-
No or minimal and rights-respecting restrictions to the use of encryptionMinimal restrictions
-
Some restrictions to the use of encryptionSome restrictions
-
Widespread/systemic restrictions to the use of encryptionWidespread restrictions
-
No information availableNo information available
- Assessment
- Active Policy Processes
-
National legislation establishes a general right for individuals to use encryption products and services.General right to encryption
-
National legislation sets down either minimum or maximum standards for encryption products and services.Mandatory minimum or maximum encryption strength
-
National legislation requires providers (or users) of encryption products or services to be licensed or registered in some manner.Licensing/registration requirements
-
National legislation sets out limitations or conditions on the lawful importation or exportation of encryption products or services.Import/export controls
-
National legislation or policy requires or requests private entities to assist state authorities to access the content of encrypted communications.Obligations on providers to assist authorities
-
National legislation or policy provides for state authorities to be able to require individuals to decrypt (or assist in the decryption) of encrypted communications.Obligations on individuals to assist authorities
-
All other restrictionsOther restrictions
-
No or minimal and rights-respecting restrictions to the use of encryptionMinimal restrictions
-
Some restrictions to the use of encryptionSome restrictions
-
Widespread/systemic restrictions to the use of encryptionWidespread restrictions
-
No information availableNo information available
- Assessment
- Active Policy Processes
-
National legislation establishes a general right for individuals to use encryption products and services.General right to encryption
-
National legislation sets down either minimum or maximum standards for encryption products and services.Mandatory minimum or maximum encryption strength
-
National legislation requires providers (or users) of encryption products or services to be licensed or registered in some manner.Licensing/registration requirements
-
National legislation sets out limitations or conditions on the lawful importation or exportation of encryption products or services.Import/export controls
-
National legislation or policy requires or requests private entities to assist state authorities to access the content of encrypted communications.Obligations on providers to assist authorities
-
National legislation or policy provides for state authorities to be able to require individuals to decrypt (or assist in the decryption) of encrypted communications.Obligations on individuals to assist authorities
-
All other restrictionsOther restrictions
Afghanistan
Law and policy
General right to encryption
No known legislation or policies.
Mandatory minimum or maximum encryption strength
No known legislation or policies.
Licensing/registration requirements
No known legislation or policies.
Import/export controls
No known legislation or policies.
Other restrictions
No known legislation or policies.
Obligations on individuals to assist authorities
No known legislation or policies.
Obligations on providers to assist authorities
No known legislation or policies.
Assessment Text Area
Active policy processes
No known legislation
Albania
Assessment
Law and policy
General right to encryption
No known legislation or policies.
Mandatory minimum or maximum encryption strength
No known legislation or policies.
Licensing/registration requirements
No known legislation or policies.
Import/export controls
No known legislation or policies.
Other restrictions
No known legislation or policies.
Obligations on individuals to assist authorities
Article 208a of the Criminal Procedure Code provides that, in proceedings relating to crimes involving information technology, the court may (upon the request of the prosecutor) order the seizure of computer data and systems which includes the right to access, search and take computer data. The prosecutor may order an expert competent in the field of computer system functioning to assist in obtaining the data.
A copy of the Criminal Procedure Code (in Albanian) can be found here.
Obligations on providers to assist authorities
Article 22 of the Law on the Interception of Electronic Communication provides that where the authorities are unable to carry out lawful interception, they may request the assistance of the electronic communications operators who must then take all necessary steps in relation to the interception.
A copy of the Law (in Albanian) can be found here.
Assessment Text Area
There is currently no legislation regarding the general right to encryption, nor regulations on the strength of encryption technology, its licensing, or sale in Albania. The law focuses on assisting authorities in intercepting data rather than on decryption of encrypted communications. Albanian law allows governments to access data without legal authorisation under specific circumstances such as where authorities are unable to carry out lawful interceptions. In this case, the authorities may request the assistance of electronic communications operators who must then take all necessary steps in relation to the interception to access the data requested by the authorities.
Algeria
Assessment
Law and policy
General right to encryption
No known legislation or policies.
Mandatory minimum or maximum encryption strength
No known legislation or policies.
Licensing/registration requirements
No known legislation or policies.
Import/export controls
While there are no import or export controls relating specifically to encryption products, there is a general requirement in Article 41 of Law No. 2000-03 of 05 August 2000 laying down general rules relating to post and telecommunications requires all terminal equipment and radioelectric installation which is intended to be connected to a public communications network, made for the domestic market, offered for sale or distributed for free, to be approved prior to import. This approval must be obtained from the Regulatory Authority of Post and Electronic Communications under the Ministry of Post, Telecommunications, Technologies and Digitalization.
The law (in French) can be found here.
Other restrictions
No known legislation or policies.
Obligations on individuals to assist authorities
Article 3 of Law No. 09-04 of 5 August 2009 laying down specific rules relating to the prevention and fight against crimes related to information and communication technologies, allows among other things, for the search and seizures of computer systems, where necessary to protect public order or if necessary as part of ongoing investigations or for judicial information. Article 4 sets out the specific circumstances when this can be done: to prevent terrorist offences and subversive acts and offences against the security of the state; where there is information about a probably attack on a computer system that poses a threat to public order, national defence, state institutions or the national economy; for the purposes of investigations and judicial information where it is difficult to obtain results without electronic surveillance; and in order to execute requests for international mutual legal assistance. Article 4 also states that judicial authorisation is required.
Under Article 5, an authority conducting the search and seizure of a computer system is empowered to require any person who knows how to operate the computer system or the measures which have been applied to protect the data on the computer, to assist them and provide them with any information necessary to complete their task. While “measures which have been applied to protect the data” is not defined, this could include encryption of data. Further, under Article 6, the authority is able to use “technical means” to format or reconstitute any data on a computer system to make them workable for the purposes of the investigation provides that this does not alter their contents. This could mean an authority being permitted to bring in external support to decrypt encrypted communications.
The law (in French) can be found here.
Obligations on providers to assist authorities
No known legislation or policies.
Assessment Text Area
There are no bans on the use of strong encryption in Algeria, although the law does contain provisions allowing the government to decrypt encrypted data, including through hacking, subject to judicial authorisation. The law also requires that all electronic equipment, which can be interpreted to include encryption products, to be granted approval by the government prior to import.
Andorra
Law and policy
General right to encryption
No known legislation or policies.
Mandatory minimum or maximum encryption strength
No known legislation or policies.
Licensing/registration requirements
No known legislation or policies.
Import/export controls
No known legislation or policies.
Other restrictions
No known legislation or policies.
Obligations on individuals to assist authorities
No known legislation or policies.
Obligations on providers to assist authorities
No known legislation or policies.
Assessment Text Area
Antigua and Barbuda
Assessment
Law and policy
General right to encryption
No known legislation or policies.
Mandatory minimum or maximum encryption strength
No known legislation or policies.
Licensing/registration requirements
No known legislation or policies.
Import/export controls
No known legislation or policies.
Other restrictions
Section 9(1) of the Electronic Crimes Act 2013 creates a criminal offence of “misuse of encryption”, namely where a person intentionally, without lawful excuse or justification, and for the purpose of commission of an offence or concealment of evidence of any criminal matter, encrypts any communication or data contained in an electronic message or an electronic system. The offence is punishable by a fine of up to XCD 250,000, imprisonment of up to five years or both.
A copy of the Electronic Crimes Act, 2013 can be found here and a copy of the Electronic Crimes (Amendment) Act, 2018 can be found here.
Obligations on individuals to assist authorities
Section 19 of the Electronic Crimes Act 2013 provides that where a police officer has reason to believe that stored data would be relevant for the purposes of an investigation or the prosecution of an offence, they shall apply to a magistrate or judge for a warrant to enter any premises to access, search and seize that data. In executing a warrant, the police officer has the power to “access any information, code or technology which has the capability of transforming or unscrambling encrypted data contained or available to an electronic system into readable and comprehensible format or text” and to “require a person in possession of the decryption information to grant the police officer access to such decryption information necessary to decrypt data”. Failure to comply with a request to assist a police officer is a criminal offence punishable by a fine of up to XCD 50,000, imprisonment of up to twelve months or both.
A copy of the Electronic Crimes Act, 2013 can be found here and a copy of the Electronic Crimes (Amendment) Act, 2018 can be found here.
Obligations on providers to assist authorities
Section 19 of the Electronic Crimes Act 2013 provides that where a police officer has reason to believe that stored data would be relevant for the purposes of an investigation or the prosecution of an offence, they shall apply to a magistrate or judge for a warrant to enter any premises to access, search and seize that data. In executing a warrant, the police officer has the power to “access any information, code or technology which has the capability of transforming or unscrambling encrypted data contained or available to an electronic system into readable and comprehensible format or text” and to “require a person in possession of the decryption information to grant the police officer access to such decryption information necessary to decrypt data”. Failure to comply with a request to assist a police officer is a criminal offence punishable by a fine of up to XCD 50,000, imprisonment of up to twelve months or both.
A copy of the Electronic Crimes Act, 2013 can be found here and a copy of the Electronic Crimes (Amendment) Act, 2018 can be found here.
Assessment Text Area
Although the country does not have specific guidelines on the use of encryption, the law criminalises “misuse of encryption”, where a person intentionally and for the purpose of commission of an offence or concealment of evidence of any criminal matter encrypts any data. Additionally, police officers who have reason to believe that stored data would be relevant for the purposes of an investigation or the prosecution of an offence can apply for a warrant to enter any premises to access, search and seize that data. The warrant allows the officer to access any “any information, code or technology” necessary to decrypt the seized data.
Argentina
Law and policy
General right to encryption
No known legislation or policies.
Mandatory minimum or maximum encryption strength
No known legislation or policies.
Licensing/registration requirements
No known legislation or policies.
Import/export controls
No known legislation or policies.
Other restrictions
No known legislation or policies.
Obligations on individuals to assist authorities
No known legislation or policies.
Obligations on providers to assist authorities
No known legislation or policies.
Assessment Text Area
Active policy processes
No known active policy processes.
Angola
Assessment
Law and policy
General right to encryption
While there is no explicit right to encryption, Article 15 of Framework Law No. 23/11 (Electronic Communications and Information Society Services Law) provides that citizens have the right to protection from abuse and violation of their rights through the Internet and other electronic means, including the right to confidentiality of communications.
Mandatory minimum or maximum encryption strength
No known legislation or policies.
Licensing/registration requirements
No known legislation or policies.
Import/export controls
No known legislation or policies.
Other restrictions
No known legislation or policies.
Obligations on individuals to assist authorities
No known legislation or policies.
Obligations on providers to assist authorities
No known legislation or policies.
Assessment Text Area
While there is no explicit right to encryption in Angola, the law provides that citizens have the right to protection from abuse and violation of their rights through the Internet and other electronic means, including the right to confidentiality of communications.
Armenia
Law and policy
General right to encryption
No known legislation or policies.
Mandatory minimum or maximum encryption strength
No known legislation or policies.
Licensing/registration requirements
No known legislation or policies.
Import/export controls
No known legislation or policies.
Other restrictions
No known legislation or policies.
Obligations on individuals to assist authorities
No known legislation or policies.
Obligations on providers to assist authorities
No known legislation or policies.
Assessment Text Area
Australia
Assessment
Law and policy
General right to encryption
No known legislation or policies.
Mandatory minimum or maximum encryption strength
No known legislation or policies.
Licensing/registration requirements
No known legislation or policies.
Import/export controls
Export controls are set out in the Defence and Trade Controls Act 2012, which specifies that an individual must obtain a permit before exporting or supplying items on the Defence and Strategic Goods List (DSGL). Part 2, Category 5 of the Defence and Strategic Goods List 2021 includes certain forms of encryption such as quantum cryptography algorithms and associated software and technology, in addition to other information security devices and goods.
However, the scope of encryption export controls are limited by a number of exemptions. These exclude all cryptographic goods being exported for the user’s personal use, all cryptographic software and technology in the public domain, all cryptographic software and technology that is considered basic scientific research, all cryptographic goods and software that is generally available to the public, and all cryptographic technology that is considered the minimum necessary information for a patent application. Therefore, most commonly used forms of encryption and cryptography tools, such as commercial or open-source hardware and software, are not subject to export controls.
A copy of the Defence and Strategic Goods List 2021 can be found here.
A copy of the Defence Trade Controls Act 2012 can be found here.
Other restrictions
No known legislation or policies.
Obligations on individuals to assist authorities
Under section 3LA of the Crimes Act 1914 (inserted by the Australian Cybercrime Act 2001 and amended by the Telecommunications and Other Legislation Amendment (Assistance and Access) Act 2018), a constable may apply to a magistrate for an order requiring a specified person to provide any information or assistance that is reasonable and necessary to allow the constable to do one or more things in relation to data held in, or accessible from, a computer or data storage device which has been seized, found on a person being searched or is on property being searched under a warrant. These are to be able to access the data, to copy the data; or to convert the data into documentary form or another form intelligible to the constable.
In order to grant the order, the magistrate must be satisfied of three things. First, that there are reasonable grounds for suspecting that evidential material is held in, or is accessible from, the computer or data storage device. Second, that the specified person is reasonably suspected of having committed an offence, the owner or lessee of the computer or device (or an employee of them or a person engaged under a contract for services by them), a person who uses or has used that computer or device, or a person who is or was a system administrated for the system which includes the computer or device. Third, that the specified person has relevant knowledge of the computer or device or of measures applied to protect data held in, or accessible from, the computer or device. This could include knowledge of the password or other means by which the data has been encrypted and how it can be decrypted.
Failure to comply with a requirement in such an order is a criminal offence, punishable by up to five years’ imprisonment or 300 penalty units (63,000 AUD) in ordinary cases, and by up to ten years’ imprisonment or 600 penalty units (124,000 AUD) where the order relates to a serious offence or a serious terrorism offence.
The Crimes Act 1914 can be found here.
Obligations on providers to assist authorities
The Telecommunications Act 1997 (as amended by the Telecommunications and Other Legislation Amendment (Assistance and Access) Act 2018) provides for three types of requests and notices that the government and certain security and law enforcement agencies can issue to communications providers.
- Technical assistance requests (sections 317G to 317K). These can be issued by a security or law enforcement agency, and ask, but do not require, the provider to take specified steps which would ensure that the provider is capable of giving certain types of help to the agency for purposes such as safeguarding national security or to enforce criminal law.
- Technical assistance notices (sections 317L to 317RA). These can also be issued by a security or law enforcement agency and require the provider to take specified steps which would help the agency in relation to its functions relating to national security or enforcing the criminal law.
- Technical capability notices (sections 317S to 317ZAA). These can only be issued by the Attorney-General and require the provider to do certain specified acts or things, related to technical capability, which ensure that the provider is capable of giving certain types of help to the security agencies, again, in relation to its functions relating to national security or enforcing the criminal law.
Any request or notice must be reasonable and proportionate, and compliance must be practicable and technically feasible. The assessment of reasonableness and proportionality includes consideration of a number of specified factors, including whether the request or notice is “necessary” as well as “the legitimate expectations of the Australian community relating to privacy”. In relation to encryption, a request or notice must not have the effect of “requesting or requiring a designated communications provider to implement or build a systemic weakness, or a systemic vulnerability, into a form of electronic protection” or “preventing a designated communications provider from rectifying a systemic weakness, or a systemic vulnerability, in a form of electronic protection” (section 317ZG(1)).
The Act explicitly states that such prohibited requests would include any which involve implementing or building new decryption capabilities in relation to a form of electronic protection as well as anything that would render systemic methods of authentication or encryption less effective (sections 317ZG(2) and (3)). Weaknesses and vulnerabilities are systemic if they affect “a whole class of technology” but are not if they are “selectively introduced to one or more target technologies that are connected with a particular person” (section 317B).
Failure to comply with a technical assistance notice or a technical capability notice is an offence, punishable by up to 47,619 penalty units (AUD 9,999,990) if the provider is a body corporate and 238 penalty units (AUD 49,980) if it is not (section 317ZB).
A copy of the Telecommunications Act 1997 can be found here.
Assessment Text Area
Australia’s legal framework contains some restrictions on encryption. These include export controls and obligations on providers and individuals to assist authorities. The export controls prohibit exporting, supplying or publishing certain forms of encryption software or technology unless authorisation is granted, but commonly used forms of encryption and cryptography tools are exempt. The legal framework also provides for three types of requests and notices that the government and certain security and law enforcement agencies can issue to communications providers. The legal framework provides constables with powers to require a specific person to provide access to encrypted data, subject to specific safeguards.
Active policy processes
No known active policy processes.
Austria
Law and policy
General right to encryption
No known legislation or policies.
Mandatory minimum or maximum encryption strength
No known legislation or policies.
Licensing/registration requirements
No known legislation or policies.
Import/export controls
No known legislation or policies.
Other restrictions
No known legislation or policies.
Obligations on individuals to assist authorities
No known legislation or policies.
Obligations on providers to assist authorities
No known legislation or policies.
Assessment Text Area
Azerbaijan
Law and policy
General right to encryption
No known legislation or policies.
Mandatory minimum or maximum encryption strength
No known legislation or policies.
Licensing/registration requirements
No known legislation or policies.
Import/export controls
No known legislation or policies.
Other restrictions
No known legislation or policies.
Obligations on individuals to assist authorities
No known legislation or policies.
Obligations on providers to assist authorities
No known legislation or policies.
Assessment Text Area
Bahamas
Assessment
Law and policy
General right to encryption
No known legislation or policies.
Mandatory minimum or maximum encryption strength
Section 24(1) of the Electronic Communications and Transactions Act allows the Minister with responsibility for Electronic Commerce to make Regulations “respecting the use, import and export of encryption technology, encryption programs, or other encryption products”. None, however, appear to have been made.
A copy of the Electronic Communications and Transactions Act can be found here.
Licensing/registration requirements
Section 24(1) of the Electronic Communications and Transactions Act allows the Minister with responsibility for Electronic Commerce to make Regulations “respecting the use, import and export of encryption technology, encryption programs, or other encryption products”. None, however, appear to have been made.
A copy of the Electronic Communications and Transactions Act can be found here.
Import/export controls
Section 24(1) of the Electronic Communications and Transactions Act allows the Minister with responsibility for Electronic Commerce to make Regulations “respecting the use, import and export of encryption technology, encryption programs, or other encryption products”. None, however, appear to have been made.
A copy of the Electronic Communications and Transactions Act can be found here.
Other restrictions
Section 24(1) of the Electronic Communications and Transactions Act allows the Minister with responsibility for Electronic Commerce to make Regulations “respecting the use, import and export of encryption technology, encryption programs, or other encryption products”. None, however, appear to have been made.
A copy of the Electronic Communications and Transactions Act can be found here.
Obligations on individuals to assist authorities
Under section 16(1) of the Computer Misuse Act, a police officer or a person authorised in writing by the Commissioner of Police, where they have a search warrant, is entitled to have access to and inspect and check the operation of a computer, to use or have someone else use a computer to search any data contained in it or available to it, and to have access to any information, code or technology which can retransform or unscramble encrypted data contained or available to the computer into a readable and comprehensible format or text. They are also entitled to require any person they have reasonable cause to suspect is using or has used the computer, or any person in charge of or concerned with the operation of the computer, to provide them with such reasonable technical and other assistance they may require for those purposes. Finally, they are also entitled to require any person in possession of decryption information to grant them access to such decryption information as it necessary to decrypt data.
The search warrant to exercise these powers must be obtained under section 70 of the Criminal Procedure Code which regulates search warrants more generally. Search warrants must be obtained from a magistrate, who must be satisfied that there is reasonable cause to believe that an offence has been committed on a particular property.
Furthermore, the powers under the Computer Misuse Act can only be used in relation to a computer where the police officer or person authorised in writing by the Commissioner of Police has reasonable cause to suspect is being used or has been used in connection with an offence under the Computer Misuse Act or disclosed in the course of the lawful exercise of the powers under section 16. They cannot be exercised in relation to criminal offences generally.
Additionally, where the powers to be exercised involve searching data on a computer, accessing decryption technology, or requiring a person to provide decryption information, the consent of the Attorney-General is required.
Failure to comply is a criminal offence, punishable by up to three years’ imprisonment or a fine of up to BSD 10,000.
The Computer Misuse Act can be found here.
Obligations on providers to assist authorities
No known legislation or policies.
Assessment Text Area
Bahamian law allows law enforcement agencies who have been granted a search warrant to access any assistance they may require to decrypt data found in the search. However, safeguards apply – where the powers to be exercised involve searching data on a computer, accessing decryption technology, or requiring a person to provide decryption information, the consent of the Attorney-General is required. Failure to comply is a punishable offence. Although the Minister has the power to regulate encryption technology in addition to the import and export of encryption programs and technology, no such policies have been enacted thus far.
Bahrain
Assessment
Law and policy
General right to encryption
No known legislation or policies.
Mandatory minimum or maximum encryption strength
No known legislation or policies.
Licensing/registration requirements
No known legislation or policies.
Import/export controls
No known legislation or policies.
Other restrictions
Article 9 of Law No. 60 of 2014 on Information Technology Crimes provides for a criminal offence of using encryption in order to commit or conceal any crime provided for in that law, or any other law, punishable by imprisonment or a fine of up to BHD 100,000, or both.
A copy of the law (in Arabic) can be found here.
Obligations on individuals to assist authorities
No known legislation or policies.
Obligations on providers to assist authorities
No known legislation or policies.
Assessment Text Area
Bahrain does not impose any limitations on the use of encryption or provide government agencies with specific powers to decrypt data or order specific persons to do so. However, it does criminalise the use of encruption to to commit or conceal any crime, punishable by imprisonment, a fine or both.
Bangladesh
Assessment
Law and policy
General right to encryption
No known legislation or policies.
Mandatory minimum or maximum encryption strength
No known legislation or policies.
Licensing/registration requirements
No known legislation or policies.
Import/export controls
No known legislation or policies.
Other restrictions
Section 60 of the Digital Security Act, 2018, enables the government to make rules in relation to, among other things, decryption. None, however, appear to have been made.
A copy of the law (in Bengali) can be found here.
Obligations on individuals to assist authorities
Section 60 of the Digital Security Act, 2018, enables the government to make rules in relation to, among other things, decryption. None, however, appear to have been made.
A copy of the law (in Bengali) can be found here.
Obligations on providers to assist authorities
Section 60 of the Digital Security Act, 2018, enables the government to make rules in relation to, among other things, decryption. None, however, appear to have been made.
A copy of the law (in Bengali) can be found here.
Assessment Text Area
The Digital Security Act enables the government of Bangladesh to make rules in relation to, among other things, decryption. None, however, appear to have been made.
Barbados
Assessment
Law and policy
General right to encryption
Section 21(2) of the Electronic Transactions Act, 2001 provides that, subject to any regulations made under section 21(1), a person can use any encryption programme or product of any bit size or other of measure of strength that they lawfully possess. No such regulations have been made.
A copy of the law can be found here.
Mandatory minimum or maximum encryption strength
Section 21(1) of the Electronic Transactions Act, 2001 permits the government to make regulations (a) respecting the use, import and export of encryption programmes or other encryption products, and (b) prohibiting the export of encryption programmes or other encryption products from Barbados generally, or subject to such restrictions as may be prescribed. However, section 21(2) makes clear that, subject to any regulations made under section 21(1), a person can use any encryption programme or product of any bit size or other measure of strength that they lawfully possess. No such regulations have been made.
A copy of the law can be found here.
Licensing/registration requirements
Section 21(1) of the Electronic Transactions Act, 2001 permits the government to make regulations (a) respecting the use, import and export of encryption programmes or other encryption products, and (b) prohibiting the export of encryption programmes or other encryption products from Barbados generally, or subject to such restrictions as may be prescribed. However, section 21(2) makes clear that, subject to any regulations made under section 21(1), a person can use any encryption programme or product of any bit size or other measure of strength that they lawfully possess. No such regulations have been made.
A copy of the law can be found here.
Import/export controls
Section 21(1) of the Electronic Transactions Act, 2001 permits the government to make regulations (a) respecting the use, import and export of encryption programmes or other encryption products, and (b) prohibiting the export of encryption programmes or other encryption products from Barbados generally, or subject to such restrictions as may be prescribed. However, section 21(2) makes clear that, subject to any regulations made under section 21(1), a person can use any encryption programme or product of any bit size or other measure of strength that they lawfully possess. No such regulations have been made.
A copy of the law can be found here.
Other restrictions
No known legislation or policies.
Obligations on individuals to assist authorities
Under section 15(1) of the Computer Misuse Act, magistrates are able to issue search warrants authorising police officers to enter and search places, including computers there, using such force as is necessary. In order to grant such a warrant, the magistrate must be satisfied that there are reasonable grounds for suspecting that an offence under the Act has been or is about to be committed in a particular place, and that evidence that such an offence has been or is about to be committed is in that place.
A warrant issued under section 15(1) may authorised a police officer to:
(a) seize any computer, data, programme, information, document or thing if they reasonably believe that it is evidence that an offence under the Act has been or is about to be committed;
(b) inspect and check the operation of any such computer;
(c) use or requires someone else to use any such computer to search any programme or data held in or available to the computer;
(d) have access to any information, code or technology which has the capability of transforming or converting an encrypted programme or data held in or available to the computer into readable and comprehensible format or text, for the purpose of investigating any offence under the Act;
(e) convert an encrypted programme or data held in another computer system at the place specified in the warrant, where there are reasonable grounds for believing that computer data connected with the commission of the offence may be stored in that other system; and
(f) make and retain a copy of any programme or data held in the computer referred to in (a) or (e) and any other programme or data held in the computers.
Failure to comply with a request for assistance from a police officer is a criminal offence, punishable by up to eighteen months’ imprisonment or to a fine of up to BBD 15,000, or both.
Additionally, section 16(1) also allows a police officer to require access to decryption information necessary to decrypt computer data required for the purpose of investigating the commission of an offence from any person in possession or control of a computer data storage medium or computer system. Again, failure to comply with a request for assistance from a police officer is a criminal offence, punishable by up to eighteen months’ imprisonment or to a fine of up to BBD 15,000, or both.
The Computer Misuse Act can be found here.
Obligations on providers to assist authorities
No known legislation or policies.
Assessment Text Area
The law in Barbados permits the government to make regulations regarding the use, import and export of encryption programmes or other encryption products although to date no such regulations have been made. The law provides police officers to enter and search places under warrants, including computers. This includes access to information that would allow for the decryption of information, it also allows a police officer to require access to decryption information necessary to decrypt computer data required for the purpose of investigating the commission of an offence. Failure to comply is a punishable offence. The law provides limited safeguards with regards to these powers as the warrant must be issued by a magistrate with reasonable grounds to suspect that an offence under the Act has been or is about to be committed, and that evidence that such an offence has been or is about to be committed.
Belarus
Assessment
Law and policy
General right to encryption
No known legislation or policies.
Mandatory minimum or maximum encryption strength
No known legislation or policies.
Licensing/registration requirements
No known legislation or policies.
Import/export controls
Under Resolution of the Council of Ministers of the Republic of Belarus No. 218 of 18 March 1997, the import and export of cryptography is prohibited without a license from the Ministry of Foreign Affairs or the State Center for Information Security of the Security Council.
A copy of the Resolution (in Russian) can be found here.
Other restrictions
No known legislation or policies.
Obligations on individuals to assist authorities
No known legislation or policies.
Obligations on providers to assist authorities
No known legislation or policies.
Assessment Text Area
In Belarus, the import and export of cryptography is prohibited without a license from the Ministry of Foreign Affairs or the State Center for Information Security of the Security Council, thereby allowing for the possibility of limitations on the use of certain types or strengths of encryption.
Belgium
Assessment
Law and policy
General right to encryption
No known legislation or policies.
Mandatory minimum or maximum encryption strength
No known legislation or policies.
Licensing/registration requirements
No known legislation or policies.
Import/export controls
No known legislation or policies.
Other restrictions
No known legislation or policies.
Obligations on individuals to assist authorities
Article 88quater of the Code of Criminal Instruction provides a power for examining magistrates and other officials to order anyone with particular knowledge of a computer system that is the subject of a search warrant, or of services or applications which encrypt data to provide information on how to access content that has been encrypted and to make it accessible in a particular format. A further provision allows similar orders to be made to any appropriate person to operate the computer system themselves to make information accessible in a particular format. They must then do so to the best of their capabilities.
Refusal to provide such technical assistance, if requested, is a criminal offence punishable by imprisonment of between six months and three years, a fine of between 26 EUR and 20,000 EUR, or both. Where that assistance would prevent a crime, and they fail to provide it, the punishment is imprisonment of between one and five years, a fine of 500 EUR to 50,000 EUR, or both.
A copy of the Code of Criminal Instruction (in French) can be found here.
Obligations on providers to assist authorities
Article 18/17 of the Law of 30 November 1998, Organic Law on the Intelligence and Security Services, allows the intelligence and security services to intercept communications and record them, although Article 18/10 requires prior authorisation in such cases from an independent commission. Under Article 18/17, if an operation on an electronic communications network is necessary for the interception and recording to take place, the head of the intelligence and security services can make a written request for technical assistance to a network operator or provider of an electronic communications service.
Failure to comply with such a request is a criminal offence punishable by a fine of between 26 EUR and 20,000 EUR.
A copy of the law (in French) can be found here.
Article 127 of the Law of 13 June 2005, Law on Electronic Communications, allows the King to establish technical and administrative measures with which operators must comply, in order to be able to identify end users, identify their location, listen to their communications, and record the communications. Under the Royal Order of 12 October 2010, these measures include being able to transmit the content of a call clearly in circumstances where operator of the electronic communications network or the provider of an electronic communications service has used encryption. As such, operators and service providers need to be able decrypt any encryption that they use with regards to communications.
A copy of the law (in French) can be found here.
A copy of the Royal Order (in French) can be found here.
Article 90ter of the Code of Criminal Procedure allows, limited circumstances, and only where authorised by the Royal Prosecutor, an examining magistrate to secretly intercept, take knowledge, explore and record non-publicly accessible communications or data from a computer system or part of it, or to search a computer system or part thereof. Where undertaken, the examining magistrate may also, without the knowledge or consent of the owner, to install technical devices in the relevant computer systems to decrypt data stored, processed or transmitted. Under the Royal Order of 9 January 2003, operators and electronic communications service providers must be technically able to transmit the content of communications clearly in circumstances where they have used encryption. As such, operators and service providers need to be able decrypt any encryption that they use with regards to communications. Article 90quartier allows the examining magistrate to require the assistance of an operator of an electronic communications work or a provider of an electronic communications service so as to be able undertake the measures. They must then do so to the best of their capabilities.
