World map of encryption laws and policies

Encryption is a crucial enabler of the rights to privacy and freedom of expression. But around the world, its legal situation varies. Some countries guarantee a general right to encryption; in others, it is severely restricted. To help human rights defenders navigate this complicated landscape, GPD has created this easy-to-use interactive world map of national encryption laws and policies.

  • Looking for a birds’ eye view? By clicking the filters at the top of the map, you can see at a glance all the countries which have, for example, a general right to encryption guaranteed in law; or find out which countries place controls on the import and export of encryption technologies. (tip: hovering over the information symbol will give you more detail on what each filter means)
  • Want details on the situation in a specific country? Just click it on the map (or use the drop down in the bottom left corner) and you’ll find a full rundown of all the relevant policies and laws.

While we seek to make this map accurate and up to date, if you spot any inaccuracies (or have additional information), let us know by emailing richard{at}gp-digital.org.​

This map accompanies GPD’s Travel Guide to Encryption Policy for human rights defenders – a comprehensive, accessible guide to the technology behind encryption, the key debates, why it relates to human rights, and where – and how – you can engage.

List of Countries

Afghanistan

General right to encryption

No known legislation or policies.

Mandatory minimum or maximum encryption strength

No known legislation or policies.

Licensing/registration requirements

No known legislation or policies.

Import/export controls

No known legislation or policies.

Obligations on providers to assist authorities

No known legislation or policies.

Obligations on individuals to assist authorities

No known legislation or policies.

Other restrictions

No known legislation or policies.

Albania

General right to encryption

No known legislation or policies.

Mandatory minimum or maximum encryption strength

No known legislation or policies.

Licensing/registration requirements

No known legislation or policies.

Import/export controls

No known legislation or policies.

Obligations on providers to assist authorities

No known legislation or policies.

Obligations on individuals to assist authorities

No known legislation or policies.

Other restrictions

No known legislation or policies.

Algeria

General right to encryption

No known legislation or policies.

Mandatory minimum or maximum encryption strength

No known legislation or policies.

Licensing/registration requirements

No known legislation or policies.

Import/export controls

While there are no import or export controls relating specifically to encryption products, there is a general requirement in Article 41 of Law No. 2000-03 of 05 August 2000 laying down general rules relating to post and telecommunications requires all terminal equipment and radioelectric installation which is intended to be connected to a public communications network, made for the domestic market, offered for sale or distributed for free, to be approved prior to import. This approval must be obtained from the Regulatory Authority of Post and Electronic Communications under the Ministry of Post, Telecommunications, Technologies and Digitalization.

The law (in French) can be found here.

Obligations on providers to assist authorities

No known legislation or policies.

Obligations on individuals to assist authorities

Article 3 of Law No. 09-04 of 5 August 2009 laying down specific rules relating to the prevention and fight against crimes related to information and communication technologies allows among other things, for the search and seizures of computer systems, where necessary to protect public order or if necessary as part of ongoing investigations or for judicial information. Article 4 sets out the specific circumstances when this can be done and provides that judicial authorisation is required. Under Article 5, an authority conducting the search and seizure of a computer system is empowered to require any person who knows how to operate the computer system or the measures which have been applied to protect the data on the computer, to assist them and provide them with any information necessary to complete their task. While “measures which have been applied to protect the data” is not defined, this could include encryption of data.

Further, under Article 6, the authority is able to use “technical means” to format or reconstitute any data on a computer system to make them workable for the purposes of the investigation provides that this does not alter their contents. This could mean an authority being permitted to bring in external support to decrypt encrypted communications.

The law (in French) can be found here.

Other restrictions

No known legislation or policies.

Andorra

General right to encryption

No known legislation or policies.

Mandatory minimum or maximum encryption strength

No known legislation or policies.

Licensing/registration requirements

No known legislation or policies.

Import/export controls

No known legislation or policies.

Obligations on providers to assist authorities

No known legislation or policies.

Obligations on individuals to assist authorities

No known legislation or policies.

Other restrictions

No known legislation or policies.

Angola

General right to encryption

No known legislation or policies.

Mandatory minimum or maximum encryption strength

No known legislation or policies.

Licensing/registration requirements

No known legislation or policies.

Import/export controls

No known legislation or policies.

Obligations on providers to assist authorities

No known legislation or policies.

Obligations on individuals to assist authorities

No known legislation or policies.

Other restrictions

No known legislation or policies.

Antigua and Barbuda

General right to encryption

No known legislation or policies.

Mandatory minimum or maximum encryption strength

No known legislation or policies.

Licensing/registration requirements

No known legislation or policies.

Import/export controls

No known legislation or policies.

Obligations on providers to assist authorities

No known legislation or policies.

Obligations on individuals to assist authorities

No known legislation or policies.

Other restrictions

No known legislation or policies.

Argentina

General right to encryption

No known legislation or policies.

Mandatory minimum or maximum encryption strength

No known legislation or policies.

Licensing/registration requirements

No known legislation or policies.

Import/export controls

No known legislation or policies.

Obligations on providers to assist authorities

No known legislation or policies.

Obligations on individuals to assist authorities

No known legislation or policies.

Other restrictions

No known legislation or policies.

Armenia

General right to encryption

No known legislation or policies.

Mandatory minimum or maximum encryption strength

No known legislation or policies.

Licensing/registration requirements

No known legislation or policies.

Import/export controls

No known legislation or policies.

Obligations on providers to assist authorities

No known legislation or policies.

Obligations on individuals to assist authorities

No known legislation or policies.

Other restrictions

No known legislation or policies.

Australia

General right to encryption

No known legislation or policies.

Mandatory minimum or maximum encryption strength

No known legislation or policies.

Licensing/registration requirements

No known legislation or policies.

Import/export controls

No known legislation or policies.

Obligations on providers to assist authorities

No known legislation or policies.

Obligations on individuals to assist authorities

Under section 3LA of the Crimes Act 1914 (inserted by the Australian Cybercrime Act 2001), a constable may apply to a magistrate for an order requiring a specified person to provide any information or assistance that is reasonable and necessary to allow the constable to do one or more things in relation to data held in, or accessible from, a computer or data storage device which has been seized or is on property being searched under a warrant. These are to be able to access the data, to copy the data; or to convert the data into documentary form or another form intelligible to the constable.

In order to grant the order, the magistrate must be satisfied of three things. First, that there are reasonable grounds for suspecting that evidential material is held in, or is accessible from, the computer or data storage device. Second, that the specified person is reasonably suspected of having committed an offence, the owner or lessee of the computer or device (or an employee of them or a person engaged under a contract for services by them), a person who uses or has used that computer or device, or a person who is or was a system administrated for the system which includes the computer or device. Third, that the specified person has relevant knowledge of the computer or device or of measures applied to protect data held in, or accessible from, the computer or device. This could include knowledge of the password or other means by which the data has been encrypted and how it can be decrypted.

Failure to comply with such an order is a criminal offence, punishable by up to two years’ imprisonment.

The Crimes Act 1914 can be found here.

Other restrictions

No known legislation or policies.

Austria

General right to encryption

No known legislation or policies.

Mandatory minimum or maximum encryption strength

No known legislation or policies.

Licensing/registration requirements

No known legislation or policies.

Import/export controls

No known legislation or policies.

Obligations on providers to assist authorities

No known legislation or policies.

Obligations on individuals to assist authorities

No known legislation or policies.

Other restrictions

No known legislation or policies.

Azerbaijan

General right to encryption

No known legislation or policies.

Mandatory minimum or maximum encryption strength

No known legislation or policies.

Licensing/registration requirements

No known legislation or policies.

Import/export controls

No known legislation or policies.

Obligations on providers to assist authorities

No known legislation or policies.

Obligations on individuals to assist authorities

No known legislation or policies.

Other restrictions

No known legislation or policies.

Bahamas

General right to encryption

No known legislation or policies.

Mandatory minimum or maximum encryption strength

No known legislation or policies.

Licensing/registration requirements

No known legislation or policies.

Import/export controls

No known legislation or policies.

Obligations on providers to assist authorities

No known legislation or policies.

Obligations on individuals to assist authorities

Under section 16(1) of the Computer Misuse Act, a police officer or a person authorised in writing by the Commissioner of Police, where they have a search warrant, is entitled to have access to and inspect and check the operation of a computer, to use or have someone else use a computer to search any data contained in it or available to it, and to have access to any information, code or technology which can retransform or unscramble encrypted data contained or available to the computer into a readable and comprehensible format or text. They are also entitled to require any person they have reasonable cause to suspect is using or has used the computer, or any person in charge of or concerned with the operation of the computer, to provide them with such reasonable technical and other assistance they may require for those purposes. Finally, they are also entitled to require any person in possession of decryption information to grant them access to such decrption information as it necessary to decrypt data.

The search warrant to exercise these powers must be obtained under section 70 of the Criminal Procedure Code which regulates search warrants more generally. Search warrants must be obtained from a magistrate, who must be satisfied that there is reasonable cause to believe that an offence has been committed on a particular property.

Furthermore, the powers under the Computer Misuse Act can only be used in relation to a computer where the police officer or person authorised in writing by the Commissioner of Police has reasonable cause to suspect is being used or has been used in connection with an offence under the Computer Misuse Act or diclosed in the course of the lawful exercise of the powers under section 16. They cannot be exercised in relation to criminal offences generally.

Additionally, where the powers to be exercised involve searching data on a computer, accessing decryption technology, or requiring a person to provide decryption information, the consent of the Attorney-General is required.

Failure to comply is a criminal offence, punishable by up to three years’ imprisonment or a fine of up to BSD 10,000.

The Computer Misuse Act can be found here.

Other restrictions

No known legislation or policies.

Bahrain

General right to encryption

No known legislation or policies.

Mandatory minimum or maximum encryption strength

No known legislation or policies.

Licensing/registration requirements

No known legislation or policies.

Import/export controls

No known legislation or policies.

Obligations on providers to assist authorities

No known legislation or policies.

Obligations on individuals to assist authorities

No known legislation or policies.

Other restrictions

Article 9 of Law No. 60 of 2014 on Information Technology Crimes provides for a criminal offence of using encryption in order to commit or conceal any crime provided for in that law, or any other law, punishable by imprisonment or a fine of up to BHD 100,000, or both.

A copy of the law (in Arabic) can be found here.

Bangladesh

General right to encryption

No known legislation or policies.

Mandatory minimum or maximum encryption strength

No known legislation or policies.

Licensing/registration requirements

No known legislation or policies.

Import/export controls

No known legislation or policies.

Obligations on providers to assist authorities

No known legislation or policies.

Obligations on individuals to assist authorities

No known legislation or policies.

Other restrictions

No known legislation or policies.

Barbados

General right to encryption

Section 21(2) of the Electronic Transactions Act, 2001 provides that, subject to any regulations made under section 21(1), a person can use any encryption programme or product of any bit size or other of measure of strength that they lawfully possess. No such regulations have been made.

A copy of the law can be found here.

Mandatory minimum or maximum encryption strength

Section 21(1) of the Electronic Transactions Act, 2001 permits the government to make regulations (a) respecting the use, import and export of encryption programmes or other encryption products, and (b) prohibiting the export of encryption programmes or other encryption products from Barbados generally, or subject to such restrictions as may be prescribed. However, section 21(2) makes clear that, subject to any regulations made under section 21(1), a person can use any encryption programme or product of any bit size or other measure of strength that they lawfully possess. No such regulations have been made.

A copy of the law can be found here.

Licensing/registration requirements

Section 21(1) of the Electronic Transactions Act, 2001 permits the government to make regulations (a) respecting the use, import and export of encryption programmes or other encryption products, and (b) prohibiting the export of encryption programmes or other encryption products from Barbados generally, or subject to such restrictions as may be prescribed. However, section 21(2) makes clear that, subject to any regulations made under section 21(1), a person can use any encryption programme or product of any bit size or other measure of strength that they lawfully possess. No such regulations have been made.

A copy of the law can be found here.

Import/export controls

Section 21(1) of the Electronic Transactions Act, 2001 permits the government to make regulations (a) respecting the use, import and export of encryption programmes or other encryption products, and (b) prohibiting the export of encryption programmes or other encryption products from Barbados generally, or subject to such restrictions as may be prescribed. However, section 21(2) makes clear that, subject to any regulations made under section 21(1), a person can use any encryption programme or product of any bit size or other measure of strength that they lawfully possess. No such regulations have been made.

A copy of the law can be found here.

Obligations on providers to assist authorities

No known legislation or policies.

Obligations on individuals to assist authorities

Under section 15(1) of the Computer Misuse Act, magistrates are able to issue search warrants authorising police officers to enter and search places, including computers there, using such force as is necessary. In order to grant such a warrant, the magistrate must be satisfied that there are reasonable grounds for suspecting that an offence under the Act has been or is about to be committed in a particular place, and that evidence that such an offence has been or is about to be committed is in that place.

A warrant issued under section 15(1) may authorised a police officer to:

(a) seize any computer, data, programme, information, document or thing if they reasonably believe that it is evidence that an offence under the Act has been or is about to be committed;

(b) inspect and check the operation of any such computer;

(c) use or requires someone else to use any such computer to search any programme or data held in or available to the computer;

(d) have access to any information, code or technology which has the capability of transforming or converting an encrypted programme or data held in or available to the computer into readable and comprehensible format or text, for the purpose of investigating any offence under the Act;

(e) convert an encrypted programme or data held in another computer system at the place specified in the warrant, where there are reasonable grounds for believing that computer data connected with the commission of the offence may be stored in that other system; and

(f) make and retain a copy of any programme or data held in the computer referred to in (a) or (e) and any other programme or data held in the computers.

Failure to comply with a request for assistance from a police officer is a criminal offence, punishable by up to eighteen months’ imprisonment or to a fine of up to BBD 15,000, or both.

Additionally, section 16(1) also allows a police officer to require access to decryption information necessary to decrypt computer data required for the purpose of investigating the commission of an offence from any person in possession or control of a computer data storage medium or computer system. Again, failure to comply with a request for assistance from a police officer is a criminal offence, punishable by up to eighteen months’ imprisonment or to a fine of up to BBD 15,000, or both.

The Computer Misuse Act can be found here.

Other restrictions

No known legislation or policies.

Belarus

General right to encryption

No known legislation or policies.

Mandatory minimum or maximum encryption strength

No known legislation or policies.

Licensing/registration requirements

No known legislation or policies.

Import/export controls

Under Resolution of the Council of Ministers of the Republic of Belarus No. 218 of 18 March 1997, the import and export of cryptography is prohibited without a license from the Ministry of Foreign Affairs or the State Center for Information Security of the Security Council.

A copy of the Resolution (in Russian) can be found here.

Obligations on providers to assist authorities

No known legislation or policies.

Obligations on individuals to assist authorities

No known legislation or policies.

Other restrictions

No known legislation or policies.

Belgium

General right to encryption

No known legislation or policies.

Mandatory minimum or maximum encryption strength

No known legislation or policies.

Licensing/registration requirements

No known legislation or policies.

Import/export controls

No known legislation or policies.

Obligations on providers to assist authorities

Article 18/17 of the Law of 30 November 1998, Organic Law on the Intelligence and Security Services, allows the intelligence and security services to intercept communications and record them, although Article 18/10 requires prior authorisation in such cases from an independent commission. Under Article 18/17, if an operation on an electronic communications network is necessary for the interception and recording to take place, the head of the intelligence and security services can make a written request for technical assistance to a network operator or provider of an electronic communications service.

Failure to comply with such a request is a criminal offence punishable by a fine of between 26 EUR and 20,000 EUR.

A copy of the law (in French) can be found here.

Article 127 of the Law of 13 June 2005, Law on Electronic Communications, allows the King to establish technical and administrative measures with which operators must comply, in order to be able to identify end users, identify their location, listen to their communications, and record the communications. Under the Royal Order of 12 October 2010, these measures include being able to transmit the content of a call clearly in circumstances where operator of the electronic communications network or the provider of an electronic communications service has used encryption. As such, operators and service providers need to be able decrypt any encryption that they use with regards to communications.

A copy of the law (in French) can be found here.

A copy of the Royal Order (in French) can be found here.

