Data Privacy Laws and Regulations Around the World

By Securiti Research Team
Published May 23, 2024 / Updated September 4, 2024

Data is the new economic driver as it brings more value and innovations. The same data can also expose companies to risks if left undiscovered, unmonitored, and unprotected. To ensure organizations are handling and processing users’ data transparently, regional privacy regulations have been established globally.

So far, 120 countries around the globe have established privacy and security regulations that protect residents’ data privacy and security. In fact, more local laws have been passed and are soon going into effect, imposing obligations on data controllers and processors to protect consumers’ right to privacy.

The List of Top Data Privacy Laws Around the World:

Experts at Securiti have compiled a list of all privacy laws that are in legislation or going into effect soon. The list includes:

United States

California Privacy Rights Act (CPRA)

Effective Date: January 1, 2023
Region: NA (North America)

The California Privacy Rights Act (CPRA) was passed in the November 2020 ballot by 56% of California voters. Amending the recently passed California Consumer Privacy Act (CCPA) 2018, the CPRA imposes even more stringent privacy protection obligations on organizations and greatly increases the rights of consumers. The law applies to businesses and entities located in California, or anywhere else, that serve products or services to a California resident and meet one of the following criteria: they have a gross annual revenue of over $25 million in the preceding calendar year, or buy, receive, or sell the personal information of 100,000 or more California residents, households, or devices, or derive 50% or more of their annual revenue from selling or sharing California residents' personal information. The CPRA has been effective since January 1, 2023, and enforcement will begin six months later, on July 1, 2023.

California Consumer Privacy Act (CCPA)

Effective Date: Since January 1, 2020
Region: NA (North America)

The California Consumer Privacy Act (CCPA) governs companies and individuals that collect and process consumers’ personal information. The law mandates companies to ensure the secure management of data and gives consumers the right to access and control how their personal information is collected, used, or shared. The regulation doesn’t require companies to have a physical presence in California. It applies to all for-profit entities providing their goods and services to California residents which meet threshold criteria.

Virginia’s Consumer Data Protection Act (VCDPA)

Effective Date: January 1, 2023
Region: NA (North America)

Virginia became the second state in the United States, after California, to pass a comprehensive data privacy law, the Virginia Consumer Data Protection Act (VCDPA). The law provides comprehensive data privacy rights to state residents of Virginia and imposes new obligations and duties on businesses managing consumers’ personal data. The law is structurally very similar to the CPRA, even if its content diverges. It went into effect on January 1, 2023. The regulations apply to persons or entities conducting business in the commonwealth or offering products or services to Virginia residents that meet a threshold criterion.

Colorado’s Privacy Act (CPA)

Effective Date: July 1, 2023
Region: NA (North America)

Soon after Virginia, Colorado became the third state in the United States to pass a comprehensive data privacy law, the Colorado Privacy Act (the “CPA”). The CPA applies to companies that conduct business in Colorado or sell products or services intentionally targeted to residents of Colorado and that meet threshold criteria. The Colorado law is very similar to the VCDPA, with very few but significant differences. The law will go into effect on July 1, 2023.

Utah Consumer Privacy Act (UCPA)

Effective Date: December 31, 2023
Region: NA (North America)

Utah Governor Spencer Cox signed the Utah Consumer Privacy Act (UCPA) on March 24, 2022, making Utah the fourth state after California, Virginia, and Colorado to implement comprehensive privacy legislation. The UCPA will come into effect starting December 31, 2023, and applies to data controllers and processors. Compared to its predecessors, the UCPA takes a lighter, more business-friendly approach to consumer privacy.

Wisconsin

Effective Date: None
Region: NA (North America)

On 23 February 2023, the Wisconsin House passed Assembly Bill 957, a bill relating to consumer data protection. This legislation is based on the Virginia Consumer Data Protection Act (VCDPA); it provides consumers with various rights over their data and imposes obligations on businesses to honor these rights. If adopted, the law will go into effect on January 1, 2024. The Wisconsin attorney general will have the exclusive authority to enforce the act, meaning the bill does not provide for a private right of action.

