighbours operate without clear AI and data governance policies, we lose ground. Not metaphorically. We lose actual economic value, actual strategic autonomy, and actual capacity to shape the future our children will inherit.
As a member of Jamaica's National AI Task Force, I see the policy conversations happening from the inside. There is genuine willingness to act. But I also see how slowly government processes move, and how quickly AI technology advances. That gap between policy speed and technology speed is where our sovereignty erodes. Let me explain what is at stake and what we must do about it.
What Data Sovereignty Actually Means
Data sovereignty is a simple concept that has profound implications. It means that data generated within a nation's borders should be subject to that nation's laws. When a Jamaican citizen uses a mobile phone, makes a purchase, visits a doctor, or applies for a loan, data is created. Data sovereignty asks: who controls that data? Who decides how it is used? Who profits from it?
Right now, the honest answer for Jamaica is: mostly foreign companies. When a Jamaican person uses Facebook, their behavioral data is stored on servers in the United States and processed under US law. When a Jamaican business uses Google Cloud, their operational data sits in data centres controlled by an American corporation. When a Jamaican hospital uses a foreign electronic medical records system, patient data leaves Jamaican jurisdiction.
This is not a conspiracy. It is simply the default state of affairs when a small country without its own technology infrastructure uses products built by foreign technology companies. But the arrival of AI makes this situation dramatically more consequential, because AI is not just storing data. AI is learning from data, making decisions based on data, and creating economic value from data at a scale and speed that was previously impossible.
Why AI Makes Data Sovereignty Urgent
Before AI, data sovereignty was primarily a privacy concern. Important, but somewhat abstract for most people. AI changes the equation in three critical ways.
First, AI turns data into decisions. When a foreign AI system processes Jamaican health data, it does not just store it. It makes diagnostic recommendations, treatment suggestions, and risk assessments that directly affect Jamaican lives. If that AI was trained primarily on American or European populations, its decisions may be systematically wrong for Jamaican patients. We have seen this with dermatology AI that fails to identify skin conditions on dark skin, and with diagnostic AI that misses diseases more prevalent in Caribbean populations.
Second, AI turns data into economic value on a massive scale. The data that Jamaican consumers generate through their daily digital activities, their preferences, behaviours, purchase patterns, search queries, and social interactions, is being used to train AI models worth billions of dollars. Jamaica sees none of that value. We are the product, not the customer.
Third, AI creates dependency. Once a country's critical infrastructure depends on foreign AI systems, replacing or even auditing those systems becomes extremely difficult. Imagine Jamaica's banking system running on AI risk models controlled by a foreign company. If that company changes its terms, raises its prices, or is sanctioned by a foreign government, Jamaica has no fallback. We have built our house on someone else's land.
The Current State of Jamaica's Data Protection
Jamaica is not starting from zero. The Data Protection Act of 2020 established a legal framework for how personal data should be collected, processed, and stored. The Office of the Information Commissioner was created to oversee compliance. These were important steps, and Jamaica deserves credit for being among the Caribbean nations to act.
However, the Data Protection Act was written before the current AI explosion. It addresses traditional data processing concerns, consent for data collection, accuracy of records, security of storage, but it does not address the specific challenges that AI introduces. There is no provision for algorithmic transparency, no requirement that AI systems be explainable, no framework for AI-driven automated decision-making, and no specific rules about using Jamaican data to train AI models.
This is not a criticism of the drafters. The law was appropriate for its time. But AI has moved so fast that what was adequate in 2020 is insufficient in 2026. The law needs updating, and that updating needs to happen with AI specifically in mind.
How the European Union's GDPR Compares
The European Union's General Data Protection Regulation, GDPR, is the global gold standard for data protection, and it offers useful lessons for Jamaica. GDPR includes several provisions that are directly relevant to AI governance.
The right to explanation means that EU citizens can demand an explanation of automated decisions that significantly affect them. If an AI system denies your loan application or insurance claim, you have the right to know why. Jamaica has no equivalent provision.
Data portability means EU citizens can take their data from one service to another. This prevents lock-in and gives individuals control over their digital lives. Jamaica's current framework does not include this right.