Article 90ter of the Code of Criminal Procedure allows, limited circumstances, and only where authorised by the Royal Prosecutor, an examining magistrate to secretly intercept, take knowledge, explore and record non-publicly accessible communications or data from a computer system or part of it, or to search a computer system or part thereof. Where undertaken, the examining magistrate may also, without the knowledge or consent of the owner, to install technical devices in the relevant computer systems to decrypt data stored, processed or transmitted. Under the Royal Order of 9 January 2003, operators and electronic communications service providers must be technically able to transmit the content of communications clearly in circumstances where they have used encryption. As such, operators and service providers need to be able decrypt any encryption that they use with regards to communications. Article 90quartier allows the examining magistrate to require the assistance of an operator of an electronic communications work or a provider of an electronic communications service so as to be able undertake the measures. They must then do so to the best of their capabilities.

Refusal to provide such technical assistance, if requested, is a criminal offence punishable by a fine of between 26 EUR and 20,000 EUR.

A copy of the Code of Criminal Procedure (in French) can be found here.

A copy of the Royal Order (in French) can be found here.

Obligations on individuals to assist authorities

Article 88quater of the Code of Criminal Instruction provides a power for examining magistrates and other officials to order anyone with particular knowledge of a computer system that is the subject of a search warrant, or of services or applications which encrypt data to provide information on how to access content that has been encrypted and to make it accessible in a particular format. A further provision allows similar orders to be made to any appropriate person to operate the computer system themselves to make information accessible in a particular format. They must then do so to the best of their capabilities.

Refusal to provide such technical assistance, if requested, is a criminal offence punishable by imprisonment of between six months and three years, a fine of between 26 EUR and 20,000 EUR, or both. Where that assistance would prevent a crime, and they fail to provide it, the punishment is imprisonment of between one and five years, a fine of 500 EUR to 50,000 EUR, or both.

A copy of the Code of Criminal Instruction (in French) can be found here.

Other restrictions

No known legislation or policies.

Belize

General right to encryption

No known legislation or policies.

Mandatory minimum or maximum encryption strength

No known legislation or policies.

Licensing/registration requirements

No known legislation or policies.

Import/export controls

No known legislation or policies.

Obligations on providers to assist authorities

No known legislation or policies.

Obligations on individuals to assist authorities

No known legislation or policies.

Other restrictions

No known legislation or policies.

Benin

General right to encryption

No known legislation or policies.

Mandatory minimum or maximum encryption strength

No known legislation or policies.

Licensing/registration requirements

No known legislation or policies.

Import/export controls

No known legislation or policies.

Obligations on providers to assist authorities

No known legislation or policies.

Obligations on individuals to assist authorities

No known legislation or policies.

Other restrictions

No known legislation or policies.

Bhutan

General right to encryption

No known legislation or policies.

Mandatory minimum or maximum encryption strength

No known legislation or policies.

Licensing/registration requirements

No known legislation or policies.

Import/export controls

No known legislation or policies.

Obligations on providers to assist authorities

No known legislation or policies.

Obligations on individuals to assist authorities

No known legislation or policies.

Other restrictions

No known legislation or policies.

Bolivia

General right to encryption

No known legislation or policies.

Mandatory minimum or maximum encryption strength

No known legislation or policies.

Licensing/registration requirements

No known legislation or policies.

Import/export controls

No known legislation or policies.

Obligations on providers to assist authorities

No known legislation or policies.

Obligations on individuals to assist authorities

No known legislation or policies.

Other restrictions

No known legislation or policies.

Bosnia and Herzegovina

General right to encryption

No known legislation or policies.

Mandatory minimum or maximum encryption strength

No known legislation or policies.

Licensing/registration requirements

No known legislation or policies.

Import/export controls

No known legislation or policies.

Obligations on providers to assist authorities

No known legislation or policies.

Obligations on individuals to assist authorities

No known legislation or policies.

Other restrictions

No known legislation or policies.

Botswana

General right to encryption

No known legislation or policies.

Mandatory minimum or maximum encryption strength

No known legislation or policies.

Licensing/registration requirements

No known legislation or policies.

Import/export controls

No known legislation or policies.

Obligations on providers to assist authorities

No known legislation or policies.

Obligations on individuals to assist authorities

No known legislation or policies.

Other restrictions

No known legislation or policies.

Brazil

General right to encryption

Article 7(III) of the Marco Civil da Internet (Law No. 12.965) guarantees the inviolability and secrecy of user communications online, with exceptions only permitted by court order.

A copy of the law (in Portuguese) can be found here.

Mandatory minimum or maximum encryption strength

No known legislation or policies.

Licensing/registration requirements

No known legislation or policies.

Import/export controls

No known legislation or policies.

Obligations on providers to assist authorities

No known legislation or policies.

Obligations on individuals to assist authorities

No known legislation or policies.

Other restrictions

No known legislation or policies.

Brunei

General right to encryption

No known legislation or policies.

Mandatory minimum or maximum encryption strength

No known legislation or policies.

Licensing/registration requirements

No known legislation or policies.

Import/export controls

No known legislation or policies.

Obligations on providers to assist authorities

No known legislation or policies.

Obligations on individuals to assist authorities

Under section 18(1) of the Computer Misuse Act, a police officer or a person authorised in writing by the Commissioner of Police is entitled to have access to and inspect and check the operation of a computer, to use or have someone else use a computer to search any data contained in it or available to it, and to have access to any information, code or technology which can retransform or unscramble encrypted data contained or available to the computer into a readable and comprehensible format or text. They are also entitled to require any person they have reasonable cause to suspect is using or has used the computer, or any person in charge of or concerned with the operation of the computer, to provide them with such reasonable technical and other assistance they may require for those purposes. Finally, they are also entitled to require any person in possession of decryption information to grant them access to such decryption information as it necessary to decrypt data.

These powers can only be used in relation to a computer where the police officer or person authorised in writing by the Commissioner of Police has reasonable cause to suspect is being used or has been used in connection with an offence under the Computer Misuse Act or disclosed in the course of the lawful exercise of the powers under section 18. They cannot be exercised in relation to criminal offences generally.

Additionally, where the powers to be exercised involve searching data on a computer, accessing decryption technology, or requiring a person to provide decryption information, the consent of the Attorney-General is required.

Failure to comply is punishable by up to three years’ imprisonment, a fine of up to BND 10,000, or both.

A copy of the law can be found here.

Other restrictions

No known legislation or policies.

Bulgaria

General right to encryption

No known legislation or policies.

Mandatory minimum or maximum encryption strength

No known legislation or policies.

Licensing/registration requirements

No known legislation or policies.

Import/export controls

No known legislation or policies.

Obligations on providers to assist authorities

No known legislation or policies.

Obligations on individuals to assist authorities

No known legislation or policies.

Other restrictions

No known legislation or policies.

Burkina Faso

General right to encryption

No known legislation or policies.

Mandatory minimum or maximum encryption strength

No known legislation or policies.

Licensing/registration requirements

No known legislation or policies.

Import/export controls

No known legislation or policies.

Obligations on providers to assist authorities

No known legislation or policies.

Obligations on individuals to assist authorities

No known legislation or policies.

Other restrictions

No known legislation or policies.

Burundi

General right to encryption

No known legislation or policies.

Mandatory minimum or maximum encryption strength

No known legislation or policies.

Licensing/registration requirements

No known legislation or policies.

Import/export controls

No known legislation or policies.

Obligations on providers to assist authorities

No known legislation or policies.

Obligations on individuals to assist authorities

No known legislation or policies.

Other restrictions

No known legislation or policies.

Cambodia

General right to encryption

No known legislation or policies.

Mandatory minimum or maximum encryption strength

No known legislation or policies.

Licensing/registration requirements

No known legislation or policies.

Import/export controls

No known legislation or policies.

Obligations on providers to assist authorities

No known legislation or policies.

Obligations on individuals to assist authorities

No known legislation or policies.

Other restrictions

No known legislation or policies.

Cameroon

General right to encryption

No known legislation or policies.

Mandatory minimum or maximum encryption strength

No known legislation or policies.

Licensing/registration requirements

No known legislation or policies.

Import/export controls

No known legislation or policies.

Obligations on providers to assist authorities

No known legislation or policies.

Obligations on individuals to assist authorities

No known legislation or policies.

Other restrictions

No known legislation or policies.

Canada

General right to encryption

Although the Canadian Charter of Rights and Freedoms doesn’t provide for a specific right to encryption, the Charter does protect the right to “freedom of thought, belief, opinion and expression, including freedom of the press and other media of communication” (section 2(b)) and provides that “everyone has the right to be secure against unreasonable search or seizure” (section 8). The government of Canada has recognised that these rights would be engaged by any restrictions relating to encryption.

A copy of the Charter can be found here.

Mandatory minimum or maximum encryption strength

No known legislation or policies.

Licensing/registration requirements

No known legislation or policies.

Import/export controls

Section 3 of the Export and Import Permits Act allows the government to establish an Export Control List, setting out restrictions on the export of certain articles. Items on the list must generally be authorised by an export permit before they can be exported from Canada, and include certain forms of cryptography. A permit is not required, however, if the cryptographic item is being exported to the USA, nor if the cryptographic item is one that is marketed to the general public.

A copy of the law can be found here.

Obligations on providers to assist authorities

There is no legislative power which can be used to require telecommunication or online service providers to facilitate the decryption of encrypted communications, although, more generally, and depending on the technical infrastructure in question, in certain cases assistance orders (section 487.014 of the Criminal Code) or production orders (section 487.02 of the Criminal Code) against third parties (including service providers) may be used to facilitate attempts by law enforcement to access to encrypted data.

A copy of the Criminal Code can be found here.

Obligations on individuals to assist authorities

There is no legislative power which can be used to require individuals to decrypt encrypted communications. Indeed, in R v. Boudreau-Fontaine (2010 QCCA 1108), the Quebec Court of Appeal found that an order compelling an individual to provide a password violated his constitutional rights, including his rights to silence and against self-incrimination. Various lower courts have followed this decision, although the Supreme Court of Canada has not ruled on this issue. The federal government has also recognised that it has no legislative authority to compel individuals to provide a password in the course of a criminal investigation.

In some cases, however, law enforcement may attempt, using various technical and investigative means to circumvent the protections afforded by encryption or to acquire an individual’s private key or password. When an individual has a reasonable expectation of privacy in the information sought, the constitution generally requires law enforcement to secure prior judicial authorisation (normally on a “reasonable grounds to believe” standard) for the search, seizure, or interception of the data sought. In some cases, additional legal safeguards may also apply.

Depending on the technical infrastructure in question, in certain cases assistance orders (section 487.014 of the Criminal Code) or production orders (section 487.02 of the Criminal Code) against third parties (including service providers) may be used to facilitate attempts by law enforcement to access to encrypted data.

Section 8 of the Canadian Charter of Rights and Freedoms requires not only that the search is reasonable, but that the search is conducted in a reasonable manner. This aspect of the section 8 analysis may serve to limit certain methods of circumventing encryption which are clearly disproportionate or prejudicial. Evidence obtained in breach of a Charter right can be excluded subject to section 24(2) of the Charter.

A copy of the Charter can be found here.

A copy of the Criminal Code can be found here.

Other restrictions

No known legislation or policies.

Cape Verde

General right to encryption

No known legislation or policies.

Mandatory minimum or maximum encryption strength

No known legislation or policies.

Licensing/registration requirements

No known legislation or policies.

Import/export controls

No known legislation or policies.

Obligations on providers to assist authorities

Article 25(1)(m) of Legislative Decree n.º7/2005 requires all providers of electronic communications networks and services to set up, at their own expense, the provision of legal interception systems and means of decryption where they provide encryption facilities.

A copy of the legislative decree (in Portuguese) can be found here.

Obligations on individuals to assist authorities

No known legislation or policies.

Other restrictions

No known legislation or policies.

Central African Republic

General right to encryption

No known legislation or policies.

Mandatory minimum or maximum encryption strength

No known legislation or policies.

Licensing/registration requirements

No known legislation or policies.

Import/export controls

No known legislation or policies.

Obligations on providers to assist authorities

No known legislation or policies.

Obligations on individuals to assist authorities

No known legislation or policies.

Other restrictions

No known legislation or policies.

Chad

General right to encryption

No known legislation or policies.

Mandatory minimum or maximum encryption strength

No known legislation or policies.

Licensing/registration requirements

No known legislation or policies.

Import/export controls

No known legislation or policies.

Obligations on providers to assist authorities

No known legislation or policies.

Obligations on individuals to assist authorities

No known legislation or policies.

Other restrictions

No known legislation or policies.

Chile

General right to encryption

No known legislation or policies.

Mandatory minimum or maximum encryption strength

No known legislation or policies.

Licensing/registration requirements

No known legislation or policies.

Import/export controls

No known legislation or policies.

Obligations on providers to assist authorities

No known legislation or policies.

Obligations on individuals to assist authorities

No known legislation or policies.

Other restrictions

No known legislation or policies.

China

General right to encryption

No known legislation or policies.

Mandatory minimum or maximum encryption strength

No known legislation or policies.

Licensing/registration requirements

State Council Order No. 273 “Regulation of Commercial Encryption Codes” provides that manufacturers must obtain approval from the National Commission on Encryption Code Regulations/ State Cryptography Administration for the type and model (including key length) of their encryption products.

A copy of the Order can be found here.

Import/export controls

State Council Order No. 273 “Regulation of Commercial Encryption Codes” provides that the import and export of encryption products requires a license by the National Commission on Encryption Code Regulations/ State Cryptography Administration.

A copy of the Order can be found here.

Obligations on providers to assist authorities

Under the Counter-Terrorism Law, technology firms are required to help decrypt information.

Obligations on individuals to assist authorities

No known legislation or policies.

Other restrictions

State Council Order No. 273 “Regulation of Commercial Encryption Codes” provides that organisations and individuals may not distribute encryption products produced abroad. People may only use encryption products approved by the National Commission on Encryption Code Regulations, and they may not use commercial encryption products developed by themselves or produced abroad. For this use, they must have approval by the National Commission on Encryption Code Regulations. Only foreign diplomatic missions and consulates are exempted from this approval.

A copy of the Order can be found here.

Colombia

General right to encryption

There is no general right to encryption, however Law No. 1621 of 2013, which regulates intelligence activities, provides at Article 44, paragraph 2, that telecommunications services providers must offer encrypted voice call service to high government and intelligence officials.

A copy of the law can be found here.

Mandatory minimum or maximum encryption strength

No known legislation or policies.

Licensing/registration requirements

No known legislation or policies.

Import/export controls

No known legislation or policies.

Obligations on providers to assist authorities

No known legislation or policies.

Obligations on individuals to assist authorities

No known legislation or policies.

Other restrictions

Article 103, paragraph 4 of Law No. 104 of 1997 prohibits subscribers, licensees and other persons authorised to use certain radiocommunications systems (including pagers and mobile phones) from sending messages which are encrypted or in an “unintelligible language”. It is not clear if this prohibition extends to encrypted communications on the internet.

A copy of the law can be found here.

Comoros

General right to encryption

No known legislation or policies.

Mandatory minimum or maximum encryption strength

No known legislation or policies.

Licensing/registration requirements

No known legislation or policies.

Import/export controls

No known legislation or policies.

Obligations on providers to assist authorities

No known legislation or policies.

Obligations on individuals to assist authorities

No known legislation or policies.

Other restrictions

No known legislation or policies.

Costa Rica

General right to encryption

No known legislation or policies.

Mandatory minimum or maximum encryption strength

No known legislation or policies.

Licensing/registration requirements

No known legislation or policies.

Import/export controls

No known legislation or policies.

Obligations on providers to assist authorities

No known legislation or policies.

Obligations on individuals to assist authorities

No known legislation or policies.

Other restrictions

No known legislation or policies.

Cote d’Ivoire

General right to encryption

No known legislation or policies.

Mandatory minimum or maximum encryption strength

No known legislation or policies.

Licensing/registration requirements

No known legislation or policies.

Import/export controls

No known legislation or policies.

Obligations on providers to assist authorities

No known legislation or policies.