Having passed the Assembly, the bill is currently pending approval before the Senate.

Ohio: HB 376

Effective Date: December 29, 2021
Region: EMEA (Europe, Middle East, Africa)

Ohio's House Bill 376, also known as the Ohio Personal Privacy Act, makes Ohio one of the few US states to have its own data protection regulation in place for its citizens' data privacy. While it establishes strict data standards via obligations and requirements for all organizations collecting users' data, it also gives users a list of "data rights" allowing for better control over how their data is collected, managed, and used. One of the standout aspects of the regulation is that it encourages businesses subject to the law to adopt the National Institute of Standards and Technology (NIST) Privacy Framework as a standard for developing a privacy policy that appropriately informs users about their data processing and collection practices.

China

China’s Personal Information Protection Law (PIPL)

Effective Date: November 1, 2021
Region: APAC (Asia-Pacific)

On 20 August 2021, China enacted its main data protection regulation, the Personal Information Protection Law (PIPL), which came into effect on November 1, 2021. PIPL applies to organizations that are providing services within China, processing and analyzing personal information of Chinese citizens from within or outside the country. It imposes several stricter obligations on data controllers and processors and also provides extensive rights to individuals.

China’s Data Security Law (DSL)

Effective Date: Since September 1, 2021
Region: APAC (Asia-Pacific)

The DSL applies to and regulates data processing activities by organizations and individuals, and security supervision of such activities within the territory of China. The DSL also regulates data processing activities conducted outside of China that harm China’s national security or the public interest, or the legal interests of citizens and organizations in China. It imposes a number of obligations on organizations and individuals, even those that are not based in China, regarding data categorization and classification, data risk controls and risk assessments, cross-border data transfers, and data export controls.

China’s Cybersecurity Law (CSL)

Effective Date: Since June 1, 2017
Region: APAC (Asia-Pacific)

China’s Cybersecurity Law (the “CSL”) applies to the operation, maintenance, and use of information networks to protect the legal interests and rights of organizations as well as individuals in China. It also promotes the secure development of technology and the digitization of the economy in China. The CSL imposes several important cybersecurity obligations on network operators.

Thailand

Thailand’s Personal Data Protection Act (PDPA)

Effective Date: June 1, 2022
Region: APAC (Asia-Pacific)

Thailand's first consolidated Personal Data Protection Law (PDPA) aims to guarantee the protection of individuals' personal data and impose obligations on businesses that deal with the collection, usage, and disclosure of personal data. PDPA applies to any organization located inside Thailand and organizations with consumers in Thailand that deal with the personal data of Thai residents.

Switzerland

Swiss Revised Federal Act on Data Protection (FADP)

Effective Date: 2023
Region: EMEA (Europe, the Middle East, and Africa)

The revised Swiss Federal Act on Data Protection 2020 (FADP) will replace Switzerland’s long-existing Federal Act on Data Protection of 1992. The revised law expands the definition of sensitive personal data by including genetic and biometric data. Organizations will have enhanced information obligations and will be required to conduct data protection impact assessments for high-risk data processing activities. The Revised Swiss FADP will come into effect on September 1, 2023.

Australia

Australian Privacy Act 1988

Effective Date: Since 1988
Region: APAC (Asia-Pacific)

It has been over 20 years since the Privacy Act 1988 was enforced in Australia. The Privacy Act was enacted to protect the privacy of data subjects and regulate how Australian agencies and organizations with an annual turnover of more than $3 million handle their customers’ personal information. The Australia Privacy Act also includes 13 Australian Privacy Principles (APPs), which apply to private sector organizations, as well as most Australian Government agencies.

Bahrain

Bahrain’s Personal Data Protection Law (PDPL)

Effective Date: Since August 1, 2019
Region: EMEA (Europe, the Middle East and Africa)

The PDPL applies to every individual normally living or working in Bahrain (not just citizens of Bahrain), every business with a place of business in Bahrain, and individuals and businesses outside Bahrain who collect the personal data of individuals in Bahrain using means available in Bahrain. The PDPL recognizes the rights of individuals to have more control over their personal data and the needs of organizations to collect, use, or disclose personal data for legitimate purposes.

