Under Arts. 2 and 26 of the Telecommunication Law, individual licences can be granted only to a limited number of companies. These licences are required for the use of the radio-frequency spectrum, the allocation of numbering in accordance with the National Numbering Plan, and the provision of fixed-line public telephone services, public mobile telecommunications services, satellite telecommunications services and international telecommunications services.

It is reported that a minimum capital requirement exists for the acquisition of a telecommunications licence in the Syrian Arab Republic.

The Syrian Arab Republic has not appended the World Trade Organization (WTO) Telecom Reference Paper to its schedule of commitments. In fact, the country is not a member of the WTO.

It is reported that the Syrian Telecommunications and Post Regulatory Authority (SY-TPRA), the executive authority for the supervision and administration of services in the telecommunications sector, is independent from the government in the decision-making process.

Chapter VII of Syria’s Law No. 12 regarding the Protection of Electronic Personal Data on the Network regulates the cross-border transfer of personal data. Art. 15 prohibits the transfer, processing, or storage of personal data to any foreign or Arab state unless the receiving jurisdiction ensures an adequate level of protection, verified and authorised by the competent authority. However, paragraph (b) of the same article permits such transfers to jurisdictions lacking equivalent safeguards under specific conditions, including the explicit consent of the data subject, the preservation of life, provision of healthcare, fulfilment of contractual obligations, compliance with judicial requirements, protection of public interest, or implementation of bilateral or multilateral agreements to which Syria is a party. Art. 16 further allows controllers or processors to share personal data with counterparts abroad, subject to prior authorisation and the fulfilment of three conditions: compatibility of operational purposes, the existence of a legitimate interest, and assurance that the foreign entity maintains legal and technical protections equivalent to those prescribed in the law’s executive regulations.

The Syrian Arab Republic has not joined any agreement with binding commitments to open transfers of data across borders.

Law No. 12 regarding the Protection of Electronic Personal Data on the Network establishes a comprehensive regime for data protection in the Syrian Arab Republic. It grants rights to data subjects and designates the authority responsible for enforcing personal data protection.

Art. 3.a.1 of the Cybercrime Law mandates that internet service providers (ISPs) retain traffic data pertaining to all subscribers for a duration specified by the competent authorities. In addition, Art. 4 of the same legislation obliges ISPs to preserve copies of both traffic data and hosted digital content.

Art. 61 of the Law on Media stipulates that online media outlets are required to retain a copy of all published content in its various forms, as well as traffic data enabling the verification of the identity of individuals contributing to such content on the network, for a period determined by the Council. These data and materials shall be subject to professional confidentiality; however, they must be disclosed to the judicial authority upon request.

Art. 9 of Law No. 12 on the Protection of Electronic Personal Data on the Network governs the appointment of a data protection officer (DPO), requiring that, where the controller or processor is a legal entity, a suitably qualified employee be designated to oversee personal data protection, while natural persons acting as controllers or processors must themselves be registered in the Authority’s official register of DPOs. Art. 10 outlines the DPO’s core responsibilities, including conducting regular assessments and audits of data protection systems, preventing breaches, documenting findings, issuing recommendations to strengthen safeguards, and ensuring their effective implementation.

The Cybercrime Law prescribes severe financial and criminal sanctions against internet service providers that fail to disclose users’ digital data upon a formal governmental request. Art. 39 stipulates that any proprietor, custodian, or administrator of an information system on which a cybercrime has been committed using their infrastructure must permit the judicial police to conduct searches, seize information and information technology equipment, and obtain copies thereof. Where necessary, the judicial police may confiscate the technological apparatus employed or components thereof. The judicial police force referenced was established within the Ministry of the Interior pursuant to Art. 38 of the Law, as such, there appears to be no court order or warrant required to access personal data held by private companies.

A basic legal framework on intermediary liability for copyright infringement is absent in Syria's law and jurisprudence.

A basic legal framework on intermediary liability beyond copyright infringement is absent in Syria's law and jurisprudence.

It is reported that mobile network operators are required to collect and retain users’ personal data, along with proof of identity, for SIM registration. However, the pertinent legislative provisions could not be located.

Syrian Telecom, formally designated as the Syrian Telecommunications Establishment, functions as a telecommunications entity under the authority of the Syrian government. It is organised as a joint-stock company that is wholly owned by the state.