Obligations on individuals to assist authorities

No known legislation or policies.

Other restrictions

No known legislation or policies.

Croatia

General right to encryption

No known legislation or policies.

Mandatory minimum or maximum encryption strength

No known legislation or policies.

Licensing/registration requirements

No known legislation or policies.

Import/export controls

No known legislation or policies.

Obligations on providers to assist authorities

No known legislation or policies.

Obligations on individuals to assist authorities

Article 257(1) of the Law on Criminal Procedure provides that searches permitted under the Law also include searches of computers and other devices for collecting, storing and transmitting data. If so requested, a person using or having access to such a computer or device must provide access to it and to provide the necessary information for uninterrupted use and to achieve the purposes of the search. It is not clear whether this would include a requirement to decrypt encrypted data.

A copy of the law (in Croatian) can be found here.

Other restrictions

No known legislation or policies.

Cuba

General right to encryption

No known legislation or policies.

Mandatory minimum or maximum encryption strength

No known legislation or policies.

Licensing/registration requirements

Article 19(5) of Resolution No. 128/2011 (Regulation for Private Data Networks) requires official approval in order to use any type of application or service supported by a private network that involves encryption of the information which is transmitted.

A copy of the Resolution (in Spanish) can be found here.

Import/export controls

No known legislation or policies.

Obligations on providers to assist authorities

No known legislation or policies.

Obligations on individuals to assist authorities

No known legislation or policies.

Other restrictions

Article 19 of Resolution No. 179/08 (Regulation for Internet Access Service Providers) requires internet access service providers to guarantee that any software they use does not involve cryptographic systems or the transfer or encrypted files.

A copy of the Resolution (in Spanish) can be found here.

Cyprus

General right to encryption

No known legislation or policies.

Mandatory minimum or maximum encryption strength

No known legislation or policies.

Licensing/registration requirements

No known legislation or policies.

Import/export controls

No known legislation or policies.

Obligations on providers to assist authorities

No known legislation or policies.

Obligations on individuals to assist authorities

No known legislation or policies.

Other restrictions

No known legislation or policies.

Czech Republic

General right to encryption

No known legislation or policies.

Mandatory minimum or maximum encryption strength

No known legislation or policies.

Licensing/registration requirements

No known legislation or policies.

Import/export controls

No known legislation or policies.

Obligations on providers to assist authorities

Section 8 of the Criminal Procedure Code requires all state authorities, private entities and individuals to comply with any request of law enforcement bodies. It is not clear whether this would extend to decrypting encrypted information or providing decryption keys.

A copy of the law (in Czech) can be found here.

Section 75(1) of the Law on Electronic Communications (Law No. 127/2005) provides a power for the Police to request a mobile network providers to make it impossible, for a specified period of time, for encryption, coding or any other type of concealment to be used by users of the network to transmit messages. The request can only be made if it is technically feasible.

Further, under sections 97(1) and (5) of the same law, any private entity or individual who provides a public communications network or electronic communications service must install interfaces at specified points along the network to enable the tapping and recording of messages by the police. If that entity or individual uses coding, compression or encryption which renders the messages incomprehensible, they must ensure that, at the specified points, the messages (and associated traffic and location data) are comprehensible.

A copy of the law (in Czech) can be found here.

Obligations on individuals to assist authorities

Section 8 of the Criminal Procedure Code requires all state authorities, private entities and individuals to comply with any request of law enforcement bodies. It is not clear whether this would extend to decrypting encrypted information or providing decryption keys.

A copy of the law (in Czech) can be found here.

Section 75(1) of the Law on Electronic Communications (Law No. 127/2005) provides a power for the Police to request a mobile network providers to make it impossible, for a specified period of time, for encryption, coding or any other type of concealment to be used by users of the network to transmit messages. The request can only be made if it is technically feasible.

Further, under sections 97(1) and (5) of the same law, any private entity or individual who provides a public communications network or electronic communications service must install interfaces at specified points along the network to enable the tapping and recording of messages by the police. If that entity or individual uses coding, compression or encryption which renders the messages incomprehensible, they must ensure that, at the specified points, the messages (and associated traffic and location data) are comprehensible.

A copy of the law (in Czech) can be found here.

Other restrictions

No known legislation or policies.

Democratic Republic of the Congo

General right to encryption

No known legislation or policies.

Mandatory minimum or maximum encryption strength

No known legislation or policies.

Licensing/registration requirements

No known legislation or policies.

Import/export controls

No known legislation or policies.

Obligations on providers to assist authorities

No known legislation or policies.

Obligations on individuals to assist authorities

No known legislation or policies.

Other restrictions

No known legislation or policies.

Denmark

General right to encryption

No known legislation or policies.

Mandatory minimum or maximum encryption strength

No known legislation or policies.

Licensing/registration requirements

No known legislation or policies.

Import/export controls

No known legislation or policies.

Obligations on providers to assist authorities

Article 10 of the Law on Electronic Communications Networks and Services requires providers of electronic communications networks and services to ensure that any technical equipment or systems that they use are set up in such a way so that the police are able to access information about telecommunications traffic and to intervene in the “secrecy of communications” in the form of historical and future telecommunications data, and interception of telecommunications, including access to data directly after its recording.

A copy of the law (in Danish) can be found here.

Under section 804 of the Law on the Administration of Justice, persons other than suspects and accused persons (including private entities) who are in possession of information relevant to an investigation can be required to hand over information. It is not clear whether this would include decryption keys.

A copy of the law (in Danish) can be found here.

Obligations on individuals to assist authorities

Under section 804 of the Law on the Administration of Justice, persons other than suspects and accused persons (including private entities) who are in possession of information relevant to an investigation can be required to hand over information. It is not clear whether this would include decryption keys.

A copy of the law (in Danish) can be found here.

Other restrictions

No known legislation or policies.

Djibouti

General right to encryption

No known legislation or policies.

Mandatory minimum or maximum encryption strength

No known legislation or policies.

Licensing/registration requirements

No known legislation or policies.

Import/export controls

No known legislation or policies.

Obligations on providers to assist authorities

No known legislation or policies.

Obligations on individuals to assist authorities

No known legislation or policies.

Other restrictions

No known legislation or policies.

Dominic

General right to encryption

No known legislation or policies.

Mandatory minimum or maximum encryption strength

No known legislation or policies.

Licensing/registration requirements

No known legislation or policies.

Import/export controls

No known legislation or policies.

Obligations on providers to assist authorities

No known legislation or policies.

Obligations on individuals to assist authorities

No known legislation or policies.

Other restrictions

No known legislation or policies.

Dominic Republic

General right to encryption

No known legislation or policies.

Mandatory minimum or maximum encryption strength

No known legislation or policies.

Licensing/registration requirements

No known legislation or policies.

Import/export controls

No known legislation or policies.

Obligations on providers to assist authorities

No known legislation or policies.

Obligations on individuals to assist authorities

No known legislation or policies.

Other restrictions

No known legislation or policies.

Ecuador

General right to encryption

No known legislation or policies.

Mandatory minimum or maximum encryption strength

No known legislation or policies.

Licensing/registration requirements

No known legislation or policies.

Import/export controls

No known legislation or policies.

Obligations on providers to assist authorities

No known legislation or policies.

Obligations on individuals to assist authorities

No known legislation or policies.

Other restrictions

No known legislation or policies.

Egypt

General right to encryption

No known legislation or policies.

Mandatory minimum or maximum encryption strength

No known legislation or policies.

Licensing/registration requirements

Telecommunication Regulation Law: Article 64 provides that “Telecommunication Services Operators, Providers, their employees and Users of such services shall not use any Telecommunication Services encryption equipment except after obtaining a written consent from each of the NTRA, the Armed Forces and National Security Entities, and this shall not apply to encryption equipment of radio and television broadcasting.”

Import/export controls

No known legislation or policies.

Obligations on providers to assist authorities

No known legislation or policies.

Obligations on individuals to assist authorities

No known legislation or policies.

Other restrictions

No known legislation or policies.

El Salvador

General right to encryption

No known legislation or policies.

Mandatory minimum or maximum encryption strength

No known legislation or policies.

Licensing/registration requirements

No known legislation or policies.

Import/export controls

No known legislation or policies.

Obligations on providers to assist authorities

Law on Telecommunications (Legislative Decree No. 142 of 6 November 1997): Article 42-D provides that operators of commercial telecommunications networks must decode, or ensure that the authorities can decode, any communication from a subscriber or client for the purpose of obtaining the information referred to in the previous two articles, in cases where the encryption has been provided by the service operator.

Obligations on individuals to assist authorities

No known legislation or policies.

Other restrictions

Special Law for the Interception of Telecommunications (Legislative Decree No. 285 of 18 February 2010): Article 21 provides that if material recorded in the course of an interception authorised by the law could not be translated or interpreted, in full or in part, due to encryption, protection by passwords or another similar reason, the Interception Centre shall keep the material until its translation or interpretation. The prosecutor shall indicate in detail this circumstance to the authorising judge, giving him the complete recording of the said material. Once the material is revealed, the prosecutor shall transmit a copy of it to the authorising judge.

Equatorial Guinea

General right to encryption

No known legislation or policies.

Mandatory minimum or maximum encryption strength

No known legislation or policies.

Licensing/registration requirements

No known legislation or policies.

Import/export controls

No known legislation or policies.

Obligations on providers to assist authorities

No known legislation or policies.

Obligations on individuals to assist authorities

No known legislation or policies.

Other restrictions

No known legislation or policies.

Eritrea

General right to encryption

No known legislation or policies.

Mandatory minimum or maximum encryption strength

No known legislation or policies.

Licensing/registration requirements

No known legislation or policies.

Import/export controls

No known legislation or policies.

Obligations on providers to assist authorities

No known legislation or policies.

Obligations on individuals to assist authorities

No known legislation or policies.

Other restrictions

No known legislation or policies.

Estonia

General right to encryption

No known legislation or policies.

Mandatory minimum or maximum encryption strength

No known legislation or policies.

Licensing/registration requirements

No known legislation or policies.

Import/export controls

No known legislation or policies.

Obligations on providers to assist authorities

Criminal Procedure Code: Article 215 allows investigative authorities and prosecutors’ offices to order the production of data from any person. However, there is no requirement that such persons disclose encryption keys or passwords.

Obligations on individuals to assist authorities

Criminal Procedure Code: Article 215 allows investigative authorities and prosecutors’ offices to order the production of data from any person. However, there is no requirement that such persons disclose encryption keys or passwords.

Other restrictions

No known legislation or policies.

Ethiopia

General right to encryption

No known legislation or policies.

Mandatory minimum or maximum encryption strength

No known legislation or policies.

Licensing/registration requirements

Proclamation on Telecom Fraud Offences (Proclamation No. 761/2012): Article 3(1) of the Proclamation criminalises the manufacture, assembly or import of any telecommunications equipment without a permit, punishable by “rigorous imprisonment” for between 10 and 15 years and a fine of between ETB 100,000 and ETB 150,000.

Import/export controls

Proclamation on Telecom Fraud Offences (Proclamation No. 761/2012): Article 3(1) of the Proclamation criminalises the manufacture, assembly or import of any telecommunications equipment without a permit, punishable by “rigorous imprisonment” for between 10 and 15 years and a fine of between ETB 100,000 and ETB 150,000.

Obligations on providers to assist authorities

No known legislation or policies.

Obligations on individuals to assist authorities

No known legislation or policies.

Other restrictions

Proclamation on Telecom Fraud Offences (Proclamation No. 761/2012): Article 3(1) of the Proclamation criminalises the manufacture, assembly or import of any telecommunications equipment without a permit, punishable by “rigorous imprisonment” for between 10 and 15 years and a fine of between ETB 100,000 and ETB 150,000.

Fiji

General right to encryption

No known legislation or policies.

Mandatory minimum or maximum encryption strength

No known legislation or policies.

Licensing/registration requirements

No known legislation or policies.

Import/export controls

No known legislation or policies.

Obligations on providers to assist authorities

No known legislation or policies.

Obligations on individuals to assist authorities

No known legislation or policies.

Other restrictions

No known legislation or policies.

Finland

General right to encryption

Act on the Protection of Privacy in Electronic Communications: Section 5 provides that “a user and a subscriber has the right to protect its telecommunications in the desired manner by using for this purpose the available technical possibilities”.

Mandatory minimum or maximum encryption strength

No known legislation or policies.

Licensing/registration requirements

No known legislation or policies.

Import/export controls

No known legislation or policies.

Obligations on providers to assist authorities

Coercive Measures Act: Section 23 provides that persons (including persons who maintain information systems) other than suspects/accused persons can be required to hand over passwords and decryption keys if it is necessary to conduct a search of data contained in a device.

Obligations on individuals to assist authorities

Coercive Measures Act: Section 23 provides that persons (including persons who maintain information systems) other than suspects/accused persons can be required to hand over passwords and decryption keys if it is necessary to conduct a search of data contained in a device.

Other restrictions

No known legislation or policies.

France

General right to encryption

No known legislation or policies.

Mandatory minimum or maximum encryption strength

No known legislation or policies.

Licensing/registration requirements

No known legislation or policies.

Import/export controls

No known legislation or policies.

Obligations on providers to assist authorities

Criminal Procedure Code: Article 230, modified by Law No. 2001-1062 and Law No. 2014-1353 requires the disclosure of encryption keys upon the authorisation of a judge.

Obligations on individuals to assist authorities

Criminal Procedure Code: Article 230, modified by Law No. 2001-1062 and Law No. 2014-1353 requires the disclosure of encryption keys upon the authorisation of a judge.

Other restrictions

No known legislation or policies.

Gabon

General right to encryption

No known legislation or policies.

Mandatory minimum or maximum encryption strength

No known legislation or policies.

Licensing/registration requirements

No known legislation or policies.

Import/export controls

No known legislation or policies.

Obligations on providers to assist authorities

No known legislation or policies.

Obligations on individuals to assist authorities

No known legislation or policies.

Other restrictions

No known legislation or policies.

Gambia

General right to encryption

No known legislation or policies.

Mandatory minimum or maximum encryption strength

No known legislation or policies.

Licensing/registration requirements

No known legislation or policies.

Import/export controls

No known legislation or policies.

Obligations on providers to assist authorities

No known legislation or policies.

Obligations on individuals to assist authorities

No known legislation or policies.

Other restrictions

No known legislation or policies.

Georgia

General right to encryption

No known legislation or policies.

Mandatory minimum or maximum encryption strength

No known legislation or policies.

Licensing/registration requirements

No known legislation or policies.

Import/export controls

No known legislation or policies.

Obligations on providers to assist authorities

No known legislation or policies.

Obligations on individuals to assist authorities

No known legislation or policies.

Other restrictions

No known legislation or policies.

Germany

General right to encryption

No known legislation or policies.

Mandatory minimum or maximum encryption strength

No known legislation or policies.

Licensing/registration requirements

No known legislation or policies.

Import/export controls

No known legislation or policies.

Obligations on providers to assist authorities

Criminal Procedure Law: There is no specific obligation with respect to providing encryption keys. However, Section 48 requires witnesses to disclose encryption keys as far as they have knowledge of them when questioned by a judge or prosecutor, and section 94 requires witnesses to provide documents or devices which contain such encryption keys when ordered to by a judge or, in certain circumstances, the police. Section 100 places a similar obligation upon service providers to provide passwords or access codes if they have them, but again only if ordered to by a judge or, in certain circumstances, the police.

Obligations on individuals to assist authorities

Criminal Procedure Law: There is no specific obligation with respect to providing encryption keys. However, Section 48 requires witnesses to disclose encryption keys as far as they have knowledge of them when questioned by a judge or prosecutor, and section 94 requires witnesses to provide documents or devices which contain such encryption keys when ordered to by a judge or, in certain circumstances, the police. Section 100 places a similar obligation upon service providers to provide passwords or access codes if they have them, but again only if ordered to by a judge or, in certain circumstances, the police.

Other restrictions

No known legislation or policies.

Ghana

General right to encryption

No known legislation or policies.

Mandatory minimum or maximum encryption strength

No known legislation or policies.

Licensing/registration requirements

No known legislation or policies.