Refusal to provide such technical assistance, if requested, is a criminal offence punishable by a fine of between 26 EUR and 20,000 EUR.
A copy of the Code of Criminal Procedure (in French) can be found here.
A copy of the Royal Order (in French) can be found here.
Assessment Text Area
A range of legislation exists in Belgium providing different government agencies with the power to either intercept communications, require network operators to support interception or decryption of encrypted data, and the ability to require specific persons to decrypt encrypted data in a computer system that is the subject of a search warrant. Some of these powers, particularly those relating to interception, are limited to intelligence and security agencies. Safeguards exist for the deployment of these powers, although these are limited.
Belize
Law and policy
General right to encryption
No known legislation or policies.
Mandatory minimum or maximum encryption strength
No known legislation or policies.
Licensing/registration requirements
No known legislation or policies.
Import/export controls
No known legislation or policies.
Other restrictions
No known legislation or policies.
Obligations on individuals to assist authorities
No known legislation or policies.
Obligations on providers to assist authorities
No known legislation or policies.
Assessment Text Area
Benin
Law and policy
General right to encryption
No known legislation or policies.
Mandatory minimum or maximum encryption strength
No known legislation or policies.
Licensing/registration requirements
No known legislation or policies.
Import/export controls
No known legislation or policies.
Other restrictions
No known legislation or policies.
Obligations on individuals to assist authorities
No known legislation or policies.
Obligations on providers to assist authorities
No known legislation or policies.
Assessment Text Area
Bhutan
Law and policy
General right to encryption
No known legislation or policies.
Mandatory minimum or maximum encryption strength
No known legislation or policies.
Licensing/registration requirements
No known legislation or policies.
Import/export controls
No known legislation or policies.
Other restrictions
No known legislation or policies.
Obligations on individuals to assist authorities
No known legislation or policies.
Obligations on providers to assist authorities
No known legislation or policies.
Assessment Text Area
Bolivia
Law and policy
General right to encryption
No known legislation or policies.
Mandatory minimum or maximum encryption strength
No known legislation or policies.
Licensing/registration requirements
No known legislation or policies.
Import/export controls
No known legislation or policies.
Other restrictions
No known legislation or policies.
Obligations on individuals to assist authorities
No known legislation or policies.
Obligations on providers to assist authorities
No known legislation or policies.
Assessment Text Area
Bosnia and Herzegovina
Law and policy
General right to encryption
No known legislation or policies.
Mandatory minimum or maximum encryption strength
No known legislation or policies.
Licensing/registration requirements
No known legislation or policies.
Import/export controls
No known legislation or policies.
Other restrictions
No known legislation or policies.
Obligations on individuals to assist authorities
No known legislation or policies.
Obligations on providers to assist authorities
No known legislation or policies.
Assessment Text Area
Botswana
Law and policy
General right to encryption
No known legislation or policies.
Mandatory minimum or maximum encryption strength
No known legislation or policies.
Licensing/registration requirements
No known legislation or policies.
Import/export controls
No known legislation or policies.
Other restrictions
No known legislation or policies.
Obligations on individuals to assist authorities
No known legislation or policies.
Obligations on providers to assist authorities
No known legislation or policies.
Assessment Text Area
Brazil
Assessment
Law and policy
General right to encryption
While there is no explicit right to encryption, Article 5 of the Constitution guarantees the secrecy of correspondence and of telegraphic, data and telephonic communications is inviolable, except, in the latter case, by court order, in the situations and manner established by law for purposes of criminal investigation or the fact-finding phase of a criminal prosecution.
A copy of the Constitution can be found here.
Article 7(III) of the Civil Rights Framework for the Internet (Law No. 12.965) guarantees the inviolability and secrecy of user communications online, with exceptions only permitted by court order.
A copy of the law (in Portuguese) can be found here.
Mandatory minimum or maximum encryption strength
No known legislation or policies.
Licensing/registration requirements
No known legislation or policies.
Import/export controls
No known legislation or policies.
Other restrictions
No known legislation or policies.
Obligations on individuals to assist authorities
No known legislation or policies.
Obligations on providers to assist authorities
Article 52 of Anatel Resolution No. 614 of 28 May 2013 provides that telecommunication service providers must ensure the secrecy inherent in telecommunication services and the confidentiality of data, including connection records, and subscriber information, using all necessary means and technologies. Article 52 also requires telecommunication service providers to make available data relating to the suspension of telecommunication secrecy to authorities that, according to the law, have competence to request such information.
A copy of the Resolution can be found here.
There have been at least two court decisions which suspended the use of an encrypted communications app on the basis that they failed to comply with court orders demanding the contents of encrypted communications. However both cases are under judicial secrecy (segredo de justiça) meaning it is not possible to see the decisions to determine the legal basis for the actions taken.
Assessment Text Area
Brazil’s legal frameworks provide for the inviolability of the secrecy of communications, including online, with exceptions permitted only by court order. So far, there have been at least two court decisions which suspended the use of an encrypted communications app on the basis that they failed to comply with court orders demanding the contents of encrypted communications. It’s not possible to determine the legal basis for the actions taken.
Brunei
Assessment
Law and policy
General right to encryption
No known legislation or policies.
Mandatory minimum or maximum encryption strength
No known legislation or policies.
Licensing/registration requirements
No known legislation or policies.
Import/export controls
No known legislation or policies.
Other restrictions
No known legislation or policies.
Obligations on individuals to assist authorities
Under section 18(1) of the Computer Misuse Act, a police officer or a person authorised in writing by the Commissioner of Police is entitled to have access to and inspect and check the operation of a computer, to use or have someone else use a computer to search any data contained in it or available to it, and to have access to any information, code or technology which can retransform or unscramble encrypted data contained or available to the computer into a readable and comprehensible format or text. They are also entitled to require any person they have reasonable cause to suspect is using or has used the computer, or any person in charge of or concerned with the operation of the computer, to provide them with such reasonable technical and other assistance they may require for those purposes. Finally, they are also entitled to require any person in possession of decryption information to grant them access to such decryption information as it necessary to decrypt data.
These powers can only be used in relation to a computer where the police officer or person authorised in writing by the Commissioner of Police has reasonable cause to suspect is being used or has been used in connection with an offence under the Computer Misuse Act or disclosed in the course of the lawful exercise of the powers under section 18. They cannot be exercised in relation to criminal offences generally.
Additionally, where the powers to be exercised involve searching data on a computer, accessing decryption technology, or requiring a person to provide decryption information, the consent of the Attorney-General is required.
Failure to comply is punishable by up to three years’ imprisonment, a fine of up to BND 10,000, or both.
A copy of the law can be found here.
Obligations on providers to assist authorities
No known legislation or policies.
Assessment Text Area
The law in Brunei grants polices officer or a person authorised to be able to demand access to decryption information in the course of a criminal investigation. Where the powers to be exercised involve searching data on a computer, accessing decryption technology, or requiring a person to provide decryption information, the consent of the Attorney-General is required. Failure to comply is a punishable offence.
Bulgaria
Law and policy
General right to encryption
No known legislation or policies.
Mandatory minimum or maximum encryption strength
No known legislation or policies.
Licensing/registration requirements
No known legislation or policies.
Import/export controls
No known legislation or policies.
Other restrictions
No known legislation or policies.
Obligations on individuals to assist authorities
No known legislation or policies.
Obligations on providers to assist authorities
No known legislation or policies.
Assessment Text Area
Burkina Faso
Law and policy
General right to encryption
No known legislation or policies.
Mandatory minimum or maximum encryption strength
No known legislation or policies.
Licensing/registration requirements
No known legislation or policies.
Import/export controls
No known legislation or policies.
Other restrictions
No known legislation or policies.
Obligations on individuals to assist authorities
No known legislation or policies.
Obligations on providers to assist authorities
No known legislation or policies.
Assessment Text Area
Burundi
Law and policy
General right to encryption
No known legislation or policies.
Mandatory minimum or maximum encryption strength
No known legislation or policies.
Licensing/registration requirements
No known legislation or policies.
Import/export controls
No known legislation or policies.
Other restrictions
No known legislation or policies.
Obligations on individuals to assist authorities
No known legislation or policies.
Obligations on providers to assist authorities
No known legislation or policies.
Assessment Text Area
Cambodia
Law and policy
General right to encryption
No known legislation or policies.
Mandatory minimum or maximum encryption strength
No known legislation or policies.
Licensing/registration requirements
No known legislation or policies.
Import/export controls
No known legislation or policies.
Other restrictions
No known legislation or policies.
Obligations on individuals to assist authorities
No known legislation or policies.
Obligations on providers to assist authorities
No known legislation or policies.
Assessment Text Area
Cameroon
Assessment
Law and policy
General right to encryption
There is no general right to encryption as such, however section 42 of Law No. 2010/012 of 21 December 2010 Relating to Cybersecurity and Cybercriminality in Cameroon provides that “the confidentiality of information channelled through electronic communication and information systems networks, including traffic data, shall be ensured by operators of electronic communication and networks information systems”.
A copy of Law No. 2010/012 can be found here.
Mandatory minimum or maximum encryption strength
No known legislation or policies.
Licensing/registration requirements
Section 7(2) of Law No. 2010/012 of 21 December 2010 Relating to Cybersecurity and Cybercriminality in Cameroon says that the National Agency for Information and Communication Technologies (ANTIC) shall be “responsible for the regulation, control and monitoring of activities related to the security of electronic communication networks, information systems, and electronic certification on behalf of the State” and that one of its missions is to “examine applications for the certification of cryptographic means”.
Section 58 of Law No. 2010/013 of 21 December 2010 Regulating Electronic Communications in Cameroon provides, more specifically, that “the supply, export, import or use of cryptography means or services associated with the transmission of information” requires prior declarations, where its sole purpose “is to authenticate a communication or to ensure the integrity of the message transmitted” and prior authorisation in other cases. These requirements do not apply, however, to cryptographic functions which are integrated into application software used by users. The rules on how to make a declaration to and seek authorisation from ANTIC are set out in Decree No. 2013/0400.
A copy of Law No. 2010/012 can be found here.
A copy of Law No. 2010/013 (in French) can be found here.
A copy of Decree No. 2013/0400 (in French) can be found here.
Import/export controls
Section 58 of Law No. 2010/013 of 21 December 2010 Regulating Electronic Communications in Cameroon provides, more specifically, that “the supply, export, import or use of cryptography means or services associated with the transmission of information” requires prior declarations, where its sole purpose “is to authenticate a communication or to ensure the integrity of the message transmitted” and prior authorisation in other cases. These requirements do not apply, however, to cryptographic functions which are integrated into application software used by users. The rules on how to make a declaration to and seek authorisation from ANTIC are set out in Decree No. 2013/0400.
Section 95 of Law No. 2010/013 of 21 December 2010 Regulating Electronic Communications in Cameroon provides that importation of exportation of cryptography means without authorisation shall be published by imprisonment of between one and three months, a fine of between 1 million and 20 million CFA, or both. A court may also, upon conviction, order the confiscation of the cryptographic means and prohibit the interested party from requesting any authorisation for up to two years.
A copy of Law No. 2010/013 (in French) can be found here.
A copy of Decree No. 2013/0400 (in French) can be found here.
Other restrictions
Under section 88 of Law No. 2010/012 of 21 December 2010 Relating to Cybersecurity and Cybercriminality in Cameroon, “whoever, knowing about a secret decoding convention, a cryptographic means likely to have been used to prepare, facilitate or commit a crime or felony, refuses to hand over the said convention to judicial authorities or to use it upon request by such authorities” commits a criminal offence, punishable by imprisonment of between 1 and 5 years, a fine of between 100,000 and 1 million CFA, or both.
Where such refusal occurs in a case where providing the secret decoding convention could have helped prevent the commission of a crime or felony or limit the effects thereof, the punishment is imprisonment of between 3 and 5 years, a fine of between 1 million and 5 million CFA, or both.
A copy of Law No. 2010/012 can be found here.
Obligations on individuals to assist authorities
Section 52 of Law No. 2010/012 of 21 December 2010 Relating to Cybersecurity and Cybercriminality in Cameroon provides that criminal investigation officers and authorised officials of ANTIC may carry out investigations into cyber offences. These investigations may include the search and seizure of documents and data. Under section 55, “when it appears that data seized or obtained in the course of an investigation or inquiry has been the subject of transformation, thus hindering clear access or is likely to impair the information it contains”, the State Counsel, an examining judge or a court “may request any qualified natural person or corporate body to perform technical operations to obtain the clear version of the said data”. Furthermore, “when a cryptographic means has been employed, judicial authorities may request the secret conversion of the encrypted text.”
A copy of Law No. 2010/012 can be found here.
Obligations on providers to assist authorities
Under Section 49 of Law No. 2010/012 of 21 December 2010 Relating to Cybersecurity and Cybercriminality in Cameroon, in cases of criminal offences contained within the Law, criminal investigation officers may intercept, record or transcribe any electronic communication. Under section 50, where data transmitted by electronic communication networks or electronic communication service providers has been encoded, compressed or ciphered, criminal investigation officers are able to require “clear corresponding interceptions” to be provided. Under section 51, if a request is received, the personnel of the electronic communication network operators or electronic communication service providers are bound to secrecy. Under section 56, a request made under section 50 may also be made to any expert.
Furthermore, under section 58, any natural or legal person that provides cryptographic services aimed at performing a duty of confidentiality are required to provide criminal investigation officers or authorised officials of ANTIC, upon their request, agreements allowing the conversion of data transformed by means of the services that they deliver. Criminal investigation officers and authorised officials of ANTIC may request service providers to implement these agreements of their own motion, except where they are unable to satisfy such requests.
A copy of Law No. 2010/012 can be found here.
Assessment Text Area
The law in Cameroon requires authorisation for the supply, export, import or use of cryptography means or services although the requirements do not apply to cryptographic functions which are integrated into application software used by users. Under the law, criminal investigation officers and authorised officials may require the decryption of encrypted data by specified persons as authorised by the State Counsel, an examining judge or a court. They may also require communication service providers to comply with these requests, except where they are unable to satisfy such requests. The use of encryption to commit a crime and refusal to ‘hand over the convention to judicial authorities in such cases is punishable by imprisonment, a high financial penalty, or both.
Canada
Assessment
Law and policy
General right to encryption
Although the Canadian Charter of Rights and Freedoms doesn’t provide for a specific right to encryption, the Charter does protect the right to “freedom of thought, belief, opinion and expression, including freedom of the press and other media of communication” (section 2(b)) and provides that “everyone has the right to be secure against unreasonable search or seizure” (section 8). The government of Canada has recognised that these rights would be engaged by any restrictions relating to encryption.
A copy of the Charter can be found here.
Mandatory minimum or maximum encryption strength
No known legislation or policies.
Licensing/registration requirements
No known legislation or policies.
Import/export controls
Section 3 of the Export and Import Permits Act allows the government to establish an Export Control List, setting out restrictions on the export of certain articles. Items on the list must generally be authorised by an export permit before they can be exported from Canada, and include certain forms of cryptography. A permit is not required, however, if the cryptographic item is being exported to the USA, nor if the cryptographic item is one that is marketed to the general public.
A copy of the law can be found here.
Other restrictions
No known legislation or policies.
Obligations on individuals to assist authorities
There is no legislative power which can be used to require individuals to decrypt encrypted communications. Indeed, in R v. Boudreau-Fontaine (2010 QCCA 1108), the Quebec Court of Appeal found that an order compelling an individual to provide a password violated his constitutional rights, including his rights to silence and against self-incrimination. Various lower courts have followed this decision, although the Supreme Court of Canada has not ruled on this issue. The federal government has also recognised that it has no legislative authority to compel individuals to provide a password in the course of a criminal investigation.
In some cases, however, law enforcement may attempt, using various technical and investigative means to circumvent the protections afforded by encryption or to acquire an individual’s private key or password. When an individual has a reasonable expectation of privacy in the information sought, the constitution generally requires law enforcement to secure prior judicial authorisation (normally on a “reasonable grounds to believe” standard) for the search, seizure, or interception of the data sought. In some cases, additional legal safeguards may also apply.
Depending on the technical infrastructure in question, in certain cases assistance orders (section 487.014 of the Criminal Code) or production orders (section 487.02 of the Criminal Code) against third parties (including service providers) may be used to facilitate attempts by law enforcement to access to encrypted data.
Section 8 of the Canadian Charter of Rights and Freedoms requires not only that the search is reasonable, but that the search is conducted in a reasonable manner. This aspect of the section 8 analysis may serve to limit certain methods of circumventing encryption which are clearly disproportionate or prejudicial. Evidence obtained in breach of a Charter right can be excluded subject to section 24(2) of the Charter.
A copy of the Charter can be found here.
A copy of the Criminal Code can be found here.
Obligations on providers to assist authorities
There is no legislative power which can be used to require telecommunication or online service providers to facilitate the decryption of encrypted communications, although, more generally, and depending on the technical infrastructure in question, in certain cases assistance orders (section 487.014 of the Criminal Code) or production orders (section 487.02 of the Criminal Code) against third parties (including service providers) may be used to facilitate attempts by law enforcement to access to encrypted data.
A copy of the Criminal Code can be found here.
Assessment Text Area
According to Canada’s constitution everyone has the right to be secure against “unreasonable search or seizure” and the government of Canada has recognised that these rights would be engaged by any restrictions relating to encryption. There is no legislative power which can be used to require individuals to decrypt encrypted communications and the federal government has recognised that it has no legislative authority to compel individuals to provide a password in the course of a criminal investigation. However, law enforcement may attempt circumvent the protections afforded by encryption or to acquire an individual’s private key or password. The search must be “reasonable” and conducted in a “reasonsable manner”, and generally law enforcement is required to secure prior judicial authorisation. In some cases additional legal safeguards may apply.
Cape Verde
Assessment
Law and policy
General right to encryption
No known legislation or policies.
Mandatory minimum or maximum encryption strength
No known legislation or policies.
Licensing/registration requirements
No known legislation or policies.
Import/export controls
No known legislation or policies.
Other restrictions
No known legislation or policies.
Obligations on individuals to assist authorities
No known legislation or policies.
Obligations on providers to assist authorities
Article 25(1)(m) of Legislative Decree n.º7/2005 requires all providers of electronic communications networks and services to set up, at their own expense, the provision of legal interception systems and means of decryption where they provide encryption facilities.
Assessment Text Area
The law in Cape Verde does not provide a right to private communications that could be interpreted to engage the right to use encryption. It requires all providers of electronic communications networks and services to set up, at their own expense, the provision of legal interception systems and means of decryption where they provide encryption facilities.
Central African Republic
Law and policy
General right to encryption
No known legislation or policies.
Mandatory minimum or maximum encryption strength
No known legislation or policies.
Licensing/registration requirements
No known legislation or policies.
Import/export controls
No known legislation or policies.
Other restrictions
No known legislation or policies.
Obligations on individuals to assist authorities
No known legislation or policies.
Obligations on providers to assist authorities
No known legislation or policies.
Assessment Text Area
Chad
Law and policy
General right to encryption
No known legislation or policies.
Mandatory minimum or maximum encryption strength
No known legislation or policies.
Licensing/registration requirements
No known legislation or policies.
Import/export controls
No known legislation or policies.
Other restrictions
No known legislation or policies.
Obligations on individuals to assist authorities
No known legislation or policies.
Obligations on providers to assist authorities
No known legislation or policies.
Assessment Text Area
Chile
Law and policy
General right to encryption
No known legislation or policies.
Mandatory minimum or maximum encryption strength
No known legislation or policies.
Licensing/registration requirements
No known legislation or policies.
Import/export controls
No known legislation or policies.
Other restrictions
No known legislation or policies.
Obligations on individuals to assist authorities
No known legislation or policies.
Obligations on providers to assist authorities
No known legislation or policies.
Assessment Text Area
China
Assessment
Law and policy
General right to encryption
No known legislation or policies.
Mandatory minimum or maximum encryption strength
No known legislation or policies.
Licensing/registration requirements
State Council Order No. 273 “Regulation of Commercial Encryption Codes” provides that manufacturers must obtain approval from the National Commission on Encryption Code Regulations/ State Cryptography Administration for the type and model (including key length) of their encryption products.
A copy of the Order can be found here.
Import/export controls
State Council Order No. 273 “Regulation of Commercial Encryption Codes” provides that the import and export of encryption products requires a license by the National Commission on Encryption Code Regulations/ State Cryptography Administration.
A copy of the Order can be found here.
Other restrictions
State Council Order No. 273 “Regulation of Commercial Encryption Codes” provides that organisations and individuals may not distribute encryption products produced abroad. People may only use encryption products approved by the National Commission on Encryption Code Regulations, and they may not use commercial encryption products developed by themselves or produced abroad. For this use, they must have approval by the National Commission on Encryption Code Regulations. Only foreign diplomatic missions and consulates are exempted from this approval.
A copy of the Order can be found here.
Obligations on individuals to assist authorities
No known legislation or policies.
Obligations on providers to assist authorities
Under the Counter-Terrorism Law, technology firms are required to help decrypt information.
Assessment Text Area
The law in China imposes a range of restrictions on the manufacturing, import, export and use of encryption: It requires manufacturers must obtain approval for the type and model (including key length) of their encryption products, requires a license for the import and export of encryption products. This means organisations and individuals may not distribute encryption products produced abroad as only products that have received government authorised may be used. It also imposes obligations on technology firms, who are broadly required to help decrypt information.
Colombia
Assessment
Law and policy
General right to encryption
There is no general right to encryption, however Law No. 1621 of 2013, which regulates intelligence activities, provides at Article 44, paragraph 2, that telecommunications services providers must offer encrypted voice call service to high government and intelligence officials.
A copy of the law (in Spanish) can be found here.
Mandatory minimum or maximum encryption strength
No known legislation or policies.
Licensing/registration requirements
No known legislation or policies.
Import/export controls
No known legislation or policies.
Other restrictions
Article 103, paragraph 4 of Law No. 104 of 1997 prohibits subscribers, licensees and other persons authorised to use certain radiocommunications systems (including pagers and mobile phones) from sending messages which are encrypted or in an “unintelligible language”. It is not clear if this prohibition extends to encrypted communications on the internet.
A copy of the law (in Spanish) can be found here.
Obligations on individuals to assist authorities
No known legislation or policies.
Obligations on providers to assist authorities
No known legislation or policies.
Assessment Text Area
The law prohibits subscribers, licensees and other persons authorised to use certain radio communications systems (including mobile phones) from sending messages which are encrypted although it remains unclear whether this prohibition extends to encrypted communications on the internet.
Comoros
Law and policy
General right to encryption
No known legislation or policies.
Mandatory minimum or maximum encryption strength
No known legislation or policies.
Licensing/registration requirements
No known legislation or policies.
Import/export controls
No known legislation or policies.
Other restrictions
No known legislation or policies.
Obligations on individuals to assist authorities
No known legislation or policies.
Obligations on providers to assist authorities
No known legislation or policies.
Assessment Text Area
Costa Rica
Law and policy
General right to encryption
No known legislation or policies.
Mandatory minimum or maximum encryption strength
No known legislation or policies.
Licensing/registration requirements
No known legislation or policies.
Import/export controls
No known legislation or policies.
Other restrictions
No known legislation or policies.
Obligations on individuals to assist authorities
No known legislation or policies.
Obligations on providers to assist authorities
No known legislation or policies.
Assessment Text Area
Cote d'Ivoire
Law and policy
General right to encryption
No known legislation or policies.
Mandatory minimum or maximum encryption strength
No known legislation or policies.
Licensing/registration requirements
No known legislation or policies.
Import/export controls
No known legislation or policies.
Other restrictions
No known legislation or policies.
Obligations on individuals to assist authorities
No known legislation or policies.
Obligations on providers to assist authorities
No known legislation or policies.
Assessment Text Area
Croatia
Assessment
Law and policy
General right to encryption
No known legislation or policies.
Mandatory minimum or maximum encryption strength
No known legislation or policies.
Licensing/registration requirements
No known legislation or policies.
Import/export controls
No known legislation or policies.
Other restrictions
No known legislation or policies.
Obligations on individuals to assist authorities
Article 257(1) of the Law on Criminal Procedure provides that searches permitted under the Law also include searches of computers and other devices for collecting, storing and transmitting data. If so requested, a person using or having access to such a computer or device must provide access to it and to provide the necessary information for uninterrupted use and to achieve the purposes of the search. It is not clear whether this would include a requirement to decrypt encrypted data.
A copy of the law (in Croatian) can be found here.
Obligations on providers to assist authorities
No known legislation or policies.
Assessment Text Area
The law provides that for the authorised purposes of investing crime, a person using or having access to such a computer or device must provide access to it and to provide the necessary information for uninterrupted use and to achieve the purposes of the search. It is not clear whether this would include a requirement to decrypt encrypted data.
Cuba
Assessment
Law and policy
General right to encryption
No known legislation or policies.
Mandatory minimum or maximum encryption strength
No known legislation or policies.
Licensing/registration requirements
Article 19(5) of Resolution No. 128/2011 (Regulation for Private Data Networks) requires official approval in order to use any type of application or service supported by a private network that involves encryption of the information which is transmitted.
Import/export controls
No known legislation or policies.
Other restrictions
Article 19 of Resolution No. 179/08 (Regulation for Internet Access Service Providers) requires internet access service providers to guarantee that any software they use does not involve cryptographic systems or the transfer or encrypted files.
A copy of the Resolution (in Spanish) can be found here.
Obligations on individuals to assist authorities
No known legislation or policies.
Obligations on providers to assist authorities
No known legislation or policies.
Assessment Text Area
The law in Cuba limits the use of encryption by requiring official approval in order to use any type of application or service supported by a private network that involves encryption of the information which is transmitted. It also requires internet access service providers to guarantee that any software they use does not involve cryptographic systems or the transfer or encrypted files.
Cyprus
Law and policy
General right to encryption
No known legislation or policies.
Mandatory minimum or maximum encryption strength
No known legislation or policies.
Licensing/registration requirements
No known legislation or policies.
Import/export controls
No known legislation or policies.
Other restrictions
No known legislation or policies.
Obligations on individuals to assist authorities
No known legislation or policies.
Obligations on providers to assist authorities
No known legislation or policies.
Assessment Text Area
Czech Republic
Assessment
Law and policy
General right to encryption
No known legislation or policies.
Mandatory minimum or maximum encryption strength
No known legislation or policies.
Licensing/registration requirements
No known legislation or policies.
Import/export controls
No known legislation or policies.
Other restrictions
No known legislation or policies.
Obligations on individuals to assist authorities
Section 8 of the Criminal Procedure Code requires all state authorities, private entities and individuals to comply with any request of law enforcement bodies. It is not clear whether this would extend to decrypting encrypted information or providing decryption keys.
A copy of the law (in Czech) can be found here.
Section 75(1) of the Law on Electronic Communications (Law No. 127/2005) provides a power for the Police to request a mobile network providers to make it impossible, for a specified period of time, for encryption, coding or any other type of concealment to be used by users of the network to transmit messages. The request can only be made if it is technically feasible. Further, under sections 97(1) and (5) of the same law, any private entity or individual who provides a public communications network or electronic communications service must install interfaces at specified points along the network to enable the tapping and recording of messages by the police. If that entity or individual uses coding, compression or encryption which renders the messages incomprehensible, they must ensure that, at the specified points, the messages (and associated traffic and location data) are comprehensible.
A copy of the law (in Czech) can be found here.
Obligations on providers to assist authorities
Section 8 of the Criminal Procedure Code requires all state authorities, private entities and individuals to comply with any request of law enforcement bodies. It is not clear whether this would extend to decrypting encrypted information or providing decryption keys.
A copy of the law (in Czech) can be found here.
Section 75(1) of the Law on Electronic Communications (Law No. 127/2005) provides a power for the Police to request a mobile network providers to make it impossible, for a specified period of time, for encryption, coding or any other type of concealment to be used by users of the network to transmit messages. The request can only be made if it is technically feasible.
Further, under sections 97(1) and (6) of the same law, any private entity or individual who provides a public communications network or electronic communications service must install interfaces at specified points along the network to enable the tapping and recording of messages by the police. If that entity or individual uses coding, compression or encryption which renders the messages incomprehensible, they must ensure that, at the specified points, the messages (and associated traffic and location data) are comprehensible.
A copy of the law (in Czech) can be found here.
Assessment Text Area
The law requires all state authorities, private entities and individuals to comply with any request of law enforcement bodies although its not clear whether this extends to decrypting encrypted information or providing decryption keys. The also provides law enforcement the power to request a mobile network providers to make it impossible, for a specified period of time, for encryption, coding or any other type of concealment to be used by users of the network to transmit messages, if its technically feasible. In addition, the law requires that public communications networks and electronic communication services must be interceptable to enable the tapping and recording of messages by the police.
Democratic Republic of the Congo
Law and policy
General right to encryption
No known legislation or policies.
Mandatory minimum or maximum encryption strength
No known legislation or policies.
Licensing/registration requirements
No known legislation or policies.
Import/export controls
No known legislation or policies.
Other restrictions
No known legislation or policies.
Obligations on individuals to assist authorities
No known legislation or policies.
Obligations on providers to assist authorities
No known legislation or policies.
Assessment Text Area
Denmark
Assessment
Law and policy
General right to encryption
No known legislation or policies.
Mandatory minimum or maximum encryption strength
No known legislation or policies.
Licensing/registration requirements
No known legislation or policies.
Import/export controls
No known legislation or policies.
Other restrictions
No known legislation or policies.
Obligations on individuals to assist authorities
Under section 804 of the Law on the Administration of Justice, persons other than suspects and accused persons (including private entities) who are in possession of information relevant to an investigation can be required to hand over information. It is not clear whether this would include decryption keys.
A copy of the law (in Danish) can be found here.
Obligations on providers to assist authorities
Section 10 of the Law on Electronic Communications Networks and Services requires providers of electronic communications networks and services to ensure that any technical equipment or systems that they use are set up in such a way so that the police are able to access information about telecommunications traffic and to intervene in the “secrecy of communications” in the form of historical and future telecommunications data, and interception of telecommunications, including access to data directly after its recording.
A copy of the law (in Danish) can be found here.
Under section 804 of the Law on the Administration of Justice, persons other than suspects and accused persons (including private entities) who are in possession of information relevant to an investigation can be required to hand over information. It is not clear whether this would include decryption keys.
A copy of the law (in Danish) can be found here.
