Under Part IV of the E-Business Act, companies engaging in electronic business must appoint a data protection officer.

Section 21 of the Cybercrime Act authorises the Commissioner of Police, by written notice, to require a service provider to disclose subscriber data where the Commissioner is satisfied that such disclosure is necessary for law enforcement purposes or for the enforcement of a serious foreign offence, and obliges the service provider to comply with the request as soon as practicable after it is received; however, the provision does not clarify whether a warrant or court order is required. The Act defines a service provider as any public or private entity that enables users to communicate by means of a computer system, as well as any entity that processes or stores computer data on behalf of such an entity or its users, including service providers regulated under the Telecommunications, Radiocommunications and Broadcasting Regulation Act No. 30 of 2009. Subscriber data is defined as any data held by a service provider, in electronic or other form, relating to a person who uses or rents its services, by which the type of service used, the relevant technical arrangements, and the period of service may be established, together with the subscriber’s identity and contact details, including postal or geographic address, telephone and other access numbers, billing and payment information, and information concerning the location of equipment required to use the service, insofar as such information is available under the service agreement or arrangement; the definition expressly excludes traffic and content data.

The Electronic Transactions Act establishes a safe harbour regime for intermediaries for copyright infringements. According to Art. 26 of the Act, an intermediary is not subject to any civil or criminal liability in respect of any information contained in an electronic record in respect of which the intermediary provides services if the intermediary was not the originator of that electronic record and the intermediary: (a) has no actual knowledge that the information gives rise to civil or criminal liability, or (b) is not aware of any facts or circumstances from which the likelihood of civil or criminal liability in respect of the information ought reasonably to have been known; or (c) follows the procedure set out in section 27 if the intermediary: (i) acquires knowledge that the information gives rise to civil or criminal liability; or (ii) becomes aware of facts or circumstances from which the likelihood of civil or criminal liability in respect of the information ought reasonably to have been known.

The Electronic Transactions Act establishes a safe harbour regime for intermediaries beyond copyright infringements. According to Art. 26 of the Act, an intermediary is not subject to any civil or criminal liability in respect of any information contained in an electronic record in respect of which the intermediary provides services if the intermediary was not the originator of that electronic record and the intermediary: (a) has no actual knowledge that the information gives rise to civil or criminal liability, or (b) is not aware of any facts or circumstances from which the likelihood of civil or criminal liability in respect of the information ought reasonably to have been known; or (c) follows the procedure set out in section 27 if the intermediary: (i) acquires knowledge that the information gives rise to civil or criminal liability; or (ii) becomes aware of facts or circumstances from which the likelihood of civil or criminal liability in respect of the information ought reasonably to have been known.

Clause 10 of the SIM Card Registration Regulation Order No. 105 stipulates that individuals intending to purchase a SIM card are required to present a valid identification card or document to the licensed provider.

Pursuant to Art. 16 of the Vanuatu Foreign Investment Promotion Act No. 25 of 2019, a foreign investor may not carry out a restricted activity unless it has been issued an investment registration certificate authorising that activity. Under Art. 25, the restricted list of investment activities is set out in Part 3 of the Schedule, which includes advertising and marketing services.

According to Section 2 of Decision 01 of 2020, local importers need to obtain a type approval import permit from the Telecommunications, Radiocommunications & Broadcasting Regulator for the approval of importation, use, and sale of a particular model each time a consignment of relevant equipment is imported to Vanuatu.

Pursuant to Section 12 of the Business License (Amendment) Act No. 35 of 2010, a Category D1 licence is required for businesses that import merchandise with the intention of re-exporting it without substantial transformation. For these purposes, “transformation” refers to the creation of a new good that is distinct from the raw materials used to produce it.

Section 15 of the Data Protection and Privacy Act No. 13 of 2024 prohibits the transfer of personal data generated or collected in Vanuatu to another country without prior authorisation from the Minister, unless the destination is listed by Ministerial Order, on the recommendation of the Deputy Commissioner, as providing an appropriate level of data protection. Section 16 allows the Minister to prescribe additional safeguard procedures for transfers to approved countries or organisations when the data is considered urgent and sensitive. Section 17 permits transfers to non-approved destinations only under specific conditions: if the data subject gives explicit, informed, and freely given consent; if the transfer is necessary to serve the specific interests of the data subject; or if it is required for a purpose approved by the Commission.

Vanuatu has not joined any agreement with binding commitments to open transfers of data across borders.

Pursuant to Art. 16 of the Vanuatu Foreign Investment Promotion Act No. 25 of 2019, a foreign investor may undertake any investment activity in Vanuatu unless the activity is classified as a prohibited or reserved activity. However, none of the sectors included is relevant for digital trade.

Art. 45.9 of the Foreign Investment Act No. 25 of 2019 stipulates that foreign investors must establish a joint partnership with a citizen of Vanuatu if their business activities are expanded more than three times through variations.

According to Art. 83(5) of the Companies Act, as amended in December 2018, requires companies to ensure that at least one director must be a natural person who ordinarily resides in Vanuatu.

According to Art. 35.2 of the Foreign Investment Act No. 25 of 2019, foreign investors must not carry out an investment without a valid certificate. Moreover, Art. 46.1 establishes that foreign investors are subject, among other conditions, to employing locals and capacity building.

Vanuatu is not a party to the Patent Cooperation Treaty (PCT).