Import/export controls

No known legislation or policies.

Obligations on providers to assist authorities

No known legislation or policies.

Obligations on individuals to assist authorities

No known legislation or policies.

Other restrictions

No known legislation or policies.

Greece

General right to encryption

No known legislation or policies.

Mandatory minimum or maximum encryption strength

No known legislation or policies.

Licensing/registration requirements

No known legislation or policies.

Import/export controls

No known legislation or policies.

Obligations on providers to assist authorities

No known legislation or policies.

Obligations on individuals to assist authorities

No known legislation or policies.

Other restrictions

No known legislation or policies.

Grenada

General right to encryption

No known legislation or policies.

Mandatory minimum or maximum encryption strength

No known legislation or policies.

Licensing/registration requirements

No known legislation or policies.

Import/export controls

No known legislation or policies.

Obligations on providers to assist authorities

No known legislation or policies.

Obligations on individuals to assist authorities

No known legislation or policies.

Other restrictions

No known legislation or policies.

Guatemala

General right to encryption

No known legislation or policies.

Mandatory minimum or maximum encryption strength

No known legislation or policies.

Licensing/registration requirements

No known legislation or policies.

Import/export controls

No known legislation or policies.

Obligations on providers to assist authorities

No known legislation or policies.

Obligations on individuals to assist authorities

No known legislation or policies.

Other restrictions

No known legislation or policies.

Guinea

General right to encryption

No known legislation or policies.

Mandatory minimum or maximum encryption strength

No known legislation or policies.

Licensing/registration requirements

No known legislation or policies.

Import/export controls

No known legislation or policies.

Obligations on providers to assist authorities

No known legislation or policies.

Obligations on individuals to assist authorities

No known legislation or policies.

Other restrictions

No known legislation or policies.

Guinea-Bissau

General right to encryption

No known legislation or policies.

Mandatory minimum or maximum encryption strength

No known legislation or policies.

Licensing/registration requirements

No known legislation or policies.

Import/export controls

No known legislation or policies.

Obligations on providers to assist authorities

No known legislation or policies.

Obligations on individuals to assist authorities

No known legislation or policies.

Other restrictions

No known legislation or policies.

Guyana

General right to encryption

No known legislation or policies.

Mandatory minimum or maximum encryption strength

No known legislation or policies.

Licensing/registration requirements

No known legislation or policies.

Import/export controls

No known legislation or policies.

Obligations on providers to assist authorities

No known legislation or policies.

Obligations on individuals to assist authorities

No known legislation or policies.

Other restrictions

No known legislation or policies.

Honduras

General right to encryption

No known legislation or policies.

Mandatory minimum or maximum encryption strength

No known legislation or policies.

Licensing/registration requirements

No known legislation or policies.

Import/export controls

No known legislation or policies.

Obligations on providers to assist authorities

No known legislation or policies.

Obligations on individuals to assist authorities

No known legislation or policies.

Other restrictions

No known legislation or policies.

Hungary

General right to encryption

No known legislation or policies.

Mandatory minimum or maximum encryption strength

No known legislation or policies.

Licensing/registration requirements

No known legislation or policies.

Import/export controls

No known legislation or policies.

Obligations on providers to assist authorities

No known legislation or policies.

Obligations on individuals to assist authorities

No known legislation or policies.

Other restrictions

No known legislation or policies.

Iceland

General right to encryption

No known legislation or policies.

Mandatory minimum or maximum encryption strength

No known legislation or policies.

Licensing/registration requirements

No known legislation or policies.

Import/export controls

No known legislation or policies.

Obligations on providers to assist authorities

No known legislation or policies.

Obligations on individuals to assist authorities

No known legislation or policies.

Other restrictions

No known legislation or policies.

India

General right to encryption

No known legislation or policies.

Mandatory minimum or maximum encryption strength

Information Technology Act 2000: Section 84A allows the government to set nationally permitted methods and modes for encryption.

The Government of India, Ministry of Communications and IT, Licence Agreement for Provision of Internet Services (2007) stipulates that service providers may not deploy “bulk encryption” on their networks, while the law has also restricted individuals from using encryption greater than an easily breakable 40-bit key length without prior permission and required anyone using stronger encryption to provide the government with a copy of the encryption keys.

Licensing/registration requirements

No known legislation or policies.

Import/export controls

No known legislation or policies.

Obligations on providers to assist authorities

Information Technology Act 2000: Section 69, as amended by the Information Technology (Amendment) Act 2008, requires persons to decrypt encrypted data if called upon. Failure to do so is punishable by up to seven years’ imprisonment and/or a fine.

Obligations on individuals to assist authorities

Information Technology Act 2000: Section 69, as amended by the Information Technology (Amendment) Act 2008, requires persons to decrypt encrypted data if called upon. Failure to do so is punishable by up to seven years’ imprisonment and/or a fine.

Other restrictions

No known legislation or policies.

Indonesia

General right to encryption

No known legislation or policies.

Mandatory minimum or maximum encryption strength

No known legislation or policies.

Licensing/registration requirements

No known legislation or policies.

Import/export controls

No known legislation or policies.

Obligations on providers to assist authorities

No known legislation or policies.

Obligations on individuals to assist authorities

No known legislation or policies.

Other restrictions

No known legislation or policies.

Iran

General right to encryption

No known legislation or policies.

Mandatory minimum or maximum encryption strength

No known legislation or policies.

Licensing/registration requirements

No known legislation or policies.

Import/export controls

No known legislation or policies.

Obligations on providers to assist authorities

No known legislation or policies.

Obligations on individuals to assist authorities

No known legislation or policies.

Other restrictions

Computer Crime Law: Article 10 criminalises “concealing data, changing passwords, and/or encoding data that could deny access of authorised individuals to data, computer and telecommunication systems.” The offence is punishable by imprisonment of between 91 days and one year or a fine of between between IRR 5,000,000 and IRR 20,000,000.

Iraq

General right to encryption

No known legislation or policies.

Mandatory minimum or maximum encryption strength

No known legislation or policies.

Licensing/registration requirements

No known legislation or policies.

Import/export controls

No known legislation or policies.

Obligations on providers to assist authorities

No known legislation or policies.

Obligations on individuals to assist authorities

No known legislation or policies.

Other restrictions

No known legislation or policies.

Ireland

General right to encryption

No known legislation or policies.

Mandatory minimum or maximum encryption strength

No known legislation or policies.

Licensing/registration requirements

No known legislation or policies.

Import/export controls

No known legislation or policies.

Obligations on providers to assist authorities

Electronic Commerce Act, 2000: Section 27(1) allows a District Court to issue a search warrant. Section 27(2) provides that such warrants authorise named officers to “seize anything found there, or anything found in the possession of a person present there at the time of the search, which that officer or member reasonably believes to be evidence of or relating to an offence under this Act and, where the thing seized is or contains information or an electronic communication that cannot readily be accessed or put into intelligible form, to require the disclosure of the information or electronic communication in intelligible form.” However, section 28 provides that this cannot be construed so as to require “the disclosure or enabling the seizure of unique data, such as codes, passwords, algorithms, private cryptographic keys, or other data, that may be necessary to render information or an electronic communication intelligible.” Failure to comply with a requirement under section 27(1) is punishable by imprisonment of up to 12 months and/or a fine.

Obligations on individuals to assist authorities

Electronic Commerce Act, 2000: Section 27(1) allows a District Court to issue a search warrant. Section 27(2) provides that such warrants authorise named officers to “seize anything found there, or anything found in the possession of a person present there at the time of the search, which that officer or member reasonably believes to be evidence of or relating to an offence under this Act and, where the thing seized is or contains information or an electronic communication that cannot readily be accessed or put into intelligible form, to require the disclosure of the information or electronic communication in intelligible form.” However, section 28 provides that this cannot be construed so as to require “the disclosure or enabling the seizure of unique data, such as codes, passwords, algorithms, private cryptographic keys, or other data, that may be necessary to render information or an electronic communication intelligible.” Failure to comply with a requirement under section 27(1) is punishable by imprisonment of up to 12 months and/or a fine.

Other restrictions

No known legislation or policies.

Israel

General right to encryption

No known legislation or policies.

Mandatory minimum or maximum encryption strength

No known legislation or policies.

Licensing/registration requirements

Order Governing the Control of Commodities and Services (Engagement in Encryption Items) 1974: The Ministry of Defense has instituted a system of control and licensing for items of encryption.

Import/export controls

Order Governing the Control of Commodities and Services (Engagement in Encryption Items) 1974: The Ministry of Defense has instituted a system of control and licensing for items of encryption.

Obligations on providers to assist authorities

No known legislation or policies.

Obligations on individuals to assist authorities

No known legislation or policies.

Other restrictions

No known legislation or policies.

Italy

General right to encryption

No known legislation or policies.

Mandatory minimum or maximum encryption strength

No known legislation or policies.

Licensing/registration requirements

No known legislation or policies.

Import/export controls

No known legislation or policies.

Obligations on providers to assist authorities

Internet services providers are legally obliged to provide any available information regarding customers who are under investigation, following a court order.

Obligations on individuals to assist authorities

No known legislation or policies.

Other restrictions

No known legislation or policies.

Jamaica

General right to encryption

No known legislation or policies.

Mandatory minimum or maximum encryption strength

No known legislation or policies.

Licensing/registration requirements

No known legislation or policies.

Import/export controls

No known legislation or policies.

Obligations on providers to assist authorities

Interception of Communications Act: Sections 12 and 13 allow for the police, after obtaining a “disclosure order” from a magistrate, to require persons who are in possession of a key to decrypt data, to provide the decrypted data in an intelligible form or to provide the key. Failure to comply with a disclosure order is punishable with up to six months’ imprisonment and/or a fine of JMD 500,000.

Obligations on individuals to assist authorities

Interception of Communications Act: Sections 12 and 13 allow for the police, after obtaining a “disclosure order” from a magistrate, to require persons who are in possession of a key to decrypt data, to provide the decrypted data in an intelligible form or to provide the key. Failure to comply with a disclosure order is punishable with up to six months’ imprisonment and/or a fine of JMD 500,000.

Other restrictions

No known legislation or policies.

Japan

General right to encryption

No known legislation or policies.

Mandatory minimum or maximum encryption strength

No known legislation or policies.

Licensing/registration requirements

No known legislation or policies.

Import/export controls

No known legislation or policies.

Obligations on providers to assist authorities

No known legislation or policies.

Obligations on individuals to assist authorities

No known legislation or policies.

Other restrictions

No known legislation or policies.

Jordan

General right to encryption

No known legislation or policies.

Mandatory minimum or maximum encryption strength

No known legislation or policies.

Licensing/registration requirements

No known legislation or policies.

Import/export controls

No known legislation or policies.

Obligations on providers to assist authorities

No known legislation or policies.

Obligations on individuals to assist authorities

No known legislation or policies.

Other restrictions

No known legislation or policies.

Kazakhstan

General right to encryption

No known legislation or policies.

Mandatory minimum or maximum encryption strength

No known legislation or policies.

Licensing/registration requirements

No known legislation or policies.

Import/export controls

No known legislation or policies.

Obligations on providers to assist authorities

No known legislation or policies.

Obligations on individuals to assist authorities

Law on Communications: Regulations made under new provisions in the Law on Communications require every internet user in the country to install a backdoor, allowing the government to conduct surveillance. KazakhTelecom, the country’s largest telecommunications company, has said that citizens are “obliged” to install a “national security certificate” on every device, including desktops and mobile devices. This allows the government to conduct a so-called “man-in-the-middle” attack, which allows the government to intercept every secure connection in the country and see web browsing history, usernames and passwords, and even secure and HTTPS-encrypted traffic.

Other restrictions

No known legislation or policies.

Kenya

General right to encryption

No known legislation or policies.

Mandatory minimum or maximum encryption strength

No known legislation or policies.

Licensing/registration requirements

No known legislation or policies.

Import/export controls

No known legislation or policies.

Obligations on providers to assist authorities

No known legislation or policies.

Obligations on individuals to assist authorities

No known legislation or policies.

Other restrictions

No known legislation or policies.

Kiribati

General right to encryption

No known legislation or policies.

Mandatory minimum or maximum encryption strength

No known legislation or policies.

Licensing/registration requirements

No known legislation or policies.

Import/export controls

No known legislation or policies.

Obligations on providers to assist authorities

No known legislation or policies.

Obligations on individuals to assist authorities

No known legislation or policies.

Other restrictions

No known legislation or policies.

Kuwait

General right to encryption

No known legislation or policies.

Mandatory minimum or maximum encryption strength

No known legislation or policies.

Licensing/registration requirements

No known legislation or policies.

Import/export controls

No known legislation or policies.

Obligations on providers to assist authorities

No known legislation or policies.

Obligations on individuals to assist authorities

No known legislation or policies.

Other restrictions

No known legislation or policies.

Kyrgyzstan

General right to encryption

No known legislation or policies.

Mandatory minimum or maximum encryption strength

No known legislation or policies.

Licensing/registration requirements

No known legislation or policies.

Import/export controls

No known legislation or policies.

Obligations on providers to assist authorities

No known legislation or policies.

Obligations on individuals to assist authorities

No known legislation or policies.

Other restrictions

No known legislation or policies.

Laos

General right to encryption

No known legislation or policies.

Mandatory minimum or maximum encryption strength

No known legislation or policies.

Licensing/registration requirements

No known legislation or policies.

Import/export controls

No known legislation or policies.

Obligations on providers to assist authorities

No known legislation or policies.

Obligations on individuals to assist authorities

No known legislation or policies.

Other restrictions

No known legislation or policies.

Latvia

General right to encryption

No known legislation or policies.

Mandatory minimum or maximum encryption strength

No known legislation or policies.

Licensing/registration requirements

No known legislation or policies.

Import/export controls

No known legislation or policies.

Obligations on providers to assist authorities

No known legislation or policies.

Obligations on individuals to assist authorities

No known legislation or policies.

Other restrictions

No known legislation or policies.

Lebanon

General right to encryption

No known legislation or policies.

Mandatory minimum or maximum encryption strength

No known legislation or policies.

Licensing/registration requirements

No known legislation or policies.

Import/export controls

No known legislation or policies.

Obligations on providers to assist authorities

No known legislation or policies.

Obligations on individuals to assist authorities

No known legislation or policies.

Other restrictions

No known legislation or policies.

Lesotho

General right to encryption

No known legislation or policies.

Mandatory minimum or maximum encryption strength

No known legislation or policies.

Licensing/registration requirements

No known legislation or policies.

Import/export controls

No known legislation or policies.

Obligations on providers to assist authorities

No known legislation or policies.

Obligations on individuals to assist authorities

No known legislation or policies.

Other restrictions

No known legislation or policies.

Liberia

General right to encryption

No known legislation or policies.

Mandatory minimum or maximum encryption strength

No known legislation or policies.

Licensing/registration requirements

No known legislation or policies.

Import/export controls

No known legislation or policies.

Obligations on providers to assist authorities

No known legislation or policies.

Obligations on individuals to assist authorities

No known legislation or policies.

Other restrictions

No known legislation or policies.

Libya

General right to encryption

No known legislation or policies.

Mandatory minimum or maximum encryption strength

No known legislation or policies.

Licensing/registration requirements

No known legislation or policies.

Import/export controls

No known legislation or policies.

Obligations on providers to assist authorities

No known legislation or policies.

Obligations on individuals to assist authorities

No known legislation or policies.

Other restrictions

No known legislation or policies.

Liechtenstein

General right to encryption

No known legislation or policies.

Mandatory minimum or maximum encryption strength

No known legislation or policies.

Licensing/registration requirements

No known legislation or policies.

Import/export controls

No known legislation or policies.

Obligations on providers to assist authorities

No known legislation or policies.

Obligations on individuals to assist authorities

No known legislation or policies.

Other restrictions

No known legislation or policies.

Lithuania

General right to encryption

No known legislation or policies.

Mandatory minimum or maximum encryption strength

No known legislation or policies.

Licensing/registration requirements

No known legislation or policies.

Import/export controls

No known legislation or policies.

Obligations on providers to assist authorities

No known legislation or policies.