Assessment Text Area
The law in Denmark requires providers of electronic communications networks and services can be intercepted. For the purposes of a criminal investigation, persons other than suspects and accused persons (including private entities) who are in possession of information can be required to hand over information. It is not clear whether this would include decryption keys.
Djibouti
Law and policy
General right to encryption
No known legislation or policies.
Mandatory minimum or maximum encryption strength
No known legislation or policies.
Licensing/registration requirements
No known legislation or policies.
Import/export controls
No known legislation or policies.
Other restrictions
No known legislation or policies.
Obligations on individuals to assist authorities
No known legislation or policies.
Obligations on providers to assist authorities
No known legislation or policies.
Assessment Text Area
Dominica
Law and policy
General right to encryption
No known legislation or policies.
Mandatory minimum or maximum encryption strength
No known legislation or policies.
Licensing/registration requirements
No known legislation or policies.
Import/export controls
No known legislation or policies.
Other restrictions
No known legislation or policies.
Obligations on individuals to assist authorities
No known legislation or policies.
Obligations on providers to assist authorities
No known legislation or policies.
Assessment Text Area
Dominican Republic
Law and policy
General right to encryption
No known legislation or policies.
Mandatory minimum or maximum encryption strength
No known legislation or policies.
Licensing/registration requirements
No known legislation or policies.
Import/export controls
No known legislation or policies.
Other restrictions
No known legislation or policies.
Obligations on individuals to assist authorities
No known legislation or policies.
Obligations on providers to assist authorities
No known legislation or policies.
Assessment Text Area
Ecuador
Assessment
Law and policy
General right to encryption
No known legislation or policies.
Mandatory minimum or maximum encryption strength
No known legislation or policies.
Licensing/registration requirements
No known legislation or policies.
Import/export controls
No known legislation or policies.
Other restrictions
No known legislation or policies.
Obligations on individuals to assist authorities
No known legislation or policies.
Obligations on providers to assist authorities
Article 77 of the Organic Law on Telecommunications provides that the interception of communications is permitted where there is an express order from a judge, within the framework of the investigation of an offence or for reasons of public or state security, and in accordance with legal provisions and due process. Where interception is permitted, service providers are required to provide all information requested in the information order, including any necessary technical information and procedures in order to decompress, decipher or decide communications where they have been subject to security measures. This requirement would appear to be limited to decryption of communications that the service provider has encrypted.
A copy of the law (in Spanish) can be found here.
Assessment Text Area
In Ecuador, the law requires service providers to comply with orders to decrypt information although legal safeguards exist (there must be express order from a judge, within the framework of the investigation of an offence or for reasons of public or state security, and in accordance with legal provisions and due process).
Egypt
Assessment
Law and policy
General right to encryption
No known legislation or policies.
Mandatory minimum or maximum encryption strength
No known legislation or policies.
Licensing/registration requirements
Article 64 of Law No. 10 of 2003 on Telecommunication Regulations prohibits telecommunication service operators, providers, their employees and users of such services from using any telecommunication service encryption equipment without written permission from the National Telecom Regulatory Authority, the armed forces and national security entities. This prohibition does not, however, apply to encryption equipment used for radio and television broadcasting.
Contravention of this prohibition is a criminal offence punishable by imprisonment and a fine of between 10,000 and 100,000 EGP.
A copy of the law (in Arabic) can be found here.
Import/export controls
Although there is no provision referring to encryption specifically, Article 44 of Law No. 10 of 2003 on Telecommunication Regulations prohibits the import, manufacture or assembly of any telecommunication equipment without a licence from the National Telecom Regulatory Authority according to the standards and specifications approved by it. This appears to apply to encryption technology as well.
A copy of the law (in Arabic) can be found here.
Other restrictions
No known legislation or policies.
Obligations on individuals to assist authorities
No known legislation or policies.
Obligations on providers to assist authorities
Article 64 of Law No. 10 of 2003 on Telecommunication Regulations requires each operators and providers, at their own expense, to provide within the telecommunication networks licenced to them, all technical possibilities, including equipment, systems, software and communications, to enable the armed forces and national security entities to exercise their powers within the law. This could include capabilities for decrypting encrypted communications.
Contravention of this prohibition is a criminal offence punishable by imprisonment and a fine of between 10,000 and 100,000 EGP.
A copy of the law (in Arabic) can be found here.
Assessment Text Area
The use of encryption in Egypt is subject to authorisation by the National Telecom Regulatory Authority, the armed forces and national security entities; the National Telecom Regulatory Authority is responsible for issuing licenses for the deployment of any encryption technology in Egypt. Operators and providers must all technical possibilities, including equipment, systems, software and communications, to enable the armed forces and national security entities to exercise their powers, including capabilities for decrypting encrypted communications. Contravention of the law is punishable by imprisonment or a heavy financial fine.
El Salvador
Assessment
Law and policy
General right to encryption
No known legislation or policies.
Mandatory minimum or maximum encryption strength
No known legislation or policies.
Licensing/registration requirements
No known legislation or policies.
Import/export controls
No known legislation or policies.
Other restrictions
Article 21 of the Special Law for the Interception of Telecommunications (Legislative Decree No. 285 of 18 February 2010) provides that if material recorded in the course of an interception could not be translated or interpreted, in full or in part, due to encryption, protection by passwords or another similar reason, the Interception Centre shall keep the material until its translation or interpretation. The prosecutor shall indicate in detail this circumstance to the authorising judge, giving him the complete recording of the said material. Once the material is revealed, the prosecutor shall transmit a copy of it to the authorising judge.
A copy of the law (in Spanish) can be found here.
Obligations on individuals to assist authorities
No known legislation or policies.
Obligations on providers to assist authorities
Article 42-D of the Law on Telecommunications (Legislative Decree No. 142 of 6 November 1997) provides that operators of commercial telecommunications networks must decode, or ensure that the authorities can decode, any communication from a subscriber or client for the purpose of obtaining certain types of information, in cases where the encryption has been provided by the service operator. The types of information are those relating to telephone calls as well as databases containing such information.
A copy of the law (in Spanish) can be found here.
Assessment Text Area
The law requires that network operators or providers be able to decrypt encrypted data of subscribers or clients and permits the “Interception Office” to keep a copy of recorded material that is encrypted until it can be decrypted.
Equatorial Guinea
Law and policy
General right to encryption
No known legislation or policies.
Mandatory minimum or maximum encryption strength
No known legislation or policies.
Licensing/registration requirements
No known legislation or policies.
Import/export controls
No known legislation or policies.
Other restrictions
No known legislation or policies.
Obligations on individuals to assist authorities
No known legislation or policies.
Obligations on providers to assist authorities
No known legislation or policies.
Assessment Text Area
Eritrea
Law and policy
General right to encryption
No known legislation or policies.
Mandatory minimum or maximum encryption strength
No known legislation or policies.
Licensing/registration requirements
No known legislation or policies.
Import/export controls
No known legislation or policies.
Other restrictions
No known legislation or policies.
Obligations on individuals to assist authorities
No known legislation or policies.
Obligations on providers to assist authorities
No known legislation or policies.
Assessment Text Area
Estonia
Assessment
Law and policy
General right to encryption
No known legislation or policies.
Mandatory minimum or maximum encryption strength
No known legislation or policies.
Licensing/registration requirements
No known legislation or policies.
Import/export controls
No known legislation or policies.
Other restrictions
No known legislation or policies.
Obligations on individuals to assist authorities
Article 215 of the Criminal Procedure Code allows investigative authorities and prosecutors’ offices to order the production of information from any person. However, there is no requirement that such persons disclose encryption keys or passwords.
A copy of the Criminal Procedure Code (in Estonian) can be found here.
Obligations on providers to assist authorities
Article 215 of the Criminal Procedure Code allows investigative authorities and prosecutors’ offices to order the production of information from any person. However, there is no requirement that such persons disclose encryption keys or passwords.
A copy of the Criminal Procedure Code (in Estonian) can be found here.
Assessment Text Area
In Estonia, investigative authorities and prosecutors’ offices are allowed to order the production of information from any person. However, there is no requirement to comply through the production of encryption keys or passwords.
Ethiopia
Assessment
Law and policy
General right to encryption
No known legislation or policies.
Mandatory minimum or maximum encryption strength
No known legislation or policies.
Licensing/registration requirements
Article 3(1) of the Proclamation on Telecom Fraud Offences (Proclamation No. 761/2012) criminalises the manufacture, assembly or import of any telecommunications equipment without a permit, punishable by “rigorous imprisonment” for between 10 and 15 years and a fine of between ETB 100,000 and ETB 150,000.
Import/export controls
Article 3(1) of the Proclamation on Telecom Fraud Offences (Proclamation No. 761/2012) criminalises the manufacture, assembly or import of any telecommunications equipment without a permit, punishable by “rigorous imprisonment” for between 10 and 15 years and a fine of between ETB 100,000 and ETB 150,000.
Other restrictions
Article 3(1) of the Proclamation on Telecom Fraud Offences (Proclamation No. 761/2012) criminalises the manufacture, assembly or import of any telecommunications equipment without a permit, punishable by “rigorous imprisonment” for between 10 and 15 years and a fine of between ETB 100,000 and ETB 150,000.
Obligations on individuals to assist authorities
Article 32(1) of the Cyber Crime Proclamation (Proclamation No. 258/2016) provides that, where it is necessary for computer crime investigation, an “investigatory organ” may, with a court warrant, search or access physically or virtually any computer system, network or computer data. Under Article 32(4), in the execution of search, the “investigatory organ” may “order any person who has knowledge in the course of his duty about the functioning of the computer system or network or measures applied to protect the data therein to provide the necessary information or computer data that can facilitate the search or access”. This could include a requirement to decrypt or assist in the decryption of encrypted data. Failure to comply with an order is a criminal offence punishable with simple imprisonment of up to one year or a fine of up to ETB 10,000.
A copy of the Cyber Crime Proclamation can be found here.
Obligations on providers to assist authorities
Article 32(1) of the Cyber Crime Proclamation (Proclamation No. 258/2016) provides that, where it is necessary for computer crime investigation, an “investigatory organ” may, with a court warrant, search or access physically or virtually any computer system, network or computer data. Under Article 32(4), in the execution of search, the “investigatory organ” may “order any person who has knowledge in the course of his duty about the functioning of the computer system or network or measures applied to protect the data therein to provide the necessary information or computer data that can facilitate the search or access”. This could include a requirement to decrypt or assist in the decryption of encrypted data. Failure to comply with an order is a criminal offence punishable with simple imprisonment of up to one year or a fine of up to ETB 10,000.
A copy of the Cyber Crime Proclamation can be found here.
Assessment Text Area
In Ethiopia, the manufacture, assembly and import of any telecommunications equipment (which can include encryption technology) requires a license from the government; failure to comply is a crime punishable with imprisonment and a fine. The law also allows an “investigatory organ” with a court warrant to search or access – physically or virtually – any computer system, network, or computer data – where it is necessary for a computer crime investigation. This stipulation encompasses both individuals and providers; failure to comply is a crime punishable with imprisonment or a fine.
Fiji
Assessment
Law and policy
General right to encryption
No known legislation or policies.
Mandatory minimum or maximum encryption strength
No known legislation or policies.
Licensing/registration requirements
No known legislation or policies.
Import/export controls
No known legislation or policies.
Other restrictions
No known legislation or policies.
Obligations on individuals to assist authorities
Section 21(1) of the Cybercrime Act 2021 provides that a police officer or other authorised person under the Act may make an application to a judge or magistrate for a warrant authorising them to search and seize a specified computer system, program, data or computer data storage medium. The application must be made under oath and affidavit, and must show that there exist reasonable grounds to believe that there may be a specified computer system, program, data, or computer data storage medium that (a) is reasonably required for the purpose of a criminal investigation or criminal proceedings which may be material as evidence in proving a specifically identified offence or (b) has been acquired by a person as a result of the commission of an offence.
A warrant granted under section 21(1) may require any person, other than the suspect, in possession of decryption information to grant the police officer or authorised person access to such decryption information necessary to decrypt data required for the purpose of the warrant issued, or to provide them with such reasonable technical and other assistance as the police officer or other authorised person may require for the purposes of the warrant.
Wilfully obstructing the lawful exercise of the powers under the section is a criminal offence punishable with a fine of up to FJD 5,000, imprisonment of up to 2 years, or both.
A copy of the Cybercrime Act 2021 can be found here.
Obligations on providers to assist authorities
Section 21(1) of the Cybercrime Act 2021 provides that a police officer or other authorised person under the Act may make an application to a judge or magistrate for a warrant authorising them to search and seize a specified computer system, program, data or computer data storage medium. The application must be made under oath and affidavit, and must show that there exist reasonable grounds to believe that there may be a specified computer system, program, data, or computer data storage medium that (a) is reasonably required for the purpose of a criminal investigation or criminal proceedings which may be material as evidence in proving a specifically identified offence or (b) has been acquired by a person as a result of the commission of an offence. A warrant granted under section 21(1) may require any person, other than the suspect, in possession of decryption information to grant the police officer or authorised person access to such decryption information necessary to decrypt data required for the purpose of the warrant issued, or to provide them with such reasonable technical and other assistance as the police officer or other authorised person may require for the purposes of the warrant. Wilfully obstructing the lawful exercise of the powers under the section is a criminal offence punishable with a fine of up to FJD 5,000, imprisonment of up to 2 years, or both.
A copy of the Cybercrime Act 2021 can be found here.
In addition, section 73(2) of the Telecommunications Act 2008 requires licensed telecommunications service providers to give “officers and authorities of the government such help as is reasonably necessary” to enforce criminal law, protect public revenue and safeguard national security. Section 73(5) provides that giving “help” includes help by way of intercepting services (where a warrant has been granted), providing information about any communication that is lawfully intercepted, and disclosing information or a document in accordance with section 30 (that is, confidential information can be lawfully disclosed if and when it relates to a criminal investigation).
A copy of the Telecommunications Act 2008 can be found here.
Assessment Text Area
In Fiji, the law allows police officers or other authorised person(s) to apply for a search warrant for the purposes of a criminal investigation or criminal proceedings. The warrant can apply to either service providers for individuals, and can authorise the seizure of a specified computer system, program, data, or computer data storage medium. A warrant also grants the police officer or authorised person access to or assistance with such decryption information necessary to decrypt data. Failure to do so is a criminal offence punishable with a fine, imprisonment, or both. The law also requires licensed telecommunications service providers to give “officers and authorities of the government such help as is reasonably necessary” to enforce criminal law, protect public revenue and safeguard national security.
Finland
Assessment
Law and policy
General right to encryption
Section 6 of the Law on the Protection of Privacy in Electronic Communications (Law 516/2004) provides that subscribers and users of electronic communication services have the right to protect their communications and identification information how the wish, using any technical possibilities available, unless otherwise provided by law.
A copy of the law (in Finnish) can be found here.
Mandatory minimum or maximum encryption strength
No known legislation or policies.
Licensing/registration requirements
No known legislation or policies.
Import/export controls
No known legislation or policies.
Other restrictions
No known legislation or policies.
Obligations on individuals to assist authorities
Section 23 of Chapter 8 of the Law on Coercive Measures Act provides that persons (including persons who maintain information systems) other than suspects/accused persons can be required to hand over passwords and decryption keys if it is necessary to conduct a search of data contained in a device.
A copy of the law (in Finnish) can be found here.
Obligations on providers to assist authorities
Section 23 of Chapter 8 of the Law on Coercive Measures Act provides that persons (including persons who maintain information systems) other than suspects/accused persons can be required to hand over passwords and decryption keys if it is necessary to conduct a search of data contained in a device.
A copy of the law (in Finnish) can be found here.
Assessment Text Area
In Finland, everyone has the right to protect their communications and identification information how the wish, using any technical possibilities available, unless otherwise provided by law. However, the law also requires anyone to hand over passwords and decryption keys if it is necessary to conduct a search of data contained in a device during the course of a criminal investigation.
France
Assessment
Law and policy
General right to encryption
Article 30(I) of Law No. 2004-575 of 21 June 2004 on confidence in the digital economy provides that the use of means of cryptography are free.
A copy of the law (in French) can be found here.
Mandatory minimum or maximum encryption strength
No known legislation or policies.
Licensing/registration requirements
Article 31 of Law No. 2004-575 of 21 June 2004 on confidence in the digital economy provide that a person wishing to supply cryptography services must make a declaration to the Prime Minister. These provisions also give the government the power to issue a decree setting out exceptions to this general requirement, as well as the process by which declarations are to be made.
Providing cryptography services aimed at ensuring confidentiality without having satisfied the reporting obligation provided for in Article 31 is a criminal offence, punishable by two years’ imprisonment and a fine of 30,000 EUR.
A copy of the law (in French) can be found here.
A copy of the decree (in French) can be found here.
Import/export controls
Article 30(III) of Law No. 2004-575 of 21 June 2004 on confidence in the digital economy provides that a person wishing to supply or import or export cryptography products and services, where the the product or service is not exclusively for the purpose of authentication or to ensure integrity. must make a declaration to the Prime Minister.
Article 30(IV) provides that a person wishing to export cryptography products and services, where the the product or service is not exclusively for the purpose of authentication or to ensure integrity, must seek authorisation from the Prime Minister.
These provisions also give the government the power to issue a decree setting out exceptions to these general requirements, as well as the processes by which declarations are to be made and authorisation obtained.
Where a person fails to comply with the requirements under Article 30, the Prime Minister may, after having enabled the person concerned to present their observations, issue a ban on the circulation of the cryptographic products or services concerned until they comply with those requirements.
Failure to comply with the requirement in Article 30 to make a declaration is a criminal offence, punishable by one year’s imprisonment and a fine of 15,000 EUR.
Failure to comply with the requirement in Article 30 to obtain authorisation is a criminal offence, punishable by two years’ imprisonment and a fine of 30,000 EUR.
Selling or renting cryptography products or services which have been banned under Article 34 is a criminal offence, punishable by two years’ imprisonment and a fine of 30,000 EUR.
A copy of the law (in French) can be found here.
A copy of the decree (in French) can be found here.
Other restrictions
No known legislation or policies.
Obligations on individuals to assist authorities
Article L.871-1 of the Internal Security Code requires, under certain circumstances, private entities or individuals who provide cryptology services which ensure confidentiality to deliver to authorised agents the means of enabling the decryption of the data which has been encrypted by their services within 72 hours. The authorised agents may also require the service providers to decrypt the data themselves within 72 hours unless they can show that this would not be possible.
A copy of the Code (in French) can be found here.
Under Article 230-1 of the Criminal Procedure Code, where it appears that data entered or obtained during an investigation has been processed in a manner that makes the data unreadable, or protected by an authentication mechanism (such as encryption), a public prosecutor, investigating court or judicial police officer may designate any private entity or individual so qualified to undertake the technical operations necessary to obtain access to a readable version of the data. Where encryption has been used, they may use secret decryption to do so if necessary.
A copy of the Code (in French) can be found here.
Obligations on providers to assist authorities
Article L.871-1 of the Internal Security Code requires, under certain circumstances, private entities or individuals who provide cryptology services which ensure confidentiality to deliver to authorised agents the means of enabling the decryption of the data which has been encrypted by their services within 72 hours. The authorised agents may also require the service providers to decrypt the data themselves within 72 hours unless they can show that this would not be possible.
A copy of the Code (in French) can be found here.
Under Article 230-1 of the Criminal Procedure Code, where it appears that data entered or obtained during an investigation has been processed in a manner that makes the data unreadable, or protected by an authentication mechanism (such as encryption), a public prosecutor, investigating court or judicial police officer may designate any private entity or individual so qualified to undertake the technical operations necessary to obtain access to a readable version of the data. Where encryption has been used, they may use secret decryption to do so if necessary.
A copy of the Code (in French) can be found here.
Assessment Text Area
The import, export, provision of cryptography services is subject to authorisation by the Prime Minister in France. under certain circumstances, private entities or individuals who provide cryptology service must decrypt encrypted data by their services within 72 hours, unless they can show that this would not be possible. The law also provides a public prosecutor, investigating court or judicial police officer to designate any private entity or individual to use whatever technical means necessary to decrypt encrypted data in the course of a criminal investigation.
Gabon
Law and policy
General right to encryption
No known legislation or policies.
Mandatory minimum or maximum encryption strength
No known legislation or policies.
Licensing/registration requirements
No known legislation or policies.
Import/export controls
No known legislation or policies.
Other restrictions
No known legislation or policies.
Obligations on individuals to assist authorities
No known legislation or policies.
Obligations on providers to assist authorities
No known legislation or policies.
Assessment Text Area
Gambia
Law and policy
General right to encryption
No known legislation or policies.
Mandatory minimum or maximum encryption strength
No known legislation or policies.
Licensing/registration requirements
No known legislation or policies.
Import/export controls
No known legislation or policies.
Other restrictions
No known legislation or policies.
Obligations on individuals to assist authorities
No known legislation or policies.
Obligations on providers to assist authorities
No known legislation or policies.
Assessment Text Area
Georgia
Law and policy
General right to encryption
No known legislation or policies.
Mandatory minimum or maximum encryption strength
No known legislation or policies.
Licensing/registration requirements
No known legislation or policies.
Import/export controls
No known legislation or policies.
Other restrictions
No known legislation or policies.
Obligations on individuals to assist authorities
No known legislation or policies.
Obligations on providers to assist authorities
No known legislation or policies.
Assessment Text Area
Germany
Assessment
Law and policy
General right to encryption
No known legislation or policies.
Mandatory minimum or maximum encryption strength
No known legislation or policies.
Licensing/registration requirements
No known legislation or policies.
Import/export controls
No known legislation or policies.
Other restrictions
No known legislation or policies.
Obligations on individuals to assist authorities
No known legislation or policies.
Obligations on providers to assist authorities
The Ordinance on the Technical and Organisational Implementation of Telecommunications Surveillance Measures obliges telecommunications service providers to be able to surveil communications. Section 8, paragraph 3, provides that it the service provider uses technical measures to protect telecommunications, or “cooperates in the production or exchange of keys”, it must ensure that it is able to decode any telecommunications that are ultimately surveilled. This does not, however, require telecommunication service providers to decrypt any encryption which is used by other parties, such as their users.
A copy of the Ordinance (in German) can be found here.
Assessment Text Area
In Germany telecommunications service providers must be able to decode any telecommunications which are protected through technical measures. This does not, however, require telecommunication service providers to decrypt any encryption which is used by other parties, such as their users.
Ghana
Assessment
Law and policy
General right to encryption
No known legislation or policies.
Mandatory minimum or maximum encryption strength
No known legislation or policies.
Licensing/registration requirements
Section 28 of the Electronic Transactions Act, 2008 prohibits the selling or provision of encryption or authentication services unless it is compliant with the Act. Section 30 provides that the National Information Technology Agency shall act as the “Certifying Agency” and its functions include issuing licences for encryption and authentication service (section 31).
A copy of the Electronic Transactions Act, 2008 can be found here.
Import/export controls
No known legislation or policies.
Other restrictions
No known legislation or policies.
Obligations on individuals to assist authorities
Section 98 of the Electronic Transactions Act, 2008 provides that a law enforcement agent may seize any computer, electronic record, program, information, document, or thing in executing a warrant under the Act if they have reasonable grounds to believe that an offence under the Act has been or is about to be committed.
Section 99(1) goes on to provide that, in executing such a warrant, they may be accompanied by an authorised person and are entitled, with the assistance of that person to have access to “information, any code or technology which has the capability of retransforming or unscrambling an encrypted programme or electronic record held in or available to the computer into readable and comprehensible format or text” to investigate an offence under the Act or any other offence which has been disclosed in the course of the lawful exercise of the powers under the Act.
In addition, under section 99(2), the law enforcement officer is also entitled to require any suspect or person concerned with the operation of the computer to provide them “with the reasonable technical and other assistance required for investigation or prosecution”. Finally, under section 99(3), the law enforcement officer is specifically entitled to require “a person in possession of decryption information to grant the law enforcement officer access to the decryption information necessary to decrypt an electronic record required to investigate an offence”.
A copy of the Electronic Transactions Act, 2008 can be found here.
Obligations on providers to assist authorities
Section 98 of the Electronic Transactions Act, 2008 provides that a law enforcement agent may seize any computer, electronic record, program, information, document, or thing in executing a warrant under the Act if they have reasonable grounds to believe that an offence under the Act has been or is about to be committed.
Section 99(1) goes on to provide that, in executing such a warrant, they may be accompanied by an authorised person and are entitled, with the assistance of that person to have access to “information, any code or technology which has the capability of retransforming or unscrambling an encrypted programme or electronic record held in or available to the computer into readable and comprehensible format or text” to investigate an offence under the Act or any other offence which has been disclosed in the course of the lawful exercise of the powers under the Act.
In addition, under section 99(2), the law enforcement officer is also entitled to require any suspect or person concerned with the operation of the computer to provide them “with the reasonable technical and other assistance required for investigation or prosecution”. Finally, under section 99(3), the law enforcement officer is specifically entitled to require “a person in possession of decryption information to grant the law enforcement officer access to the decryption information necessary to decrypt an electronic record required to investigate an offence”.
A copy of the Electronic Transactions Act, 2008 can be found here.
Assessment Text Area
Ghanian law grants law enforcement agents the right to seize any computer, electronic record, program, information, document, or thing from an individual or service provider in executing a warrant if they have reasonable grounds to believe that an offence has been or is about to be committed. Law enforcement officers are also entitled to require access to decryption information and “the reasonable technical and other assistance required for investigation or prosecution”. The law prohibits the sale or provision of encryption or authentication services unless it is compliant with the country’s 2008 Electronic Transactions Act. Per Ghanian law, the National Information Technology Agency is charged with certifying and issuing licenses for encryption and authentication services.
Greece
Assessment
Law and policy
General right to encryption
No known legislation or policies.
Mandatory minimum or maximum encryption strength
No known legislation or policies.
Licensing/registration requirements
No known legislation or policies.
Import/export controls
No known legislation or policies.
Other restrictions
No known legislation or policies.
Obligations on individuals to assist authorities
No known legislation or policies.
Obligations on providers to assist authorities
Article 8 of Presidential Decree 47/2005 provides that the providers of communications services and networks are required to respond immediately to any request for the “removal of confidentiality of communications” when they are notified by a competent authority and to cooperate with them. Under Article 8(7), if they use encryption, they must deliver or transmit any requested data in a decided form when complying within an order. Article 3(1) provides that the removal of confidentiality refers to any type of communication which is being carried out either through a communications network or through a service provider and by a subscriber or user, but does not include live communications.
A copy of the Decree (in Greek) can be found here.
Assessment Text Area
There is currently no legislation regarding the general right to encryption. Per Greek law, providers of communications services and networks are required to respond immediately to any request for the “removal of confidentiality of communications” when they are notified by a competent authority and to cooperate with them. Removal of confidentiality under Greek law refers to any type of communication which is being carried out either through a communications network or through a service provider and by a subscriber or user, but does not include live communications.
Grenada
Assessment
Law and policy
General right to encryption
No known legislation or policies.
Mandatory minimum or maximum encryption strength
No known legislation or policies.
Licensing/registration requirements
No known legislation or policies.
Import/export controls
No known legislation or policies.
Other restrictions
Section 11(1) of the Electronic Crimes Act, 2013 creates a criminal offence of “misuse of encryption”, namely where a person, for the purpose of the commission of an offence or concealment of incriminating evidence, encrypts in any electronic system any incriminating communication or data contained relating to the offence or incriminating evidence. The offence is punishable by a fine of up to XCD 100,000, imprisonment of up to three years or both.
A copy of the Electronic Crimes Act, 2013 can be found here.
Obligations on individuals to assist authorities
Section 22(1) of the Electronic Crimes Act, 2013 provides that a police officer may apply to a court for a warrant to access, search and seize data where they can show that the stored data would be relevant for the purposes of an investigation or the prosecution of an offence. Under section 22(2), the powers of the police officer executing the warrant include powers to “access any information, code or technology which has the capability of transforming or unscrambling encrypted data contained or available to an electronic system into readable and comprehensible format or text” for the purpose of investigating any offence under the Act or any other offence which is disclosed in the course of the lawful exercise of the powers. This also includes the power to “require a person in possession of the decryption information to grant the police officer access to such decryption information necessary to decrypt data required for the purpose of investigating the offence”.
Failure to comply with a request made by a police officer is a criminal offence punishable by a fine of up to XCD 10,000, imprisonment of up to one year, or both.
A copy of the Electronic Crimes Act, 2013 can be found here.
Obligations on providers to assist authorities
Section 22(1) of the Electronic Crimes Act, 2013 provides that a police officer may apply to a court for a warrant to access, search and seize data where they can show that the stored data would be relevant for the purposes of an investigation or the prosecution of an offence. Under section 22(2), the powers of the police officer executing the warrant include powers to “access any information, code or technology which has the capability of transforming or unscrambling encrypted data contained or available to an electronic system into readable and comprehensible format or text” for the purpose of investigating any offence under the Act or any other offence which is disclosed in the course of the lawful exercise of the powers. This also includes the power to “require a person in possession of the decryption information to grant the police officer access to such decryption information necessary to decrypt data required for the purpose of investigating the offence”.
Failure to comply with a request made by a police officer is a criminal offence punishable by a fine of up to XCD 10,000, imprisonment of up to one year, or both.
A copy of the Electronic Crimes Act, 2013 can be found here.
Assessment Text Area
Per Grenadian law, police officers may apply for a warrant to access, search and seize data from either service providers or individuals in cases where they can show that the stored data would be relevant for the purposes of an investigation or the prosecution of an offence. The warrant entitles officers to access any information, code or technology which has the capability of transforming or unscrambling encrypted data into readable and comprehensible text. The law also requires any person(s) in possession of decryption information to provide the police officers with access to such information. Failure to comply is a criminal offence punishable by a fine, imprisonment, or both. “Misuse of encryption”, namely where a person uses encryption to conceal incriminating data, is also punishable by a fine, imprisonment, or both.
Guatemala
Law and policy
General right to encryption
No known legislation or policies.
Mandatory minimum or maximum encryption strength
No known legislation or policies.
Licensing/registration requirements
No known legislation or policies.
Import/export controls
No known legislation or policies.
Other restrictions
No known legislation or policies.
Obligations on individuals to assist authorities
No known legislation or policies.
Obligations on providers to assist authorities
No known legislation or policies.
Assessment Text Area
Guinea-Bissau
Law and policy
General right to encryption
No known legislation or policies.
Mandatory minimum or maximum encryption strength
No known legislation or policies.
Licensing/registration requirements
No known legislation or policies.
Import/export controls
No known legislation or policies.