Data protection by design means that privacy protections must be built into systems from the start, not added later. This is especially important for AI systems, which are much harder to retrofit with privacy controls after deployment.
GDPR also imposes penalties of up to 4% of global revenue for violations. This gives the regulation teeth. Jamaica's Data Protection Act has penalties, but they are significantly smaller and less likely to deter large multinational technology companies.
I am not suggesting that Jamaica simply copy GDPR. Our economic context is different. Our capacity for enforcement is different. But we should learn from GDPR's approach and develop something that is both appropriate for our size and robust enough to actually protect our citizens.
Caribbean-Specific Concerns That Global Frameworks Miss
There are data sovereignty concerns specific to the Caribbean that do not feature prominently in global policy discussions. We need to name them.
Tourism data is one. Jamaica's tourism industry generates enormous amounts of data about visitor preferences, spending patterns, travel behaviours, and service quality. This data is largely captured by foreign platforms, Booking.com, TripAdvisor, Airbnb, Expedia, and foreign airlines. AI systems trained on this data could give Jamaica valuable insights for economic planning, marketing, and service improvement. Instead, that intelligence flows to foreign shareholders.
Diaspora data is another. Jamaica has a diaspora of roughly three million people, more than the population living on the island. The data generated by the Jamaican diaspora, their remittance patterns, communication behaviours, cultural consumption, and travel decisions, is economically significant and culturally sensitive. It is almost entirely in foreign hands.
Climate and environmental data matters enormously. The Caribbean is one of the most climate-vulnerable regions on earth. AI systems that can predict hurricanes, model sea level rise, optimize disaster response, and guide climate adaptation depend on data. If that data is controlled by foreign entities, our ability to respond to our own climate emergency is mediated by foreign interests.
Agricultural data is critical. Jamaica's farming sector produces data about soil conditions, crop yields, weather patterns, and pest incidence that could fuel AI systems optimized for tropical agriculture. Currently, much of this data either is not collected systematically or is collected by foreign agricultural technology companies.
The Risk of Foreign AI Dependency
Let me paint a scenario that keeps me up at night. It is 2030. Jamaica's banking system relies on AI credit scoring models built by a US company. The healthcare system uses AI diagnostic tools from a European firm. The customs and immigration system runs on AI from another foreign provider. The education system uses AI tutoring platforms from yet another foreign company.
Everything works. Until it does not. A geopolitical shift, a sanctions regime, a corporate bankruptcy, a terms-of-service change, or simply a price increase that Jamaica cannot afford. Suddenly, critical systems that millions of Jamaicans depend on are disrupted, and Jamaica has no alternative because it never built its own capacity.
This is not a paranoid fantasy. It is the logical endpoint of the path we are currently on. And it is entirely preventable, but only if we act now.
The solution is not to reject foreign AI. That would be foolish and counterproductive. The solution is to maintain strategic sovereignty over critical sectors while engaging pragmatically with global AI systems for everything else. We use foreign cars, but we control our own roads. We should use foreign AI where appropriate, but we must control our own data infrastructure and critical AI applications.
What a Caribbean AI Data Policy Should Look Like
Based on my work with Jamaica's National AI Task Force and my observations of AI policy development globally, here is what I believe a Caribbean AI data policy framework should include.
Data localization requirements for critical sectors. Health data, financial data, government data, and education data generated in Jamaica should be stored within the Caribbean, with clear legal frameworks governing access. This does not mean banning cloud computing. It means ensuring that critical data has a Caribbean home.
Algorithmic transparency requirements. Any AI system making decisions that significantly affect Jamaican citizens, credit scoring, healthcare diagnostics, hiring algorithms, criminal justice risk assessments, should be required to provide explanations in plain language. Citizens should have the right to challenge automated decisions.
AI impact assessments. Before deploying AI systems in critical sectors, organizations should be required to assess the system's potential impact on Jamaican citizens, including bias analysis specific to Caribbean populations. An AI system that was never tested on Caribbean data should not be making decisions about Caribbean people.