Obligations on individuals to assist authorities

No known legislation or policies.

Other restrictions

No known legislation or policies.

Luxembourg

General right to encryption

Law of 14 August 2000 on Electronic Commerce: Article 3 provides that “The use of cryptographic techniques is free.”

Mandatory minimum or maximum encryption strength

No known legislation or policies.

Licensing/registration requirements

No known legislation or policies.

Import/export controls

No known legislation or policies.

Obligations on providers to assist authorities

Code of Criminal Procedure: Article 66(4) provides that an investigating judge may require a person – other than the subject of the person to whom a direction relates – who has knowledge of encryption mechanisms to provide understanding of the seized protected or encrypted data.

Obligations on individuals to assist authorities

Code of Criminal Procedure: Article 66(4) provides that an investigating judge may require a person – other than the subject of the person to whom a direction relates – who has knowledge of encryption mechanisms to provide understanding of the seized protected or encrypted data.

Other restrictions

No known legislation or policies.

Macedonia

General right to encryption

No known legislation or policies.

Mandatory minimum or maximum encryption strength

No known legislation or policies.

Licensing/registration requirements

No known legislation or policies.

Import/export controls

No known legislation or policies.

Obligations on providers to assist authorities

No known legislation or policies.

Obligations on individuals to assist authorities

No known legislation or policies.

Other restrictions

No known legislation or policies.

Madagascar

General right to encryption

No known legislation or policies.

Mandatory minimum or maximum encryption strength

No known legislation or policies.

Licensing/registration requirements

No known legislation or policies.

Import/export controls

No known legislation or policies.

Obligations on providers to assist authorities

No known legislation or policies.

Obligations on individuals to assist authorities

No known legislation or policies.

Other restrictions

No known legislation or policies.

Malawi

General right to encryption

Electronic Transactions and Cyber Security Act, 2016: Section 52(4) provides that, subject to any regulations made under subregulation (1), it is lawful for any person to use encryption programme or product provided that it has lawfully come into possession of that person.

Mandatory minimum or maximum encryption strength

No known legislation or policies.

Licensing/registration requirements

Electronic Transactions and Cyber Security Act, 2016: Section 54(1) prohibits the provision of cryptography services or products without registration. Applications must be made to the Malawi Communications Regulatory Authority (s.54(2)). The government must issue regulations (a) in respect of use, importation and exportation of encryption programmes and encryption products; and (b) prohibiting the exportation of encryption programmes or other encryption products from Malawi generally or subject to such restrictions as may be prescribed (s.54(3)).

Section 67(1) further requires a person who provides encryption services to declare to the Malawi Communications Regulatory Authority “the technical characteristics of the encryption means as well as the source code of the software used”. The government must issue regulations defining the conditions for such declarations and “may define encryption services whose technical characteristics or conditions of supply are such that, with regard to national defence or internal security interests, their provision shall not require any prior formality” (s. 67(2)).

Violation of either of these provisions is punishable by up to seven years’ imprisonment and a fine of MWK 5,000,000.

Import/export controls

Electronic Transactions and Cyber Security Act, 2016: Section 54(1) prohibits the provision of cryptography services or products without registration. Applications must be made to the Malawi Communications Regulatory Authority (s.54(2)). The government must issue regulations (a) in respect of use, importation and exportation of encryption programmes and encryption products; and (b) prohibiting the exportation of encryption programmes or other encryption products from Malawi generally or subject to such restrictions as may be prescribed.

Obligations on providers to assist authorities

No known legislation or policies.

Obligations on individuals to assist authorities

No known legislation or policies.

Other restrictions

No known legislation or policies.

Malaysia

General right to encryption

No known legislation or policies.

Mandatory minimum or maximum encryption strength

No known legislation or policies.

Licensing/registration requirements

No known legislation or policies.

Import/export controls

No known legislation or policies.

Obligations on providers to assist authorities

Criminal Procedure Code (Act 593): Section 116B(1) requires a police officer conducting a search under the Code to be given access to computerised data whether stored in a computer or otherwise. “Access” includes “being provided with the necessary password, encryption code, decryption code, software or hardware and any other means required to enable comprehension of the computerized data” (s. 116B(3)).

Computer Crimes Act 1997 (Act 563): Section 10(1)(c) allows a police officer, upon obtaining a warrant from a magistrate, to require any information contained in a computer and accessible from the premises to be produced in a form in which it can be taken away and in which it is visible and legible. Section 11 provides that failure to comply is punishable by up to three years’ imprisonment and/or a fine of up to MYR 25,000.

Digital Signature Act 1997 (Act 562): Section 79(1) requires that a police officer conducting a search under section 77 or 78 of the Act, or an authorised officer conducting a search under section 77 of the Act, be given access to computerised data whether stored in a computer or otherwise. “Access” includes “being provided with the necessary password, encryption code, decryption code, software or hardware and any other means required to enable comprehension of computerized data (s.79(2))”. Failure to comply is punishable by imprisonment for up to four years and/or a fine of up to MYR 200,000 (s. 83(1)).

Communications and Multimedia Act 1998 (Act 588): Section 249(1) requires that a police officer conducting a search under section 247 or 248 of the Act, or an authorised officer conducting a search under section 247 of the Act, be given access to computerised data whether stored in a computer or otherwise. “Access” includes “being provided with the necessary password, encryption code, decryption code, software or hardware and any other means required to enable comprehension of computerized data” (s.79(2)). Failure to comply is punishable by imprisonment for up to six months years and/or a fine of up to MYR 20,000 (s. 253).

Anti-Trafficking in Persons and Anti-Smuggling of Migrants Act 2007 (Act 670): Section 32(1) requires that an enforcement officer conducting a search under the Act be given access to computerised data whether stored in a computer or otherwise. “Access” includes “being provided with the necessary password, encryption code, decryption code, software or hardware and any other means required to enable comprehension of computerized data” (s.32(2)). Failure to comply is punishable by imprisonment for up to three years and/or a fine of up to MYR 150,000 (s. 63(1)).

Obligations on individuals to assist authorities

Criminal Procedure Code (Act 593): Section 116B(1) requires a police officer conducting a search under the Code to be given access to computerised data whether stored in a computer or otherwise. “Access” includes “being provided with the necessary password, encryption code, decryption code, software or hardware and any other means required to enable comprehension of the computerized data” (s. 116B(3)).

Computer Crimes Act 1997 (Act 563): Section 10(1)(c) allows a police officer, upon obtaining a warrant from a magistrate, to require any information contained in a computer and accessible from the premises to be produced in a form in which it can be taken away and in which it is visible and legible. Section 11 provides that failure to comply is punishable by up to three years’ imprisonment and/or a fine of up to MYR 25,000.

Digital Signature Act 1997 (Act 562): Section 79(1) requires that a police officer conducting a search under section 77 or 78 of the Act, or an authorised officer conducting a search under section 77 of the Act, be given access to computerised data whether stored in a computer or otherwise. “Access” includes “being provided with the necessary password, encryption code, decryption code, software or hardware and any other means required to enable comprehension of computerized data (s.79(2))”. Failure to comply is punishable by imprisonment for up to four years and/or a fine of up to MYR 200,000 (s. 83(1)).

Communications and Multimedia Act 1998 (Act 588): Section 249(1) requires that a police officer conducting a search under section 247 or 248 of the Act, or an authorised officer conducting a search under section 247 of the Act, be given access to computerised data whether stored in a computer or otherwise. “Access” includes “being provided with the necessary password, encryption code, decryption code, software or hardware and any other means required to enable comprehension of computerized data” (s.79(2)). Failure to comply is punishable by imprisonment for up to six months years and/or a fine of up to MYR 20,000 (s. 253).

Anti-Trafficking in Persons and Anti-Smuggling of Migrants Act 2007 (Act 670): Section 32(1) requires that an enforcement officer conducting a search under the Act be given access to computerised data whether stored in a computer or otherwise. “Access” includes “being provided with the necessary password, encryption code, decryption code, software or hardware and any other means required to enable comprehension of computerized data” (s.32(2)). Failure to comply is punishable by imprisonment for up to three years and/or a fine of up to MYR 150,000 (s. 63(1)).

Other restrictions

No known legislation or policies.

Maldives

General right to encryption

No known legislation or policies.

Mandatory minimum or maximum encryption strength

No known legislation or policies.

Licensing/registration requirements

No known legislation or policies.

Import/export controls

No known legislation or policies.

Obligations on providers to assist authorities

No known legislation or policies.

Obligations on individuals to assist authorities

No known legislation or policies.

Other restrictions

No known legislation or policies.

Mali

General right to encryption

No known legislation or policies.

Mandatory minimum or maximum encryption strength

No known legislation or policies.

Licensing/registration requirements

No known legislation or policies.

Import/export controls

No known legislation or policies.

Obligations on providers to assist authorities

No known legislation or policies.

Obligations on individuals to assist authorities

No known legislation or policies.

Other restrictions

No known legislation or policies.

Malta

General right to encryption

No known legislation or policies.

Mandatory minimum or maximum encryption strength

No known legislation or policies.

Licensing/registration requirements

No known legislation or policies.

Import/export controls

No known legislation or policies.

Obligations on providers to assist authorities

Criminal Code: Section 355Q provides that the police may, in addition to the power of seizing a computer machine, require any information which is contained in a computer to be delivered in a form in which it can be taken away and in which it is visible and legible.

Obligations on individuals to assist authorities

Criminal Code: Section 355Q provides that the police may, in addition to the power of seizing a computer machine, require any information which is contained in a computer to be delivered in a form in which it can be taken away and in which it is visible and legible.

Other restrictions

Electronic Commerce Act: Section 23(7) provides that no person shall use cryptographic or other similar techniques for any illegal purpose. Doing so is an offence punishable by imprisonment of up to six months and/or a fine of up to EUR 232,935 (s. 24).

Marshall Islands

General right to encryption

No known legislation or policies.

Mandatory minimum or maximum encryption strength

No known legislation or policies.

Licensing/registration requirements

No known legislation or policies.

Import/export controls

No known legislation or policies.

Obligations on providers to assist authorities

No known legislation or policies.

Obligations on individuals to assist authorities

No known legislation or policies.

Other restrictions

No known legislation or policies.

Mauritania

General right to encryption

No known legislation or policies.

Mandatory minimum or maximum encryption strength

No known legislation or policies.

Licensing/registration requirements

No known legislation or policies.

Import/export controls

No known legislation or policies.

Obligations on providers to assist authorities

No known legislation or policies.

Obligations on individuals to assist authorities

No known legislation or policies.

Other restrictions

No known legislation or policies.

Mauritius

General right to encryption

No known legislation or policies.

Mandatory minimum or maximum encryption strength

No known legislation or policies.

Licensing/registration requirements

No known legislation or policies.

Import/export controls

No known legislation or policies.

Obligations on providers to assist authorities

No known legislation or policies.

Obligations on individuals to assist authorities

No known legislation or policies.

Other restrictions

No known legislation or policies.

Mexico

General right to encryption

No known legislation or policies.

Mandatory minimum or maximum encryption strength

No known legislation or policies.

Licensing/registration requirements

No known legislation or policies.

Import/export controls

No known legislation or policies.

Obligations on providers to assist authorities

No known legislation or policies.

Obligations on individuals to assist authorities

No known legislation or policies.

Other restrictions

No known legislation or policies.

Micronesia

General right to encryption

No known legislation or policies.

Mandatory minimum or maximum encryption strength

No known legislation or policies.

Licensing/registration requirements

No known legislation or policies.

Import/export controls

No known legislation or policies.

Obligations on providers to assist authorities

No known legislation or policies.

Obligations on individuals to assist authorities

No known legislation or policies.

Other restrictions

No known legislation or policies.

Moldova

General right to encryption

No known legislation or policies.

Mandatory minimum or maximum encryption strength

No known legislation or policies.

Licensing/registration requirements

No known legislation or policies.

Import/export controls

No known legislation or policies.

Obligations on providers to assist authorities

No known legislation or policies.

Obligations on individuals to assist authorities

No known legislation or policies.

Other restrictions

No known legislation or policies.

Monaco

General right to encryption

No known legislation or policies.

Mandatory minimum or maximum encryption strength

No known legislation or policies.

Licensing/registration requirements

No known legislation or policies.

Import/export controls

No known legislation or policies.

Obligations on providers to assist authorities

No known legislation or policies.

Obligations on individuals to assist authorities

No known legislation or policies.

Other restrictions

No known legislation or policies.

Mongolia

General right to encryption

No known legislation or policies.

Mandatory minimum or maximum encryption strength

No known legislation or policies.

Licensing/registration requirements

No known legislation or policies.

Import/export controls

No known legislation or policies.

Obligations on providers to assist authorities

No known legislation or policies.

Obligations on individuals to assist authorities

No known legislation or policies.

Other restrictions

No known legislation or policies.

Montenegro

General right to encryption

No known legislation or policies.

Mandatory minimum or maximum encryption strength

No known legislation or policies.

Licensing/registration requirements

No known legislation or policies.

Import/export controls

No known legislation or policies.

Obligations on providers to assist authorities

No known legislation or policies.

Obligations on individuals to assist authorities

No known legislation or policies.

Other restrictions

No known legislation or policies.

Morocco

General right to encryption

No known legislation or policies.

Mandatory minimum or maximum encryption strength

No known legislation or policies.

Licensing/registration requirements

Law No. 53-05: Article 13 requires prior approval from the authorities in order to use cryptography (including to import or export encryption services). Use of cryptography in breach of Article 13 is punishable by up to one year’s imprisonment and a fine of MAD 100,000. Article 13 also allows the government to provide a simplified system of reporting or authorisation or exemption of the declaration or authorisation for certain types of means or cryptographic services or for certain categories of users.

Import/export controls

Law No. 53-05: Article 13 requires prior approval from the authorities in order to use cryptography (including to import or export encryption services). Use of cryptography in breach of Article 13 is punishable by up to one year’s imprisonment and a fine of MAD 100,000. Article 13 also allows the government to provide a simplified system of reporting or authorisation or exemption of the declaration or authorisation for certain types of means or cryptographic services or for certain categories of users.

Obligations on providers to assist authorities

No known legislation or policies.

Obligations on individuals to assist authorities

No known legislation or policies.

Other restrictions

No known legislation or policies.

Mozambique

General right to encryption

No known legislation or policies.

Mandatory minimum or maximum encryption strength

No known legislation or policies.

Licensing/registration requirements

No known legislation or policies.

Import/export controls

No known legislation or policies.

Obligations on providers to assist authorities

No known legislation or policies.

Obligations on individuals to assist authorities

No known legislation or policies.

Other restrictions

No known legislation or policies.

Myanmar

General right to encryption

No known legislation or policies.

Mandatory minimum or maximum encryption strength

No known legislation or policies.

Licensing/registration requirements

No known legislation or policies.

Import/export controls

No known legislation or policies.

Obligations on providers to assist authorities

Telecommunications Law: Section 69 suggests that decryption of encrypted data can only be required for a telecommunications-related matter prosecution and only when authorised by a court order.

Obligations on individuals to assist authorities

Telecommunications Law: Section 69 suggests that decryption of encrypted data can only be required for a telecommunications-related matter prosecution and only when authorised by a court order.

Other restrictions

No known legislation or policies.

Namibia

General right to encryption

No known legislation or policies.

Mandatory minimum or maximum encryption strength

No known legislation or policies.

Licensing/registration requirements

No known legislation or policies.

Import/export controls

No known legislation or policies.

Obligations on providers to assist authorities

No known legislation or policies.

Obligations on individuals to assist authorities

No known legislation or policies.

Other restrictions

No known legislation or policies.

Nauru

General right to encryption

No known legislation or policies.

Mandatory minimum or maximum encryption strength

No known legislation or policies.

Licensing/registration requirements

No known legislation or policies.

Import/export controls

No known legislation or policies.

Obligations on providers to assist authorities

No known legislation or policies.

Obligations on individuals to assist authorities

No known legislation or policies.

Other restrictions

No known legislation or policies.

Nepal

General right to encryption

No known legislation or policies.

Mandatory minimum or maximum encryption strength

No known legislation or policies.

Licensing/registration requirements

No known legislation or policies.