Brazil

Brazil’s Lei Geral de Proteção de Dados (LGPD)

Effective Date: Since September 18, 2020
Region: LATAM (Latin America)

Lei Geral de Proteção de Dados (LGPD) is a comprehensive data protection law in Brazil that takes its inspiration from the EU’s GDPR. The data protection law applies to all data subjects located in Brazil and who are served different products or services from companies operating inside or outside Brazil and to public authorities in Brazil. The law establishes ten legal bases for the lawful processing and handling of data, as well as accountability requirements, mandatory breach notifications and DSRs - imposing heavy penalties upon violation.

Canada

Canadian Personal Information Protection and Electronic Documents Act (PIPEDA)

Effective Date: Since January 1, 2004
Region: NA (North America)

PIPEDA is a federal law that governs the data collection, processing, and protection by federal works, undertakings or businesses operating within Canada. The data privacy and protection regulations were enacted to assure the global community of the data protection practices and compliance of the Canadian private sector. The regulations apply to for-profit federally regulated organizations offering commercial services in Canada, such as banks, radio and television studios, airports and airlines, inter-provincial trucking, telecommunication companies, railways, etc.

Quebec's Bill 64

Effective Date: September 22, 2022
Region: NA (North America)

Bill 64 is Quebec's legislative Act to provide adequate protection for all its residents' personal information online. The Act is unique in the fact that rather than one date, it will come into effect in 3 stages. On September 22, 2022, the first set of requirements formally came into effect. These first requirements dealt with issues related to the organization's privacy officers, exemption from consent requirements, biometric information registration, and breach reports. The next two stages will come into effect in September 2023 and September 2024, respectively.

Hong Kong

Hong Kong Personal Data (Privacy) Ordinance (PDPO)

Effective Date: Since 1995
Region: APAC (Asia-Pacific)

The PDPO is the primary legislation in Hong Kong which was enacted to protect the privacy of individuals’ personal data, and regulate the collection, holding, processing, disclosure, or use of personal data by the organizations. The PDPO applies to private and public sector organizations that process, use, hold, or collect personal data. It covers any organization that deals with the collection and processing of personal data irrespective of the location of processing, provided that the personal data is controlled by the data user based in Hong Kong.

Ireland

Irish Data Protection Act (DPA)

Effective Date: May 24, 2018
Region: EMEA (Europe, the Middle East and Africa)

The Irish DPA implements the GDPR into the national law by incorporating most of the provisions of the GDPR with limited additions and deletions. It contains several provisions restricting data subjects’ rights that they generally have under the GDPR, for example, where restrictions are necessary for the enforcement of civil law claims.

Japan

Japan’s Act on the Protection of Personal Information (APPI)

Effective Date (Amended APPI): April 01, 2022
Region: APAC (Asia-Pacific)

Japan’s APPI regulates personal related information and applies to any Personal Information Controller (the “PIC”), that is, a person or entity providing personal related information for use in business in Japan. The APPI also applies to foreign PICs that handle personal information of data subjects (“principals”) in Japan for the purpose of supplying goods or services to those persons. The act ensures the individual’s rights to privacy and also the legal use of personal data for economic development.

New Zealand

New Zealand’s Privacy Act

Effective Date: December 1, 2020
Region: APAC (Asia-Pacific)

New Zealand’s Privacy Act (NZPA) 2020 is the revised version of its older Privacy Act 1993. It applies not only to New Zealand entities but also to overseas entities in the course of carrying on business in New Zealand, irrespective of their size, geographical location and whether or not they are registered in New Zealand. The NZPA introduces mandatory breach notification requirements, including the obligation to notify even those privacy breaches that are caused by any outsourced third-party, in addition to other data protection obligations.

Philippines

Philippines' Data Privacy Act 2012 (DPA)

Effective Date: Since 2012
Region: APAC (Asia-Pacific)

The Philippines Data Privacy Act of 2012 sets the ground rules for organizations dealing with the personal information of Filipinos. The DPA is applicable to ‘the processing of all types of personal information and to any natural and juridical person involved in personal information processing’. It covers the processing of personal information in both the public and private sectors. The DPA provides data subjects the right to control the handling of their data and file complaints against the Personal Information Controller (PIC) for illegal access to or processing of their data.

