Online safety & content laws in Sao Tome and Principe (2026)

Law 15/2017 of 6 October 2017 criminalises illegal access, interception, system/data interference, computer forgery, and cyber fraud. It grants authorities procedural powers including data preservation, disclosure of traffic data, and communication interception, and establishes a permanent contact point for international cooperation.

Law 03/2016 closely mirrors the EU Data Protection Directive 95/46/EC, requiring entities to notify the ANPDP before processing personal data and obtain prior authorisation for cross-border transfers. Penalties for non-compliance range from approximately USD 1,250 to USD 50,000.

There is no legislation equivalent to the EU Digital Services Act or the UK Online Safety Act. Platform liability, content moderation obligations, age verification requirements, and algorithmic transparency duties are not addressed by any standalone law as of May 2026.

Launched in December 2023, the strategy aims to establish a Cybersecurity Committee and a National CERT (CERT-STP), promote digital literacy, and explicitly calls for updating laws on cybercrime, data protection, and digital identity — signalling that the legal framework is acknowledged as incomplete.

São Tomé and Príncipe is a signatory to the African Union Convention on Cyber Security and Personal Data Protection (Malabo Convention), providing an international normative anchor for cybersecurity and data protection obligations.

Freedom House's Freedom in the World 2024 report notes no restrictions on online media in São Tomé and Príncipe. Internet access is limited by infrastructure and affordability rather than state censorship or blocking.