Regional data sharing frameworks. CARICOM should develop agreements that allow Caribbean nations to share data for AI development while maintaining sovereignty. Individually, Caribbean nations are too small to develop robust AI systems for many applications. Collectively, we have enough data and enough diversity to build AI that actually works for our populations.
Economic value capture. When foreign AI companies use Caribbean data, there should be mechanisms to ensure that some of the economic value flows back to the region. This could take the form of data taxes, local hiring requirements, technology transfer obligations, or revenue-sharing agreements.
The CARICOM Dimension
No individual Caribbean nation can effectively address AI data sovereignty alone. Jamaica has 2.8 million people. Barbados has 280,000. Dominica has 72,000. Individually, these countries have no leverage against companies with market capitalizations larger than their entire national GDPs.
But CARICOM as a bloc has 18 million people, a combined GDP of over USD $80 billion, and significant geopolitical weight as a voting bloc in international organizations. A unified CARICOM position on AI data governance would command attention from global technology companies in a way that Jamaica alone cannot.
I have been advocating for a CARICOM AI policy framework that builds on existing regional cooperation mechanisms. The Caribbean Single Market and Economy (CSME) already provides a framework for regional economic integration. Extending this to include data governance and AI policy is a natural and necessary step.
What Jamaica Must Do Now
I want to be specific about the actions that Jamaica should take immediately, not in five years, not in ten years, but in the next 12 to 24 months.
First, update the Data Protection Act to address AI specifically. Add provisions for algorithmic transparency, automated decision-making rights, and AI training data governance. The Information Commissioner's office needs additional resources and AI expertise to enforce these updated provisions.
Second, invest in local data infrastructure. Jamaica needs at least one Caribbean-based data centre with the capacity to support AI workloads. This is not as expensive as it sounds. Modern cloud infrastructure can be deployed incrementally, and several Caribbean nations have expressed interest in shared regional data infrastructure.
Third, build local AI talent. Data sovereignty means nothing if we do not have people who can build and maintain sovereign AI systems. Every dollar invested in AI education and training today is a dollar invested in future sovereignty. This is why I have run free weekly AI training for seven years and founded four AI labs in Jamaica. Talent is the foundation of everything else.
Fourth, negotiate from strength, not weakness. When foreign AI companies want access to Jamaican markets, we should negotiate from a position of clear policy frameworks and genuine alternatives. This requires having our own AI capabilities, even if modest, so that "take it or leave it" is not the only option on the table.
The window for action is not infinite. Every month that passes without a clear AI policy framework, more Jamaican data flows out of the country, more dependency is created, and the cost of catching up increases. The physics of this situation are not complicated. Momentum matters. And right now, the momentum is carrying us toward dependency, not sovereignty.
AI Prompt Templates You Can Use Today
I am a policymaker in [CARIBBEAN COUNTRY] working on AI data governance. Help me draft a policy brief that covers: data sovereignty principles applicable to small island developing states, comparison with GDPR and other international frameworks, specific provisions needed for AI training data governance, and practical implementation steps considering our country's limited regulatory capacity. Keep it under 2,000 words.
I run a business in Jamaica that uses cloud-based AI services from [PROVIDER NAME]. Help me audit my data sovereignty exposure: what data am I sharing with this provider, where is it stored, what rights do I have under Jamaica's Data Protection Act, what risks exist if the provider changes terms or is acquired, and what alternative arrangements could reduce my dependency?
Explain the concept of data sovereignty to a non-technical audience in the Caribbean context. Use specific examples relevant to Jamaica including tourism data, health records, financial information, and agricultural data. Explain why it matters for the average Jamaican citizen and what they can do about it. Write in clear, accessible language.
I am researching how Caribbean countries can develop a regional AI data governance framework through CARICOM. Outline the key components such a framework should include, potential challenges to regional cooperation on data issues, lessons from the EU's approach to data governance, and a realistic timeline for implementation. Consider the varying levels of digital infrastructure across CARICOM member states.
Frequently Asked Questions
What is data sovereignty and why does Jamaica need it?