Qatar

Qatar’s Data Protection Law

Effective Date: Since 2016
Region: EMEA (Europe, the Middle East and Africa)

Qatar is the first member of the Gulf Cooperation Council (GCC) that has established data protection regulations that regulate the policies regarding how organizations treat personal information of data subjects within Qatar. The law was introduced in 2016, but a new set of regulations were later issued on January 31, 2021, to further strengthen data protection policies and guidelines.

South Korea

South Korea’s Personal Information Protection Act 2012 (PIPA)

Effective Date: Since 2012
Region: APAC (Asia-Pacific)

South Korea’s privacy protection law, PIPA, governs the collection and processing of personal information of data subjects in its strictest sense. The law requires strict opt-in consent compliance, timely breach notifications, and timely fulfillment of data subject requests. In case of any violations, local and foreign South Korean companies may face heavy fines and penalties. PIPA doesn’t explicitly hint at its territorial scope, but the law is mostly applicable to entities within South Korea.

Saudi Arabia

Saudi Arabia’s Personal Data Protection Law (PDPL)

Effective Date: March 23, 2023
Region: EMEA (Europe, the Middle East and Africa)

Saudi Arabia has enacted a data privacy law to protect the personal data of individuals in Saudi Arabia. This law was approved by the Council of Ministers in Saudi Arabia and is named the Personal Data Protection Law (the “PDPL”). The PDPL aims to protect the privacy of individuals’ personal data, and regulate the collection, holding, processing, disclosure, or use of personal data by organizations. The law is applicable to entities within or outside Saudi Arabia processing the personal information of Saudi Arabia residents.

Saudi Arabian E-Commerce Law (ECL)

Effective Date: Since October 2019
Region: EMEA (Europe, the Middle East and Africa)

On January 31, 2020, the government of Saudi Arabia issued the Executive Regulations to the Saudi E-Commerce Law 2019 (“ECL”), which has been in effect since October 2019. The Executive Regulations, together with the ECL, aim to protect consumers’ personal data by requiring organizations to take appropriate technical and administrative measures. The regulations are applicable to entities conducting business within or outside Saudi Arabia and offering services to Saudi Arabia residents.

Singapore

Singapore’s Personal Data Protection Act (PDPA)

Effective Date: Since November 2012
Region: APAC (Asia-Pacific)

Singapore enacted the Personal Data Protection Act (the "PDPA") in 2012, which came into force in different phases; the provisions concerning data protection were enforced on 2nd July 2014. The PDPA recognizes the rights of individuals to have more control over their personal data and the needs of organizations to collect, use, or disclose personal data for legitimate and reasonable purposes. The PDPA covers personal data stored in electronic and non-electronic forms. Anonymised data (where the data can no longer be used to identify the data subject) does not come under the scope of the PDPA.

South Africa

South Africa’s Protection of Personal Information Act (POPIA)

Effective Date: Since July 1, 2021
Region: EMEA (Europe, the Middle East and Africa)

POPIA is established to empower data subjects to have better control over the free flow of their personal information. It applies to public and private bodies that are domiciled in South Africa and not domiciled in South Africa if they process personal information in South Africa, unless such processing is only used to forward the information through the country. POPIA sets out eight conditions that organizations must comply with while processing personal data. These conditions are accountability, processing limitation, purpose specification, further processing limitation, information quality, openness, data security & breach notification and data subject participation. Violators may be fined up to ZAR10 million or get sentenced to up to 10 years in jail for certain non-compliance actions.