Other restrictions
No known legislation or policies.
Obligations on individuals to assist authorities
No known legislation or policies.
Obligations on providers to assist authorities
No known legislation or policies.
Assessment Text Area
Guinea
Law and policy
General right to encryption
No known legislation or policies.
Mandatory minimum or maximum encryption strength
No known legislation or policies.
Licensing/registration requirements
No known legislation or policies.
Import/export controls
No known legislation or policies.
Other restrictions
No known legislation or policies.
Obligations on individuals to assist authorities
No known legislation or policies.
Obligations on providers to assist authorities
No known legislation or policies.
Assessment Text Area
Guyana
Assessment
Law and policy
General right to encryption
No known legislation or policies.
Mandatory minimum or maximum encryption strength
No known legislation or policies.
Licensing/registration requirements
No known legislation or policies.
Import/export controls
No known legislation or policies.
Other restrictions
No known legislation or policies.
Obligations on individuals to assist authorities
Section 4 of the Interception of Communications Act allows for certain authorised individuals to apply to a court for a warrant to intercept and record specified communications. Under section 12(1), if the authorised officers comes into the possession of a “protected communication”, or is likely to do so, and they have reasonable grounds to believe that (a) a key to the communication is in the possession of any person; and (b) disclosure of the key is necessary for the purposes of the investigations in relation to which the warrant was issued, they may apply to a court for a disclosure order requiring the person whom he believes to have possession of the key to provide disclosure in respect of the protected communication. The court making the order must take into account (a) the extent and nature of any protected communication, in addition to the intercepted communication, to which the key is also a key; and (b) any adverse effect that complying with the order might have on a business carried on by the person to whom the order is addressed, and shall require only such disclosure as is proportionate to what is sought to be achieved, allowing, where appropriate, for disclosure in such manner as would result in the putting of the communication in intelligible form other than by disclosure of the key itself.
Under section 13(1), the person to whom the disclosure order is addressed (a) shall be entitled to use any key in his possession to obtain access to the protected communication; and (b) in accordance with the order, shall disclose the protected communication in an intelligible form.
Failure to comply with a disclosure order is a criminal offence punishable by a fine of up to GYD 1,000,000, imprisonment of up to six months, or both.
A copy of the Interception of Communications Act can be found here.
Obligations on providers to assist authorities
Section 4 of the Interception of Communications Act allows for certain authorised individuals to apply to a court for a warrant to intercept and record specified communications. Under section 12(1), if the authorised officers comes into the possession of a “protected communication”, or is likely to do so, and they have reasonable grounds to believe that (a) a key to the communication is in the possession of any person; and (b) disclosure of the key is necessary for the purposes of the investigations in relation to which the warrant was issued, they may apply to a court for a disclosure order requiring the person whom he believes to have possession of the key to provide disclosure in respect of the protected communication. The court making the order must take into account (a) the extent and nature of any protected communication, in addition to the intercepted communication, to which the key is also a key; and (b) any adverse effect that complying with the order might have on a business carried on by the person to whom the order is addressed, and shall require only such disclosure as is proportionate to what is sought to be achieved, allowing, where appropriate, for disclosure in such manner as would result in the putting of the communication in intelligible form other than by disclosure of the key itself.
Under section 13(1), the person to whom the disclosure order is addressed (a) shall be entitled to use any key in his possession to obtain access to the protected communication; and (b) in accordance with the order, shall disclose the protected communication in an intelligible form.
Failure to comply with a disclosure order is a criminal offence punishable by a fine of up to GYD 1,000,000, imprisonment of up to six months, or both.
A copy of the Interception of Communications Act can be found here.
Assessment Text Area
There is currently no legislation regarding the general right to encryption, nor regulations on the strength of encryption technology, its licensing, or sale. Guyanese law does allow certain authorised individuals to apply for a warrant to intercept and record specified communications if they have reasonable grounds to believe that (a) a key to the communication is in the possession of any person; and (b) disclosure of the key is necessary for the purposes of the investigations. If these criteria are met, authorised individuals may apply to a court for a disclosure order. Failure to comply with a disclosure order is a criminal offence punishable by a fine, imprisonment, or both.
Haiti
Law and policy
General right to encryption
No known legislation or policies.
Mandatory minimum or maximum encryption strength
No known legislation or policies.
Licensing/registration requirements
No known legislation or policies.
Import/export controls
No known legislation or policies.
Obligations on providers to assist authorities
No known legislation or policies.
Obligations on individuals to assist authorities
No known legislation or policies.
Other restrictions
No known legislation or policies.
Assessment Text Area
Honduras
Law and policy
General right to encryption
No known legislation or policies.
Mandatory minimum or maximum encryption strength
No known legislation or policies.
Licensing/registration requirements
No known legislation or policies.
Import/export controls
No known legislation or policies.
Other restrictions
No known legislation or policies.
Obligations on individuals to assist authorities
No known legislation or policies.
Obligations on providers to assist authorities
No known legislation or policies.
Assessment Text Area
Hungary
Law and policy
General right to encryption
No known legislation or policies.
Mandatory minimum or maximum encryption strength
No known legislation or policies.
Licensing/registration requirements
No known legislation or policies.
Import/export controls
No known legislation or policies.
Other restrictions
No known legislation or policies.
Obligations on individuals to assist authorities
No known legislation or policies.
Obligations on providers to assist authorities
No known legislation or policies.
Assessment Text Area
Iceland
Law and policy
General right to encryption
No known legislation or policies.
Mandatory minimum or maximum encryption strength
No known legislation or policies.
Licensing/registration requirements
No known legislation or policies.
Import/export controls
No known legislation or policies.
Other restrictions
No known legislation or policies.
Obligations on individuals to assist authorities
No known legislation or policies.
Obligations on providers to assist authorities
No known legislation or policies.
Assessment Text Area
India
Assessment
Law and policy
General right to encryption
No known legislation or policies.
Mandatory minimum or maximum encryption strength
Section 84A of the Information Technology Act 2000 allows the government to set nationally permitted “modes or methods” for encryption, however no such modes or methods have been prescribed.
A copy of the law can be found here.
Licensing/registration requirements
No known legislation or policies.
Import/export controls
No known legislation or policies.
Other restrictions
No known legislation or policies.
Obligations on individuals to assist authorities
No known legislation or policies.
Obligations on providers to assist authorities
Section 69 of the Information Technology Act 2000, as amended by the Information Technology (Amendment) Act 2008, gives the central and state governments the power to direct any agency to intercept, monitor or decrypt, or cause to be intercepted, monitored or decrypted any information transmitted, received or stored through any computer resources. The government must be satisfied that “it is necessary or expedient to do so in the interest of the sovereignty or integrity of India, defense of India, security of the State, friendly relations with foreign States or public order or for preventing incitement to the commission of any cognizable offence relating to above or for investigation of any offence”. In consequence, the agency may required any “subscriber or intermediary or any person in charge of the computer resource” to “extend all facilities and technical assistance” necessary to decrypt the information.
Failure to do so is a criminal offence punishable by up to seven years’ imprisonment, a fine, or both.
A copy of the law can be found here.
Assessment Text Area
Limitations exist on the use of strong encryption in India as internet service providers may not deploy “bulk encryption” on their networks, and users cannot use encryption with greater 40-bit key length without prior permission. The law provides central and state governments the power to direct any agency to intercept, monitor or decrypt, or cause to be intercepted, monitored or decrypted any information transmitted, received or stored through any computer resources and requires any “subscriber or intermediaries” to provide technical assistance necessary to decrypt information, without adequate safeguards. Failure to do so is a criminal offence punishable by imprisonment, a fine, or both.
Indonesia
Law and policy
General right to encryption
No known legislation or policies.
Mandatory minimum or maximum encryption strength
No known legislation or policies.
Licensing/registration requirements
No known legislation or policies.
Import/export controls
No known legislation or policies.
Other restrictions
No known legislation or policies.
Obligations on individuals to assist authorities
No known legislation or policies.
Obligations on providers to assist authorities
No known legislation or policies.
Assessment Text Area
Iran
Assessment
Law and policy
General right to encryption
No known legislation or policies.
Mandatory minimum or maximum encryption strength
No known legislation or policies.
Licensing/registration requirements
No known legislation or policies.
Import/export controls
No known legislation or policies.
Other restrictions
Article 10 of the Law on Computer Crime Law provides for a criminal offence of “concealing data, changing passwords, or encrypting data that prevents access of authorised individuals to data, computer and telecommunication systems”.
The offence is punishable by imprisonment of between 91 days and one year or a fine of between between IRR 5,000,000 and IRR 20,000,000.
A copy of the law (in Farsi) can be found here.
Obligations on individuals to assist authorities
No known legislation or policies.
Obligations on providers to assist authorities
No known legislation or policies.
Assessment Text Area
In Iran, using encryption that prevents access of authorised individuals to data, computer and telecommunication systems is a crime punishable by imprisonment or a fine.
Iraq
Law and policy
General right to encryption
No known legislation or policies.
Mandatory minimum or maximum encryption strength
No known legislation or policies.
Licensing/registration requirements
No known legislation or policies.
Import/export controls
No known legislation or policies.
Other restrictions
No known legislation or policies.
Obligations on individuals to assist authorities
No known legislation or policies.
Obligations on providers to assist authorities
No known legislation or policies.
Assessment Text Area
Ireland
Assessment
Law and policy
General right to encryption
No known legislation or policies.
Mandatory minimum or maximum encryption strength
No known legislation or policies.
Licensing/registration requirements
No known legislation or policies.
Import/export controls
No known legislation or policies.
Other restrictions
No known legislation or policies.
Obligations on individuals to assist authorities
Section 27 of the Electronic Commerce Act, 2000 allows a District Court to issue a search warrant in respect of a particular place and persons found at that place, where it is satisfied that there are reasonable grounds for suspecting that evidence of or relating to an offence under the Act is to be found there. Such warrants authorised any named officers to, among other things, enter the place, search it and persons there, and seize anything found which the officer reasonably believes to be evidence of or relating to an offence under the Act. Where the thing seized is or contains information or an electronic communication that cannot readily be accessed or put into intelligible form, the officer can require the disclosure of the information or electronic communication in intelligible form. Section 28, however, provides that this does not include “disclosure or enabling the seizure of unique data, such as codes, passwords, algorithms, private cryptographic keys, or other data, that may be necessary to render information or an electronic communication intelligible”.
Failure to comply with a requirement under section 27 is a criminal offence punishable by imprisonment of up to 12 months, a fine, or both.
Section 7(1) of the Criminal Justice (Offences Relating to Information Systems) Act 2017 provides that a judge of the District Court, if “satisfied by information on oath of a member that there are reasonable grounds for suspecting that evidence of, or relating to, the commission of a relevant offence is to be found in any place”, may issue a warrant for the search of that place and any persons found at that place.
Under section 7(4), a person acting under authority of such a search warrant may operate any computer at the place that is being searched (or cause any such computer to be operated by another person). It further provides that they may require any other person at that place who appears to them to have lawful access to the information in any such computer (i) to give to them any password necessary to operate it and any encryption key or code necessary to unencrypt the information accessible by the computer, (ii) to enable them to examine the information accessible by the computer in a form in which the information is visible and legible, or (iii) to produce the information in a form in which it can be removed and in which it is, or can be made, visible and legible.
Under sections 7(7) and 8(3), failure to comply with such a requirement is a criminal offence punishable with a class A fine or imprisonment for a term not exceeding 12 months, or both.
A copy of the Electronic Commerce Act, 2000 can be found here.
A copy of the Criminal Justice (Offences Relating to Information Systems) Act 2017 can be found here.
Obligations on providers to assist authorities
No known legislation or policies.
Assessment Text Area
In Ireland, officers with a search warrant are able to access require the disclosure of the information or electronic communication in intelligible form. This includes the ability to require any other person who has lawful access to the information to provide the ability to decrypt it. Failure to comply is a punishable offence.
Israel
Assessment
Law and policy
General right to encryption
No known legislation or policies.
Mandatory minimum or maximum encryption strength
No known legislation or policies.
Licensing/registration requirements
Section 2 of the Order Regarding the Engagement in Encryption Items – 1974 (5734) prohibits organisations and individuals from engaging in encryption-related items unless they have a licence to do so from the Director-General at the Ministry of Defence. Section 3(d) of the Order does, however, grant the Director-General the power to declare certain encryption items as “free means” meaning that no licence is required.
A copy of the Order can be found here.
Import/export controls
Section 2 of the Order Regarding the Engagement in Encryption Items – 1974 (5734) prohibits organisations and individuals from engaging in encryption-related items unless they have a licence to do so from the Director-General at the Ministry of Defence. The definition of “engagement” includes importing and exporting items. Section 3(d) of the Order does, however, grant the Director-General the power to declare certain encryption items as “free means” meaning that no licence is required.
A copy of the Order can be found here.
Other restrictions
No known legislation or policies.
Obligations on individuals to assist authorities
No known legislation or policies.
Obligations on providers to assist authorities
No known legislation or policies.
Assessment Text Area
In Israel, organisations and individuals are prohibited from engaging in encryption-related items, including importing or exporting them unless they have a licence to do so from the Director-General at the Ministry of Defence.
Italy
Law and policy
General right to encryption
No known legislation or policies.
Mandatory minimum or maximum encryption strength
No known legislation or policies.
Licensing/registration requirements
No known legislation or policies.
Import/export controls
No known legislation or policies.
Other restrictions
No known legislation or policies.
Obligations on individuals to assist authorities
No known legislation or policies.
Obligations on providers to assist authorities
No known legislation or policies.
Assessment Text Area
Jamaica
Assessment
Law and policy
General right to encryption
No known legislation or policies.
Mandatory minimum or maximum encryption strength
No known legislation or policies.
Licensing/registration requirements
No known legislation or policies.
Import/export controls
No known legislation or policies.
Other restrictions
No known legislation or policies.
Obligations on individuals to assist authorities
Sections 12 and 13 of the Interception of Communications Act allow for the police, after obtaining a “disclosure order” from a magistrate, to require persons who are in possession of a key to decrypt data to provide the decrypted data in an intelligible form or to provide the key.
Failure to comply with a disclosure order is punishable with up to six months’ imprisonment and/or a fine of JMD 500,000.
A copy of the law can be found here.
Obligations on providers to assist authorities
Sections 12 and 13 of the Interception of Communications Act allow for the police, after obtaining a “disclosure order” from a magistrate, to require persons who are in possession of a key to decrypt data to provide the decrypted data in an intelligible form or to provide the key.
Failure to comply with a disclosure order is punishable with up to six months’ imprisonment and/or a fine of JMD 500,000.
A copy of the law can be found here.
Assessment Text Area
In Jamaica, law enforcement officers are about to require persons who are in possession of a key to decrypt data to provide the decrypted data in an intelligible form or to provide the key subject to obtaining a “disclosure order” from a magistrate. Failure to comply is an offence punishable by imprisonment, a fine, or both.
Japan
Assessment
Law and policy
General right to encryption
The second paragraph of Article 21 of the Constitution of Japan provides that “No censorship shall be maintained, nor shall the secrecy of any means of communication be violated.”
A copy of the Constitution can be found here.
Mandatory minimum or maximum encryption strength
No known legislation or policies.
Licensing/registration requirements
No known legislation or policies.
Import/export controls
No known legislation or policies.
Other restrictions
No known legislation or policies.
Obligations on individuals to assist authorities
The second paragraph of Article 21 of the Constitution of Japan provides that “No censorship shall be maintained, nor shall the secrecy of any means of communication be violated.”
A copy of the Constitution can be found here.
Obligations on providers to assist authorities
Article 111-2 of the Criminal Procedure Code provides that where an article is seized pursuant to a search or seizure order is a “recording medium pertaining to electromagnetic records”, the person executing the search or seizure order may ask a person subject to the order to operate the computer or for some other form of cooperation. This could include the decryption of encrypted electronic records.
Articles 99-2 and 218 of the Criminal Procedure Code provides that a court may order the custodian of electronic records, or a person with authority to use them, to record the necessary records onto a recording medium, or to print them out, and to seize the recording medium. The term “to record” could include the decryption of any encrypted electronic records.
Article 11 of the Act on the Interception of Communications for Criminal Investigations (Act No. 137 of Heisei 11) allows a public prosecutor or a judicial police officer to request a telecommunications service provider to install interception equipment and provide any other necessary cooperation in relation to conducting interception. Although the Act states that a telecommunications service provider should not refuse such a request without a justifiable reason, it does not set out any penalty for failure to comply. Telecommunications service providers are not, however, required to develop systems or software allowing them to decrypt communications. Article 13(2) of the Act provides that where intercepted communications are encrypted, law enforcement officers can record them and attempt to decrypt them later. Article 197(2) of the Criminal Procedure Code provides that private enterprises can be requested to assist in investigations generally, which could include decrypting encrypted communications.
A copy of the Criminal Procedure Code can be found (in Japanese) here and an English translation can be found here.
A copy of the Act on the Interception of Communications for Criminal Investigations (in Japanese) can be found here.
Assessment Text Area
In Japan, the constitution guarantees a general right to encryption. However, a court may order specified persons with a key to decrypt encrypted data to decrypt encrypted electronic records. Additionally, the law allows a public prosecutor or a judicial police officer to request a telecommunications service provider to install interception equipment and provide any other necessary cooperation in relation to conducting interception. Telecommunications service providers are not, however, required to develop systems or software allowing them to decrypt communications. Where intercepted communications are encrypted, law enforcement officers can record them and attempt to decrypt them later. Private enterprises can be requested to assist in investigations generally, which could include decrypting encrypted communications.
Jordan
Law and policy
General right to encryption
No known legislation or policies.
Mandatory minimum or maximum encryption strength
No known legislation or policies.
Licensing/registration requirements
No known legislation or policies.
Import/export controls
No known legislation or policies.
Other restrictions
No known legislation or policies.
Obligations on individuals to assist authorities
No known legislation or policies.
Obligations on providers to assist authorities
No known legislation or policies.
Assessment Text Area
Kazakhstan
Assessment
Law and policy
General right to encryption
No known legislation or policies.
Mandatory minimum or maximum encryption strength
No known legislation or policies.
Licensing/registration requirements
No known legislation or policies.
Import/export controls
No known legislation or policies.
Other restrictions
No known legislation or policies.
Obligations on individuals to assist authorities
Regulations made under the Law on Communications require every internet user in the country to install a backdoor, allowing the government to conduct surveillance. KazakhTelecom, the country’s largest telecommunications company, has said that citizens are “obliged” to install a “national security certificate” on every device, including desktops and mobile devices. This allows the government to conduct a so-called “man-in-the-middle” attack, which allows the government to intercept every secure connection in the country and see web browsing history, usernames and passwords, and even secure and HTTPS-encrypted traffic.
Obligations on providers to assist authorities
Regulations made under the Law on Communications require every internet user in the country to install a backdoor, allowing the government to conduct surveillance. KazakhTelecom, the country’s largest telecommunications company, has said that citizens are “obliged” to install a “national security certificate” on every device, including desktops and mobile devices. This allows the government to conduct a so-called “man-in-the-middle” attack, which allows the government to intercept every secure connection in the country and see web browsing history, usernames and passwords, and even secure and HTTPS-encrypted traffic.
Assessment Text Area
Regulations in Kazakhstan require every internet user in the country to install a backdoor, allowing the government to conduct surveillance and to intercept communications. This allows the government to access web browsing history, usernames and passwords, and even secure and HTTPS-encrypted traffic.
Kenya
Law and policy
General right to encryption
No known legislation or policies.
Mandatory minimum or maximum encryption strength
No known legislation or policies.
Licensing/registration requirements
No known legislation or policies.
Import/export controls
No known legislation or policies.
Other restrictions
No known legislation or policies.
Obligations on individuals to assist authorities
No known legislation or policies.
Obligations on providers to assist authorities
No known legislation or policies.
Assessment Text Area
Kiribati
Assessment
Law and policy
General right to encryption
No known legislation or policies.
Mandatory minimum or maximum encryption strength
No known legislation or policies.
Licensing/registration requirements
No known legislation or policies.
Import/export controls
No known legislation or policies.
Other restrictions
No known legislation or policies.
Obligations on individuals to assist authorities
Section 87(5) of the Communications Act 2013 provides that where the Communications Commission believes that a person that a person is in possession of data stored in a computer system or computer-data storage medium, and that data is necessary to investigate a breach of the Act, the Commission may, by written notice to that person, require them to access the computer system or computer-data storage medium; seize or similarly secure the computer system or computer-data storage medium; maintain the integrity of the relevant stored computer data; and render inaccessible or remove that data from the computer system.
A copy of the Communications Act 2013 can be found here.
Obligations on providers to assist authorities
Section 87(1) of the Communications Act 2013 requires licensed communications network and service providers, as well as individuals engaged in their operation or provision, to intercept or disclose messages and communications, but only pursuant to a warrant issued by a court in connection with a criminal investigation or criminal proceedings. Under section 87(2), they also have to ensure that any communications networks and services are capable of such interception and “shall facilitate such interception as reasonably directed by the police or other services directly employed by the State for national security”.
A copy of the Communications Act 2013 can be found here.
Assessment Text Area
The law in Kirbati requires that communications providers ensure that their networks and services are capable of interception and provides for those with a warrant to carry out such interception, as well as to compel those in possession of a passcode or ability to access encrypted data to provide access, as long as it doesn’t risk the integrity of the system.
Kuwait
Law and policy
General right to encryption
No known legislation or policies.
Mandatory minimum or maximum encryption strength
No known legislation or policies.
Licensing/registration requirements
No known legislation or policies.
Import/export controls
No known legislation or policies.
Other restrictions
No known legislation or policies.
Obligations on individuals to assist authorities
No known legislation or policies.
Obligations on providers to assist authorities
No known legislation or policies.
Assessment Text Area
Kyrgyzstan
Law and policy
General right to encryption
No known legislation or policies.
Mandatory minimum or maximum encryption strength
No known legislation or policies.
Licensing/registration requirements
No known legislation or policies.
Import/export controls
No known legislation or policies.
Other restrictions
No known legislation or policies.
Obligations on individuals to assist authorities
No known legislation or policies.
Obligations on providers to assist authorities
No known legislation or policies.
Assessment Text Area
Laos
Law and policy
General right to encryption
No known legislation or policies.
Mandatory minimum or maximum encryption strength
No known legislation or policies.
Licensing/registration requirements
No known legislation or policies.
Import/export controls
No known legislation or policies.
Other restrictions
No known legislation or policies.
Obligations on individuals to assist authorities
No known legislation or policies.
Obligations on providers to assist authorities
No known legislation or policies.
Assessment Text Area
Latvia
Law and policy
General right to encryption
No known legislation or policies.
Mandatory minimum or maximum encryption strength
No known legislation or policies.
Licensing/registration requirements
No known legislation or policies.
Import/export controls
No known legislation or policies.
Other restrictions
No known legislation or policies.
Obligations on individuals to assist authorities
No known legislation or policies.
Obligations on providers to assist authorities
No known legislation or policies.
Assessment Text Area
Lebanon
Assessment
Law and policy
General right to encryption
No known legislation or policies.
Mandatory minimum or maximum encryption strength
No known legislation or policies.
Licensing/registration requirements
No known legislation or policies.
Import/export controls
No known legislation or policies.
Other restrictions
No known legislation or policies.
Obligations on individuals to assist authorities
No known legislation or policies.
Obligations on providers to assist authorities
Article 9 of Law No. 140/99 provides that the Minister of the Interior and the Minister of Defence can ask the Prime Minister for authorisation to intercept communications for the purposes of “combating terrorism, crimes against state security, and organised crime”. Article 10 of the law requires the public and private sectors “to assist in the implementation” of any order. Although it does not mention it explicitly, this could include decrypting encrypted communications.
Assessment Text Area
In Lebanon, the Prime Minister is able to grant the Minister of the Interior and the Minister of Defence authorisation to intercept communications for the purposes of “combating terrorism, crimes against state security, and organised crime”. The public and private sectors to assist in the implementation of any order, which could include decrypting encrypted communications.
Lesotho
Law and policy
General right to encryption
No known legislation or policies.
Mandatory minimum or maximum encryption strength
No known legislation or policies.
Licensing/registration requirements
No known legislation or policies.
Import/export controls
No known legislation or policies.
Other restrictions
No known legislation or policies.
Obligations on individuals to assist authorities
No known legislation or policies.
Obligations on providers to assist authorities
No known legislation or policies.
Assessment Text Area
Liberia
Assessment
Law and policy
General right to encryption
No known legislation or policies.
Mandatory minimum or maximum encryption strength
No known legislation or policies.
Licensing/registration requirements
No known legislation or policies.
Import/export controls
No known legislation or policies.
Other restrictions
No known legislation or policies.
Obligations on individuals to assist authorities
Section 79 of the Telecommunications Act 2007 provides that the Liberia Telecommunications Authority “shall collaborate with the appropriate government agency or ministry, for the purposes of exercising its responsibilities, functions and powers under this Act” and shall have the power, among other things, to require the production of documents and information, search premises and seize documents (subject to obtaining any necessary warrant), and “require the disclosure of technical information or the provision of technical assistance, particularly in connection with the functioning of telecommunications equipment or systems”. It is not clear whether this would extend to decrypting encrypted information or providing decryption keys.
A copy of the Telecommunications Act 2007 can be found here.
Obligations on providers to assist authorities
Section 79 of the Telecommunications Act 2007 provides that the Liberia Telecommunications Authority “shall collaborate with the appropriate government agency or ministry, for the purposes of exercising its responsibilities, functions and powers under this Act” and shall have the power, among other things, to require the production of documents and information, search premises and seize documents (subject to obtaining any necessary warrant), and “require the disclosure of technical information or the provision of technical assistance, particularly in connection with the functioning of telecommunications equipment or systems”. It is not clear whether this would extend to decrypting encrypted information or providing decryption keys.
A copy of the Telecommunications Act 2007 can be found here.
Assessment Text Area
There is currently no legislation regarding the general right to encryption, nor regulations on the strength of encryption technology, its licensing, or sale. Under Liberian law, the country’s telecommunications authority must collaborate with government agencies and is authorised to “search remises and seize documents” and “require the disclosure of technical information or the provision of technical assistance, particularly in connection with the functioning of telecommunications equipment or systems” It is not clear whether this would extend to decrypting encrypted information or providing decryption keys.
Libya
Law and policy
General right to encryption
No known legislation or policies.
Mandatory minimum or maximum encryption strength
No known legislation or policies.
Licensing/registration requirements
No known legislation or policies.
Import/export controls
No known legislation or policies.
Other restrictions
No known legislation or policies.
Obligations on individuals to assist authorities
No known legislation or policies.
Obligations on providers to assist authorities
No known legislation or policies.
Assessment Text Area
Liechtenstein
Law and policy
General right to encryption
No known legislation or policies.
Mandatory minimum or maximum encryption strength
No known legislation or policies.
Licensing/registration requirements
No known legislation or policies.
Import/export controls
No known legislation or policies.
Other restrictions
No known legislation or policies.
Obligations on individuals to assist authorities
No known legislation or policies.
Obligations on providers to assist authorities
No known legislation or policies.
Assessment Text Area
Lithuania
Law and policy
General right to encryption
No known legislation or policies.
Mandatory minimum or maximum encryption strength
No known legislation or policies.
Licensing/registration requirements
No known legislation or policies.
Import/export controls
No known legislation or policies.
Other restrictions
No known legislation or policies.
Obligations on individuals to assist authorities
No known legislation or policies.
Obligations on providers to assist authorities
No known legislation or policies.
Assessment Text Area
Luxembourg
Assessment
Law and policy
General right to encryption
Article 3 of the Law of 14 August 2000 on Electronic Commerce provides that “The use of cryptographic techniques is free.”
A copy of the law (in French) can be found here.
Mandatory minimum or maximum encryption strength
No known legislation or policies.
Licensing/registration requirements
No known legislation or policies.
Import/export controls
No known legislation or policies.
Other restrictions
No known legislation or policies.
Obligations on individuals to assist authorities
Article 66(4) of the Code of Criminal Procedure provides that an investigating judge may require a person – other than the subject of the person to whom a direction relates – who has knowledge of encryption mechanisms to provide access to a particular system, to data entered into or accessible from the system, and understanding of protected or encrypted data.
A copy of the Code of Criminal Procedure (in French) can be found here.
Obligations on providers to assist authorities
Article 66(4) of the Code of Criminal Procedure provides that an investigating judge may require a person – other than the subject of the person to whom a direction relates – who has knowledge of encryption mechanisms to provide access to a particular system, to data entered into or accessible from the system, and understanding of protected or encrypted data.
A copy of the Code of Criminal Procedure (in French) can be found here.
Assessment Text Area
In Luxembourg an investigating judge may require anyone who has knowledge of encryption mechanisms to provide access to a particular system, to data entered into or accessible from the system, and understanding of protected or encrypted data.
Macedonia
Law and policy
General right to encryption
No known legislation or policies.
Mandatory minimum or maximum encryption strength
No known legislation or policies.
Licensing/registration requirements
No known legislation or policies.
Import/export controls
No known legislation or policies.
Other restrictions
No known legislation or policies.
Obligations on individuals to assist authorities
No known legislation or policies.
Obligations on providers to assist authorities
No known legislation or policies.
Assessment Text Area
Madagascar
Law and policy
General right to encryption
No known legislation or policies.
Mandatory minimum or maximum encryption strength
No known legislation or policies.
Licensing/registration requirements
No known legislation or policies.
Import/export controls
No known legislation or policies.
Other restrictions
No known legislation or policies.
Obligations on individuals to assist authorities
No known legislation or policies.
Obligations on providers to assist authorities
No known legislation or policies.
Assessment Text Area
Malawi
Assessment
Law and policy
General right to encryption
Section 52(4) of the Electronic Transactions and Cyber Security Act, 2016 provides that, subject to any regulations made the Act, it is lawful for any person to use encryption programme or product provided that it has lawfully come into possession of that person.
A copy of the law can be found here.
Mandatory minimum or maximum encryption strength
No known legislation or policies.
Licensing/registration requirements
Section 54(1) of the Electronic Transactions and Cyber Security Act, 2016 prohibits the provision of cryptography services or products without registration. Applications must be made to the Malawi Communications Regulatory Authority (s.54(2)). The government must issue regulations (a) in respect of use, importation and exportation of encryption programmes and encryption products; and (b) prohibiting the exportation of encryption programmes or other encryption products from Malawi generally or subject to such restrictions as may be prescribed (s.54(3)).