Data sovereignty is the principle that data collected within a country's borders is subject to that country's laws and governance. Jamaica needs it because Jamaican citizens' data, from health records to financial transactions to social media activity, is currently stored and processed by foreign companies on foreign servers. This means Jamaica has limited legal control over how that data is used, shared, or monetized. With AI systems now making decisions based on this data, sovereignty is not just a privacy issue. It is an economic and strategic imperative.
Who owns Jamaican data used by AI companies?
Most Jamaican data used by AI companies is owned or controlled by foreign technology corporations like Meta, Google, Amazon, and Microsoft. When Jamaicans use social media, search engines, cloud services, or mobile applications, their data is typically stored on servers outside Jamaica and governed by the laws of other countries, primarily the United States. The economic value generated from this data flows to foreign shareholders, not to Jamaica or its citizens.
Does Jamaica have a data protection law?
Yes. Jamaica enacted the Data Protection Act in 2020, which establishes rules for how personal data is collected, processed, and stored. The Office of the Information Commissioner oversees compliance. However, the law was written before the current AI explosion and does not specifically address AI-related data issues like training data usage, algorithmic bias, automated decision-making transparency, or AI model governance. It needs updating to address the AI-specific challenges of 2026.
How does Jamaica's data protection compare to GDPR?
Jamaica's Data Protection Act shares foundational principles with the EU's GDPR, including consent requirements and individual data rights. However, GDPR is more comprehensive in several critical areas: the right to explanation for automated decisions, data portability, mandatory data protection officers for certain organizations, data protection by design requirements, and significantly larger penalties (up to 4% of global revenue). Jamaica's law needs strengthening, particularly around AI-specific provisions.
What happens to Caribbean data when it leaves the region?
When Caribbean data leaves the region, it becomes subject to foreign legal jurisdictions and surveillance regimes. It can be accessed by foreign intelligence agencies under their domestic laws, used to train AI models without Caribbean consent or compensation, monetized by foreign companies with no value returning to the Caribbean, and processed in ways that may violate Caribbean cultural norms or emerging legal standards. The Caribbean loses both control over and economic benefit from its own data.
Should CARICOM have a unified AI data policy?
Yes. A unified CARICOM AI data policy would give the region significantly greater negotiating power with global technology companies, establish consistent standards that reduce compliance complexity across Caribbean nations, enable regional data sharing for AI development, and create a larger unified market that is more attractive to responsible AI investment. Individual Caribbean nations, most with populations under one million, are too small to effectively regulate multinational technology corporations alone.
Can Jamaica build its own AI without foreign data dependency?
Jamaica can build AI systems for specific Caribbean applications using locally collected and governed data. This includes AI for Jamaican agriculture, healthcare diagnostics calibrated for Caribbean populations, education systems adapted for local curricula, and government services. While Jamaica will still use foreign AI infrastructure for general-purpose AI capabilities, building sovereign AI applications for critical sectors is both technically feasible and strategically necessary.
What are the risks of depending on foreign AI systems in Jamaica?
The risks are substantial. AI systems not trained on Caribbean data may make systematically poor decisions for Jamaican citizens. Economic value from Jamaican data flows to foreign shareholders. Geopolitical shifts or corporate decisions could disrupt critical AI-dependent infrastructure. Jamaica cannot effectively audit or verify AI systems it does not control. And dependency deepens over time, making it progressively more expensive and difficult to develop alternatives.
Is Jamaica on the National AI Task Force working on data sovereignty?
Yes. Jamaica's National AI Task Force, established by the Government of Jamaica and including Adrian Dunkley among its members, is actively working on developing a comprehensive AI policy framework that addresses data governance, AI ethics, and sovereignty concerns. The task force examines international best practices while developing policies appropriate for Jamaica's specific economic and social context. Data sovereignty is a central concern in the task force's deliberations.
How can Jamaican businesses protect their data from foreign AI companies?
Jamaican businesses can take practical steps: carefully read and understand the terms of service of any AI tool before sharing business data, choose AI providers that offer data residency options in or near the Caribbean, implement internal data governance policies that classify data by sensitivity, minimize unnecessary data sharing with AI platforms, negotiate data handling terms in contracts with technology providers, use local or regional cloud infrastructure where available, and actively advocate for stronger national data protection legislation.