According to Art. 7 of the Investment Act 2021, the minister responsible for investment may prohibit a foreign direct investment for the protection of national security interests. A foreign investor intending to invest in a sector that may have potential effects on, inter alia (i) critical infrastructure such as energy, transport, communications, data storage or financial infrastructure; (ii) critical technologies such as artificial intelligence, robotics, semiconductors, technology with potential dual use application, cyber security; (iii) the security of supply of critical inputs; or (iv) access to sensitive information or the ability to control sensitive information, must submit a proposal of the investment to the Minister for an approval to invest in that sector.

Pursuant to Section 3 of the Investment (Reserved and Restricted Activities) Regulation 2022, the minimum capital requirement for foreign investment is set at FJD 300,000 (approx. USD 134,000). Certain activities listed as 'restricted' are subject to higher thresholds, but none of these are related to digital trade.

Fiji is not a party to the Patent Cooperation Treaty (PCT).

Fiji has a copyright regime under the Copyright Act 1999. However, the exceptions do not follow the fair use or fair dealing model, therefore limiting the lawful use of copyrighted work by others. Arts. 40-82 list the exceptions, which include use for criticism or review, news reporting, research or private study, educational purposes, and judicial proceedings. It is worth mentioning that the government refers to 'fair dealing' on its website; however, the text of the law does not explicitly mention this term.

Georgia has not adopted national legislation based on or influenced by the United Nations Commission on International Trade Law (UNCITRAL) Model Law on Electronic Signatures.

According to Art. 185 of the Customs Code of Georgia, the importation of goods whose total value does not exceed the threshold of GEL 300 (approx. USD 111), with the exception of alcoholic products, perfumes, toilet water, tobacco and tobacco products, are exempt from import duties. This threshold is lower than the USD 200 threshold recommended by the International Chamber of Commerce (ICC).

The Law on Consumer Rights provides a comprehensive framework for consumer protection that also applies to online transactions. Arts. 4(d), 10, and 12 include provisions for the protection of e-consumers.

Georgia has not signed the United Nations (UN) Convention on the Use of Electronic Communications in International Contracts.

Georgia has not adopted national legislation based on or influenced by the United Nations Commission on International Trade Law (UNCITRAL) Model Law on Electronic Commerce.

Art. 31 of Law No. 3144 requires data controllers to conduct data protection impact assessments (DPIAs) in cases where there is a high probability of a threat to the violation of fundamental human rights and freedoms during data processing, taking into account new technologies, categories, the volume of data, and the purposes and means of data processing. In addition, a DPIA is mandatory if the data controller : (i) makes decisions in a fully automated manner, including on the basis of profiling, which may have legal, financial, or other significant consequences for a data subject; (ii) processes data of a special category of a large number of data subjects; or (iii) carries out systematic and large-scale monitoring of data subjects' behaviour in places of public gathering. In the case of a substantial change in data processing, the controller is obliged to update the DPIA report and keep it for the entire period of data processing and for at least one year after termination of processing.

Pursuant to Art. 33(1) of Law No. 3144, certain entities are required to appoint or designate a personal data protection officer (DPO). These include public institutions, insurance organisations, commercial banks, microfinance organisations, credit bureaus, electronic communications companies, airlines, airports, and medical institutions, as well as controllers or processors that process the data of a significant number of data subjects or conduct systematic and large-scale monitoring of individuals’ behaviour. Other controllers and processors may appoint a DPO on a voluntary basis.

Art. 8 of the Law on Electronic Communications stipulates that the Operational and Technical Agency (OTA) shall have the capability to obtain real-time communications and their identification data transmitted through the infrastructure of an electronic communication company by using stationary or semi-stationary technical means.
For this purpose, the OTA is empowered to: a) place or install a lawful interception management system and/or any hardware and software required for its function, if necessary; b) require the electronic communication company to maintain the technical capacity, via stationary means, to provide the OTA with real-time communication content and its identification data, in accordance with the architecture and interface specified by the stationary technical capacity for obtaining real-time communication. The OTA functions under the authority of the State Security Service, an organisation subject to the direct oversight of the Prime Minister of Georgia.
An electronic communications company is defined as an authorised entity whose activities or services involve the provision of telephone networks, internet networks, or related services. Electronic communication identification data is defined as user identification data, data required for tracing and identifying the source of a communication; data necessary for identifying the recipient of a communication; data required for determining the date, time, and duration of a communication; data necessary for identifying the type of communication; data required for identifying the user's communication equipment or potential equipment; and data necessary for determining the location of mobile communication equipment.

Arts. 11–13 of Chapter V of the Law of Georgia on Electronic Commerce (No. 3110-XIms-Xmp) establish an intermediary liability framework covering the three core categories of intermediation services: mere conduit (transmission), caching, and hosting. Under Art. 11, transmission providers are exempt from liability for transmitted information where they do not initiate the transmission, select the recipient, or select or modify the content, and where any temporary storage is limited to what is technically necessary for transmission. Under Art. 12, caching providers are exempt where they do not modify the information, comply with conditions on access and updating, do not interfere with lawful usage-monitoring technologies, and remove or disable access to cached content expeditiously once they become aware that it has been removed at source or restricted by a court or competent authority. Under Art. 13, hosting providers are exempt where they lack actual knowledge of illegal activity or information, or, upon obtaining such knowledge, act expeditiously to remove or restrict access; this exemption does not apply where the recipient acts on the provider’s behalf or is under its control. Art. 2 clarifies that “actual knowledge” is linked to a court decision or a decision of a competent administrative or law-enforcement body.

Arts. 11–13 of Chapter V of the Law of Georgia on Electronic Commerce (No. 3110-XIms-Xmp) establish an intermediary liability framework covering the three core categories of intermediation services: mere conduit (transmission), caching, and hosting. Under Art. 11, transmission providers are exempt from liability for transmitted information where they do not initiate the transmission, select the recipient, or select or modify the content, and where any temporary storage is limited to what is technically necessary for transmission. Under Art. 12, caching providers are exempt where they do not modify the information, comply with conditions on access and updating, do not interfere with lawful usage-monitoring technologies, and remove or disable access to cached content expeditiously once they become aware that it has been removed at source or restricted by a court or competent authority. Under Art. 13, hosting providers are exempt where they lack actual knowledge of illegal activity or information, or, upon obtaining such knowledge, act expeditiously to remove or restrict access; this exemption does not apply where the recipient acts on the provider’s behalf or is under its control. Art. 2 clarifies that “actual knowledge” is linked to a court decision or a decision of a competent administrative or law-enforcement body.

According to Art. 5.1 of Resolution No. 3 of Georgian National Communications Commission on the Approval of the Regulations in respect to the Provision of Services and Protection of Consumer Rights in the Sphere of Electronic Communications, electronic-communication service providers must record and keep information concerning consumers, including the name and surname of the consumer. It is also reported that mobile network operators must collect and store a user's personal information and proof of identity for SIM card registration.