Section 67(1) further requires a person who provides encryption services to declare to the Malawi Communications Regulatory Authority “the technical characteristics of the encryption means as well as the source code of the software used”. The government must issue regulations defining the conditions for such declarations and “may define encryption services whose technical characteristics or conditions of supply are such that, with regard to national defence or internal security interests, their provision shall not require any prior formality” (s. 67(2)).
Violation of either of these provisions is a criminal offence punishable by up to seven years’ imprisonment and a fine of MWK 5,000,000.
A copy of the law can be found here.
Import/export controls
Section 54(1) of the Electronic Transactions and Cyber Security Act, 2016 prohibits the provision of cryptography services or products without registration. Applications must be made to the Malawi Communications Regulatory Authority (s.54(2)). The government must issue regulations (a) in respect of use, importation and exportation of encryption programmes and encryption products; and (b) prohibiting the exportation of encryption programmes or other encryption products from Malawi generally or subject to such restrictions as may be prescribed.
A copy of the law can be found here.
Other restrictions
No known legislation or policies.
Obligations on individuals to assist authorities
No known legislation or policies.
Obligations on providers to assist authorities
No known legislation or policies.
Assessment Text Area
In Malawi, cryptography services or products must be registered and as such, the use, importation and exportation of encryption programmes and encryption products is subject to authorisation by the government. Violation of these regulations is a criminal offence punishable by up by imprisonment and a fine.
Malaysia
Assessment
Law and policy
General right to encryption
No known legislation or policies.
Mandatory minimum or maximum encryption strength
No known legislation or policies.
Licensing/registration requirements
No known legislation or policies.
Import/export controls
Sections 7 and 9 of the Strategic Trade Act 2010 prohibit the import and export of strategic goods and technology as determined by the Minister of International Trade and Industry. The Minister’s determination includes certain forms of encryption technology.
A copy of the law can be found here.
A copy of the list of strategic goods and technology can be found here.
Other restrictions
No known legislation or policies.
Obligations on individuals to assist authorities
Section 116B(1) of the Criminal Procedure Code (Act 593) requires a police officer conducting a search under the Code to be given access to computerised data whether stored in a computer or otherwise. “Access” includes “being provided with the necessary password, encryption code, decryption code, software or hardware and any other means required to enable comprehension of the computerized data” (s. 116B(3)).
A copy of the Criminal Procedure Code can be found here.
Section 10(1)(c) of the Computer Crimes Act 1997 (Act 563) allows a police officer, upon obtaining a warrant from a magistrate, to require any information contained in a computer and accessible from the premises to be produced in a form in which it can be taken away and in which it is visible and legible.
Failure to comply is a criminal offence punishable by up to three years’ imprisonment and/or a fine of up to MYR 25,000.
A copy of the law can be found here.
Section 79(1) of the Digital Signature Act 1997 (Act 562) requires that a police officer conducting a search under section 77 or 78 of the Act, or an authorised officer conducting a search under section 77 of the Act, be given access to computerised data whether stored in a computer or otherwise. “Access” includes “being provided with the necessary password, encryption code, decryption code, software or hardware and any other means required to enable comprehension of computerized data” (s.79(2)).
Failure to comply is a criminal offence punishable by imprisonment for up to four years and/or a fine of up to MYR 200,000.
A copy of the law can be found here.
Section 249(1) of the Communications and Multimedia Act 1998 (Act 588) requires that a police officer conducting a search under section 247 or 248 of the Act, or an authorised officer conducting a search under section 247 of the Act, be given access to computerised data whether stored in a computer or otherwise. “Access” includes “being provided with the necessary password, encryption code, decryption code, software or hardware and any other means required to enable comprehension of computerized data” (s.79(2)).
Failure to comply is a criminal offence punishable by imprisonment for up to six months years and/or a fine of up to MYR 20,000.
A copy of the law can be found here.
Section 32(1) of the Anti-Trafficking in Persons and Anti-Smuggling of Migrants Act 2007 (Act 670) requires that an enforcement officer conducting a search under the Act be given access to computerised data whether stored in a computer or otherwise. “Access” includes “being provided with the necessary password, encryption code, decryption code, software or hardware and any other means required to enable comprehension of computerized data” (s.32(2)).
Failure to comply is a criminal offence punishable by imprisonment for up to three years and/or a fine of up to MYR 150,000.
A copy of the law can be found here.
Section 32(1) of the Strategic Trade Act 2010 requires that an enforcement officer conducting a search under the Act be given access to computerised data whether stored in a computer or otherwise. “Access” includes “being provided with the necessary password, encryption code, decryption code, software or hardware and any other means required to enable comprehension of the computerized data” (s.32(2)).
Failure to comply is a criminal offence punishable by imprisonment for up to five years and/or a fine of up to MYR 5,000,000.
A copy of the law can be found here.
Obligations on providers to assist authorities
Section 116B(1) of the Criminal Procedure Code (Act 593) requires a police officer conducting a search under the Code to be given access to computerised data whether stored in a computer or otherwise. “Access” includes “being provided with the necessary password, encryption code, decryption code, software or hardware and any other means required to enable comprehension of the computerized data” (s. 116B(3)).
A copy of the Criminal Procedure Code can be found here.
Section 10(1)(c) of the Computer Crimes Act 1997 (Act 563) allows a police officer, upon obtaining a warrant from a magistrate, to require any information contained in a computer and accessible from the premises to be produced in a form in which it can be taken away and in which it is visible and legible.
Failure to comply is a criminal offence punishable by up to three years’ imprisonment and/or a fine of up to MYR 25,000.
A copy of the law can be found here.
Section 79(1) of the Digital Signature Act 1997 (Act 562) requires that a police officer conducting a search under section 77 or 78 of the Act, or an authorised officer conducting a search under section 77 of the Act, be given access to computerised data whether stored in a computer or otherwise. “Access” includes “being provided with the necessary password, encryption code, decryption code, software or hardware and any other means required to enable comprehension of computerized data” (s.79(2)).
Failure to comply is a criminal offence punishable by imprisonment for up to four years and/or a fine of up to MYR 200,000.
A copy of the law can be found here.
Section 249(1) of the Communications and Multimedia Act 1998 (Act 588) requires that a police officer conducting a search under section 247 or 248 of the Act, or an authorised officer conducting a search under section 247 of the Act, be given access to computerised data whether stored in a computer or otherwise. “Access” includes “being provided with the necessary password, encryption code, decryption code, software or hardware and any other means required to enable comprehension of computerized data” (s.249(2)).
Failure to comply is a criminal offence punishable by imprisonment for up to six months years and/or a fine of up to MYR 20,000.
A copy of the law can be found here.
Section 32(1) of the Anti-Trafficking in Persons and Anti-Smuggling of Migrants Act 2007 (Act 670) requires that an enforcement officer conducting a search under the Act be given access to computerised data whether stored in a computer or otherwise. “Access” includes “being provided with the necessary password, encryption code, decryption code, software or hardware and any other means required to enable comprehension of computerized data” (s.32(2)).
Failure to comply is a criminal offence punishable by imprisonment for up to three years and/or a fine of up to MYR 150,000.
A copy of the law can be found here.
Section 32(1) of the of the Strategic Trade Act 2010 requires that an enforcement officer conducting a search under the Act be given access to computerised data whether stored in a computer or otherwise. “Access” includes “being provided with the necessary password, encryption code, decryption code, software or hardware and any other means required to enable comprehension of the computerized data” (s.32(2)).
Failure to comply is a criminal offence punishable by imprisonment for up to five years and/or a fine of up to MYR 5,000,000.
A copy of the law can be found here.
Assessment Text Area
The law in Malaysia provides police officers with a warrant from a magistrate with the power to be given access to encrypted data, including through the provision of a “necessary password, encryption code, decryption code, software or hardware and any other means required to enable comprehension of the computerised data”. Failure to comply is an offence punishable by imprisonment or a fine. The law also requires the import and export of certain types of encryption technology to be approved by the Minister of International Trade and Industry.
Maldives
Law and policy
General right to encryption
No known legislation or policies.
Mandatory minimum or maximum encryption strength
No known legislation or policies.
Licensing/registration requirements
No known legislation or policies.
Import/export controls
No known legislation or policies.
Other restrictions
No known legislation or policies.
Obligations on individuals to assist authorities
No known legislation or policies.
Obligations on providers to assist authorities
No known legislation or policies.
Assessment Text Area
Mali
Law and policy
General right to encryption
No known legislation or policies.
Mandatory minimum or maximum encryption strength
No known legislation or policies.
Licensing/registration requirements
No known legislation or policies.
Import/export controls
No known legislation or policies.
Other restrictions
No known legislation or policies.
Obligations on individuals to assist authorities
No known legislation or policies.
Obligations on providers to assist authorities
No known legislation or policies.
Assessment Text Area
Malta
Assessment
Law and policy
General right to encryption
No known legislation or policies.
Mandatory minimum or maximum encryption strength
No known legislation or policies.
Licensing/registration requirements
No known legislation or policies.
Import/export controls
No known legislation or policies.
Other restrictions
Article 23(7) of the Electronic Commerce Act provides that no person shall use cryptographic or other similar techniques for any illegal purpose.
Doing so is an offence punishable by imprisonment of up to two years and/or a fine of up to €250,000 (s. 24).
A copy of the law can be found here.
Obligations on individuals to assist authorities
Section 355Q of the Criminal Code provides that the police may, in addition to the power of seizing a computer machine, require any information which is contained in a computer to be delivered in a form in which it can be taken away and in which it is visible and legible.
A copy of the Criminal Code can be found here.
Obligations on providers to assist authorities
Section 355Q of the Criminal Code provides that the police may, in addition to the power of seizing a computer machine, require any information which is contained in a computer to be delivered in a form in which it can be taken away and in which it is visible and legible.
A copy of the Criminal Code can be found here.
Assessment Text Area
The law in Malta empowers the police to seize a computer/machine in the course of an investigation and to require encrypted information to be decrypted by the person in possession of the passcode. It also makes the use of encryption for any illegal purpose punishable by imprisonment and/or a fine.
Marshall Islands
Law and policy
General right to encryption
No known legislation or policies.
Mandatory minimum or maximum encryption strength
No known legislation or policies.
Licensing/registration requirements
No known legislation or policies.
Import/export controls
No known legislation or policies.
Other restrictions
No known legislation or policies.
Obligations on individuals to assist authorities
No known legislation or policies.
Obligations on providers to assist authorities
No known legislation or policies.
Assessment Text Area
Mauritania
Law and policy
General right to encryption
No known legislation or policies.
Mandatory minimum or maximum encryption strength
No known legislation or policies.
Licensing/registration requirements
No known legislation or policies.
Import/export controls
No known legislation or policies.
Other restrictions
No known legislation or policies.
Obligations on individuals to assist authorities
No known legislation or policies.
Obligations on providers to assist authorities
No known legislation or policies.
Assessment Text Area
Mauritius
Assessment
Law and policy
General right to encryption
No known legislation or policies.
Mandatory minimum or maximum encryption strength
No known legislation or policies.
Licensing/registration requirements
No known legislation or policies.
Import/export controls
No known legislation or policies.
Other restrictions
No known legislation or policies.
Obligations on individuals to assist authorities
Section 13 of the Computer Misuse and Cybercrime Act 2003 allows certain authorised individuals, when required for the purpose of a criminal investigation or the prosecution of an offence, to apply to a judge for an order compelling “any person to submit specified data in that person’s possession or control, which is stored in a computer system”. Moreover, “where any material to which an investigation relates consists of data stored in a computer, disc, cassette, or on microfilm, or preserved by any mechanical or electronic device, the request shall shall be deemed to require the person to produce or give access to it in a form in which it can be taken away and in which it is visible and legible”.
A copy of the Computer Misuse and Cybercrime Act 2003 can be found here.
Obligations on providers to assist authorities
Section 12 of the Computer Misuse and Cybercrime Act 2003 allows certain authorised individuals, for the purposes of a criminal investigation or the prosecution of an offence, to apply to a judge for an order for the disclosure of preserved data. This order may require the disclosure of “(a) all preserved data, irrespective of whether one or more service providers were involved in the transmission of such data; (b) sufficient data to identify the service providers and the path through which the data was transmitted; or (c) electronic key enabling access to or the interpretation of data”.
Section 13 of the Computer Misuse and Cybercrime Act 2003 allows certain authorised individuals, when required for the purpose of a criminal investigation or the prosecution of an offence, to apply to a judge for an order compelling “any person to submit specified data in that person’s possession or control, which is stored in a computer system”. Moreover, “where any material to which an investigation relates consists of data stored in a computer, disc, cassette, or on microfilm, or preserved by any mechanical or electronic device, the request shall shall be deemed to require the person to produce or give access to it in a form in which it can be taken away and in which it is visible and legible”.
A copy of the Computer Misuse and Cybercrime Act 2003 can be found here.
Assessment Text Area
There is currently no legislation regarding the general right to encryption, nor regulations on the strength of encryption technology, its licensing, or sale. Under the country’s Computer Misuse and Cybercrime Act, certain authorised individuals may apply to a judge for an order for the disclosure of preserved data for the purposes of a criminal investigation or the prosecution of an offence. The order can require “any person to submit specified data in that person’s possession or control, which is stored in a computer system” and where necessary, “produce or give access” to such data “…in a form in which it can be taken away and in which it is visible and legible”. It is not clear whether this would extend to decrypting encrypted information or providing decryption keys.
Mexico
Law and policy
General right to encryption
No known legislation or policies.
Mandatory minimum or maximum encryption strength
No known legislation or policies.
Licensing/registration requirements
No known legislation or policies.
Import/export controls
No known legislation or policies.
Other restrictions
No known legislation or policies.
Obligations on individuals to assist authorities
No known legislation or policies.
Obligations on providers to assist authorities
No known legislation or policies.
Assessment Text Area
Micronesia
Law and policy
General right to encryption
No known legislation or policies.
Mandatory minimum or maximum encryption strength
No known legislation or policies.
Licensing/registration requirements
No known legislation or policies.
Import/export controls
No known legislation or policies.
Other restrictions
No known legislation or policies.
Obligations on individuals to assist authorities
No known legislation or policies.
Obligations on providers to assist authorities
No known legislation or policies.
Assessment Text Area
Moldova
Law and policy
General right to encryption
No known legislation or policies.
Mandatory minimum or maximum encryption strength
No known legislation or policies.
Licensing/registration requirements
No known legislation or policies.
Import/export controls
No known legislation or policies.
Other restrictions
No known legislation or policies.
Obligations on individuals to assist authorities
No known legislation or policies.
Obligations on providers to assist authorities
No known legislation or policies.
Assessment Text Area
Monaco
Assessment
Law and policy
General right to encryption
No known legislation or policies.
Mandatory minimum or maximum encryption strength
No known legislation or policies.
Licensing/registration requirements
No known legislation or policies.
Import/export controls
No known legislation or policies.
Other restrictions
No known legislation or policies.
Obligations on individuals to assist authorities
Article 268-5 the Code of Criminal Procedure provides that “where it appears that data seized or obtained during the investigation or investigation have been transformed operations preventing access to, or understanding of, the unencrypted information contained therein, or that such data is protected by an authentication mechanism, the Attorney General, the investigating court or the trial court seized of the case may designate any qualified natural or legal person, with a view to carrying out the technical operations to obtain access to such information, its unencrypted version and, in the event that, in the event that a cryptology means was used, the secret decryption convention, if it seems necessary”.
Article 268-7 further provides that “the results obtained and the documents received are returned by the person designated to clear the encrypted data to the requesting judicial authority. The results are accompanied by technical information useful for understanding and their use as well as a certificate signed by the designated person certifying the sincerity of the results transmitted”.
A copy of the Criminal Procedure Code (in French) can be found here.
Obligations on providers to assist authorities
Article 268-5 the Code of Criminal Procedure provides that “where it appears that data seized or obtained during the investigation or investigation have been transformed operations preventing access to, or understanding of, the unencrypted information contained therein, or that such data is protected by an authentication mechanism, the Attorney General, the investigating court or the trial court seized of the case may designate any qualified natural or legal person, with a view to carrying out the technical operations to obtain access to such information, its unencrypted version and, in the event that, in the event that a cryptology means was used, the secret decryption convention, if it seems necessary”.
Article 268-7 further provides that “the results obtained and the documents received are returned by the person designated to clear the encrypted data to the requesting judicial authority. The results are accompanied by technical information useful for understanding and their use as well as a certificate signed by the designated person certifying the sincerity of the results transmitted”.
A copy of the Criminal Procedure Code (in French) can be found here.
Assessment Text Area
There is currently no legislation in Monaco regarding the general right to encryption, nor regulations on the strength of encryption technology, its licensing, or sale. However, under the country’s criminal code, where data that has been “seized or obtained during the investigation” is in such a form that “preven[s] access to, or understanding of, the encrypted information contained therein,”or is “protected by an authentication mechanism, the Attorney General or the court may designate “any qualified natural or legal person” to obtain access to an unencrypted version of this data. The decrypted results must be “accompanied by technical information useful for understanding and their use as well as a certificate signed by the designated person certifying the sincerity of the results transmitted”.
Mongolia
Law and policy
General right to encryption
No known legislation or policies.
Mandatory minimum or maximum encryption strength
No known legislation or policies.
Licensing/registration requirements
No known legislation or policies.
Import/export controls
No known legislation or policies.
Other restrictions
No known legislation or policies.
Obligations on individuals to assist authorities
No known legislation or policies.
Obligations on providers to assist authorities
No known legislation or policies.
Assessment Text Area
Montenegro
Assessment
Law and policy
General right to encryption
No known legislation or policies.
Mandatory minimum or maximum encryption strength
No known legislation or policies.
Licensing/registration requirements
No known legislation or policies.
Import/export controls
No known legislation or policies.
Other restrictions
No known legislation or policies.
Obligations on individuals to assist authorities
No known legislation or policies.
Obligations on providers to assist authorities
The Electronic Communications Act requires network operators and service providers to retain certain data on traffic and location, as well as data relevant for the identification and registration of their customers. Such data may only be retained for limited purposes such as for national security, the prevention of crime, to investigate, reveal and prosecute criminal offenders or for the unauthorised use of a system for electronic communications. Under Article 181 of this Act, network operators and service providers are also required to provide necessary technical and organisational conditions which would enable competent government agencies to take over such data. This would oblige a network operator or service provider to decrypt encrypted data when required to do so by a court order.
A copy of the Electronic Communications Act can be found here.
Assessment Text Area
There is currently no legislation in Montenegro regarding the general right to encryption, nor regulations on the strength of encryption technology, its licensing, or sale. However, the country’s Electronic Communications Act requires network operators and service providers to retain certain data on traffic, location, as well as data relevant customer data in specific cases such as for national security, the prevention of crime, to investigate, reveal and prosecute criminal offenders, or for the unauthorised use of a system for electronic communications. This law also obliges network operators and service providers to decrypt encrypted data when required to do so by a court order.
Morocco
Assessment
Law and policy
General right to encryption
No known legislation or policies.
Mandatory minimum or maximum encryption strength
No known legislation or policies.
Licensing/registration requirements
Article 13 of Law No. 53-05 on the Electronic Exchange of Legal Data provides that, in order to prevent their use for illegal purposes and to preserve the interests of national defence and the internal or external security of state, the import, export, supply or use of cryptography means or services are subject either prior declaration or authorisation. Prior declaration is required where the sole purposes of the cryptography is to authenticate transmission, or ensure the completeness of data transmitted electronically. Prior authorisation, however, is required in all other purposes. Article 13 also gives the government the power to provide for simplified declaration or authorisation processes, and to exempt certain types of cryptography means or services from the requirements.
Article 14 provides that where prior authorisation is required, such authorisation can only be granted to electronic certification service providers approved under Article 21, or persons approved by the government. Article 21 sets out the process for seeking approval, and states that it must be provided by a ‘national authority’ and that any providers seeking approval must be a company based in Morocco. Under Decree 2.13.1881, the ‘national authority’ is the Directorate General for Information Systems Security.
The import, export, supply or use of cryptographic means or services without prior declaration or authorisation is a criminal offence, punishable by up to one year’s imprisonment and a fine of up to 100,000 MAD.
A copy of the law (in Arabic) can be found here.
A translation of the law (in French) can be found here.
A copy of the decree (in Arabic) can be found here.
Import/export controls
Article 13 of Law No. 53-05 on the Electronic Exchange of Legal Data provides that, in order to prevent their use for illegal purposes and to preserve the interests of national defence and the internal or external security of state, the import, export, supply or use of cryptography means or services are subject either prior declaration or authorisation. Prior declaration is required where the sole purposes of the cryptography is to authenticate transmission, or ensure the completeness of data transmitted electronically. Prior authorisation, however, is required in all other purposes. Article 13 also gives the government the power to provide for simplified declaration or authorisation processes, and to exempt certain types of cryptography means or services from the requirements.
Article 14 provides that where prior authorisation is required, such authorisation can only be granted to electronic certification service providers approved under Article 21, or persons approved by the government. Article 21 sets out the process for seeking approval, and states that it must be provided by a ‘national authority’ and that any providers seeking approval must be a company based in Morocco. Under Decree 2.13.1881, the ‘national authority’ is the Directorate General for Information Systems Security.
The import, export, supply or use of cryptographic means or services without prior declaration or authorisation is a criminal offence, punishable by up to one year’s imprisonment and a fine of up to 100,000 MAD.
A copy of the law (in Arabic) can be found here.
A translation of the law (in French) can be found here.
A copy of the decree (in Arabic) can be found here.
Other restrictions
Article 33 of Law No. 53-05 on the Electronic Exchange of Legal Data provides that, where encryption is used to commit a criminal offence, and the penalty is one of imprisonment, the maximum penalty for the offence is to be increased by between three and five years.
Article 34 provides that where persons provide cryptography services for the purposes of confidentiality, they are liable in respect of any injury caused to persons using those services where there is a breach of the integrity, confidentiality or availability of their data.
A copy of the law (in Arabic) can be found here.
A translation of the law (in French) can be found here.
Obligations on individuals to assist authorities
No known legislation or policies.
Obligations on providers to assist authorities
No known legislation or policies.
Assessment Text Area
There is a higher penalty for crimes committed using encryption in Morocco and the law also provides that where there is a breach of the integrity, confidentiality or availability of data, those responsible for providing those services are liable for any injury caused. Further, the import, export, supply or use of cryptography means or services are subject either prior declaration or authorisation by the government.
Mozambique
Assessment
Law and policy
General right to encryption
No known legislation or policies.
Mandatory minimum or maximum encryption strength
No known legislation or policies.
Licensing/registration requirements
No known legislation or policies.
Import/export controls
No known legislation or policies.
Other restrictions
While not a restriction on encryption, Article 283 of the Code of Criminal Procedure provides that where documents which have been seized are encrypted, they must be examined by experts to decrypt them.
A copy of the Code of Penal Procedure can be found (in Portuguese) here.
Obligations on individuals to assist authorities
No known legislation or policies.
Obligations on providers to assist authorities
No known legislation or policies.
Assessment Text Area
In Mozambique, there are no restrictions on the use of encryption but the law provides that where documents which have been seized are encrypted, they must be examined by experts to decrypt them.
Myanmar
Assessment
Law and policy
General right to encryption
No known legislation or policies.
Mandatory minimum or maximum encryption strength
No known legislation or policies.
Licensing/registration requirements
No known legislation or policies.
Import/export controls
No known legislation or policies.
Other restrictions
Section 69 of the Telecommunications Law provides that the disclosure of information which has been encrypted is only allowed in relation to a telecommunications-related matter prosecution and only when authorised by a court order.
Breach of section 69 is a criminal offence punishable by up to one year’s imprisonment, a fine or both.
A copy of the law (in Burmese) can be found here, and a translation of the law into English can be found here.
Obligations on individuals to assist authorities
Section 69 of the Telecommunications Law provides that the disclosure of information which has been encrypted is only allowed in relation to a telecommunications-related matter prosecution and only when authorised by a court order.
Breach of section 69 is a criminal offence punishable by up to one year’s imprisonment, a fine or both.
A copy of the law (in Burmese) can be found here, and a translation of the law into English can be found here.
Obligations on providers to assist authorities
Section 69 of the Telecommunications Law provides that the disclosure of information which has been encrypted is only allowed in relation to a telecommunications-related matter prosecution and only when authorised by a court order.
Breach of section 69 is a criminal offence punishable by up to one year’s imprisonment, a fine or both.
A copy of the law (in Burmese) can be found here, and a translation of the law into English can be found here.
Assessment Text Area
In Myanmar, a court order can authorise the disclosure of information which has been encrypted in relation to a telecommunications-related matter prosecution.
Namibia
Law and policy
General right to encryption
No known legislation or policies.
Mandatory minimum or maximum encryption strength
No known legislation or policies.
Licensing/registration requirements
No known legislation or policies.
Import/export controls
No known legislation or policies.
Other restrictions
No known legislation or policies.
Obligations on individuals to assist authorities
No known legislation or policies.
Obligations on providers to assist authorities
No known legislation or policies.
Assessment Text Area
Nauru
Law and policy
General right to encryption
No known legislation or policies.
Mandatory minimum or maximum encryption strength
No known legislation or policies.
Licensing/registration requirements
No known legislation or policies.
Import/export controls
No known legislation or policies.
Other restrictions
No known legislation or policies.
Obligations on individuals to assist authorities
No known legislation or policies.
Obligations on providers to assist authorities
No known legislation or policies.
Assessment Text Area
Nepal
Law and policy
General right to encryption
No known legislation or policies.
Mandatory minimum or maximum encryption strength
No known legislation or policies.
Licensing/registration requirements
No known legislation or policies.
Import/export controls
No known legislation or policies.
Other restrictions
No known legislation or policies.
Obligations on individuals to assist authorities
No known legislation or policies.
Obligations on providers to assist authorities
No known legislation or policies.
Assessment Text Area
Netherlands
Assessment
Law and policy
General right to encryption
No known legislation or policies.
Mandatory minimum or maximum encryption strength
No known legislation or policies.
Licensing/registration requirements
No known legislation or policies.
Import/export controls
No known legislation or policies.
Other restrictions
No known legislation or policies.
Obligations on individuals to assist authorities
Article 126nh of the Criminal Procedure Code allows an investigating judge to order someone (although not a suspect) to decrypt any encrypted data, or to provide information on how to do so.
A copy of the Criminal Procedure Code (in Dutch) can be found here.
Obligations on providers to assist authorities
Article 126nh of the Criminal Procedure Code allows an investigating judge to order someone (although not a suspect) to decrypt any encrypted data, or to provide information on how to do so.
A copy of the Criminal Procedure Code (in Dutch) can be found here.
Assessment Text Area
In the Netherlands, the law provides an investigating judge with the powers to order someone, who is not the suspect, to decrypt any encrypted data, or to provide information on how to do so.
New Zealand
Assessment
Law and policy
General right to encryption
No known legislation or policies.
Mandatory minimum or maximum encryption strength
No known legislation or policies.
Licensing/registration requirements
No known legislation or policies.
Import/export controls
No known legislation or policies.
Other restrictions
No known legislation or policies.
Obligations on individuals to assist authorities
Under section 130 of the Search and Surveillance Act 2012, a person with a search power in respect of data held in a computer system or other data storage device may require a specified person to provide access information and other information or assistance that is reasonable and necessary to allow the person exercising the search power to access that data. This could include a requirement that they decrypt information which is necessary to access a particular device. The search power cannot be used to require the specified person give any information tending to incriminate them (section 130(2)), however this does not prevent a person exercising a search power from requiring the specified person to provide information or providing assistance that is reasonable and necessary to allow the person exercising the search power to access data held in, or accessible from, a computer system or other data storage device that contains or may contain information tending to incriminate the specified person (section 130(3)).
Failure to assist a person exercising a search power when requested to do so under section 130(1), without reasonable excuse, is a criminal offence punishable with imprisonment for up to three months (section 178).
A copy of the law can be found here.
Obligations on providers to assist authorities
Section 9(1) of the Telecommunications (Interception Capability and Security) Act 2013 requires all network operators to ensure that public telecommunications networks and telecommunications services have “full interception capability”.
This includes a duty to ensure that the interception capability is developed, installed, and maintained (section (9(3)). The duty is only complied with if every surveillance agency that is authorised under an interception warrant or any other lawful interception authority to intercept telecommunications or services on that network, or the network operator concerned, is able to – amongst other things – identify and intercept telecommunications, and obtain call associated data and the content of those telecommunications (section 10(1)). Network operators must decrypt telecommunications on that operator’s public telecommunications network or telecommunications service if they have been encrypted and the network operators provided that encryption (section 10(3)). However this does not require them to decrypt telecommunications that were encrypted by a product supplied by a person other than the operator and is available to the public, or was supplied by the operator as an agent for that product (section 10(4)). Nor does it require them to ensure that surveillance agencies have the ability to decrypt any telecommunication (section 10(4)).
Together, these duties mean that network operators cannot design and implement end-to-end encryption.
Under section 24 of the Act, where a network operator or service provider is shown an interception warrant which has been issued to a surveillance authority, it must assist the surveillance agency. This assistance includes “taking all other reasonable steps that are necessary for the purpose of giving effect to the warrant or lawful authority”, including decrypting telecommunications where they have provided the encryption. As with the duties under sections 9 and 10, this does not, however, require them to decrypt telecommunications that were encrypted by a product supplied by them as an agent for that product, or supplied by another person where the product is available to the public (section 24(4)). Nor does it require them to ensure that surveillance agencies have the ability to decrypt any telecommunication (section 24(4)).
A copy of the law can be found here.
Under section 130 of the Search and Surveillance Act 2012, a person with a search power in respect of data held in a computer system or other data storage device may require a specified person to provide access information and other information or assistance that is reasonable and necessary to allow the person exercising the search power to access that data. This could include a requirement that they decrypt information which is necessary to access a particular device. The search power cannot be used to require the specified person give any information tending to incriminate them (section 130(2)), however this does not prevent a person exercising a search power from requiring the specified person to provide information or providing assistance that is reasonable and necessary to allow the person exercising the search power to access data held in, or accessible from, a computer system or other data storage device that contains or may contain information tending to incriminate the specified person (section 130(3)).
Failure to assist a person exercising a search power when requested to do so under section 130(1), without reasonable excuse, is a criminal offence punishable with imprisonment for up to three months (section 178).
A copy of the law can be found here.
Assessment Text Area
In New Zealand, network operators must ensure that public telecommunications networks and telecommunications services have “full interception capability”. This includes a duty to ensure that the interception capability is developed, installed, and maintained, meaning that network operators cannot design and implement end-to-end encryption. Failure to assist a person exercising a search power when requested to do so is a criminal offence punishable with imprisonment for up to three months.
