Processing of special categories of data (including sensitive data) is prohibited unless consent of the data subject is obtained (Chapter V of Law No. 007/PR/2015 on the Protection of Personal Data). According to Art. 52, authorisation of the "Agence Nationale de Sécurité Informatique et de Certification Électronique" (ANSICE) is mandated to process this data. It is not clear how this requirement affects the capacity of companies to transfer data across borders.

Art. 29 of Law No. 007/PR/2015 on the Protection of Personal Data prohibits the transfer of personal data to a country that is not a member of the Economic and Monetary Community of Central Africa (CEMAC) or the Economic Community of Central African States (ECCAS) unless that state ensures a sufficient level of protection of the privacy, freedoms and fundamental rights of individuals. Certain exceptions apply (Arts. 30-33). Before any transfer of personal data abroad, it is required that the data controller informs the regulatory authority, the National Agency for Information Security and Electronic Certification (ANSICE).

Chad has not joined any free trade agreement committing to open transfers of cross-border data flows.

Law Law No. 007/PR/2015 on the Protection of Personal Data provides a comprehensive regime of data protection in Chad. The Law encompasses various aspects, including general notifications related to data processing, the rights of data subjects, security obligations, and contractual requirements for data controllers and processors. Additionally, relevant regulations can be found in Decree No. 075/PR/2019, which implements the provisions of Law No. 007/PR/2015, as well as in Law No. 008/PR/2015 concerning electronic transactions, and Law No. 009/PR/ on cybersecurity and cybercrime.

Art. 61 of Law No. 009 of 2015 on Cybersecurity and Cybercrime mandates operators of information systems to retain connection and traffic data for ten years. According to Art. 4, an information system means any isolated device or set of interconnected or related devices, ensuring by itself or by one or more of its elements, according to a program, an automated data processing. This is despite the sub-regional legislation of CEMAC, to which Chad belongs, providing for a maximum duration of two years, during which the States can allow operators to keep traffic data for security reasons.

Art. 51 of Law No. 009 of 2015 on Cybersecurity and Cybercrime mandates communications service providers to retain data that enables the identification of any person who contributed to content creation in services they provide for ten years. According to Art. 4, a communication service is a service consisting entirely or mainly of the provision of electronic communications, excluding the contents of audiovisual communication services). This is despite the sub-regional legislation of CEMAC, to which Chad belongs, providing for a maximum duration of two years, during which the States can allow operators to keep traffic data for security reasons.

Law No-08-PR-2015 establishes a safe harbour regime for intermediaries for copyright infringements. Art. 92 prescribes for immunity of internet intermediaries provided that the service provider: (a) is not the source of the transmission; (b) does not select the recipient of the transmission; (c) does not select or modify the information that is the subject of the transmission. Under Art. 94, an intermediary service provider is not responsible for the information stored at the request of a recipient of the service provided that:
- the service provider has no actual knowledge of the illicit nature of the activity or information
- the service provider, as soon as it has such knowledge, following voluntary checks or based on serious information communicated by a third party, acts promptly to remove the information or to restore access to it impossible.
In addition, when the intermediary service provider becomes aware of the illicit content, Art. 95 mandates that they should communicate it immediately to the certification authority, which in turn approaches the public prosecutor to take necessary measures to seize the data. As long as the judicial authority has not made any decisions on the matter, the service provider can only take measures to prevent access to the information. A similar degree of safe harbour is provided under Art. 55 of Law No. 09 of 2015 on Cybersecurity and the fight against Cybercrime.

Law No-08-PR-2015 establishes a safe harbour regime for intermediaries beyond copyright infringements. Art. 92 prescribes for immunity of internet intermediaries provided that the service provider: (a) is not the source of the transmission; (b) does not select the recipient of the transmission; (c) does not select or modify the information that is the subject of the transmission. Under Art. 94, an intermediary service provider is not responsible for the information stored at the request of a recipient of the service provided that:
- the service provider has no actual knowledge of the illicit nature of the activity or information
- the service provider, as soon as it has such knowledge, following voluntary checks or based on serious information communicated by a third party, acts promptly to remove the information or to restore access to it impossible.
In addition, when the intermediary service provider becomes aware of the illicit content, Art. 95 mandates that they should communicate it immediately to the certification authority, which in turn approaches the public prosecutor to take necessary measures to seize the data. As long as the judicial authority has not made any decisions on the matter, the service provider can only take measures to prevent access to the information. A similar degree of safe harbour is provided under Art. 55 of Law No. 09 of 2015 on Cybersecurity and the fight against Cybercrime.

Chad does not have comprehensive trade secret legislation. Yet, there are provisions addressing disclosure, acquisition or use of confidential information in the course of industrial or commercial activities by third parties in Art. 6 of Annex VIII of the Bangui Agreement ratified by 17 French-speaking States, including Chad, since 2002.

According to Art. 95 of Law No. 14 of 2014, telephone operators and internet access providers are required to ensure the identification of their subscribers. If they do not comply, they are liable to the criminal and pecuniary sanctions.

It is reported that there is an obligation for passive infrastructure sharing in Chad to deliver telecom services to end users. It is practised in the mobile and fixed sectors based on commercial agreements.

Law No. 006/PR/2008 defines the regulation of foreign investment in Chad. It has been reported that certain sectors are closed or restricted de facto under this legislation. These include fixed telephony services, which are reserved for state enterprises. It is also reported that the only limit on foreign control is on ownership of companies deemed related to national security. Art. 11 stipulates that private investments are permitted in Chad, subject to specific provisions designed to ensure that the State's economic and social policy is respected, particularly regarding the protection of health, safety and public hygiene, social protection and environmental protection.

Chad is not a signatory of the 1996 World Trade Organization (WTO) Information Technology Agreement (ITA) nor the 2015 expansion (ITA II).