Import/export controls

No known legislation or policies.

Obligations on providers to assist authorities

No known legislation or policies.

Obligations on individuals to assist authorities

No known legislation or policies.

Other restrictions

No known legislation or policies.

New Zealand

General right to encryption

No known legislation or policies.

Mandatory minimum or maximum encryption strength

No known legislation or policies.

Licensing/registration requirements

No known legislation or policies.

Import/export controls

No known legislation or policies.

Obligations on providers to assist authorities

Section 9(1) of the Telecommunications (Interception Capability and Security) Act 2013 requires all network operators to ensure that public telecommunications networks and telecommunications services have “full interception capability”. This includes a duty to ensure that the interception capability is developed, installed, and maintained (section (9(3)).

The duty is only complied with if every surveillance agency that is authorised under an interception warrant or any other lawful interception authority to intercept telecommunications or services on that network, or the network operator concerned, is able to – amongst other things – identify and intercept telecommunications, and obtain call associated data and the content of those telecommunications (section 10(1)). Network operators must decrypt telecommunications on that operator’s public telecommunications network or telecommunications service if they have been encrypted and the network operators provided that encryption (section 10(3)). However this does not require them to decrypt telecommunications that were encrypted by a product supplied by a person other than the operator and is available to the public, or was supplied by the operator as an agent for that product (section 10(4)). Nor does it require them to ensure that surveillance agencies have the ability to decrypt any telecommunication (section 10(4)).

Together, these duties mean that network operators cannot design and implement end-to-end encryption.

Under section 24 of the Act, where a network operator or service provider is shown an interception warrant which has been issued to a surveillance authority, it must assist the surveillance agency. This assistance includes “taking all other reasonable steps that are necessary for the purpose of giving effect to the warrant or lawful authority”, including decrypting telecommunications where they have provided the encryption. As with the duties under sections 9 and 10, this does not, however, require them to decrypt telecommunications that were encrypted by a product supplied by them as an agent for that product, or supplied by another person where the product is available to the public (section 24(4)). Nor does it require them to ensure that surveillance agencies have the ability to decrypt any telecommunication (section 24(4)).

Under section 130 of the Search and Surveillance Act 2012, a person with a search power in respect of data held in a computer system or other data storage device may require a specified person to provide access information and other information or assistance that is reasonable and necessary to allow the person exercising the search power to access that data. This could include a requirement that they decrypt information which is necessary to access a particular device. The search power cannot be used to require the specified person give any information tending to incriminate them (section 130(2)), however this does not prevent a person exercising a search power from requiring the specified person to provide information or providing assistance that is reasonable and necessary to allow the person exercising the search power to access data held in, or accessible from, a computer system or other data storage device that contains or may contain information tending to incriminate the specified person (section 130(3)).

It is an offence to fail to assist a person exercising a search power when requested to do so under section 130(1), without reasonable excuse, punishable with imprisonment for up to three months (section 178).

Obligations on individuals to assist authorities

Under section 130 of the Search and Surveillance Act 2012, a person with a search power in respect of data held in a computer system or other data storage device may require a specified person to provide access information and other information or assistance that is reasonable and necessary to allow the person exercising the search power to access that data. This could include a requirement that they decrypt information which is necessary to access a particular device. The search power cannot be used to require the specified person give any information tending to incriminate them (section 130(2)), however this does not prevent a person exercising a search power from requiring the specified person to provide information or providing assistance that is reasonable and necessary to allow the person exercising the search power to access data held in, or accessible from, a computer system or other data storage device that contains or may contain information tending to incriminate the specified person (section 130(3)).

It is an offence to fail to assist a person exercising a search power when requested to do so under section 130(1), without reasonable excuse, punishable with imprisonment for up to three months (section 178).

Other restrictions

No known legislation or policies.

Nicaragua

General right to encryption

No known legislation or policies.

Mandatory minimum or maximum encryption strength

No known legislation or policies.

Licensing/registration requirements

No known legislation or policies.

Import/export controls

No known legislation or policies.

Obligations on providers to assist authorities

No known legislation or policies.

Obligations on individuals to assist authorities

No known legislation or policies.

Other restrictions

No known legislation or policies.

Niger

General right to encryption

No known legislation or policies.

Mandatory minimum or maximum encryption strength

No known legislation or policies.

Licensing/registration requirements

No known legislation or policies.

Import/export controls

No known legislation or policies.

Obligations on providers to assist authorities

No known legislation or policies.

Obligations on individuals to assist authorities

No known legislation or policies.

Other restrictions

No known legislation or policies.

Nigeria

General right to encryption

No known legislation or policies.

Mandatory minimum or maximum encryption strength

No known legislation or policies.

Licensing/registration requirements

No known legislation or policies.

Import/export controls

No known legislation or policies.

Obligations on providers to assist authorities

Cybercrimes (Prohibition, Prevention, etc) Act 2015: Section 45 allow a law enforcement officer, after obtaining a warrant from a judge, to “use any technology to decode or decrypt any coded or encrypted data contained in a computer into readable text or comprehensible format”. While there is no compulsion on individuals to assist by providing a key or otherwise decrypting any data, section 46 provides that wilfully obstructing any law enforcement officer in the exercise of any powers conferred by the Act or failing to comply with any lawful inquiry or resists made by any law enforcement agency in accordance with provisions of the Act is a criminal offence, punishable by imprisonment for up to two years and/or a fine of up to NGN 500,000.

Obligations on individuals to assist authorities

Cybercrimes (Prohibition, Prevention, etc) Act 2015: Section 45 allow a law enforcement officer, after obtaining a warrant from a judge, to “use any technology to decode or decrypt any coded or encrypted data contained in a computer into readable text or comprehensible format”. While there is no compulsion on individuals to assist by providing a key or otherwise decrypting any data, section 46 provides that wilfully obstructing any law enforcement officer in the exercise of any powers conferred by the Act or failing to comply with any lawful inquiry or resists made by any law enforcement agency in accordance with provisions of the Act is a criminal offence, punishable by imprisonment for up to two years and/or a fine of up to NGN 500,000.

Other restrictions

No known legislation or policies.

North Korea

General right to encryption

No known legislation or policies.

Mandatory minimum or maximum encryption strength

No known legislation or policies.

Licensing/registration requirements

No known legislation or policies.

Import/export controls

No known legislation or policies.

Obligations on providers to assist authorities

No known legislation or policies.

Obligations on individuals to assist authorities

No known legislation or policies.

Other restrictions

No known legislation or policies.

Norway

General right to encryption

No known legislation or policies.

Mandatory minimum or maximum encryption strength

No known legislation or policies.

Licensing/registration requirements

No known legislation or policies.

Import/export controls

No known legislation or policies.

Obligations on providers to assist authorities

No known legislation or policies.

Obligations on individuals to assist authorities

No known legislation or policies.

Other restrictions

No known legislation or policies.

Oman

General right to encryption

No known legislation or policies.

Mandatory minimum or maximum encryption strength

No known legislation or policies.

Licensing/registration requirements

No known legislation or policies.

Import/export controls

No known legislation or policies.

Obligations on providers to assist authorities

No known legislation or policies.

Obligations on individuals to assist authorities

No known legislation or policies.

Other restrictions

No known legislation or policies.

Pakistan

General right to encryption

No known legislation or policies.

Mandatory minimum or maximum encryption strength

No known legislation or policies.

Licensing/registration requirements

The Pakistan Telecommunication Authority requires prior approval for the use of VPNs and encryption.

Import/export controls

No known legislation or policies.

Obligations on providers to assist authorities

Prevention of Electronic Crimes Ordinance, 2007 (Ordinance LXXII of 2007): Section 26 provides that an investigation officer, after obtaining a search warrant, shall be entitled to require any person who is in possession of decryption information of under investigation electronic system, device or data to grant him access to such decryption information necessary to decrypt data required for the purpose of investigating any such offence. Failure to do so is punishable by up to one year’s imprisonment and/or a fine of up to PKR 100,000.

Obligations on individuals to assist authorities

Prevention of Electronic Crimes Ordinance, 2007 (Ordinance LXXII of 2007): Section 26 provides that an investigation officer, after obtaining a search warrant, shall be entitled to require any person who is in possession of decryption information of under investigation electronic system, device or data to grant him access to such decryption information necessary to decrypt data required for the purpose of investigating any such offence. Failure to do so is punishable by up to one year’s imprisonment and/or a fine of up to PKR 100,000.

Other restrictions

No known legislation or policies.

Palau

General right to encryption

No known legislation or policies.

Mandatory minimum or maximum encryption strength

No known legislation or policies.

Licensing/registration requirements

No known legislation or policies.

Import/export controls

No known legislation or policies.

Obligations on providers to assist authorities

No known legislation or policies.

Obligations on individuals to assist authorities

No known legislation or policies.

Other restrictions

No known legislation or policies.

Palestine

General right to encryption

No known legislation or policies.

Mandatory minimum or maximum encryption strength

No known legislation or policies.

Licensing/registration requirements

No known legislation or policies.

Import/export controls

No known legislation or policies.

Obligations on providers to assist authorities

No known legislation or policies.

Obligations on individuals to assist authorities

No known legislation or policies.

Other restrictions

No known legislation or policies.

Panama

General right to encryption

No known legislation or policies.

Mandatory minimum or maximum encryption strength

No known legislation or policies.

Licensing/registration requirements

No known legislation or policies.

Import/export controls

No known legislation or policies.

Obligations on providers to assist authorities

No known legislation or policies.

Obligations on individuals to assist authorities

No known legislation or policies.

Other restrictions

No known legislation or policies.

Papua New Guinea

General right to encryption

No known legislation or policies.

Mandatory minimum or maximum encryption strength

No known legislation or policies.

Licensing/registration requirements

No known legislation or policies.

Import/export controls

No known legislation or policies.

Obligations on providers to assist authorities

No known legislation or policies.

Obligations on individuals to assist authorities

No known legislation or policies.

Other restrictions

No known legislation or policies.

Paraguay

General right to encryption

No known legislation or policies.

Mandatory minimum or maximum encryption strength

No known legislation or policies.

Licensing/registration requirements

No known legislation or policies.

Import/export controls

No known legislation or policies.

Obligations on providers to assist authorities

No known legislation or policies.

Obligations on individuals to assist authorities

No known legislation or policies.

Other restrictions

No known legislation or policies.

Peru

General right to encryption

No known legislation or policies.

Mandatory minimum or maximum encryption strength

No known legislation or policies.

Licensing/registration requirements

No known legislation or policies.

Import/export controls

No known legislation or policies.

Obligations on providers to assist authorities

No known legislation or policies.

Obligations on individuals to assist authorities

No known legislation or policies.

Other restrictions

No known legislation or policies.

Philippines

General right to encryption

No known legislation or policies.

Mandatory minimum or maximum encryption strength

No known legislation or policies.

Licensing/registration requirements

No known legislation or policies.

Import/export controls

No known legislation or policies.

Obligations on providers to assist authorities

No known legislation or policies.

Obligations on individuals to assist authorities

No known legislation or policies.

Other restrictions

No known legislation or policies.

Poland

General right to encryption

No known legislation or policies.

Mandatory minimum or maximum encryption strength

No known legislation or policies.

Licensing/registration requirements

No known legislation or policies.

Import/export controls

No known legislation or policies.

Obligations on providers to assist authorities

No known legislation or policies.

Obligations on individuals to assist authorities

No known legislation or policies.

Other restrictions

No known legislation or policies.

Portugal

General right to encryption

No known legislation or policies.

Mandatory minimum or maximum encryption strength

No known legislation or policies.

Licensing/registration requirements

No known legislation or policies.

Import/export controls

No known legislation or policies.

Obligations on providers to assist authorities

No known legislation or policies.

Obligations on individuals to assist authorities

No known legislation or policies.

Other restrictions

No known legislation or policies.

Qatar

General right to encryption

No known legislation or policies.

Mandatory minimum or maximum encryption strength

No known legislation or policies.

Licensing/registration requirements

No known legislation or policies.

Import/export controls

No known legislation or policies.

Obligations on providers to assist authorities

No known legislation or policies.

Obligations on individuals to assist authorities

No known legislation or policies.

Other restrictions

No known legislation or policies.

Republic of the Congo

General right to encryption

No known legislation or policies.

Mandatory minimum or maximum encryption strength

No known legislation or policies.

Licensing/registration requirements

No known legislation or policies.

Import/export controls

No known legislation or policies.

Obligations on providers to assist authorities

No known legislation or policies.

Obligations on individuals to assist authorities

No known legislation or policies.

Other restrictions

No known legislation or policies.

Romania

General right to encryption

No known legislation or policies.

Mandatory minimum or maximum encryption strength

No known legislation or policies.

Licensing/registration requirements

No known legislation or policies.

Import/export controls

No known legislation or policies.

Obligations on providers to assist authorities

No known legislation or policies.

Obligations on individuals to assist authorities

No known legislation or policies.

Other restrictions

No known legislation or policies.

Russia

General right to encryption

No known legislation or policies.

Mandatory minimum or maximum encryption strength

No known legislation or policies.

Licensing/registration requirements

Federal Law No. 128-FZ “On Licensing Specific Types of Activity”: Article 17 provides that a licence is required for distributing encryption facilities, maintaining encryption facilities, providing encryption services, and developing and manufacturing encryption facilities protected by means of encryption.

Import/export controls

No known legislation or policies.

Obligations on providers to assist authorities

Federal Law No. 149-FZ “On Information, Information Technologies and Protection of Information”: Article 10-1, paragraph 4-1 requires “organisers of information distribution” that add “additional coding” to transmitted electronic messages to provide the Federal Security Service with any information necessary to decrypt those messages.

Obligations on individuals to assist authorities

No known legislation or policies.

Other restrictions

No known legislation or policies.

Rwanda

General right to encryption

No known legislation or policies.

Mandatory minimum or maximum encryption strength

No known legislation or policies.

Licensing/registration requirements

No known legislation or policies.

Import/export controls

No known legislation or policies.

Obligations on providers to assist authorities

No known legislation or policies.

Obligations on individuals to assist authorities

No known legislation or policies.

Other restrictions

No known legislation or policies.

Saint Kitts and Nevis

General right to encryption

No known legislation or policies.

Mandatory minimum or maximum encryption strength

No known legislation or policies.

Licensing/registration requirements

No known legislation or policies.

Import/export controls

No known legislation or policies.

Obligations on providers to assist authorities

No known legislation or policies.

Obligations on individuals to assist authorities

No known legislation or policies.

Other restrictions

No known legislation or policies.

Saint Lucia

General right to encryption

No known legislation or policies.

Mandatory minimum or maximum encryption strength

No known legislation or policies.

Licensing/registration requirements

No known legislation or policies.

Import/export controls

No known legislation or policies.

Obligations on providers to assist authorities

Interception of Communications Act (Cap 3.12)

Section 21 enables the making of disclosure orders. Either the Attorney General or the Director of Public Prosecutions may apply to a judge for such a disclosure order. Where a disclosure order is made, the subject must either disclose the key or the information which is encrypted in an intelligible format. Failure to comply with a disclosure order commits is an offence punishable by up to one year’s imprisonment and/or a fine of up to XCD 5,000 (s. 22(7)).

Obligations on individuals to assist authorities

Interception of Communications Act (Cap 3.12)

Section 21 enables the making of disclosure orders. Either the Attorney General or the Director of Public Prosecutions may apply to a judge for such a disclosure order. Where a disclosure order is made, the subject must either disclose the key or the information which is encrypted in an intelligible format. Failure to comply with a disclosure order commits is an offence punishable by up to one year’s imprisonment and/or a fine of up to XCD 5,000 (s. 22(7)).

Other restrictions

No known legislation or policies.

Saint Vincent and the Grenadines

General right to encryption

No known legislation or policies.

Mandatory minimum or maximum encryption strength

No known legislation or policies.

Licensing/registration requirements

Electronic Communications Act 2007: Section 34 establishes a register of all cryptography providers. Unless they are registered, a cryptography provide cannot provide cryptography products.

Import/export controls

No known legislation or policies.

Obligations on providers to assist authorities

No known legislation or policies.