Nicaragua
Law and policy
General right to encryption
No known legislation or policies.
Mandatory minimum or maximum encryption strength
No known legislation or policies.
Licensing/registration requirements
No known legislation or policies.
Import/export controls
No known legislation or policies.
Other restrictions
No known legislation or policies.
Obligations on individuals to assist authorities
No known legislation or policies.
Obligations on providers to assist authorities
No known legislation or policies.
Assessment Text Area
Niger
Law and policy
General right to encryption
No known legislation or policies.
Mandatory minimum or maximum encryption strength
No known legislation or policies.
Licensing/registration requirements
No known legislation or policies.
Import/export controls
No known legislation or policies.
Other restrictions
No known legislation or policies.
Obligations on individuals to assist authorities
No known legislation or policies.
Obligations on providers to assist authorities
No known legislation or policies.
Assessment Text Area
Nigeria
Assessment
Law and policy
General right to encryption
No known legislation or policies.
Mandatory minimum or maximum encryption strength
No known legislation or policies.
Licensing/registration requirements
No known legislation or policies.
Import/export controls
No known legislation or policies.
Other restrictions
No known legislation or policies.
Obligations on individuals to assist authorities
Section 45 of the Cybercrimes (Prohibition, Prevention, etc) Act 2015 allow a law enforcement officer, after obtaining a warrant from a judge, to “use any technology to decode or decrypt any coded or encrypted data contained in a computer into readable text or comprehensible format”.
While there is no requirement in the Act for individuals to assist by providing a key or otherwise decrypting any data, section 46 provides that wilfully obstructing any law enforcement officer in the exercise of any powers conferred by the Act or failing to comply with any lawful inquiry or requests made by any law enforcement agency in accordance with provisions of the Act is a criminal offence, punishable by imprisonment for up to two years and/or a fine of up to NGN 500,000. This could be interpreted as including a request to assist in the decryption of data.
A copy of the law can be found here.
Obligations on providers to assist authorities
Section 70 and 147 of the Nigerian Communications Act, 2003, enable the Nigerian Communications Commission (NCC) to make regulations which set out requirements on those who are licenced to operate communications system and provide communications services relating. These include requirements to implement the capability to allow authorised interception of communications.
A copy of the law can be found here.
Under these provisions, the NCC has made the Lawful Interception of Communications Regulations, 2019. The interception of communications is prohibited unless the Regulations or other legislation provide otherwise. Regulation 7 allows for a judge to make a warrant authorising or requiring a licensee to (a) intercept any communication as described in the warrant; (b) disclose, in such a manner as may be described in the warrant of such intercepted communication; or (c) assist foreign authorities in accordance with an international mutual assistance agreement.
Regulation 7 also provides that a judge may only issue a warrant where: (i) there is no other lawful means of investigating the matter for which the warrant is required, (ii) where it is necessary it is in the interest of the national security, for the purpose of preventing or investigating a crime, for the purpose of protecting and safeguarding the economic wellbeing of Nigerians, in the interest of public emergency or safety, or to give effect to any international mutual assistance agreements, which Nigeria is a party; and (iii) such information can only be obtained by lawfully intercepting such Communication as specified in the warrant.
Regulation 8 provides that the interception of communications is also lawful where (a) one of the parties to the communication has consented to the interception; (b) it is done by a person who is a party to the communication, and has sufficient reason to believe that there is a threat to human life and safety; and (c) in the ordinary course of business, it is required to record or monitor such communication.
Under Regulation 9, where a communication intercepted is an encrypted or protected communication within the possession of the licensee, the licensee shall provide relevant security agencies with the key, code or access to the protected or encrypted communication. Where the key or code is in the possession of another person, the relevant security agency must request that person to disclose it. Instead of providing a key or code, a licensee or person may disclose any encrypted or protected communication in an intelligible form.
Failure to comply with a requirement is a criminal offence punishable by a fine of up to NGN 5,000,000.00, and where the offence continues, an additional daily default penalty of NGN 500,000.00. A licensee may also have its licence revoked.
A copy of the Regulations can be found here.
Assessment Text Area
In Nigeria, the law sets out the conditions for the interception of encrypted communications including the powers to require licensees to provide relevant security agencies with the key, code or access to the protected or encrypted communication. Wilfully obstructing any law enforcement officer in the exercise of any powers conferred by the law or failing to comply with any lawful inquiry or requests made by any law enforcement agency is a criminal offence, punishable by imprisonment and/or a fine. This could be interpreted as including a request to assist in the decryption of data.
North Korea
Law and policy
General right to encryption
No known legislation or policies.
Mandatory minimum or maximum encryption strength
No known legislation or policies.
Licensing/registration requirements
No known legislation or policies.
Import/export controls
No known legislation or policies.
Other restrictions
No known legislation or policies.
Obligations on individuals to assist authorities
No known legislation or policies.
Obligations on providers to assist authorities
No known legislation or policies.
Assessment Text Area
Norway
Law and policy
General right to encryption
No known legislation or policies.
Mandatory minimum or maximum encryption strength
No known legislation or policies.
Licensing/registration requirements
No known legislation or policies.
Import/export controls
No known legislation or policies.
Other restrictions
No known legislation or policies.
Obligations on individuals to assist authorities
No known legislation or policies.
Obligations on providers to assist authorities
No known legislation or policies.
Assessment Text Area
Oman
Assessment
Law and policy
General right to encryption
No known legislation or policies.
Mandatory minimum or maximum encryption strength
No known legislation or policies.
Licensing/registration requirements
Article 48 of the Telecommunications Regulatory Act provides that encryption shall not be used in telecommunications or between computer networks without a license from the Minister. The license shall determine the persons who may operate and the conditions of operating, fees imposed for issue of license and the controls of keeping the encryption key.
A copy of the Telecommunications Regulatory Act can be found here.
Import/export controls
No known legislation or policies.
Other restrictions
No known legislation or policies.
Obligations on individuals to assist authorities
No known legislation or policies.
Obligations on providers to assist authorities
No known legislation or policies.
Assessment Text Area
There is currently no legislation guaranteeing the general right to encryption. The country’s Telecommunications Regulatory Act requires a license from the Minister in order to utilise encryption in telecommunications or between computer networks. The license determines who may operate and the conditions of operating, fees imposed for issue of license, and control of the encryption key.
Pakistan
Assessment
Law and policy
General right to encryption
No known legislation or policies.
Mandatory minimum or maximum encryption strength
No known legislation or policies.
Licensing/registration requirements
The Pakistan Telecommunication Authority requires prior approval for the use of VPNs in their licensing agreements.
A copy of the licence agreement template can be found here.
Import/export controls
No known legislation or policies.
Other restrictions
Regulation 5 of the Monitoring and Reconciliation of Telephony Traffic Regulations 2010 provides that licensed mobile and telephony service providers must establish systems for monitoring telecommunication traffic (voice and data). These systems must ensure that voice and data signalling information is uncompressed, unencrypted, and not formatted in a manner which the installed monitoring system is unable to decipher.
A copy of the Regulations can be found here.
Obligations on individuals to assist authorities
Section 35 of the Prevention of Electronic Crimes Act, 2016, provides law enforcement officers various powers relating to information systems. One of these is a power to require any person who is in possession of “decryption information of an information system, device or data under investigation” to grant the officer access to such data, device or information system “in unencrypted or decrypted intelligible format” for the purposes of investigating the offence.
A copy of the law can be found here.
Obligations on providers to assist authorities
Section 35 of the Prevention of Electronic Crimes Act, 2016, provides law enforcement officers various powers relating to information systems. One of these is a power to require any person who is in possession of “decryption information of an information system, device or data under investigation” to grant the officer access to such data, device or information system “in unencrypted or decrypted intelligible format” for the purposes of investigating the offence.
A copy of the law can be found here.
Regulation 5 of the Monitoring and Reconciliation of Telephony Traffic Regulations 2010 provides that licensed mobile and telephony service providers must establish systems for monitoring telecommunication traffic (voice and data). These systems must ensure that voice and data signalling information is uncompressed, unencrypted, and not formatted in a manner which the installed monitoring system is unable to decipher.
A copy of the Regulations can be found here.
Assessment Text Area
In Pakistan, the ability to use encrypted technologies is largely restricted. The Pakistan Telecommunication Authority requires prior approval for the use of VPNs in their licensing agreements. Law enforcement officers have various powers relating to decryption including requiring officers access to such data, device or information system “in unencrypted or decrypted intelligible format” for the purposes of investigating the offence. Licensed mobile and telephony service providers must establish systems for monitoring telecommunication traffic and these systems must ensure that voice and data signalling information is uncompressed, unencrypted, and not formatted in a manner which the installed monitoring system is unable to decipher.
Palau
Law and policy
General right to encryption
No known legislation or policies.
Mandatory minimum or maximum encryption strength
No known legislation or policies.
Licensing/registration requirements
No known legislation or policies.
Import/export controls
No known legislation or policies.
Other restrictions
No known legislation or policies.
Obligations on individuals to assist authorities
No known legislation or policies.
Obligations on providers to assist authorities
No known legislation or policies.
Assessment Text Area
Palestine
Law and policy
General right to encryption
No known legislation or policies.
Mandatory minimum or maximum encryption strength
No known legislation or policies.
Licensing/registration requirements
No known legislation or policies.
Import/export controls
No known legislation or policies.
Other restrictions
No known legislation or policies.
Obligations on individuals to assist authorities
No known legislation or policies.
Obligations on providers to assist authorities
No known legislation or policies.
Assessment Text Area
Panama
Law and policy
General right to encryption
No known legislation or policies.
Mandatory minimum or maximum encryption strength
No known legislation or policies.
Licensing/registration requirements
No known legislation or policies.
Import/export controls
No known legislation or policies.
Other restrictions
No known legislation or policies.
Obligations on individuals to assist authorities
No known legislation or policies.
Obligations on providers to assist authorities
No known legislation or policies.
Assessment Text Area
Papua New Guinea
Assessment
Law and policy
General right to encryption
No known legislation or policies.
Mandatory minimum or maximum encryption strength
No known legislation or policies.
Licensing/registration requirements
No known legislation or policies.
Import/export controls
No known legislation or policies.
Other restrictions
No known legislation or policies.
Obligations on individuals to assist authorities
Section 33 of the Cybercrime Code Act 2016 provides that a police officer, where they suspect on “reasonable grounds that a thing may provide evidence of a commission of an offence”, and in execution of a warrant, can direct a person to operate an electronic system or device in order to access that data (and subsequently seize or copy that data).
Section 34 of the Act further provides that upon production of a warrant, a police officer may also require a person assist or enable the officer to access or obtain/copy the data (in a format that can be read) even if that person is not a suspect of an offence, but is in possession or control of a device or data that is “reasonably required for the purposes of an investigation or proceeding”.
A copy of the Cybercrime Code Act 2016 can be found here.
Obligations on providers to assist authorities
Section 39 of the Cybercrime Code Act 2016 states that a court can, where satisfied on the basis of sufficient grounds that data or communications are reasonably required for an investigation or proceeding, order an ICT service provider to collect and record (or authorise or assist police to collect and record) data or communications transmitted by means of an electronic system. Section 40 of the Act similarly allows a court to order a person in control of traffic data associated with a specified communication to collect and record such data (or enable and assist police to collect and record it).
Section 44(1)(d) of the Act provides that an ICT Service Provider that does not comply with such a court order is guilty of a crime resulting in a fine not exceeding K1,000,000 (if a body corporate) or a fine not exceeding K100,000 and/or imprisonment for a term not exceeding 25 years (if a natural person).
A copy of the Cybercrime Code Act 2016 can be found here.
Assessment Text Area
In Papua New Guinea, a court can order an ICT service provider to collect and record or authorise or assist police to collect and record electronic data or communications. An ICT Service Provider that does not comply with such a court order is guilty of an offence punishable by imprisonment and/fine. Police officer in possession of a warrant can direct a person to operate an electronic system or device in order to access encrypted data data (and subsequently seize or copy that data).
Paraguay
Law and policy
General right to encryption
No known legislation or policies.
Mandatory minimum or maximum encryption strength
No known legislation or policies.
Licensing/registration requirements
No known legislation or policies.
Import/export controls
No known legislation or policies.
Other restrictions
No known legislation or policies.
Obligations on individuals to assist authorities
No known legislation or policies.
Obligations on providers to assist authorities
No known legislation or policies.
Assessment Text Area
Peru
Law and policy
General right to encryption
No known legislation or policies.
Mandatory minimum or maximum encryption strength
No known legislation or policies.
Licensing/registration requirements
No known legislation or policies.
Import/export controls
No known legislation or policies.
Other restrictions
No known legislation or policies.
Obligations on individuals to assist authorities
No known legislation or policies.
Obligations on providers to assist authorities
No known legislation or policies.
Assessment Text Area
Philippines
Assessment
Law and policy
General right to encryption
No known legislation or policies.
Mandatory minimum or maximum encryption strength
Section 23 of the Data Privacy Act of 2012 requires government agencies to ensure that “any technology used to store, transport or access sensitive personal information for purposes of off-site access approved under this subsection shall be secured by the use of the most secure encryption standard recognized by the [National Privacy] Commission”.
A copy of the Data Privacy Act of 2012 can be found here.
In its NPC Circular 16-01 – Security of Personal Data in Government Agencies, the Commission has stated that “personal data that are digitally processed must be encrypted, whether at rest or in transit” and recommends “Advanced Encryption Standard with a key size of 256 bits (AES-256) as the most appropriate encryption standard”.
A copy of the Circular can be found here.
Licensing/registration requirements
No known legislation or policies.
Import/export controls
No known legislation or policies.
Other restrictions
No known legislation or policies.
Obligations on individuals to assist authorities
No known legislation or policies.
Obligations on providers to assist authorities
No known legislation or policies.
Assessment Text Area
There are no restrictions on the use of encryption in the Philippines. There are minimum advanced encryption standards set for personal data kept by government agencies.
Poland
Law and policy
General right to encryption
No known legislation or policies.
Mandatory minimum or maximum encryption strength
No known legislation or policies.
Licensing/registration requirements
No known legislation or policies.
Import/export controls
No known legislation or policies.
Other restrictions
No known legislation or policies.
Obligations on individuals to assist authorities
No known legislation or policies.
Obligations on providers to assist authorities
No known legislation or policies.
Assessment Text Area
Portugal
Law and policy
General right to encryption
No known legislation or policies.
Mandatory minimum or maximum encryption strength
No known legislation or policies.
Licensing/registration requirements
No known legislation or policies.
Import/export controls
No known legislation or policies.
Other restrictions
No known legislation or policies.
Obligations on individuals to assist authorities
No known legislation or policies.
Obligations on providers to assist authorities
No known legislation or policies.
Assessment Text Area
Qatar
Law and policy
General right to encryption
No known legislation or policies.
Mandatory minimum or maximum encryption strength
No known legislation or policies.
Licensing/registration requirements
No known legislation or policies.
Import/export controls
No known legislation or policies.
Other restrictions
No known legislation or policies.
Obligations on individuals to assist authorities
No known legislation or policies.
Obligations on providers to assist authorities
No known legislation or policies.
Assessment Text Area
Republic of the Congo
Law and policy
General right to encryption
No known legislation or policies.
Mandatory minimum or maximum encryption strength
No known legislation or policies.
Licensing/registration requirements
No known legislation or policies.
Import/export controls
No known legislation or policies.
Other restrictions
No known legislation or policies.
Obligations on individuals to assist authorities
No known legislation or policies.
Obligations on providers to assist authorities
No known legislation or policies.
Assessment Text Area
Romania
Law and policy
General right to encryption
No known legislation or policies.
Mandatory minimum or maximum encryption strength
No known legislation or policies.
Licensing/registration requirements
No known legislation or policies.
Import/export controls
No known legislation or policies.
Other restrictions
No known legislation or policies.
Obligations on individuals to assist authorities
No known legislation or policies.
Obligations on providers to assist authorities
No known legislation or policies.
Assessment Text Area
Russia
Assessment
Law and policy
General right to encryption
No known legislation or policies.
Mandatory minimum or maximum encryption strength
No known legislation or policies.
Licensing/registration requirements
Article 12 of Federal Law No. 128-FZ “On Licensing Specific Types of Activity” provides that a licence is required for distributing encryption facilities, maintaining encryption facilities, providing encryption services, and developing and manufacturing encryption facilities protected by means of encryption.
A copy of the law (in Russian) can be found here.
Import/export controls
No known legislation or policies.
Other restrictions
No known legislation or policies.
Obligations on individuals to assist authorities
No known legislation or policies.
Obligations on providers to assist authorities
Article 10-1, paragraph 4-1 of Federal Law No. 149-FZ “On Information, Information Technologies and Protection of Information” requires “organisers of information distribution” that add “additional coding” to transmitted electronic messages to provide the Federal Security Service with any information necessary to decrypt those messages.
A copy of the law (in Russian) can be found here.
Assessment Text Area
In Russia, a licence is required for distributing encryption facilities, maintaining encryption facilities, providing encryption services, and developing and manufacturing encryption facilities. The Federal Security Service can compel the provision of any information necessary to decrypt encrypted messaging.
Rwanda
Assessment
Law and policy
General right to encryption
No known legislation or policies.
Mandatory minimum or maximum encryption strength
No known legislation or policies.
Licensing/registration requirements
No known legislation or policies.
Import/export controls
No known legislation or policies.
Other restrictions
No known legislation or policies.
Obligations on individuals to assist authorities
Article 8 of Law No 60/2018 of 22/8/2018 on Prevention and Punishment of Cyber Crimes provides that all persons have an obligation to collaborate with organs in charge of the investigation of cyber crimes. This includes compliance with any lawful directions, including disclosing access codes to a computer system, or all data required for the purposes of the investigation. Article 11 further provides that if the disclosure of data is required for the purposes of an investigation or prosecution of an offence, the prosecution authority may issue an order to a person in possession of such data compelling them to disclose the data. If this data is stored in a computer or computer system, the request is considered to require that person to produce or give access to that data in a form in which it can be taken away and in which it is visible and legible.
While encryption is not explicitly mentioned within the law, these broad procedural powers could be interpreted as requiring persons (whether natural or legal) to facilitate or provide access to encrypted data.
A copy of Law No 60/2018 of 22/8/2018 on Prevention and Punishment of Cyber Crimes can be found here.
Obligations on providers to assist authorities
Article 8 of Law No 60/2018 of 22/8/2018 on Prevention and Punishment of Cyber Crimes provides that all persons have an obligation to collaborate with organs in charge of the investigation of cyber crimes. This includes compliance with any lawful directions, including disclosing access codes to a computer system, or all data required for the purposes of the investigation. Article 11 further provides that if the disclosure of data is required for the purposes of an investigation or prosecution of an offence, the prosecution authority may issue an order to a person in possession of such data compelling them to disclose the data. If this data is stored in a computer or computer system, the request is considered to require that person to produce or give access to that data in a form in which it can be taken away and in which it is visible and legible.
While encryption is not explicitly mentioned within the law, these broad procedural powers could be interpreted as requiring persons (whether legal or natural) to facilitate or provide access to encrypted data.
A copy of Law No 60/2018 of 22/8/2018 on Prevention and Punishment of Cyber Crimes can be found here.
Assessment Text Area
There is no legislation guaranteeing the general right to encryption in Rwanda. Per Rwandan law, all persons are required to comply with requests for data when requested for the purposes of investigating a cyber crime. The law requires that this data be “in a form in which it can be taken away and in which it is visible and legible”. While encryption is not explicitly mentioned within the law, these broad procedural powers could be interpreted as requiring persons (whether legal or natural) to facilitate or provide access to encrypted data.
Saint Kitts and Nevis
Law and policy
General right to encryption
No known legislation or policies.
Mandatory minimum or maximum encryption strength
No known legislation or policies.
Licensing/registration requirements
No known legislation or policies.
Import/export controls
No known legislation or policies.
Other restrictions
No known legislation or policies.
Obligations on individuals to assist authorities
No known legislation or policies.
Obligations on providers to assist authorities
No known legislation or policies.
Assessment Text Area
Saint Lucia
Assessment
Law and policy
General right to encryption
No known legislation or policies.
Mandatory minimum or maximum encryption strength
No known legislation or policies.
Licensing/registration requirements
No known legislation or policies.
Import/export controls
No known legislation or policies.
Other restrictions
No known legislation or policies.
Obligations on individuals to assist authorities
Section 21 of the Interception of Communications Act (Cap 3.12) enables the making of disclosure orders by a judge. Only the Attorney General or the Director of Public Prosecutions may apply to a judge for such a disclosure order, and only where protected information has come into the hands of a law enforcement agency, a key to the protected information is in the possession of any person, and disclosure of the information is necessary in the interests of national security public order.
The judge may make a disclosure order, taking into account the extent and the nature of any protected information to which the key is also a key, and any adverse effect that complying with the order might have on a business carried on by a person to whom the order is addressed. The judge must also only permit such disclosure as is proportionate to what is sought to be achieved, allowing, where appropriate, for disclosure in such a manner as would result in the putting of the information in intelligible form other than by disclosure of the key itself.
Under section 22, where a disclosure order is made, the subject must either disclose the key or the information which is encrypted in an intelligible format. Failure to comply with a disclosure order is a criminal offence, punishable by up to one year’s imprisonment and/or a fine of up to XCD 5,000 (s. 22(7)).
A copy of the law can be found here.
Obligations on providers to assist authorities
Section 21 of the Interception of Communications Act (Cap 3.12) enables the making of disclosure orders by a judge. Only the Attorney General or the Director of Public Prosecutions may apply to a judge for such a disclosure order, and only where protected information has come into the hands of a law enforcement agency, a key to the protected information is in the possession of any person, and disclosure of the information is necessary in the interests of national security public order.
The judge may make a disclosure order, taking into account the extent and the nature of any protected information to which the key is also a key, and any adverse effect that complying with the order might have on a business carried on by a person to whom the order is addressed. The judge must also only permit such disclosure as is proportionate to what is sought to be achieved, allowing, where appropriate, for disclosure in such a manner as would result in the putting of the information in intelligible form other than by disclosure of the key itself.
Under section 22, where a disclosure order is made, the subject must either disclose the key or the information which is encrypted in an intelligible format. Failure to comply with a disclosure order is a criminal offence, punishable by up to one year’s imprisonment and/or a fine of up to XCD 5,000 (s. 22(7)).
A copy of the law can be found here.
Assessment Text Area
The law in Saint Lucia permits judges to require disclosure orders subject to a range of safeguards, for example they must only permit such disclosure as is proportionate to what is sought to be achieved, allowing, where appropriate, for disclosure in such a manner as would result in the putting of the information in intelligible form other than by disclosure of the key itself.
Saint Vincent and the Grenadines
Assessment
Law and policy
General right to encryption
No known legislation or policies.
Mandatory minimum or maximum encryption strength
No known legislation or policies.
Licensing/registration requirements
Section 34 of the Electronic Communications Act 2007 establishes a register of all cryptography providers. Unless they are registered, a cryptography provide cannot provide cryptography products.
A copy of the law can be found here.
Import/export controls
No known legislation or policies.
Other restrictions
No known legislation or policies.
Obligations on individuals to assist authorities
Section 75 of the Electronic Communications Act 2007 provides that a judicial officer may issue a warrant authorising a police officer to enter a particular place and search and seize data or things where there are reasonable grounds to believe that such data or things may constitute evidence in proving a criminal offence, or has been acquires by a person as a result of a criminal offence. Under section 76, a person who is in possession or control of an electronic data storage medium or information subject to a search under section 75 must permit, and assist if required, the person making the search.
The forms of assistance that must be provided are to access and use any information system or electronic data storage medium to search data, obtain and copy that data, use equipment to make copies, and obtain an intelligible output from an information system in a plain text format. “Assist” includes providing passwords, encryption keys and making available any other information necessary to access an information system.
Failure to permit a person to search or to assist a person making a search is a criminal offence punishable, in the case of an individual, to a fine not exceeding 5,000 XCD, imprisonment for up to two years, or both; and, in the case of a corporation, to a fine not exceeding 50,000 XCD.
A copy of the law can be found here.
Obligations on providers to assist authorities
Section 75 of the Electronic Communications Act 2007 provides that a judicial officer may issue a warrant authorising a police officer to enter a particular place and search and seize data or things where there are reasonable grounds to believe that such data or things may constitute evidence in proving a criminal offence, or has been acquires by a person as a result of a criminal offence. Under section 76, a person who is in possession or control of an electronic data storage medium or information subject to a search under section 75 must permit, and assist if required, the person making the search.
The forms of assistance that must be provided are to access and use any information system or electronic data storage medium to search data, obtain and copy that data, use equipment to make copies, and obtain an intelligible output from an information system in a plain text format. “Assist” includes providing passwords, encryption keys and making available any other information necessary to access an information system.
Failure to permit a person to search or to assist a person making a search is a criminal offence punishable, in the case of an individual, to a fine not exceeding 5,000 XCD, imprisonment for up to two years, or both; and, in the case of a corporation, to a fine not exceeding 50,000 XCD.
A copy of the law can be found here.
Assessment Text Area
In Saint Vincent and the Grenadines, all cryptography providers must be registered. In addition, a judicial officer may issue a warrant authorising a police officer to seize data and compel any person to assist by making available passwords, encryption keys and making available any other information necessary to access an information system.
Samoa
Assessment
Law and policy
General right to encryption
No known legislation or policies.
Mandatory minimum or maximum encryption strength
No known legislation or policies.
Licensing/registration requirements
No known legislation or policies.
Import/export controls
No known legislation or policies.
Other restrictions
No known legislation or policies.
Obligations on individuals to assist authorities
No known legislation or policies.
Obligations on providers to assist authorities
Section 69(1) of the Telecommunications Act 2005 provides that a service provider “shall comply with any written request, direction or other requirement of the Attorney General regarding access to any part of the service provider’s telecommunications network or telecommunications services or related information in connection with national security requirements or the prevention, detection or prosecution of any breach of the laws of Samoa”. Under section 69(2), the service provider must provide any facilities or capabilities required to comply with this provision.
A copy of the Telecommunications Act 2005 can be found here.
Assessment Text Area
In Samoa, the law requires service providers to comply with any request of the Attorney General regarding access to any part of the service provider’s telecommunications network or telecommunications services or related information in connection with national security requirements or the prevention, detection or prosecution of any breach of the laws of Samoa. The service provider must provide any facilities or capabilities required to comply with this provision.
San Marino
Law and policy
General right to encryption
No known legislation or policies.
Mandatory minimum or maximum encryption strength
No known legislation or policies.
Licensing/registration requirements
No known legislation or policies.
Import/export controls
No known legislation or policies.
Other restrictions
No known legislation or policies.
Obligations on individuals to assist authorities
No known legislation or policies.
Obligations on providers to assist authorities
No known legislation or policies.
Assessment Text Area
São Tomé and Príncipe
Assessment
Law and policy
General right to encryption
No known legislation or policies.
Mandatory minimum or maximum encryption strength
No known legislation or policies.
Licensing/registration requirements
No known legislation or policies.
Import/export controls
No known legislation or policies.
Other restrictions
While not a restriction on encryption, Article 239 of the Code of Criminal Procedure provides that where documents which have been seized are encrypted, they shall be decrypted by an expert.
A copy of the Code of Penal Procedure can be found (in Portuguese) here.
Obligations on individuals to assist authorities
No known legislation or policies.
Obligations on providers to assist authorities
No known legislation or policies.
Assessment Text Area
While not a restriction on encryption, the law requires that where documents which have been seized for the purposes of a criminal investigation are encrypted, they shall be decrypted by an expert.
Saudi Arabia
Law and policy
General right to encryption
No known legislation or policies.
Mandatory minimum or maximum encryption strength
No known legislation or policies.
Licensing/registration requirements
No known legislation or policies.
Import/export controls
No known legislation or policies.
Other restrictions
No known legislation or policies.
Obligations on individuals to assist authorities
No known legislation or policies.
Obligations on providers to assist authorities
No known legislation or policies.
Assessment Text Area
Senegal
Assessment
Law and policy
General right to encryption
Article 12 of the Law on Cryptography (Law No. 2008-41) provides that the use of encryption services and methods is free, unless the encryption provides confidentiality (as opposed to simply integrity or authenticity) functions. In such cases, under Article 13 of Decree No. 2010-1209, as amended by Decree No. 2012-1508, its use is free only if the key length is less than or equal to 128 bits.
A copy of the law (in French) can be found here.
A copy of the decree (in French) can be found here.
Mandatory minimum or maximum encryption strength
Article 13 of the Law on Cryptography (Law No. 2008-41) allows the National Cryptology Commission (NCC) to set down rules on the maximum size of encryption keys, and the NCC has set the maximum size at 128 bits (Article 13 of Decree No. 2010-1209, as amended by Decree No. 2012-1508). The use of encryption with a greater key length requires authorisation.
A copy of the law (in French) can be found here.
A copy of the decree (in French) can be found here.
Licensing/registration requirements
Article 16 of the Law on Cryptography (Law No. 2008-41) provides that bodies exercising cryptology services must be licenced by the National Cryptology Commission.
A copy of the law (in French) can be found here.
Import/export controls
Article 12 of the Law on Cryptography (Law No. 2008-41) provides that the supply, import and export of means of cryptology ensuring exclusively the functions of authentication and integrity control are free. Article 14 provides, however, that the supply or importation of a means of cryptology which does not solely perform functions of authentication and integrity control requires approval from the National Cryptology Commission.
A copy of the law (in French) can be found here.
Other restrictions
No known legislation or policies.
Obligations on individuals to assist authorities
No known legislation or policies.
Obligations on providers to assist authorities
No known legislation or policies.
Assessment Text Area
In Senegal, the free use of encryption is subject to restrictions on the strength of encryption. The use of encryption above a certain key length requires authorisation by the National Cryptology Commission (NCC).
Serbia
Law and policy
General right to encryption
No known legislation or policies.
Mandatory minimum or maximum encryption strength
No known legislation or policies.
Licensing/registration requirements
No known legislation or policies.
Import/export controls
No known legislation or policies.
Other restrictions
No known legislation or policies.
Obligations on individuals to assist authorities
No known legislation or policies.
Obligations on providers to assist authorities
No known legislation or policies.
Assessment Text Area
Seychelles
Assessment
Law and policy
General right to encryption
No known legislation or policies.
Mandatory minimum or maximum encryption strength
No known legislation or policies.
