According to the Law on Cryptology in Senegal, the private use by a natural person of cryptographic software is limited to software with a key length inferior or equal to 128 Bits. Beyond this limit, the private use of cryptography is subject to a declaration regime.

The supply and importation of a cryptology means that do not exclusively ensure authentication and integrity control functions requires prior declaration to the National Cryptology Commission and the submission of a description of technical characteristics (Art.14).

The ARTP (Telecommunications and Postal Regulation Agency) has the exclusive mandate to examine ICT products. It is reported that foreign companies cannot participate in standards setting.

The ARTP (Telecommunications and Postal Regulation Agency) is the only body authorised to approve and certify radio equipment imported into the country. This procedure is expressly required and the certification is carried out according to the standards defined by the ARTP in accordance with the Decree on frequencies and frequency bands, radioelectric equipment and the operators of such equipment.

According to Art. 14 of Law No. 2008-41 of 20 August 2008 on cryptology, the supply and importation of a cryptology means that do not exclusively ensure authentication and integrity control functions requires prior declaration to the National Cryptology Commission and the submission of a description of technical characteristics.

Senegalese legislation does not impose any blocking or filtering except for illegal content or child pornography. However, it is reported that, as the notion of illegal content is not specified, the Government uses this exception to block certain web content. This was the case, for example, during the events of March 2021 in Dakar when the Government blocked some websites and applications such as Whatsapp, Facebook, Telegram, YouTube and stopped the signal of some television channels (Sen TV, Walf TV) on March 2021.

According to Art. 27 of the Electronic Communications Code, internet service providers are required to "prevent imminent network congestion and mitigate the effects of exceptional or temporary congestion as long as equivalent categories of traffic are treated equally. In addition, the Regulatory Authority (ARTP) may authorise or impose any traffic management measure it deems useful to preserve competition in the electronic communications sector and to ensure the equitable treatment of similar services". Under this provision, Internet service providers may reduce the speed of Internet connections or interrupt access in order to prevent network congestion. It is reported that this provision gives the regulatory authority the power to authorise or impose restrictions on the availability of electronic communication.

According to Decree 2007-937 of 7 August 2007 on the identification of purchasers and users of mobile telephone services offered to the public, operators holding a telecommunication licence open to the public are required to identify the purchasers and users of SIM cards when signing up for mobile telephony services.

Senegal has a safe harbour regime in place for intermediaries for copyright infringements. According to Article 3(2) of the Law on Electronic Transactions, intermediaries may not be held civilly liable for activities or information stored at the request of a recipient of such services if they did not have actual knowledge of their unlawful nature or of facts or circumstances indicating such a nature, or if, as soon as they became aware of such knowledge, they acted promptly to remove such data or to prevent access to them.

The Law on Electronic Transactions establishes a framework that limits the liability of intermediaries. According to Article 3(2) of the law, "intermediaries may not be held civilly liable for activities or information stored at the request of a recipient of such services if they did not have actual knowledge of their unlawful nature or of facts or circumstances indicating such a nature, or if, as soon as they became aware of such knowledge, they acted promptly to remove such data or to prevent access to them".

Art. 4 of Law No. 2008-12 provides that legally entitled public authorities, in the context of a particular task or the exercise of a right of communication, may request the controller to communicate personal data to them. It is not clear whether a court order is required.

In theory, the government has no direct access to the data without a judicial authorisation in compliance with the rights and freedoms guaranteed by the Constitution. However, the Intelligence Services Law provides that in the event of a threat to national interests and in the absence of any other means, the intelligence services may use intrusive technical surveillance and location procedures to collect information useful for neutralising the threat (Art. 10). To this end, the entities holding the data are obliged to provide the necessary assistance to the intelligence services without delay.

Senegal has a comprehensive data protection framework under the Law No. 2008-12 of 25 January 2008 Concerning the Personal Data Protection.

Senegal has not joined any free trade agreement committing to open transfers of cross-border data flows.

Law No. 2008-12 lays down the principle that data may only be transferred to a third country if that country ensures a sufficient level of protection of the privacy, freedoms and fundamental rights of individuals. The adequacy of the level of protection is assessed under Senegalese law (Art. 49 of the Personal Data Act). Conditions also apply to the local exporter who, under Arts. 50 and 51, may transfer data to a third country that does not guarantee a sufficient level of protection, subject to certain safeguards such as the consent of the data subject, the necessity of the transfer, etc.