Obligations on individuals to assist authorities

No known legislation or policies.

Other restrictions

No known legislation or policies.

Samoa

General right to encryption

No known legislation or policies.

Mandatory minimum or maximum encryption strength

No known legislation or policies.

Licensing/registration requirements

No known legislation or policies.

Import/export controls

No known legislation or policies.

Obligations on providers to assist authorities

No known legislation or policies.

Obligations on individuals to assist authorities

No known legislation or policies.

Other restrictions

No known legislation or policies.

San Marino

General right to encryption

No known legislation or policies.

Mandatory minimum or maximum encryption strength

No known legislation or policies.

Licensing/registration requirements

No known legislation or policies.

Import/export controls

No known legislation or policies.

Obligations on providers to assist authorities

No known legislation or policies.

Obligations on individuals to assist authorities

No known legislation or policies.

Other restrictions

No known legislation or policies.

São Tomé and Príncipe

General right to encryption

No known legislation or policies.

Mandatory minimum or maximum encryption strength

No known legislation or policies.

Licensing/registration requirements

No known legislation or policies.

Import/export controls

No known legislation or policies.

Obligations on providers to assist authorities

No known legislation or policies.

Obligations on individuals to assist authorities

No known legislation or policies.

Other restrictions

No known legislation or policies.

Saudi Arabia

General right to encryption

No known legislation or policies.

Mandatory minimum or maximum encryption strength

No known legislation or policies.

Licensing/registration requirements

No known legislation or policies.

Import/export controls

No known legislation or policies.

Obligations on providers to assist authorities

No known legislation or policies.

Obligations on individuals to assist authorities

No known legislation or policies.

Other restrictions

No known legislation or policies.

Senegal

General right to encryption

Law on Cryptography (Law No. 2008-41): Article 12 provides that the use of encryption services and methods is free.

Mandatory minimum or maximum encryption strength

Law on Cryptography (Law No. 2008-41): Article 13 allows the National Cryptology Commission (NCC) to set down rules on the maximum size of encryption keys, and the NCC has set the maximum size at 128 bits (Article 13 of Decree No. 2010-1209, as amended by Decree No. 2012-1508).

Licensing/registration requirements

Law on Cryptography (Law No. 2008-41): Article 16 provides that bodies exercising cryptology services must be licenced by the National Cryptology Commission.

Import/export controls

Law on Cryptography (Law No. 2008-41): Article 12 provides that the supply, import and export of means of cryptology ensuring exclusively the functions of authentication and integrity control are free. However, Article 14 provides that the supply or importation of a means of cryptology which does not solely perform functions of authentication and integrity control requires approval from the National Cryptology Commission.

Obligations on providers to assist authorities

No known legislation or policies.

Obligations on individuals to assist authorities

No known legislation or policies.

Other restrictions

No known legislation or policies.

Serbia

General right to encryption

No known legislation or policies.

Mandatory minimum or maximum encryption strength

No known legislation or policies.

Licensing/registration requirements

No known legislation or policies.

Import/export controls

No known legislation or policies.

Obligations on providers to assist authorities

No known legislation or policies.

Obligations on individuals to assist authorities

No known legislation or policies.

Other restrictions

No known legislation or policies.

Seychelles

General right to encryption

No known legislation or policies.

Mandatory minimum or maximum encryption strength

No known legislation or policies.

Licensing/registration requirements

No known legislation or policies.

Import/export controls

No known legislation or policies.

Obligations on providers to assist authorities

No known legislation or policies.

Obligations on individuals to assist authorities

No known legislation or policies.

Other restrictions

No known legislation or policies.

Sierra Leone

General right to encryption

No known legislation or policies.

Mandatory minimum or maximum encryption strength

No known legislation or policies.

Licensing/registration requirements

No known legislation or policies.

Import/export controls

No known legislation or policies.

Obligations on providers to assist authorities

No known legislation or policies.

Obligations on individuals to assist authorities

No known legislation or policies.

Other restrictions

No known legislation or policies.

Singapore

General right to encryption

No known legislation or policies.

Mandatory minimum or maximum encryption strength

No known legislation or policies.

Licensing/registration requirements

No known legislation or policies.

Import/export controls

No known legislation or policies.

Obligations on providers to assist authorities

Criminal Procedure Code: Section 40 allows the Public Prosecutor, by order, to authorise a police officer or an authorised person to exercise the power to (a) access any information, code or technology which has the capability of retransforming or unscrambling encrypted data into readable and comprehensible format or text for the purposes of investigating the arrestable offence; (b) require (i) any person whom he reasonably suspects of using a computer in connection with an arrestable offence or of having used it in this way; or (ii) any person having charge of, or otherwise concerned with the operation of, such computer, to provide him with such reasonable technical and other assistance as he may require for the purposes of paragraph (a); and (c) require any person whom he reasonably suspects to be in possession of any decryption information to grant him access to such decryption information as may be necessary to decrypt any data required for the purposes of investigating the arrestable offence. Failure to do so is punishable by up to three years’ imprisonment and/or a fine of up to SGD 10,000.

Obligations on individuals to assist authorities

Criminal Procedure Code: Section 40 allows the Public Prosecutor, by order, to authorise a police officer or an authorised person to exercise the power to (a) access any information, code or technology which has the capability of retransforming or unscrambling encrypted data into readable and comprehensible format or text for the purposes of investigating the arrestable offence; (b) require (i) any person whom he reasonably suspects of using a computer in connection with an arrestable offence or of having used it in this way; or (ii) any person having charge of, or otherwise concerned with the operation of, such computer, to provide him with such reasonable technical and other assistance as he may require for the purposes of paragraph (a); and (c) require any person whom he reasonably suspects to be in possession of any decryption information to grant him access to such decryption information as may be necessary to decrypt any data required for the purposes of investigating the arrestable offence. Failure to do so is punishable by up to three years’ imprisonment and/or a fine of up to SGD 10,000.

Other restrictions

No known legislation or policies.

Slovakia

General right to encryption

No known legislation or policies.

Mandatory minimum or maximum encryption strength

No known legislation or policies.

Licensing/registration requirements

No known legislation or policies.

Import/export controls

No known legislation or policies.

Obligations on providers to assist authorities

No known legislation or policies.

Obligations on individuals to assist authorities

No known legislation or policies.

Other restrictions

No known legislation or policies.

Slovenia

General right to encryption

No known legislation or policies.

Mandatory minimum or maximum encryption strength

No known legislation or policies.

Licensing/registration requirements

No known legislation or policies.

Import/export controls

No known legislation or policies.

Obligations on providers to assist authorities

No known legislation or policies.

Obligations on individuals to assist authorities

No known legislation or policies.

Other restrictions

No known legislation or policies.

Solomon Islands

General right to encryption

No known legislation or policies.

Mandatory minimum or maximum encryption strength

No known legislation or policies.

Licensing/registration requirements

No known legislation or policies.

Import/export controls

No known legislation or policies.

Obligations on providers to assist authorities

No known legislation or policies.

Obligations on individuals to assist authorities

No known legislation or policies.

Other restrictions

No known legislation or policies.

Somalia

General right to encryption

No known legislation or policies.

Mandatory minimum or maximum encryption strength

No known legislation or policies.

Licensing/registration requirements

No known legislation or policies.

Import/export controls

No known legislation or policies.

Obligations on providers to assist authorities

No known legislation or policies.

Obligations on individuals to assist authorities

No known legislation or policies.

Other restrictions

No known legislation or policies.

South Africa

General right to encryption

No known legislation or policies.

Mandatory minimum or maximum encryption strength

No known legislation or policies.

Licensing/registration requirements

Electronic Communications and Transactions Act 25 of 2002: Section 29 establishes a register of all cryptography providers. Unless they are registered, a cryptography provide cannot provide cryptography products.

Import/export controls

No known legislation or policies.

Obligations on providers to assist authorities

Regulation of Interception of Communications and Provision of Communication-Related Information Act 2002: Section 21 allows for application to be made to a judge for a “decryption order” which would compel a person who has a decryption key to provide it. Failure to do is punishable with up to ten years’ imprisonment or a fine of up to ZAR 2,000,000(and, for a legal entity, a fine of up to ZAR 5,000,000).

Obligations on individuals to assist authorities

Regulation of Interception of Communications and Provision of Communication-Related Information Act 2002: Section 21 allows for application to be made to a judge for a “decryption order” which would compel a person who has a decryption key to provide it. Failure to do is punishable with up to ten years’ imprisonment or a fine of up to ZAR 2,000,000(and, for a legal entity, a fine of up to ZAR 5,000,000).

Other restrictions

No known legislation or policies.

South Korea

General right to encryption

No known legislation or policies.

Mandatory minimum or maximum encryption strength

No known legislation or policies.

Licensing/registration requirements

No known legislation or policies.

Import/export controls

No known legislation or policies.

Obligations on providers to assist authorities

No known legislation or policies.

Obligations on individuals to assist authorities

No known legislation or policies.

Other restrictions

No known legislation or policies.

South Sudan

General right to encryption

No known legislation or policies.

Mandatory minimum or maximum encryption strength

No known legislation or policies.

Licensing/registration requirements

No known legislation or policies.

Import/export controls

No known legislation or policies.

Obligations on providers to assist authorities

No known legislation or policies.

Obligations on individuals to assist authorities

No known legislation or policies.

Other restrictions

No known legislation or policies.

Spain

General right to encryption

No known legislation or policies.

Mandatory minimum or maximum encryption strength

No known legislation or policies.

Licensing/registration requirements

No known legislation or policies.

Import/export controls

No known legislation or policies.

Obligations on providers to assist authorities

Law on Telecommunications 25/2007: The law requires the disclosure of encryption keys.

Obligations on individuals to assist authorities

Law on Telecommunications 25/2007: The law requires the disclosure of encryption keys.

Other restrictions

No known legislation or policies.

Sri Lanka

General right to encryption

No known legislation or policies.

Mandatory minimum or maximum encryption strength

No known legislation or policies.

Licensing/registration requirements

No known legislation or policies.

Import/export controls

No known legislation or policies.

Obligations on providers to assist authorities

No known legislation or policies.

Obligations on individuals to assist authorities

No known legislation or policies.

Other restrictions

No known legislation or policies.

Sudan

General right to encryption

No known legislation or policies.

Mandatory minimum or maximum encryption strength

No known legislation or policies.

Licensing/registration requirements

No known legislation or policies.

Import/export controls

No known legislation or policies.

Obligations on providers to assist authorities

No known legislation or policies.

Obligations on individuals to assist authorities

No known legislation or policies.

Other restrictions

No known legislation or policies.

Suriname

General right to encryption

No known legislation or policies.

Mandatory minimum or maximum encryption strength

No known legislation or policies.

Licensing/registration requirements

No known legislation or policies.

Import/export controls

No known legislation or policies.

Obligations on providers to assist authorities

No known legislation or policies.

Obligations on individuals to assist authorities

No known legislation or policies.

Other restrictions

No known legislation or policies.

Swaziland

General right to encryption

No known legislation or policies.

Mandatory minimum or maximum encryption strength

No known legislation or policies.

Licensing/registration requirements

No known legislation or policies.

Import/export controls

No known legislation or policies.

Obligations on providers to assist authorities

No known legislation or policies.

Obligations on individuals to assist authorities

No known legislation or policies.

Other restrictions

No known legislation or policies.

Sweden

General right to encryption

No known legislation or policies.

Mandatory minimum or maximum encryption strength

No known legislation or policies.

Licensing/registration requirements

No known legislation or policies.

Import/export controls

No known legislation or policies.

Obligations on providers to assist authorities

No known legislation or policies.

Obligations on individuals to assist authorities

No known legislation or policies.

Other restrictions

No known legislation or policies.

Switzerland

General right to encryption

No known legislation or policies.

Mandatory minimum or maximum encryption strength

No known legislation or policies.

Licensing/registration requirements

No known legislation or policies.

Import/export controls

No known legislation or policies.

Obligations on providers to assist authorities

No known legislation or policies.

Obligations on individuals to assist authorities

No known legislation or policies.

Other restrictions

No known legislation or policies.

Syria

General right to encryption

No known legislation or policies.

Mandatory minimum or maximum encryption strength

No known legislation or policies.

Licensing/registration requirements

No known legislation or policies.

Import/export controls

No known legislation or policies.

Obligations on providers to assist authorities

No known legislation or policies.

Obligations on individuals to assist authorities

No known legislation or policies.

Other restrictions

No known legislation or policies.

Taiwan

General right to encryption

No known legislation or policies.

Mandatory minimum or maximum encryption strength

No known legislation or policies.

Licensing/registration requirements

No known legislation or policies.

Import/export controls

No known legislation or policies.

Obligations on providers to assist authorities

No known legislation or policies.

Obligations on individuals to assist authorities

No known legislation or policies.

Other restrictions

No known legislation or policies.

Tajikistan

General right to encryption

No known legislation or policies.

Mandatory minimum or maximum encryption strength

No known legislation or policies.

Licensing/registration requirements

No known legislation or policies.

Import/export controls

No known legislation or policies.

Obligations on providers to assist authorities

No known legislation or policies.

Obligations on individuals to assist authorities

No known legislation or policies.

Other restrictions

No known legislation or policies.

Tanzania

General right to encryption

No known legislation or policies.

Mandatory minimum or maximum encryption strength

No known legislation or policies.

Licensing/registration requirements

No known legislation or policies.

Import/export controls

No known legislation or policies.

Obligations on providers to assist authorities

No known legislation or policies.

Obligations on individuals to assist authorities

No known legislation or policies.

Other restrictions

No known legislation or policies.

Thailand

General right to encryption

No known legislation or policies.

Mandatory minimum or maximum encryption strength

No known legislation or policies.

Licensing/registration requirements

No known legislation or policies.

Import/export controls

No known legislation or policies.

Obligations on providers to assist authorities

Computer Crime Act: Section 18 allows a police officer, if they have received a warrant under section 19, to decode any person’s computer data or instruct any person related to the encryption of computer data to decode the computer data or cooperate with a relevant competent official in such decoding. Failure to comply with such an order is punishable with a fine of up to THB 200,000 and a further daily fine of up to THB 5,000 until they have so complied. In 2017, the Computer Crime Act was amended by the Computer Crime (No. 2) Act but sections 18 and 19 were not materially amended as they relate to encryption.

Obligations on individuals to assist authorities

Computer Crime Act: Section 18 allows a police officer, if they have received a warrant under section 19, to decode any person’s computer data or instruct any person related to the encryption of computer data to decode the computer data or cooperate with a relevant competent official in such decoding. Failure to comply with such an order is punishable with a fine of up to THB 200,000 and a further daily fine of up to THB 5,000 until they have so complied. In 2017, the Computer Crime Act was amended by the Computer Crime (No. 2) Act but sections 18 and 19 were not materially amended as they relate to encryption.

Other restrictions

No known legislation or policies.

The Netherlands

General right to encryption

No known legislation or policies.

Mandatory minimum or maximum encryption strength

No known legislation or policies.

Licensing/registration requirements

No known legislation or policies.

Import/export controls

No known legislation or policies.

Obligations on providers to assist authorities

Criminal Procedure Code: Article 126nh allows an investigating judge to order someone (although not a suspect) to decrypt any encrypted data.

Obligations on individuals to assist authorities

Criminal Procedure Code: Article 126nh allows an investigating judge to order someone (although not a suspect) to decrypt any encrypted data.

Other restrictions

No known legislation or policies.

Timor-Leste

General right to encryption

No known legislation or policies.

Mandatory minimum or maximum encryption strength

No known legislation or policies.

Licensing/registration requirements

No known legislation or policies.

Import/export controls

No known legislation or policies.

Obligations on providers to assist authorities

No known legislation or policies.

Obligations on individuals to assist authorities

No known legislation or policies.

Other restrictions

No known legislation or policies.

Togo

General right to encryption

No known legislation or policies.

Mandatory minimum or maximum encryption strength

No known legislation or policies.

Licensing/registration requirements

No known legislation or policies.

Import/export controls

No known legislation or policies.

Obligations on providers to assist authorities

No known legislation or policies.