Licensing/registration requirements
No known legislation or policies.
Import/export controls
No known legislation or policies.
Other restrictions
No known legislation or policies.
Obligations on individuals to assist authorities
Section 45(1) of the Electronic Transactions Act, 2001 provides that “Certifying Authorities” appointed under the Act may, by order, direct any government agency to intercept any information transmitted through any computer resource. Section 45(2) adds that the subscriber or any person in charge of the computer resource shall, when called upon by any agency which has been direct under subsection (1), extend all facilities and technical assistance to decrypt the information.
Failure to assist the agency is a criminal offence, punishable by imprisonment for seven years.
A copy of the Electronic Transactions Act, 2001 can be found here.
Obligations on providers to assist authorities
Section 45(1) of the Electronic Transactions Act, 2001 provides that “Certifying Authorities” appointed under the Act may, by order, direct any government agency to intercept any information transmitted through any computer resource. Section 45(2) adds that the subscriber or any person in charge of the computer resource shall, when called upon by any agency which has been direct under subsection (1), extend all facilities and technical assistance to decrypt the information.
Failure to assist the agency is a criminal offence, punishable by imprisonment for seven years.
A copy of the Electronic Transactions Act, 2001 can be found here.
Assessment Text Area
There is currently no legislation guaranteeing the general right to encryption in the Seychelles. By law, “certifying authorities” may order any government agency to “to intercept any information transmitted through any computer resource” and upon request, provide assistance to decrypt the information. Failure to assist the agency is a criminal offence, punishable by imprisonment for seven years.
Sierra Leone
Law and policy
General right to encryption
No known legislation or policies.
Mandatory minimum or maximum encryption strength
No known legislation or policies.
Licensing/registration requirements
No known legislation or policies.
Import/export controls
No known legislation or policies.
Other restrictions
No known legislation or policies.
Obligations on individuals to assist authorities
No known legislation or policies.
Obligations on providers to assist authorities
No known legislation or policies.
Assessment Text Area
Singapore
Assessment
Law and policy
General right to encryption
No known legislation or policies.
Mandatory minimum or maximum encryption strength
No known legislation or policies.
Licensing/registration requirements
No known legislation or policies.
Import/export controls
Section 5 of the Strategic Goods (Control) Act prohibits the export of strategic goods and technologies, as set out in orders published by the government. Section 4A of the Act allows the government to, by order, prescribe military or dual-use goods and technology as strategic goods and technology for the purposes of the Act.
A copy of the law can be found here.
The Strategic Goods (Control) Order 2019, which prescribes certain military or dual-use goods and technology as strategic goods and technologies, includes certain forms of encryption technology.
A copy of the Order can be found here.
Other restrictions
No known legislation or policies. Section 261C of the Copyright Act explicitly prohibits the use of decryption as a means to circumvent technological measures used to preserve copyright. Section 261D provides for various exceptions, including where it is done when undertaking research on any encryption technology.
A copy of the law can be found here.
Obligations on individuals to assist authorities
Section 40 of the Criminal Procedure Code allows the Public Prosecutor, by order, to authorise a police officer or an authorised person to exercise certain powers to access decryption information. These are:
(a) to access any information, code or technology which has the capability of retransforming or unscrambling encrypted data into readable and comprehensible format or text for the purposes of investigating the arrestable offence;
(b) to require (i) any person whom he reasonably suspects of using a computer in connection with an arrestable offence or of having used it in this way; or (ii) any person having charge of, or otherwise concerned with the operation of, such computer, to provide him with such reasonable technical and other assistance as he may require for the purposes of paragraph (a); and
(c) require any person whom he reasonably suspects to be in possession of any decryption information to grant him access to such decryption information as may be necessary to decrypt any data required for the purposes of investigating the arrestable offence.
Failure to do so is a criminal offence punishable by up to three years’ imprisonment and/or a fine of up to 10,000 SGD.
A copy of the Code can be found here.
Section 13(1) of the Private Lotteries Act provides that where the Commissioner of Betting Duties has reasonable cause to believe that an offence under the Act has been committee, he (or any other officer of a public authority authorised by him), “may access any information, code or technology which has the capability of retransforming or unscrambling encrypted data contained in or available to such computers into readable and comprehensive format or text”. Section 13(1) also enables the person to search and seize, among other things, computers and other devices. The person may also require any person in charge of (or otherwise concerned with) the computer or device to provide them “with such reasonable assistance as he may require”; they may also require “any person in possession of decryption information to grant him access to such decryption information necessary to decrypt data required”.
Failure to comply is a criminal offence punishable by a fine of up to 1,000 SGD.
A copy of the law can be found here.
The Income Tax Act, the Goods and Services Tax Act, and the Property Tax Act all provide for similar powers for the relevant Comptrollers to have access to any information, code or technology which has the capability of retransforming or unscrambling encrypted data contained or available to such computers into readable and comprehensive format or text for any of the purposes of the relevant Act. The Comptrollers may also search and seize, among other things, computers and other devices; require any person in charge of (or otherwise concerned with) the computer or device to provide them reasonable assistance; and require any person in possession of decryption information to grant him access to such decryption information necessary to decrypt data required. In all cases, failure to comply is a criminal offence punishable by a fine not exceeding 10,000 SGD or to imprisonment for a term not exceeding 12 months or to both. In the case of a continuing offence, to a further fine not exceeding 100 SGD for every day or part of a day during which the offence continues after conviction.
A copy of the Income Tax Act can be found here.
A copy of the Goods and Services Tax Act can be found here.
A copy of the Property Tax Act can be found here.
Sections 48(2)(c) and 50(1)(d) of the Carbon Pricing Act provides a power to an authorised officer, in monitoring compliance with the Act, to require any person at a premises to provide them or grant them access to “any information, code, software or technology required to operate or access data” contained in particular computer, device or document and “to retransform, unscramble or decrypt data contained in such thing into readable and comprehensive format or text”.
Failure to comply is a criminal offence punishable by a fine not exceeding 10,000 SGD or to imprisonment for a term not exceeding 12 months or to both. In the case of a continuing offence, to a further fine not exceeding 100 SGD for every day or part of a day during which the offence continues after conviction.
A copy of the law can be found here.
Obligations on providers to assist authorities
Section 40 of the Criminal Procedure Code allows the Public Prosecutor, by order, to authorise a police officer or an authorised person to exercise certain powers to access decryption information. These are:
(a) to access any information, code or technology which has the capability of retransforming or unscrambling encrypted data into readable and comprehensible format or text for the purposes of investigating the arrestable offence;
(b) to require (i) any person whom he reasonably suspects of using a computer in connection with an arrestable offence or of having used it in this way; or (ii) any person having charge of, or otherwise concerned with the operation of, such computer, to provide him with such reasonable technical and other assistance as he may require for the purposes of paragraph (a); and
(c) require any person whom he reasonably suspects to be in possession of any decryption information to grant him access to such decryption information as may be necessary to decrypt any data required for the purposes of investigating the arrestable offence.
Failure to do so is a criminal offence punishable by up to three years’ imprisonment and/or a fine of up to 10,000 SGD.
A copy of the Code can be found here.
Section 13(1) of the Private Lotteries Act provides that where the Commissioner of Betting Duties has reasonable cause to believe that an offence under the Act has been committee, he (or any other officer of a public authority authorised by him), “may access any information, code or technology which has the capability of retransforming or unscrambling encrypted data contained in or available to such computers into readable and comprehensive format or text”. Section 13(1) also enables the person to search and seize, among other things, computers and other devices. The person may also require any person in charge of (or otherwise concerned with) the computer or device to provide them “with such reasonable assistance as he may require”; they may also require “any person in possession of decryption information to grant him access to such decryption information necessary to decrypt data required”.
Failure to comply is a criminal offence punishable by a fine of up to 1,000 SGD.
A copy of the law can be found here.
The Income Tax Act, the Goods and Services Tax Act, and the Property Tax Act all provide for similar powers for the relevant Comptrollers to have access to any information, code or technology which has the capability of retransforming or unscrambling encrypted data contained or available to such computers into readable and comprehensive format or text for any of the purposes of the relevant Act. The Comptrollers may also search and seize, among other things, computers and other devices; require any person in charge of (or otherwise concerned with) the computer or device to provide them reasonable assistance; and require any person in possession of decryption information to grant him access to such decryption information necessary to decrypt data required. In all cases, failure to comply is a criminal offence punishable by a fine not exceeding 10,000 SGD or to imprisonment for a term not exceeding 12 months or to both. In the case of a continuing offence, to a further fine not exceeding 100 SGD for every day or part of a day during which the offence continues after conviction.
A copy of the Income Tax Act can be found here.
A copy of the Goods and Services Tax Act can be found here.
A copy of the Property Tax Act can be found here.
Sections 48(2)(c) and 50(1)(d) of the Carbon Pricing Act provides a power to an authorised officer, in monitoring compliance with the Act, to require any person at a premises to provide them or grant them access to “any information, code, software or technology required to operate or access data” contained in particular computer, device or document and “to retransform, unscramble or decrypt data contained in such thing into readable and comprehensive format or text”.
Failure to comply is a criminal offence punishable by a fine not exceeding 10,000 SGD or to imprisonment for a term not exceeding 12 months or to both. In the case of a continuing offence, to a further fine not exceeding 100 SGD for every day or part of a day during which the offence continues after conviction.
A copy of the law can be found here.
Assessment Text Area
In Singapore, a police officer or an authorised person to exercise certain powers to access decryption information by the Public Prosecutor. Failure to do so is a criminal offence punishable by imprisonment and/or a fine. Comptrollers are also provided with the power to have access to any encrypted information, code or technology and require any person in charge of (or otherwise concerned with) the computer or device to provide them reasonable assistance; and require any person in possession of decryption information to grant access to decryption information necessary to decrypt data required.
Slovakia
Law and policy
General right to encryption
No known legislation or policies.
Mandatory minimum or maximum encryption strength
No known legislation or policies.
Licensing/registration requirements
No known legislation or policies.
Import/export controls
No known legislation or policies.
Other restrictions
No known legislation or policies.
Obligations on individuals to assist authorities
No known legislation or policies.
Obligations on providers to assist authorities
No known legislation or policies.
Assessment Text Area
Slovenia
Law and policy
General right to encryption
No known legislation or policies.
Mandatory minimum or maximum encryption strength
No known legislation or policies.
Licensing/registration requirements
No known legislation or policies.
Import/export controls
No known legislation or policies.
Other restrictions
No known legislation or policies.
Obligations on individuals to assist authorities
No known legislation or policies.
Obligations on providers to assist authorities
No known legislation or policies.
Assessment Text Area
Solomon Islands
Assessment
Law and policy
General right to encryption
No known legislation or policies.
Mandatory minimum or maximum encryption strength
No known legislation or policies.
Licensing/registration requirements
No known legislation or policies.
Import/export controls
No known legislation or policies.
Other restrictions
No known legislation or policies.
Obligations on individuals to assist authorities
No known legislation or policies.
Obligations on providers to assist authorities
Section 24(1) of the Counter-Terrorism Act 2009 allows the Minister responsible for National Security, for the prevention and detection of offences or the prosecution of offenders under the Act, to give such directions to communication service providers as they deem necessary. Under section 24(2), a direction given under this section must specify the maximum period the service provider may be required to retain communication data.
Under section 25, failure to comply with a direction under section 24 is a criminal offence, punishable with imprisonment of up to two years.
Section 97 of the Telecommunications Act 2009 requires any person who owns or controls a telecommunications network, to the extent technically feasible, to intercept and produce the transcripts of specified messages when directed to by a warrant issued by a court upon the application of the Prime Minister in the public interest.
A copy of the Counter-Terrorism Act 2009 can be found here.
A copy of the Telecommunications Act 2009 can be found here.
Assessment Text Area
In the Solomon Islands, the Minister responsible for National Security can direct communication service providers “as necessary” for the prevention and detection of offences or the prosecution of offenders. The law also requires those who own or operate telecommunications network, to the extent technically feasible, to intercept and produce the transcripts of specified messages when directed to by a warrant issued by a court upon the application of the Prime Minister.
Somalia
Law and policy
General right to encryption
No known legislation or policies.
Mandatory minimum or maximum encryption strength
No known legislation or policies.
Licensing/registration requirements
No known legislation or policies.
Import/export controls
No known legislation or policies.
Other restrictions
No known legislation or policies.
Obligations on individuals to assist authorities
No known legislation or policies.
Obligations on providers to assist authorities
No known legislation or policies.
Assessment Text Area
South Africa
Assessment
Law and policy
General right to encryption
No known legislation or policies.
Mandatory minimum or maximum encryption strength
No known legislation or policies.
Licensing/registration requirements
Section 29 of the Electronic Communications and Transactions Act 25 of 2002: establishes a register of all cryptography providers. Unless they are registered, a cryptography provide cannot provide cryptography products.
A copy of the law can be found here.
Import/export controls
No known legislation or policies.
Other restrictions
No known legislation or policies.
Obligations on individuals to assist authorities
Section 21 of the Regulation of Interception of Communications and Provision of Communication-Related Information Act 2002 allows for security and law enforcement agencies to make an application to a judge for a “decryption direction” which would compel a person to provide a decryption key (if they have it) or decryption assistance (access to the encrypted information or facilitate the putting of encrypted information into an intelligible form).
The judge may only make a decryption order if he or she is satisfied that particular communications consist of encrypted information, there is a specified decryption key holder in possession of the encrypted information and the key, and it is not reasonably practicable to obtain possession of the encrypted information in an intelligible form without issuing a decryption direction.
Failure to comply with a decryption direction is a criminal offence punishable, in the cases of natural persons, with up to ten years’ imprisonment or a fine of up to ZAR 2,000,000; and, for a legal person, a fine of up to ZAR 5,000,000.
A copy of the law can be found here.
Obligations on providers to assist authorities
Section 21 of the Regulation of Interception of Communications and Provision of Communication-Related Information Act 2002 allows for security and law enforcement agencies to make an application to a judge for a “decryption direction” which would compel a person to provide a decryption key (if they have it) or decryption assistance (access to the encrypted information or facilitate the putting of encrypted information into an intelligible form).
The judge may only make a decryption order if he or she is satisfied that particular communications consist of encrypted information, there is a specified decryption key holder in possession of the encrypted information and the key, and it is not reasonably practicable to obtain possession of the encrypted information in an intelligible form without issuing a decryption direction.
Failure to comply with a decryption direction is a criminal offence punishable, in the cases of natural persons, with up to ten years’ imprisonment or a fine of up to ZAR 2,000,000; and, for a legal person, a fine of up to ZAR 5,000,000.
A copy of the law can be found here.
Assessment Text Area
In South Africa, all cryptography providers must be registered. Security and law enforcement agencies to make an application to a judge for a “decryption direction” which would compel a person to provide a decryption key or assistance. Failure to comply is an offence punishable by imprisonment and/or a fine.
South Korea
Law and policy
General right to encryption
No known legislation or policies.
Mandatory minimum or maximum encryption strength
No known legislation or policies.
Licensing/registration requirements
No known legislation or policies.
Import/export controls
No known legislation or policies.
Other restrictions
No known legislation or policies.
Obligations on individuals to assist authorities
No known legislation or policies.
Obligations on providers to assist authorities
No known legislation or policies.
Assessment Text Area
South Sudan
Law and policy
General right to encryption
No known legislation or policies.
Mandatory minimum or maximum encryption strength
No known legislation or policies.
Licensing/registration requirements
No known legislation or policies.
Import/export controls
No known legislation or policies.
Other restrictions
No known legislation or policies.
Obligations on individuals to assist authorities
No known legislation or policies.
Obligations on providers to assist authorities
No known legislation or policies.
Assessment Text Area
Spain
Law and policy
General right to encryption
No known legislation or policies.
Mandatory minimum or maximum encryption strength
No known legislation or policies.
Licensing/registration requirements
No known legislation or policies.
Import/export controls
No known legislation or policies.
Other restrictions
No known legislation or policies.
Obligations on individuals to assist authorities
No known legislation or policies.
Obligations on providers to assist authorities
No known legislation or policies.
Assessment Text Area
Sri Lanka
Law and policy
General right to encryption
No known legislation or policies.
Mandatory minimum or maximum encryption strength
No known legislation or policies.
Licensing/registration requirements
No known legislation or policies.
Import/export controls
No known legislation or policies.
Other restrictions
No known legislation or policies.
Obligations on individuals to assist authorities
No known legislation or policies.
Obligations on providers to assist authorities
No known legislation or policies.
Assessment Text Area
Sudan
Law and policy
General right to encryption
No known legislation or policies.
Mandatory minimum or maximum encryption strength
No known legislation or policies.
Licensing/registration requirements
No known legislation or policies.
Import/export controls
No known legislation or policies.
Other restrictions
No known legislation or policies.
Obligations on individuals to assist authorities
No known legislation or policies.
Obligations on providers to assist authorities
No known legislation or policies.
Assessment Text Area
Suriname
Law and policy
General right to encryption
No known legislation or policies.
Mandatory minimum or maximum encryption strength
No known legislation or policies.
Licensing/registration requirements
No known legislation or policies.
Import/export controls
No known legislation or policies.
Other restrictions
No known legislation or policies.
Obligations on individuals to assist authorities
No known legislation or policies.
Obligations on providers to assist authorities
No known legislation or policies.
Assessment Text Area
Swaziland
Law and policy
General right to encryption
No known legislation or policies.
Mandatory minimum or maximum encryption strength
No known legislation or policies.
Licensing/registration requirements
No known legislation or policies.
Import/export controls
No known legislation or policies.
Other restrictions
No known legislation or policies.
Obligations on individuals to assist authorities
No known legislation or policies.
Obligations on providers to assist authorities
No known legislation or policies.
Assessment Text Area
Sweden
Law and policy
General right to encryption
No known legislation or policies.
Mandatory minimum or maximum encryption strength
No known legislation or policies.
Licensing/registration requirements
No known legislation or policies.
Import/export controls
No known legislation or policies.
Other restrictions
No known legislation or policies.
Obligations on individuals to assist authorities
No known legislation or policies.
Obligations on providers to assist authorities
No known legislation or policies.
Assessment Text Area
Switzerland
Assessment
Law and policy
General right to encryption
No known legislation or policies.
Mandatory minimum or maximum encryption strength
No known legislation or policies.
Licensing/registration requirements
No known legislation or policies.
Import/export controls
No known legislation or policies.
Other restrictions
No known legislation or policies.
Obligations on individuals to assist authorities
No known legislation or policies.
Obligations on providers to assist authorities
Article 26 of the Federal Act on the Surveillance of Post and Telecommunications requires that the providers of telecommunications services supply both the content and metadata of communications of the person under surveillance to the Post and Telecommunication Surveillance Service or other designated authority. Service providers must also provide the information required to carry out the surveillance (including content data and metadata of communications to and from the person under surveillance), grant immediate access to facilities, and remove any encryption they have applied.
A copy of the Federal Act on the Surveillance of Post and Telecommunications (SPTA) can be found here.
Assessment Text Area
There is currently no legislation in Switzerland regarding the general right to encryption, nor regulations on the strength of encryption technology, its licensing, or sale. However, Swiss law requires that providers of telecommunications services supply both the content and metadata of communications of the person under surveillance They must also provide the information required to carry out the surveillance, grant immediate access to facilities, and remove any encryption they have applied.
Syria
Assessment
Law and policy
General right to encryption
No known legislation or policies.
Mandatory minimum or maximum encryption strength
No known legislation or policies.
Licensing/registration requirements
Article 51(e) of the Telecommunication Law (Law No. 18 of 2010) prohibits telecommunications network operators, service providers, their affiliates, and the users of such services, from using encryption of telecommunications service devices without the approval of the Telecommunications Regulatory Authority, the Ministry of Defence and relevant security agencies.
A copy of the law can be found (in Arabic) here and in English here.
Import/export controls
No known legislation or policies.
Other restrictions
No known legislation or policies.
Obligations on individuals to assist authorities
No known legislation or policies.
Obligations on providers to assist authorities
Article 51(b) of the Telecommunication Law (Law No. 18 of 2010) requires all licensed telecommunications service providers to ensure that they have all necessary technical capabilities for installing and using interception and tracing equipment within their telecommunications networks to enable the security agencies to carry out their duties in realisation of national security requirements. Though this does not refer to encryption, it could be interpreted to require the service providers to be able to decrypt any encrypted communications.
A copy of the law can be found (in Arabic) here and in English here.
Assessment Text Area
In Syria, the use of encryption by telecommunications network operators, service providers, their affiliates, and the users of such services requires the approval of the Telecommunications Regulatory Authority, the Ministry of Defence and relevant security agencies. Telecommunications service providers are also required to ensure that they have all necessary technical capabilities for installing and using interception and tracing equipment within their telecommunications networks to enable the security agencies to carry out their duties. This could be interpreted as a requirement that the service providers be able to decrypt any encrypted communications.
Taiwan
Assessment
Law and policy
General right to encryption
No known legislation or policies.
Mandatory minimum or maximum encryption strength
No known legislation or policies.
Licensing/registration requirements
No known legislation or policies.
Import/export controls
No known legislation or policies.
Other restrictions
No known legislation or policies.
Obligations on individuals to assist authorities
No known legislation or policies.
Obligations on providers to assist authorities
Section 14 of the Communications Security and Surveillance Act provides that telecommunication companies are obligated to assist with communications surveillance. This includes providing communication surveillance related facilities for the use of the enforcement authority, and personnel assistance. Section 14 further requires that the communication systems of telecommunication companies be equipped with the functions required to provide surveillance assistance. However, its obligations are limited to having reasonable technology and economic development at the time of setup, and expectations should not exceed the possibilities. It is unclear whether this would also require telecommunications companies to decrypt communications.
A copy of the Communications Security and Surveillance Act can be found here.
Assessment Text Area
In Taiwan, there is currently no legislation guaranteeing the general right to encryption, nor regulations on the strength of encryption technology, its licensing, or sale. However, the country’s Communications Security and Surveillance Act obligates telecommunications companies to assist with communications surveillance. This includes providing facilities for the use of the enforcement authority, and personnel assistance. It is unclear whether this would also require telecommunications companies to decrypt communications.
Tajikistan
Law and policy
General right to encryption
No known legislation or policies.
Mandatory minimum or maximum encryption strength
No known legislation or policies.
Licensing/registration requirements
No known legislation or policies.
Import/export controls
No known legislation or policies.
Other restrictions
No known legislation or policies.
Obligations on individuals to assist authorities
No known legislation or policies.
Obligations on providers to assist authorities
No known legislation or policies.
Assessment Text Area
Tanzania
Assessment
Law and policy
General right to encryption
No known legislation or policies.
Mandatory minimum or maximum encryption strength
No known legislation or policies.
Licensing/registration requirements
No known legislation or policies.
Import/export controls
No known legislation or policies.
Other restrictions
No known legislation or policies.
Obligations on individuals to assist authorities
Section 32 of the Cybercrimes Act, 2015 provides that a law enforcement officer may apply to the court for an order compelling a person to submit specific data that is in their possession or control, or a service provider to submit subscriber information in their possession or control, when required for an investigation or prosecution of an offence.
While encryption is not explicitly mentioned within the law, section 32 provides that where any material to which an investigation relates consists of data stored in a computer system or device, the request shall be deemed to require the person to produce or give access to it in a form which it is legible and can be taken away.
Section 22 provides that any person who intentionally and unlawfully prevents the execution or fails to comply with an order commits an offence and is liable to a fine of not less than three million shillings or to imprisonment for a term of not less than one year or to both.
These broad procedural powers could be interpreted as requiring persons (whether natural or legal) to provide access to encrypted data.
A copy of the Cybercrimes Act, 2015 can be found here.
Obligations on providers to assist authorities
Section 32 of the Cybercrimes Act, 2015 provides that a law enforcement officer may apply to the court for an order compelling a person to submit specific data that is in their possession or control, or a service provider to submit subscriber information in their possession or control, when required for an investigation or prosecution of an offence.
While encryption is not explicitly mentioned within the law, section 32 provides that where any material to which an investigation relates consists of data stored in a computer system or device, the request shall be deemed to require the person to produce or give access to it in a form which it is legible and can be taken away.
Section 22 provides that any person who intentionally and unlawfully prevents the execution or fails to comply with an order commits an offence and is liable to a fine of not less than three million shillings or to imprisonment for a term of not less than one year or to both.
These broad procedural powers could be interpreted as requiring persons (whether natural or legal) to provide access to encrypted data.
A copy of the Cybercrimes Act, 2015 can be found here.
Assessment Text Area
There is currently no legislation in Tanzania regarding the general right to encryption, nor regulations on the strength of encryption technology, its licensing, or sale. However, the country’s cybercrime act allows law enforcement officers to apply for a court order to compel a person or service provider to submit data for the purposes of an investigation or prosecution of an offence. While encryption is not explicitly mentioned in the law, the broad procedural powers of the law could be interpreted as requiring persons (whether natural or legal) or service providers to provide access to encrypted data.
Thailand
Assessment
Law and policy
General right to encryption
No known legislation or policies.
Mandatory minimum or maximum encryption strength
No known legislation or policies.
Licensing/registration requirements
No known legislation or policies.
Import/export controls
No known legislation or policies.
Other restrictions
No known legislation or policies.
Obligations on individuals to assist authorities
Section 18 of the Computer Crimes Act 2007, as amended by the Computer Crimes Act (No. 2) 2017, grants authorities designated by a government minister various powers in relation to the investigation and inquiry of potential offences under the Act, but only to the extent necessary for the for the production of evidence concerning the commission of the crime and for the identification of the person responsible. These include the power to decrypt computer data of any person, or to order persons concerning the encryption of computer data to conduct decryption or to provide cooperation to competent authorities with respect to the said decryption. Under section 19, the competent authority must obtain a court order authorising the use of the power.
Failure to comply with such an order is a criminal offence, punishable with a fine of up to 200,000 THB and a further daily fine of up to THB 5,000 until they have so complied.
A copy of the law (in Thai) can be found here and an English translation of the law can be found here.
Obligations on providers to assist authorities
Section 18 of the Computer Crimes Act 2007, as amended by the Computer Crimes Act (No. 2) 2017, grants authorities designated by a government minister various powers in relation to the investigation and inquiry of potential offences under the Act, but only to the extent necessary for the for the production of evidence concerning the commission of the crime and for the identification of the person responsible. These include the power to decrypt computer data of any person, or to order persons concerning the encryption of computer data to conduct decryption or to provide cooperation to competent authorities with respect to the said decryption. Under section 19, the competent authority must obtain a court order authorising the use of the power.
Failure to comply with such an order is a criminal offence, punishable with a fine of up to 200,000 THB and a further daily fine of up to 5,000 THB until they have so complied.
A copy of the law (in Thai) can be found here and an English translation of the law can be found here.
Assessment Text Area
In Thailand, authorities designated by a government minister, and in possession of a court order, have the power to decrypt computer data of any person, or to order persons concerning the encryption of computer data to conduct decryption or to provide cooperation to competent authorities with respect to the said decryption.
Timor-Leste
Law and policy
General right to encryption
No known legislation or policies.
Mandatory minimum or maximum encryption strength
No known legislation or policies.
Licensing/registration requirements
No known legislation or policies.
Import/export controls
No known legislation or policies.
Other restrictions
No known legislation or policies.
Obligations on individuals to assist authorities
No known legislation or policies.
Obligations on providers to assist authorities
No known legislation or policies.
Assessment Text Area
Togo
Law and policy
General right to encryption
No known legislation or policies.
Mandatory minimum or maximum encryption strength
No known legislation or policies.
Licensing/registration requirements
No known legislation or policies.
Import/export controls
No known legislation or policies.
Other restrictions
No known legislation or policies.
Obligations on individuals to assist authorities
No known legislation or policies.
Obligations on providers to assist authorities
No known legislation or policies.
Assessment Text Area
Tonga
Assessment
Law and policy
General right to encryption
No known legislation or policies.
Mandatory minimum or maximum encryption strength
No known legislation or policies.
Licensing/registration requirements
No known legislation or policies.
Import/export controls
No known legislation or policies.
Other restrictions
No known legislation or policies.
Obligations on individuals to assist authorities
Section 9 of the Computer Crimes Act allows for a Magistrate to issue a warrant to a police officer to search and seize computers, computer systems, and computer data or data storage medium if there are reasonable grounds to suspect that they may be material evidence in proving a criminal offence or acquired by a person as a result of a criminal offence.
Under section 10(1)(d), a person who is in possession or control of a computer, computer system, computer data or data storage medium that is the subject of a search under section 9 must permit, and, if required, assist the person making the search to obtain an intelligible output from a computer system in a format that can be read.
Failure to do so is a criminal offence punishable by up to two years’ imprisonment, a fine of up to 10,000 TOP, or both.
A copy of the law can be found here.
Obligations on providers to assist authorities
Section 14 of the Computer Crimes Act provides that where a Magistrate is satisfied on the evidence that there are reasonable grounds to suspect that the content of electronic communications is reasonably required for the purposes of a criminal investigation, they may order an internet service provider to collect or record the content of specified electronic communications (or assist authorities with collecting or recording this data), and to authorise any police officer to collect or record that data through application of technical means.
Section 17 provides that it is a criminal offence for an internet service provider to disclose the fact that an order has been made, anything has been done under that order, and any data that has been collected or recorded under that order, punishable by up to 10 years’ imprisonment, a fine of up to 50,000 TOP, or both.
A copy of the law can be found here.
Assessment Text Area
In Tonga, a Magistrate can authorise any police officer to collect or record that data through application of technical means. It is a criminal offence for an internet service provider to disclose the fact that an order has been made, anything has been done under that order, and any data that has been collected or recorded under that order.
Trinidad and Tobago
Assessment
Law and policy
General right to encryption
No known legislation or policies.
Mandatory minimum or maximum encryption strength
No known legislation or policies.
Licensing/registration requirements
No known legislation or policies.
Import/export controls
No known legislation or policies.
Other restrictions
No known legislation or policies.
Obligations on individuals to assist authorities
Section 15(1) of the Interception of Communications Act provides that where an authorised officer has come into the possession of an encrypted communication by virtue of a warrant, or is likely to do so, and the officer has reasonable grounds to believe that a key to the communication is in the possession of a person and disclosure of that key is necessary for the purposes of the investigation under which the warrant was issued, the officer may apply to a judge for an order requiring that person to provide disclosure of the encrypted communication.
