The Data Protection Act provides a comprehensive regime of data protection.

According to Art. 45 of The Data Protection Act, a data controller shall submit to the Commissioner a data protection impact assessment (DPIA) in respect of all personal data in the custody or control of the data controller. The data protection impact assessment form shall require at least the following information:
- Detailed description of the envisaged processing of the personal data and the purposes of the processing, specifying, where applicable, the legitimate interest pursued by the data controller;
- Assessment of the necessity and proportionality of the processing operations in relation to the purposes;
- Assessment of the risks to the rights and freedoms, of data subjects;
- Measures envisaged addressing the risks, including safeguards, security measures, and mechanisms to protect personal data and demonstrate compliance with the Act.
In addition, certain categories of data controllers are required to appoint a data protection officer (DPO' under the Act. These categories include: data controllers who are public authorities; data controllers who process or intend to process sensitive personal data or data relating to criminal convictions; data controllers who process personal data on a large scale; and data controllers that are designated by the Commissioner as requiring a DPO.

Concerns about corruption are particularly prominent in the government procurement processes in Jamaica. Additionally, some stakeholders have reported that there is a need to reevaluate procurement procedures, as numerous government agencies and ministries are facing significant delays in their procurement activities.

Jamaica is not a party to the World Trade organization (WTO) Agreement on Government Procurement (GPA), nor does it have observer status.

According to The Companies Act, all private entities, domestic and foreign, have the right to establish and own business enterprises. Jamaica imposes no limits on foreign ownership or control, and local laws do not distinguish between local and foreign investors.

Jamaica is a party to the Patent Cooperation Treaty (PCT).

Jamaica is not a signatory of the 1996 World Trade organization (WTO) Information Technology Agreement (ITA) nor the 2015 expansion (ITA II).

According to Section 43 of the Public Procurement Regulations 2018, procuring entities must apply a domestic margin of preference in open bidding conducted through international competitive bidding. This preference is extended to eligible Jamaican bidders as outlined under Section 44 of the Regulations, as well as any administrative guidelines issued by the Office. The domestic margin of preference aims to provide Jamaican bidders with a competitive advantage in public procurement processes involving international bids.
According to Sections 2 and 3 of the Public Procurement (Domestic Margin of Preference) Order, 2019, national bidders incorporating at least 35% domestic content in the supply of goods, execution of works, or provision of services are eligible for a domestic margin of preference up to 20%.

According to Section 84A of the Information Technology Act, the Government may, for secure use of the electronic medium and for the promotion of e-governance and e-commerce, prescribe the modes or methods for encryption. However, no rules have been introduced under this section.

Since the implementation of the Consolidated FDI Policy Circular of 2016, last amended by the Consolidated FD) Policy Circular of 2020, India permits fully owned FDI in business-to-business (“marketplace-based”) electronic commerce, i.e. "providing an information technology platform by an e-commerce entity on a digital & electronic network to act as a facilitator between buyer and seller." However, India prohibits foreign investment in business-to-consumer (or “inventory-based”) electronic commerce, also defined as "e-commerce activity where the inventory of goods and services is owned by an e-commerce entity and is sold to the consumers directly".
When a marketplace e-commerce entity exercises ownership or control over the inventory, the business is categorised into the inventory-based model. Additionally, India implemented regulations that expressly prohibit subsidiaries of foreign-owned marketplace-based electronic commerce sites from selling products on their parent companies’ sites. The rules also prohibit exclusivity arrangements by which electronic commerce retailers can offer a product on an exclusive basis.
The only exceptions for FDI in inventory-based electronic commerce are for food-product retailing and single-brand retailers that meet certain conditions, including the operation of physical stores in India. According to Section 5.2.15.3 of the Consolidated FDI Policy Circular of 2020, retail trading through e-commerce can also be undertaken before opening physical stores, subject to the entity opening physical stores within two years from the start of online retail. Overall, it is reported that these narrow exceptions limit the ability of many electronic commerce service suppliers to serve the Indian market.

According to Section 2 of the Companies Act of 2013, foreign companies relating to B2B, B2C e-commerce, data interchange and other digital supply transactions, web-based marketing, database services, online services such as telemarketing, telecommuting, telemedicine, education and information research and all related data communication services, even when not incorporated in India, should register in India when they are engaged in business in the country.

According to Art. 2 of the Processing and Settlement of Export-related receipts facilitated by Online Payment Gateways from 2011, the Reserve Bank of India restricts export-related payments for goods and services through online payment gateways. It is reported that PayPal had to limit payments for export-related payments above 500 USD. From July 2013, this limit has been increased to USD 10,000.
In addition, according to Section 2 of the Storage of Payment System Data Directive, all payment data held by payment companies should be held in local facilities. Furthermore, according to section 5 of the directive, data must be stored only in India after processing and should be deleted from systems abroad and brought back to India no later than 24 hours after processing. Any subsequent activity, such as settlement processing after payment processing done outside India, must be undertaken on a real-time basis, pursuant to which the data must be stored only in India. However, The RBI has clarified that banks, especially foreign banks, can continue to store banking data abroad but in respect to domestic payment transactions, the data must be stored only in India.

Following a negative response from international payment companies such as MasterCard, Visa, and American Express, the RBI has proposed (in "Frequently Asked Questions" of its website) to ease this restriction so as to allow payment firms to store data offshore as long as a copy was kept in India. The RBI has further clarified that for cross-border transaction data consisting of a foreign component and a domestic component, a copy of the domestic component may be stored abroad if required.

In accordance with NPCI Notification: NPCI/UPI/SOP-01/2020-21, the National Payments Corporation of India (NPCI), a state-owned entity, introduced a 30% market share cap for foreign electronic payment service providers processing online payments via India’s Unified Payment Interface (UPI), which is owned and operated by NPCI. Foreign digital payment companies were required to comply with this 30% market share limit by January 2023.

India does not implement a de minimis threshold, which refers to the minimum value of goods below which customs do not charge duties. Although the Courier Imports and Exports (Electronic Declaration and Processing) Regulations, 2010 refer to "low-value dutiable consignments" as those with an invoice value below INR 100,000 (approx. USD 1,000) for imports (excluding documents, gifts, and samples), the specific de minimis threshold applied in the country remains unclear.