Equatorial Guinea has not joined any agreement with binding commitments to open transfers of data across borders.

Law No. 1/2016 on the Protection of Personal Data provides a comprehensive regime of data protection in Equatorial Guinea. The Data Protection Authority (the Governing Body for the Protection of Personal Data) established by Law No. 1/2016, however, is not yet operational and, as such, many provisions within the Data Protection Law are of limited effect.
Apart from Law No. 1/2016, the Electronic Communications Law (Law No. 2/2016 of 22 July 2016) regulates the domestic handling of data in the framework of electronic communications and networks, as well as several other laws and sectoral directives containing relevant provisions.

According to Art. 1 of the Law on Data Retention in Electronic Communications and Public Communication Networks, providers and operators of electronic communications services and public communication networks must retain the data generated, produced or processed in their activities of electronic communications services or public communication networks. According to Art. 5, these providers must retain the following data: (i) data necessary to trace and identify the origin of communication for fixed network telephony and mobile telephony, Internet access, e-mail and Internet telephony; (ii) data necessary to identify the destination of communication for fixed network telephony and mobile telephony, e-mail and Internet telephony; (iii) data necessary to determine the date, time and duration of a communication; (iv) data necessary to identify the type of communication; (v) data necessary to identify the communication equipment of the users; and (vi) data necessary to identify the location of the communication equipment. According to Art. 9, the obligation of electronic storage of data ceases after one year, computed from the date on which the communication took place, except in cases of particular interest for the criminal investigation, in which case the duration may be extended up to a maximum period of two years through the corresponding court order.

Art. 19 of Law No. 1/2017 provides that information society service providers, registries and domain name registration agents and the owners of domain names are obliged to provide the public authorities with the data requested or required in the exercise of their powers of inspection, control and sanction, as well as when necessary for the investigation of cybersecurity incidents. The need for a court order is not specified in the law. Information society services are defined as any business, activity or product thereof provided electronically for consideration at the request of the recipient or on an unremunerated basis, provided that it constitutes an economic activity for the service provider.

Art. 42 of Law No. 1/2017 states that service providers and recipients shall have an obligation to provide the government with all the information and collaboration necessary for the exercise of their legal powers, allowing their agents and inspecting or controlling personnel access to their facilities, the consultation of any documentation and the manipulation of their electronic equipment, systems and applications. The need for a court order is not specified in the law. Service providers are defined as the natural or legal persons who provide communication or information services via the Internet or the information society.

Art. 41 of the Ministerial Order No. 3/2020 states that the judicial authority and other bodies authorised by Equatoguinean legislation can authorise interception by telecom licence holders, subject to public service obligations. Obligated subjects must configure their equipment in such a way as to facilitate access by authorised agents to all communications transmitted, generated for transmission or received by the subject of a lawful interception, as well as to the traffic data associated with these communications. Also, Art. 42.6 provides that where obliged entities apply compression, encryption, digitisation or any other type of encoding to communications subject to lawful interception, they shall hand over those communications without the effects of such processes, provided that they are reversible. In addition, Art. 42.7 stipulates that interception must take place in real-time. Art. 42.3 also stipulates that the obligated parties must communicate to the authorised agent, among other data, the identity or identities of the subject of the interception measure and the other parties involved in the electronic communication.
According to 6 and Art. 34 of the Ministerial Order, the companies subject to public service obligations include fixed telephony, broadband, 2G, 3G, 4G and 5G mobile telephony and data services. In addition, carrier services for the provision of voice, data and broadband, as well as broadcasting services and their respective networks, are also considered essential.

Chapter I of Title IV of Law No. 1/2017 establishes a safe harbour regime for intermediaries for copyright infringements. According to Art. 35, all providers of Internet communication services and network operators are subject to the regime of responsibility established by this law. The following articles explain the responsibilities of the different service providers:
- Art. 36: Responsibility of network access providers and telecommunications network operators.
- Art. 37: Responsibility of the service provider for temporary copies of data requested by users.
- Art. 38: Responsibility of the provider of data hosting or storage services.
- Art. 39: Responsibility of providers of linking services or search tools.

Chapter I of Title IV of Law No. 1/2017 establishes a safe harbour regime for intermediaries beyond copyright infringements. According to Art. 35, all providers of Internet communication services and network operators are subject to the regime of responsibility established by this law. The following articles explain the responsibilities of the different service providers:
- Art. 36: Responsibility of network access providers and telecommunications network operators.
- Art. 37: Responsibility of the service provider for temporary copies of data requested by users.
- Art. 38: Responsibility of the provider of data hosting or storage services.
- Art. 39: Responsibility of providers of linking services or search tools.

It is reported that Equatorial Guinea's approach to SIM registration requires mobile network operators to collect and store a user's personal information and proof of identity. The relevant legislation could not be found.

Equatorial Guinea has not appended the World Trade Organization (WTO) Telecom Reference Paper to its schedule of commitments as it is not a member of the WTO.

Equatorial Guinea is not a party to the World Trade Organization (WTO) Agreement on Government Procurement (GPA), nor does it have observer status, as it is not a member of the WTO.

Equatorial Guinea's foreign investment is regulated by Law No. 7/1992 and Decree No. 54/1.994, which allow open investment. Some limitations apply to a selected list of sectors listed in Art. 40 of Decree No. 54/1.994, which are not relevant to digital trade.

In accordance with Art. 5.4 of Law No. 7/1992 on the Investment Regime in the Republic of Equatorial Guinea, the Ministry of Planning issues a certificate approving or rejecting foreign investment projects after conducting background checks on the foreign investors involved in the investment projects. The background checks cover: (i) credit references; (ii) commercial background; and (iii) the moral solvency of the investors.

The only article of Decree No. 45/2020 establishes the amount of XAF 100,000 (approx. USD 165) as the minimum share capital for the incorporation of limited liability companies in Equatorial Guinea. Previously, under Art. 311 of the Uniform Act on Commercial Companies and Economic Interest Groups of the OHADA (organisation for the Harmonization of Business Law in Africa), the minimum capital required to register a limited liability company was one million XAF (approx. USD 1,650).

According to the Bangui Agreement, ratified by 17 States, including Equatorial Guinea, applicants resident outside the territory of the Member States must file through an agent selected in one of those Member States (Section III, Art. 8). The professional status of agent accredited to the African Intellectual Property Organization (OAPI) is governed by the Regulations on the Profession of Authorised Agent before the OAPI.