Under section 15(4), the judge must consider the extent and nature of any protected communication, the key to which is the same as that to the intercepted communication, and any adverse effect that complying with the order might have on a business carried on by the person to whom the order is addressed. Any order must require only such disclosure as is proportionate to what is sought to be achieved, allowing, where appropriate, for disclosure in such manner as would result in the putting of the communication in intelligible form other than by disclosure of the key itself.
Failure to comply with a disclosure order is a criminal offence, punishable by up to one year’s imprisonment and a fine of up to TTD 5,000.
A copy of the law can be found here.
Section 16 of the Computer Misuse Act applies in relation to offences committee under the Computer Misuse Act or about to be so committed. Section 16(2) allows a magistrate to issue a search warrant to a police officer where there are reasonable grounds for believing that an offence under the Act has been or is about to be committed in any place and that evidence that such an offence has been or is about to be committed is in that place. Under section 16(4), any such warrant allows the police officer to seize any computer, data, program, information, document or thing if he reasonably believes that it is evidence that an offence under the Act has been or is about to be committed.
Under section 16(5)(a)(iii), that a police officer executing a search warrant must be given access to “any information, code or technology which has the capability of retransforming or unscrambling encrypted program or data held in or available to such computer into readable and comprehensible format or text for the purpose of investigating any offence under this Act or any other offence which has been disclosed in the course of the lawful exercise of the powers under this section.” Section 16(5)(c) provides that the police officer may also require “any person in possession of decryption information to grant him or the authorised person access to such decryption information necessary to decrypt data required for the purpose of investigating an offence.”
Failure to comply with such a request is a criminal offence punishable with up to two years’ imprisonment and a fine of TTD 15,000.
A copy of the law can be found here.
Obligations on providers to assist authorities
Section 15(1) of the Interception of Communications Act provides that where an authorised officer has come into the possession of an encrypted communication by virtue of a warrant, or is likely to do so, and the officer has reasonable grounds to believe that a key to the communication is in the possession of a person and disclosure of that key is necessary for the purposes of the investigation under which the warrant was issued, the officer may apply to a judge for an order requiring that person to provide disclosure of the encrypted communication.
Under section 15(4), the judge must consider the extent and nature of any protected communication, the key to which is the same as that to the intercepted communication, and any adverse effect that complying with the order might have on a business carried on by the person to whom the order is addressed. Any order must require only such disclosure as is proportionate to what is sought to be achieved, allowing, where appropriate, for disclosure in such manner as would result in the putting of the communication in intelligible form other than by disclosure of the key itself.
Failure to comply with a disclosure order is a criminal offence, punishable by up to one year’s imprisonment and a fine of up to TTD 5,000.
A copy of the law can be found here.
Section 16 of the Computer Misuse Act applies in relation to offences committee under the Computer Misuse Act or about to be so committed. Section 16(2) allows a magistrate to issue a search warrant to a police officer where there are reasonable grounds for believing that an offence under the Act has been or is about to be committed in any place and that evidence that such an offence has been or is about to be committed is in that place. Under section 16(4), any such warrant allows the police officer to seize any computer, data, program, information, document or thing if he reasonably believes that it is evidence that an offence under the Act has been or is about to be committed.
Under section 16(5)(a)(iii), that a police officer executing a search warrant must be given access to “any information, code or technology which has the capability of retransforming or unscrambling encrypted program or data held in or available to such computer into readable and comprehensible format or text for the purpose of investigating any offence under this Act or any other offence which has been disclosed in the course of the lawful exercise of the powers under this section.” Section 16(5)(c) provides that the police officer may also require “any person in possession of decryption information to grant him or the authorised person access to such decryption information necessary to decrypt data required for the purpose of investigating an offence.”
Failure to comply with such a request is a criminal offence punishable with up to two years’ imprisonment and a fine of TTD 15,000.
A copy of the law can be found here.
Assessment Text Area
An authorised officer in the course of an investigation may apply to a judge for an order requiring that person to provide disclosure of encrypted communication. A magistrate can also issue a search warrant to a police officer to be given access to any information, code or technology which has the capability of retransforming or unscrambling encrypted program or data held in or available to such computer into readable and comprehensible format or text for the purpose of investigating any offence. The officer may also require any person in possession of decryption information to grant him or the authorised person access to such decryption information necessary to decrypt data required for the purpose of investigating an offence.
Tunisia
Assessment
Law and policy
General right to encryption
No known legislation or policies.
Mandatory minimum or maximum encryption strength
No known legislation or policies.
Licensing/registration requirements
Article 9 of the Telecommunications Code provides that the government may, by decree, set out the conditions and procedures for the use of encryption facilities or services through public telecommunications networks and the exercise of related activities. Article 4 of Decree N° 2008-2639 dated 21 July 2008 regulates the importation and commercialisation of encryption systems for telecommunications networks and provides that the National Agency of Digital Certification is responsible for technical approval of the commercialisation and importation of such systems. Article 7 of the Decree provides that Centre for Studies and Researches of Telecommunications, comprising members appointed by the Minister of Communications, is responsible for administrative approval of the the commercialisation and importation of systems.
Article 3 sets out exceptions to these general requirements for technical and administrative approval. These are those that have already been approved by the National Agency of Digital Certification under Article 4, as set out in a list published by the Agency, and those imported by business enterprises for their own purposes and for temporary use, with a list of such enterprises published by the Agency. Additionally, Article 1 provides that the Decree does not apply to encryption used to transmit data through telecommunications networks, nor to any encryption used by the Ministries of National Defence, the Interior, or Foreign Affairs, or by diplomatic and consular missions in Tunisia.
The use, manufacture, import, expert, selling or distribution of cryptographic means or services in violation of the requirements of the decree is a criminal offence, punishable by up to six months’ imprisonment, a fine of between 1,000 and 5,000 TND, or both.
A copy of the Code in Arabic can be found here and in French here.
A copy of the decree in English, French and Arabic can be found here.
Import/export controls
Article 9 of the Telecommunications Code provides that the government may, by decree, set out the conditions and procedures for the use of encryption facilities or services through public telecommunications networks and the exercise of related activities. Article 4 of Decree N° 2008-2639 dated 21 July 2008 regulates the importation and commercialisation of encryption systems for telecommunications networks and provides that the National Agency of Digital Certification is responsible for technical approval of the commercialisation and importation of such systems. Article 7 of the Decree provides that Centre for Studies and Researches of Telecommunications, comprising members appointed by the Minister of Communications, is responsible for administrative approval of the the commercialisation and importation of systems.
Article 3 sets out exceptions to these general requirements for technical and administrative approval. These are those that have already been approved by the National Agency of Digital Certification under Article 4, as set out in a list published by the Agency, and those imported by business enterprises for their own purposes and for temporary use, with a list of such enterprises published by the Agency. Additionally, Article 1 provides that the Decree does not apply to encryption used to transmit data through telecommunications networks, nor to any encryption used by the Ministries of National Defence, the Interior, or Foreign Affairs, or by diplomatic and consular missions in Tunisia.
The use, manufacture, import, expert, selling or distribution of cryptographic means or services in violation of the requirements of the decree is a criminal offence, punishable by up to six months’ imprisonment, a fine of between 1,000 and 5,000 TND, or both.
A copy of the Code in Arabic can be found here and in French here.
A copy of the decree in English, French and Arabic can be found here.
Other restrictions
No known legislation or policies.
Obligations on individuals to assist authorities
No known legislation or policies.
Obligations on providers to assist authorities
No known legislation or policies.
Assessment Text Area
In Tunisia, the use of encryption facilities or services through public telecommunications networks is regulated by the country’s Telecommunications Code. The law also regulates the importation and commercialisation of encryption systems for telecommunications networks and requires the government’s approval of the commercialisation and importation of such systems. The conditions and exceptions to these general requirements for technical and administrative approval is listed in the regulation.
Turkey
Law and policy
General right to encryption
No known legislation or policies.
Mandatory minimum or maximum encryption strength
No known legislation or policies.
Licensing/registration requirements
No known legislation or policies.
Import/export controls
No known legislation or policies.
Other restrictions
No known legislation or policies.
Obligations on individuals to assist authorities
No known legislation or policies.
Obligations on providers to assist authorities
No known legislation or policies.
Assessment Text Area
Turkmenistan
Law and policy
General right to encryption
No known legislation or policies.
Mandatory minimum or maximum encryption strength
No known legislation or policies.
Licensing/registration requirements
No known legislation or policies.
Import/export controls
No known legislation or policies.
Other restrictions
No known legislation or policies.
Obligations on individuals to assist authorities
No known legislation or policies.
Obligations on providers to assist authorities
No known legislation or policies.
Assessment Text Area
Tuvalu
Assessment
Law and policy
General right to encryption
No known legislation or policies.
Mandatory minimum or maximum encryption strength
No known legislation or policies.
Licensing/registration requirements
No known legislation or policies.
Import/export controls
No known legislation or policies.
Other restrictions
No known legislation or policies.
Obligations on individuals to assist authorities
Section 61(1)(p) of the Police Powers and Duties Act 2009 provides that police officers, under a warrant, have the power to direct a person to provide any password so that the police officer may access to a computer to either examine or copy the information related to the commission of an offence. Section 61(2) clarifies that “computer” includes any electronic device upon which information may be stored and “password” means any information that a person needs to access and read information stored on a computer.
A copy of the law can be found here.
Obligations on providers to assist authorities
No known legislation or policies.
Assessment Text Area
In Tuvalu, police officers, under a warrant, have the power to direct a person to provide any password (any information that a person needs to access and read information stored on a computer) so that the police officer may access to a computer to either examine or copy the information related to the commission of an offence.
Uganda
Assessment
Law and policy
General right to encryption
No known legislation or policies.
Mandatory minimum or maximum encryption strength
No known legislation or policies.
Licensing/registration requirements
No known legislation or policies.
Import/export controls
No known legislation or policies.
Other restrictions
No known legislation or policies.
Obligations on individuals to assist authorities
Section 10(1) of Regulation of Interception of Communications Act, 2010 allows the security and law enforcement agencies to impose “disclosure requirements” to persons in respect of encrypted information where they believe that a key to encrypted information is in the possession of that person, and that a disclosure requirement is necessary for in the interests of national security, to prevent or detect a criminal offence which puts a person’s life at risk, to prevent or detect an offence of drug trafficking or human trafficking, or in the interests of the country’s economic wellbeing.
A person subject to a disclosure requirement use any key in their possession to get access to the information and disclosure it in an intelligible form (s. 10(4)). If the person no longer possess the key but has information that will facilitate the obtaining or discovery of the key, they must disclose that information to the agency (s. 10(5)).
Failure to comply with a disclosure requirement is a criminal offence, punishable with up to five years’ imprisonment, a fine, or both.
A copy of the law can be found here.
Obligations on providers to assist authorities
Section 10(1) of Regulation of Interception of Communications Act, 2010 allows the security and law enforcement agencies to impose “disclosure requirements” to persons in respect of encrypted information where they believe that a key to encrypted information is in the possession of that person, and that a disclosure requirement is necessary for in the interests of national security, to prevent or detect a criminal offence which puts a person’s life at risk, to prevent or detect an offence of drug trafficking or human trafficking, or in the interests of the country’s economic wellbeing.
A person subject to a disclosure requirement use any key in their possession to get access to the information and disclosure it in an intelligible form (s. 10(4)). If the person no longer possess the key but has information that will facilitate the obtaining or discovery of the key, they must disclose that information to the agency (s. 10(5)).
Failure to comply with a disclosure requirement is a criminal offence, punishable with up to five years’ imprisonment, a fine, or both.
A copy of the law can be found here.
Assessment Text Area
In Uganda, the security and law enforcement agencies can impose “disclosure requirements” to persons in respect of encrypted information where they believe that a key to encrypted information is in the possession of that person, and that a disclosure requirement is necessary for in the interests of national security, to prevent or detect a criminal offence which puts a person’s life at risk, to prevent or detect an offence of drug trafficking or human trafficking, or in the interests of the country’s economic wellbeing.
Ukraine
Law and policy
General right to encryption
No known legislation or policies.
Mandatory minimum or maximum encryption strength
No known legislation or policies.
Licensing/registration requirements
No known legislation or policies.
Import/export controls
No known legislation or policies.
Other restrictions
No known legislation or policies.
Obligations on individuals to assist authorities
No known legislation or policies.
Obligations on providers to assist authorities
No known legislation or policies.
Assessment Text Area
United Arab Emirates
Law and policy
General right to encryption
No known legislation or policies.
Mandatory minimum or maximum encryption strength
No known legislation or policies.
Licensing/registration requirements
No known legislation or policies.
Import/export controls
No known legislation or policies.
Other restrictions
While the legal basis is unknown, the Telecommunications Regulatory Authority has banned a number of Voice over Internet Protocol providers which use encryption, including Skype and WhatsApp.
Obligations on individuals to assist authorities
No known legislation or policies.
Obligations on providers to assist authorities
No known legislation or policies.
Assessment Text Area
United Kingdom
Assessment
Law and policy
General right to encryption
No known legislation or policies.
Mandatory minimum or maximum encryption strength
No known legislation or policies.
Licensing/registration requirements
No known legislation or policies.
Import/export controls
No known legislation or policies.
Other restrictions
No known legislation or policies.
Obligations on individuals to assist authorities
Section 49 of the Regulation of Investigatory Powers Act 2000 contains powers for the security and law enforcement agencies in relation to “protected information” i.e. electronic data which, without the key to the data, cannot, or cannot readily, be accessed or put into an intelligible form.
Where protected information has come into the hands of an agency, they may, usually with a requirement for written permission from a judge, impose a disclosure requirement upon a person if they reasonably believe that:
- a key to the protected information is in the possession of a person;
- that a disclosure requirement in respect of the protected information is necessary in the interests of national security, for the purpose of preventing or detecting crime, in the interests of the economic well-being of the United Kingdom, or to secure the effective exercise or proper performance of any statutory power or duty;
- that a disclosure requirement is proportionate to what is sought to be achieved by its imposition; and
- it is not reasonably for the person with the appropriate permission to obtain possession of the protected information in an intelligible form without a disclosure requirement.
Under section 50, where a disclosure requirement has been made, the person to whom it is directed must use any key in his possession to obtain access to the information, or to put it into an intelligible form, and make a disclosure of the information in an intelligible form. Alternatively, the person can disclosure the key itself.
Failure to comply with a disclosure requirement is a criminal offence punishable in ordinary cases by imprisonment of up to two years’, a fine, or both. In cases involving national security or child indecency, the punishment is imprisonment of up to five years’, a fine, or both.
A copy of the Regulation of Investigatory Powers Act 2000 can be found here.
Obligations on providers to assist authorities
Under section 253 of the Investigatory Powers Act 2016, the Secretary of State may give a telecommunications service provider a ‘technical capability notice’. Such a notice may impose on the provider any applicable obligations specified, and require them to take all steps specified in order to comply with those obligations. A technical capability notice may be issued if three requirements are met (s. 253(2)).
First, the Secretary of State must considers that the notice is necessary to ensure that the provider has the capability to provide any assistance that they may be required to provide in relation to interception, obtaining communications data or equipment interference authorised by the Act (s. 253(1)(a)).
Second, the Secretary of State must considers that the conduct required by the notice is proportionate to what is sought to be achieved by that conduct (s. 253(1)(b)).
Third, the decision to give the notice must have been approved by a Judicial Commissioner. A Judicial Commissioner is a specially appointed judge, and, when deciding whether to approve a notice, must consider whether the notice is necessary and proportionate (s. 253(1)(c)).
The obligations that can be included in a technical capability notice are to set out in secondary legislation, the Investigatory Powers (Technical Capability) Regulations 2018. While the Regulations don’t explicitly refer to the ability to decrypt communications, they do include the capability to “disclose the content of communications or secondary data in an intelligible form where reasonably practicable” and to “remove electronic protection applied by or on behalf of the telecommunications operator to the communications or data where reasonably practicable”.
Where the Secretary of State is considering whether to issue a notice which requires the removal of electronic protection, they must take into account the technical feasibility and likely cost of compliance. (s. 255(4)).
Failure to comply with obligations in a technical capability notice is not a criminal offence, but can be enforced through the civil courts.
Section 49 of the Regulation of Investigatory Powers Act 2000 contains powers for the security and law enforcement agencies in relation to “protected information” i.e. electronic data which, without the key to the data, cannot, or cannot readily, be accessed or put into an intelligible form.
Where protected information has come into the hands of an agency, they may, usually with a requirement for written permission from a judge, impose a disclosure requirement upon a person if they reasonably believe that:
- a key to the protected information is in the possession of a person;
- that a disclosure requirement in respect of the protected information is necessary in the interests of national security, for the purpose of preventing or detecting crime, in the interests of the economic well-being of the United Kingdom, or to secure the effective exercise or proper performance of any statutory power or duty;
- that a disclosure requirement is proportionate to what is sought to be achieved by its imposition; and
- it is not reasonably for the person with the appropriate permission to obtain possession of the protected information in an intelligible form without a disclosure requirement.
Under section 50, where a disclosure requirement has been made, the person to whom it is directed must use any key in his possession to obtain access to the information, or to put it into an intelligible form, and make a disclosure of the information in an intelligible form. Alternatively, the person can disclosure the key itself.
Failure to comply with a disclosure requirement is a criminal offence punishable in ordinary cases by imprisonment of up to two years’, a fine, or both. In cases involving national security or child indecency, the punishment is imprisonment of up to five years’, a fine, or both.
A copy of the Investigatory Powers Act 2016 can be found here.
A copy of the Investigatory Powers (Technical Capability) Regulations 2018 can be found here.
A copy of the Regulation of Investigatory Powers Act 2000 can be found here.
Assessment Text Area
In the United Kingdom, telecommunication service providers may be served with a ‘technical capability notice’ by the Secretary of State who must ensure certain requirements are met. These notices impose on the provider any applicable obligations specified, and require them to take all steps specified in order to comply with those obligations. The obligations that can be included in a technical capability notice are to set out in secondary legislation and capability to decrypt encrypted data. Where the Secretary of State is considering whether to issue a notice which requires the removal of electronic protection, they must take into account the technical feasibility and likely cost of compliance. Failure to comply with obligations in a technical capability notice is not a criminal offence, but can be enforced through the civil courts. Security and law enforcement agencies, with a requirement for written permission from a judge, may also impose disclosure requirements to allow for access to encrypted data, subject to certain criteria. Failure to comply with a disclosure requirement is a criminal offence punishable in by imprisonment, a fine, or both.
United States of America
Assessment
Law and policy
General right to encryption
No known legislation or policies.
Mandatory minimum or maximum encryption strength
No known legislation or policies.
Licensing/registration requirements
No known legislation or policies.
Import/export controls
The International Traffic in Arms Regulations (ITAR) and the Export Administration Regulations (EAR) both impose controls on the export of certain forms of encryption.
Other restrictions
No known legislation or policies.
Obligations on individuals to assist authorities
No known legislation or policies.
Obligations on providers to assist authorities
There is no legislative power which can be used to require telecommunication or online service providers to facilitate the decryption of encrypted communications.
However, section 103(a) of the Communications Assistance for Law Enforcement Act of 1994 requires all telecommunications carriers to ensure that their equipment, facilities or services that provide a customer or subscriber with the ability to originate, terminate or direct communications have certain capabilities. These include interception of communications and delivering intercepted communications to the government, where the government obtains a court order or there is some other lawful authorisation. This means that telecommunications carriers cannot use encryption themselves in a way which would prevent them from being able to intercept communications or deliver them to the government. Section 103(b)(3) does, however, provide that telecommunications carriers cannot be required to decrypt, or to ensure the government’s ability to decrypt, any communications which are encrypted by the subscriber or customer unless the encryption was provided by the carrier and they are able to decrypt it.
A copy of the law can be found here.
Assessment Text Area
In the United States, the law imposes controls on the export of certain forms of encryption. There is no legislative power which can be used to require telecommunication or online service providers to facilitate the decryption of encrypted communications. However, all telecommunications carriers are required to ensure that their equipment, facilities or services that provide a customer or subscriber with the ability to originate, terminate or direct communications have certain capabilities which includes interception of communications and delivering intercepted communications to the government, where the government obtains a court order or there is some other lawful authorisation. Telecommunications carriers however cannot be required to decrypt, or to ensure the government’s ability to decrypt, any communications which are encrypted by the subscriber or customer unless the encryption was provided by the carrier and they are able to decrypt it.
Uruguay
Law and policy
General right to encryption
No known legislation or policies.
Mandatory minimum or maximum encryption strength
No known legislation or policies.
Licensing/registration requirements
No known legislation or policies.
Import/export controls
No known legislation or policies.
Other restrictions
No known legislation or policies.
Obligations on individuals to assist authorities
No known legislation or policies.
Obligations on providers to assist authorities
No known legislation or policies.
Assessment Text Area
Uzbekistan
Law and policy
General right to encryption
No known legislation or policies.
Mandatory minimum or maximum encryption strength
No known legislation or policies.
Licensing/registration requirements
No known legislation or policies.
Import/export controls
No known legislation or policies.
Other restrictions
No known legislation or policies.
Obligations on individuals to assist authorities
No known legislation or policies.
Obligations on providers to assist authorities
No known legislation or policies.
Assessment Text Area
Vanuatu
Assessment
Law and policy
General right to encryption
Section 24(2) of the Electronic Transactions Act provides that, subject to any regulations made under section 24(1), it is lawful for a person to use any encryption program or other encryption product if it has lawfully come into the possession of that person.
A copy of the law can be found here.
Mandatory minimum or maximum encryption strength
No known legislation or policies.
Licensing/registration requirements
Section 24(1) of the Electronic Transactions Act allows the Minister to make regulations in relation to the use, import and export of encryption programmes and products, and to prohibit the export of encryption programmes and products. None, however, appear to have been made.
A copy of the law can be found here.
Import/export controls
Section 24(1) of the Electronic Transactions Act allows the Minister to make regulations in relation to the use, import and export of encryption programmes and products, and to prohibit the export of encryption programmes and products. None, however, appear to have been made.
A copy of the law can be found here.
Other restrictions
No known legislation or policies.
Obligations on individuals to assist authorities
No known legislation or policies.
Obligations on providers to assist authorities
No known legislation or policies.
Assessment Text Area
The law stipulates that is lawful for a person to use any encryption program or other encryption product if it has lawfully come into the possession of that person. It also allows the Minister to make regulations in relation to the use, import and export of encryption programmes and products, and to prohibit the export of encryption programmes and products. None, however, appear to have been made.
Vatican City
Law and policy
General right to encryption
No known legislation or policies.
Mandatory minimum or maximum encryption strength
No known legislation or policies.
Licensing/registration requirements
No known legislation or policies.
Import/export controls
No known legislation or policies.
Other restrictions
No known legislation or policies.
Obligations on individuals to assist authorities
No known legislation or policies.
Obligations on providers to assist authorities
No known legislation or policies.
Assessment Text Area
Venezuela
Law and policy
General right to encryption
No known legislation or policies.
Mandatory minimum or maximum encryption strength
No known legislation or policies.
Licensing/registration requirements
No known legislation or policies.
Import/export controls
No known legislation or policies.
Other restrictions
No known legislation or policies.
Obligations on individuals to assist authorities
No known legislation or policies.
Obligations on providers to assist authorities
No known legislation or policies.
Assessment Text Area
Vietnam
Assessment
Law and policy
General right to encryption
No known legislation or policies.
Mandatory minimum or maximum encryption strength
No known legislation or policies.
Licensing/registration requirements
Article 31 of the Law on Network Information Security requires businesses trading in civil encryption products (defined as encryption products, technical equipment and cryptographic skills) to obtain a licence to do so from the Government Cipher Committee.
To obtain a licence, a business must meet various criteria relating to staff skills, appropriate equipment and facilities, feasible technical and sales plans, a plan for network information confidentiality and security for the process, management and supply of cryptographic products, and an appropriate business plan.
A copy of the law (in Vietnamese) can be found here and in English here.
Import/export controls
Article 34 of the Law on Network Information Security provides that the importation or exportation of cryptographic products by a company requires a licence. In order to obtain a licence, a company must hold a licence to trade in civil cryptographic products, the products must be certified as conforming with standards and norms of network information security, and the the subject and purpose of using the civil cryptographic product must not cause damage to national defence, security and social discipline and safety.
A copy of the law (in Vietnamese) can be found here and in English here.
Other restrictions
Article 36 of the Law on Network Information Security requires organisations and individuals using a civil cryptographic product which is provided by a provider not licensed for trading in civil cryptographic products to declare it with the Government Cipher Committee. There are exceptions for diplomatic agencies, foreign consulates and representative agencies of intergovernmental organisations in Vietnam.
A copy of the law (in Vietnamese) can be found here and in English here.
Obligations on individuals to assist authorities
Article 36 of the Law on Network Information Security requires individuals to provide information relating to cryptographic keys to competent state bodies upon request, as well as to cooperate with and help competent state bodies take measures to prevent crimes involving stealing information or cryptographic keys, or using civil cryptographic products, for illegal purposes.
A copy of the law (in Vietnamese) can be found here and in English here.
Obligations on providers to assist authorities
Article 36 of the Law on Network Information Security requires organisations to provide information relating to cryptographic keys to competent state bodies upon request, as well as to cooperate with and help competent state bodies take measures to prevent crimes involving stealing information or cryptographic keys, or using civil cryptographic products, for illegal purposes.
A copy of the law (in Vietnamese) can be found here and in English here.
Assessment Text Area
The law requires anyone trading in civil encryption products (defined as encryption products, technical equipment and cryptographic skills) to meet certain requirements and to obtain a licence to do so from the government. The law also requires a license for the importation or exportation of cryptographic products. Individuals are required to provide information relating to cryptographic keys to competent state bodies upon request, as well as to cooperate with and help competent state bodies take measures to prevent crimes involving stealing information or cryptographic keys, or using civil cryptographic products, for illegal purposes.
Yemen
Law and policy
General right to encryption
No known legislation or policies.
Mandatory minimum or maximum encryption strength
No known legislation or policies.
Licensing/registration requirements
No known legislation or policies.
Import/export controls
No known legislation or policies.
Other restrictions
No known legislation or policies.
Obligations on individuals to assist authorities
No known legislation or policies.
Obligations on providers to assist authorities
No known legislation or policies.
Assessment Text Area
Zambia
Assessment
Law and policy
General right to encryption
Section 85 of the Electronic Communications and Transactions Act, 2009 provides that individuals may use encryption, regardless of the algorithm, key length or implementation technique or medium, provided that they do so in accordance with the Act.
A copy of the law can be found here.
Mandatory minimum or maximum encryption strength
No known legislation or policies.
Licensing/registration requirements
Sections 22 and 23 Electronic Communications and Transactions Act, 2009 establish a register of all cryptography providers. Unless they are registered with the Communications Authority, a person cannot provide cryptograph services or products.
Provision of cryptograph services or productions without registration is a criminal offence, punishable by imprisonment for up to seven years, a fine of up to 700,000 penalty units (210,000 ZMK) or both.
A copy of the law can be found here.
Import/export controls
No known legislation or policies.
Other restrictions
Section 85 of the Electronic Communications and Transactions Act, 2009 creates a criminal offence of using encryption to obstruct or impede a law enforcement officer, or to interfere with the performance by a law enforcement officer of any functions under the Act, punishable by up to two years’ imprisonment, a fine of up to 200,000 penalty units (60,000 ZMK), or both.
A copy of the law can be found here.
Obligations on individuals to assist authorities
No known legislation or policies.
Obligations on providers to assist authorities
No known legislation or policies.
Assessment Text Area
The law in Zambia requires that anyone providing cryptograph services or products be registered with the Communications Authority. Provision of cryptograph services or productions without registration is a criminal offence, punishable by imprisonment, a fine or both. It is also a criminal offence of using encryption to obstruct or impede a law enforcement officer, or to interfere with the performance by a law enforcement officer, punishable by imprisonment and/or a fine.
Zimbabwe
Assessment
Law and policy
General right to encryption
No known legislation or policies.
Mandatory minimum or maximum encryption strength
No known legislation or policies.
Licensing/registration requirements
No known legislation or policies.
Import/export controls
No known legislation or policies.
Other restrictions
No known legislation or policies.
Obligations on individuals to assist authorities
No known legislation or policies.
Obligations on providers to assist authorities
Section 11(1) of Interception of Communications Act allows the security and law enforcement agencies to impose “disclosure requirements” to persons in respect of encrypted information where they believe that a key to encrypted information is in the possession of that person, and that a disclosure requirement is necessary for in the interests of national security, to prevent or detect a serious criminal offence, or in the interests of the country’s economic wellbeing. They must also believe that the requirement is proportionate to what is sought to be achieved by its imposition and that it is not reasonably practicable for them to obtain possession of the encrypted information in an intelligible form without a disclosure requirement.
A person subject to a disclosure requirement must use any key in his or her possession to provide access to the information, and, in providing such information, make a disclosure of the information in an intelligible form (s. 11(4)). If the person no longer possess the key but has information that will facilitate the obtaining or discovery of the key, they must disclose that information to the agency (s. 11(6)).
Failure to comply with a disclosure requirement is a criminal offence, punishable with up to five years’ imprisonment, a fine, or both.
A copy of the law can be found here.
Assessment Text Area
The law in Zimbabwe allows security and law enforcement agencies to impose “disclosure requirements” to persons in respect of encrypted information where they believe that a key to encrypted information is in the possession of that person, and that a disclosure requirement is necessary for in the interests of national security, to prevent or detect a serious criminal offence, or in the interests of the country’s economic wellbeing. They must also believe that the requirement is proportionate to what is sought to be achieved by its imposition and that it is not reasonably practicable for them to obtain possession of the encrypted information in an intelligible form without a disclosure requirement. Failure to comply with is a criminal offence punishable by imprisonment, a fine, or both.
Depending on where you are in the world, the legal status of encryption varies significantly. In some countries, the use of encryption-related technologies is relatively unconstrained; in others, companies and users face significant restrictions.
To help make sense of this complex and ever-evolving picture, we’ve created this interactive world map, which you can explore through two distinct views:
- Assessment view: Here, each country has been assigned a colour-coded score, based on our assessment of its overall approach to encryption (green = minimal restrictions, red = significant restrictions).
- Law and policy view: This allows you to filter according to specific measures: e.g. to find out which countries have a general right to encryption, and which place controls on the import and export of encryption technologies.
Clicking on a specific country provides an in-depth breakdown and analysis—including an expanded assessment, and details on the relevant laws and policies.
We review and update this map on a regular basis. If you spot any inaccuracies (or have additional information), tell us here.
For more resources and information on encryption policy, visit our Encryption Policy Hub.