Obligations on individuals to assist authorities

No known legislation or policies.

Other restrictions

No known legislation or policies.

Tonga

General right to encryption

No known legislation or policies.

Mandatory minimum or maximum encryption strength

No known legislation or policies.

Licensing/registration requirements

No known legislation or policies.

Import/export controls

No known legislation or policies.

Obligations on providers to assist authorities

Computer Crimes Act, 2003: Section 10(1) provides that a person who is in possession or control of a computer, computer system, computer data or data storage medium that is the subject of a search under section 9 shall permit, and assist if required, the person making the search to (…) (d) obtain an intelligible output from a computer system in a format that can be read. Failure to do so is punishable by up to two years’ imprisonment and/or a fine of up to 10,000 TOP.

Obligations on individuals to assist authorities

Computer Crimes Act, 2003: Section 10(1) provides that a person who is in possession or control of a computer, computer system, computer data or data storage medium that is the subject of a search under section 9 shall permit, and assist if required, the person making the search to (…) (d) obtain an intelligible output from a computer system in a format that can be read. Failure to do so is punishable by up to two years’ imprisonment and/or a fine of up to 10,000 TOP.

Other restrictions

No known legislation or policies.

Trinidad and Tobago

General right to encryption

No known legislation or policies.

Mandatory minimum or maximum encryption strength

No known legislation or policies.

Licensing/registration requirements

No known legislation or policies.

Import/export controls

No known legislation or policies.

Obligations on providers to assist authorities

Interception of Communications Act: Section 15 allows for application to be made to a judge for a “disclosure order”. Where a disclosure order is made, the subject must either disclose the key or the information which is encrypted in an intelligible format. Failure to comply with a disclosure order commits is an offence punishable by up to one year’s imprisonment and a fine of up to TTD 5,000 (s. 16(7)).

Computer Misuse Act: Section 16 applies in relation to offences committee under the Computer Misuse Act or about to be so committed. Section 16(2) allows a magistrate to issue a search warrant to a police officer. Section 16(5)(a)(iii) provides that a police officer executing a search warrant shall have access to “any information, code or technology which has the capability of retransforming or unscrambling encrypted program or data held in or available to such computer into readable and comprehensible format or text for the purpose of investigating any offence under this Act or any other offence which has been disclosed in the course of the lawful exercise of the powers under this section.” Section 16(5)(c) provides that the police officer is also “entitled to require any person in possession of decryption information to grant him or the authorised person access to such decryption information necessary to decrypt data required for the purpose of investigating an offence.” Failure to comply with such a request is an offence punishable with up to two years’ imprisonment and a fine of TTD 15,000 (s. 16(6)).

Obligations on individuals to assist authorities

Interception of Communications Act: Section 15 allows for application to be made to a judge for a “disclosure order”. Where a disclosure order is made, the subject must either disclose the key or the information which is encrypted in an intelligible format. Failure to comply with a disclosure order commits is an offence punishable by up to one year’s imprisonment and a fine of up to TTD 5,000 (s. 16(7)).

Computer Misuse Act: Section 16 applies in relation to offences committee under the Computer Misuse Act or about to be so committed. Section 16(2) allows a magistrate to issue a search warrant to a police officer. Section 16(5)(a)(iii) provides that a police officer executing a search warrant shall have access to “any information, code or technology which has the capability of retransforming or unscrambling encrypted program or data held in or available to such computer into readable and comprehensible format or text for the purpose of investigating any offence under this Act or any other offence which has been disclosed in the course of the lawful exercise of the powers under this section.” Section 16(5)(c) provides that the police officer is also “entitled to require any person in possession of decryption information to grant him or the authorised person access to such decryption information necessary to decrypt data required for the purpose of investigating an offence.” Failure to comply with such a request is an offence punishable with up to two years’ imprisonment and a fine of TTD 15,000 (s. 16(6)).

Other restrictions

No known legislation or policies.

Tunisia

General right to encryption

No known legislation or policies.

Mandatory minimum or maximum encryption strength

No known legislation or policies.

Licensing/registration requirements

Telecommunications Code: Article 9 allows the government to set down by decree permissible conditions and procedures for the use of encryption means or services through the public telecommunications networks and the exercise of the related activities. The use, manufacturer, importation, exportation, holding for sale, distribution for free or sale of cryptological methods or services contrary to any such decree is punishable by between six months’ and five years’ imprisonment and/or a fine of between TND 1,000 and TND 5,000 (Article 87).

Decree No. 97-501 of 14 March 1997: Article 11 prohibits the provision of encryption technologies without prior approval from the relevant minister.

Decree No. 2001-2727 of 20 November 2001: This Decree sets out the permissible conditions and procedures for the use of encryption means or services through the public telecommunications networks.

Import/export controls

Telecommunications Code: Article 9 allows the government to set down by decree permissible conditions and procedures for the use of encryption means or services through the public telecommunications networks and the exercise of the related activities. The use, manufacturer, importation, exportation, holding for sale, distribution for free or sale of cryptological methods or services contrary to any such decree is punishable by between six months’ and five years’ imprisonment and/or a fine of between TND 1,000 and TND 5,000 (Article 87).

Obligations on providers to assist authorities

No known legislation or policies.

Obligations on individuals to assist authorities

No known legislation or policies.

Other restrictions

No known legislation or policies.

Turkey

General right to encryption

No known legislation or policies.

Mandatory minimum or maximum encryption strength

No known legislation or policies.

Licensing/registration requirements

No known legislation or policies.

Import/export controls

No known legislation or policies.

Obligations on providers to assist authorities

No known legislation or policies.

Obligations on individuals to assist authorities

No known legislation or policies.

Other restrictions

No known legislation or policies.

Turkmenistan

General right to encryption

No known legislation or policies.

Mandatory minimum or maximum encryption strength

No known legislation or policies.

Licensing/registration requirements

No known legislation or policies.

Import/export controls

No known legislation or policies.

Obligations on providers to assist authorities

No known legislation or policies.

Obligations on individuals to assist authorities

No known legislation or policies.

Other restrictions

No known legislation or policies.

Tuvalu

General right to encryption

No known legislation or policies.

Mandatory minimum or maximum encryption strength

No known legislation or policies.

Licensing/registration requirements

No known legislation or policies.

Import/export controls

No known legislation or policies.

Obligations on providers to assist authorities

No known legislation or policies.

Obligations on individuals to assist authorities

No known legislation or policies.

Other restrictions

No known legislation or policies.

Uganda

General right to encryption

No known legislation or policies.

Mandatory minimum or maximum encryption strength

No known legislation or policies.

Licensing/registration requirements

No known legislation or policies.

Import/export controls

No known legislation or policies.

Obligations on providers to assist authorities

Regulation of Interception of Communications Act, 2010: Section 10(1) allows an authorised person, where they believe that a key to protected information is in the possession of any person and that a requirement that they get access to that information is necessary for a specified reason, they may impose a “disclosure requirement” in respect of that information. A disclosure requirement requires that person to use the key to get access to the information and provide it in an intelligible form (s. 10(3)). Failure to comply is punishable with up to five years’ imprisonment and/or a fine.

Obligations on individuals to assist authorities

Regulation of Interception of Communications Act, 2010: Section 10(1) allows an authorised person, where they believe that a key to protected information is in the possession of any person and that a requirement that they get access to that information is necessary for a specified reason, they may impose a “disclosure requirement” in respect of that information. A disclosure requirement requires that person to use the key to get access to the information and provide it in an intelligible form (s. 10(3)). Failure to comply is punishable with up to five years’ imprisonment and/or a fine.

Other restrictions

No known legislation or policies.

Ukraine

General right to encryption

No known legislation or policies.

Mandatory minimum or maximum encryption strength

No known legislation or policies.

Licensing/registration requirements

No known legislation or policies.

Import/export controls

No known legislation or policies.

Obligations on providers to assist authorities

No known legislation or policies.

Obligations on individuals to assist authorities

No known legislation or policies.

Other restrictions

No known legislation or policies.

United Arab Emirates

General right to encryption

No known legislation or policies.

Mandatory minimum or maximum encryption strength

No known legislation or policies.

Licensing/registration requirements

No known legislation or policies.

Import/export controls

No known legislation or policies.

Obligations on providers to assist authorities

No known legislation or policies.

Obligations on individuals to assist authorities

No known legislation or policies.

Other restrictions

No known legislation or policies.

United Kingdom

General right to encryption

No known legislation or policies.

Mandatory minimum or maximum encryption strength

No known legislation or policies.

Licensing/registration requirements

No known legislation or policies.

Import/export controls

No known legislation or policies.

Obligations on providers to assist authorities

Regulation of Investigatory Powers Act 2000: Part III regulates the investigation of electronic data protected by encryption. It allows for certain law enforcement agencies, normally with judicial authorisation, to require a person holding encrypted information to produce the data in an intelligible format or to provide the key for its disclosure. Failure to so is a criminal offence (punishable by up to five years’ imprisonment in cases involving national security or child indecency, and by up to two years’ imprisonment in all other cases).

Investigatory Powers Act 2016: Sections 254 to 259 regulate “technical capability notices”. They allow the Secretary of State, where they consider it to be “necessary” and “proportionate”, and with the authorisation of a Judicial Commissioner, to impose a “technical capability notice” on a service provider imposing certain obligations. Such an obligation could include that they to remove encryption that they have applied on communications (but not encryption that those communicating have applied).

Obligations on individuals to assist authorities

Regulation of Investigatory Powers Act 2000: Part III regulates the investigation of electronic data protected by encryption. It allows for certain law enforcement agencies, normally with judicial authorisation, to require a person holding encrypted information to produce the data in an intelligible format or to provide the key for its disclosure. Failure to so is a criminal offence (punishable by up to five years’ imprisonment in cases involving national security or child indecency, and by up to two years’ imprisonment in all other cases).

Other restrictions

No known legislation or policies.

United States of America

General right to encryption

No known legislation or policies.

Mandatory minimum or maximum encryption strength

No known legislation or policies.

Licensing/registration requirements

No known legislation or policies.

Import/export controls

The International Traffic in Arms Regulations and the Export Administration Regulations both impose controls on the export of certain forms of encryption.

Obligations on providers to assist authorities

There is no legislative power which can be used to require telecommunication or online service providers to facilitate the decryption of encrypted communications.

However, section 103(a) of the Communications Assistance for Law Enforcement Act of 1994 requires all telecommunications carriers to ensure that their equipment, facilities or services that provide a customer or subscriber with the ability to originate, terminate or direct communications have certain capabilities. These include interception of communications and delivering intercepted communications to the government, where the government obtains a court order or there is some other lawful authorisation. This means that telecommunications carriers cannot use encryption themselves in a way which would prevent them from being able to intercept communications or deliver them to the government. Section 103(b)(3) does, however, provide that telecommunications carriers cannot be required to decrypt, or to ensure the government’s ability to decrypt, any communications which are encrypted by the subscriber or customer unless the encryption was provided by the carrier and they are able to decrypt it.

Obligations on individuals to assist authorities

No known legislation or policies.

Other restrictions

No known legislation or policies.

Uruguay

General right to encryption

No known legislation or policies.

Mandatory minimum or maximum encryption strength

No known legislation or policies.

Licensing/registration requirements

No known legislation or policies.

Import/export controls

No known legislation or policies.

Obligations on providers to assist authorities

No known legislation or policies.

Obligations on individuals to assist authorities

No known legislation or policies.

Other restrictions

No known legislation or policies.

Uzbekistan

General right to encryption

No known legislation or policies.

Mandatory minimum or maximum encryption strength

No known legislation or policies.

Licensing/registration requirements

No known legislation or policies.

Import/export controls

No known legislation or policies.

Obligations on providers to assist authorities

No known legislation or policies.

Obligations on individuals to assist authorities

No known legislation or policies.

Other restrictions

No known legislation or policies.

Vanuatu

General right to encryption

Electronic Transactions Act: Section 24(2) provides that, subject to any regulations made under section 24(1), it is lawful for a person to use any encryption program or other encryption product if it has lawfully come into the possession of that person.

Mandatory minimum or maximum encryption strength

No known legislation or policies.

Licensing/registration requirements

Electronic Transactions Act: Section 24(1) allows the Minister to make regulations in relation to the use, import and export of encryption programmes and products, and to prohibit the export of encryption programmes and products. None, however, appear to have been made.

Import/export controls

Electronic Transactions Act: Section 24(1) allows the Minister to make regulations in relation to the use, import and export of encryption programmes and products, and to prohibit the export of encryption programmes and products. None, however, appear to have been made.

Obligations on providers to assist authorities

No known legislation or policies.

Obligations on individuals to assist authorities

No known legislation or policies.

Other restrictions

No known legislation or policies.

Vatican City

General right to encryption

No known legislation or policies.

Mandatory minimum or maximum encryption strength

No known legislation or policies.

Licensing/registration requirements

No known legislation or policies.

Import/export controls

No known legislation or policies.

Obligations on providers to assist authorities

No known legislation or policies.

Obligations on individuals to assist authorities

No known legislation or policies.

Other restrictions

No known legislation or policies.

Venezuela

General right to encryption

No known legislation or policies.

Mandatory minimum or maximum encryption strength

No known legislation or policies.

Licensing/registration requirements

No known legislation or policies.

Import/export controls

No known legislation or policies.

Obligations on providers to assist authorities

No known legislation or policies.

Obligations on individuals to assist authorities

No known legislation or policies.

Other restrictions

No known legislation or policies.

Vietnam

General right to encryption

No known legislation or policies.

Mandatory minimum or maximum encryption strength

No known legislation or policies.

Licensing/registration requirements

Law on Network Information Security: Article 31 requires businesses trading in encryption products to obtain a licence to do so from the Government Cipher Committee. Articles 31 and 32 set out the requirements and the process for doing so.

Import/export controls

Law on Network Information Security: Article 34 provides that the importation or exportation of cryptographic products requires a licence.

Obligations on providers to assist authorities

No known legislation or policies.

Obligations on individuals to assist authorities

No known legislation or policies.

Other restrictions

No known legislation or policies.

Yemen

General right to encryption

No known legislation or policies.

Mandatory minimum or maximum encryption strength

No known legislation or policies.

Licensing/registration requirements

No known legislation or policies.

Import/export controls

No known legislation or policies.

Obligations on providers to assist authorities

No known legislation or policies.

Obligations on individuals to assist authorities

No known legislation or policies.

Other restrictions

No known legislation or policies.

Zambia

General right to encryption

No known legislation or policies.

Mandatory minimum or maximum encryption strength

No known legislation or policies.

Licensing/registration requirements

Electronic Communications and Transactions Act, 2009: Sections 22 and 23 establish a register of all cryptography providers. Unless they are registered with the Communications Authority, a cryptography provide cannot provide cryptography products.

Import/export controls

No known legislation or policies.

Obligations on providers to assist authorities

No known legislation or policies.

Obligations on individuals to assist authorities

No known legislation or policies.

Other restrictions

Electronic Communications and Transactions Act, 2009: Sections 85 to 92 regulate the use of encryption but place no limitations on its use, save that a person cannot release decrypted data belonging to another person without their consent or if there is a court order so requiring.

Zimbabwe

General right to encryption

No known legislation or policies.

Mandatory minimum or maximum encryption strength

No known legislation or policies.

Licensing/registration requirements

No known legislation or policies.

Import/export controls

No known legislation or policies.

Obligations on providers to assist authorities

Interception of Communications Act: Part III regulates the investigation of electronic data protected by encryption. It allows for certain law enforcement agencies, upon permission from the Minister of Transport and Communications, to require a person holding encrypted information to provide the keys for its disclosure or the data itself in an intelligible format. Failure to provide the key is a criminal offence punishable by up to five years’ imprisonment and/or a fine.

Obligations on individuals to assist authorities

Interception of Communications Act: Part III regulates the investigation of electronic data protected by encryption. It allows for certain law enforcement agencies, upon permission from the Minister of Transport and Communications, to require a person holding encrypted information to provide the keys for its disclosure or the data itself in an intelligible format. Failure to provide the key is a criminal offence punishable by up to five years’ imprisonment and/or a fine.

Other restrictions

No known legislation or policies.