Turkey

Turkey’s Law on the Protection of Personal Data (LPPD)

Effective Date: Since April 7, 2016
Region: EMEA (Europe, the Middle East and Africa)

Turkey was one of the first countries to start the trend of legislating data protection. Turkey published the Law on the Protection of Personal Data No. 6698 (LPPD), covering personal data protection, on April 07, 2016. The LPPD is based on the European Union Data Protection Directive 95/46/EC and has several similarities with the GDPR. It aims to give data subjects control over their personal data and outlines obligations that organizations and individuals dealing with personal data must comply with. The LPPD applies to Turkey's entities and any foreign natural or legal entity collecting or processing Turkish-originated data or Turkish data subjects' personal information regardless of their physical location.

United Arab Emirates

UAE’s TRA’s Consumer Protection Regulations (CPR)

Effective Date: 31 December 2021
Region: EMEA (Europe, the Middle East and Africa)

The Telecommunications Regulatory Authority (TRA) of UAE established Consumer Protection Regulations (CPR) mandating all licensed companies in the UAE to strictly protect the PI of consumers. The laws require licensed companies to take measures against PI data leakage, unauthorized access, privacy risks, inappropriate use of PI, etc.

UAE’s CBUAE SVF Regulation

Effective Date: 15 November 2020
Region: EMEA (Europe, the Middle East and Africa)

The Central Bank of UAE (CBUAE) established Stored Value Facilities (SVF) Regulations. Apart from fostering digital payment systems in the region, the regulations also mandate licensed companies to protect the personal information of their customers and protect their systems and data with strict security measures against unauthorized access, inappropriate use, misuse, and any tampering.

DIFC’s Data Protection Law 2020

Effective Date: July 1, 2020
Region: EMEA (Europe, the Middle East and Africa)

The Dubai International Financial Center (DIFC) Data Protection Law 2020 supersedes the Data Protection Law 2007. The DIFC Data Protection Law lays down obligations for organizations regarding the collection, disclosure and processing of personal data in the DIFC, a special economic zone in Dubai. The DIFC Data Protection Law takes reference from the best practice standards on data protection from international laws, and is consistent with EU regulations (GDPR) and OECD guidelines. It is designed to balance the legitimate needs of businesses and organizations to process personal information while upholding an individual’s right to privacy.

France

France Data Protection Act

Effective Date: Since May 29, 2018
Region: EMEA (Europe, the Middle East and Africa)

As a member of the European Union (EU), France is subject to the General Data Protection Regulation (GDPR). However, like all other EU nations, the country has implemented the GDPR via the Act on Information Technology, Data Files and Civil Liberties (Data Protection Act). The Act recognizes that information technology serves the needs of every citizen and must not violate human identity, human rights, privacy, or civil liberties.

Germany

Germany Federal Data Protection Act (BDSG)

Effective Date: Since May 29, 2018
Region: EMEA (Europe, the Middle East and Africa)

As a member of the European Union (EU), Germany is subject to the General Data Protection Regulation (GDPR). However, like all other EU nations, the country has implemented the GDPR via its domestic law, the German Federal Data Protection Act (BDSG). The BDSG provides the same rights to data subjects as those provided under the GDPR, with several limitations under certain circumstances. It also contains specific provisions for the processing of employees’ personal data.

Italy

Italian Data Protection Law

Effective Date: Since May 29, 2018
Region: EMEA (Europe, the Middle East and Africa)

Italy is a member state of the European Union where the GDPR is fully effective. Italy implemented the GDPR on 19 December 2018 by revising its Personal Data Protection Code as certain sections directly conflicted with the GDPR. In short, the old legislation has been updated to meet the requirements of the GDPR.

Legislative Decree no. 101 of 10 August 2018

Effective Date: September 19, 2018
Region: EMEA (Europe, the Middle East and Africa)

Italy enacted Legislative Decree 101/2018 in September 2018, significantly amending the earlier Legislative Decree 196/2003 (Privacy Code) for the harmonious application of the GDPR in the country. The Legislative Decree 101/2018 amended and incorporated the Italian Privacy Code with respect to matters delegated to the EU member states under the GDPR. The amended Privacy Code provides that the Garante per la protezione dei dati personali (Garante) is the supervisory authority in terms of the GDPR and is responsible for regulating data protection-related matters in the country.

Spain

Spain’s Data Protection Organic Law

Effective Date: Since May 29, 2018
Region: EMEA (Europe, the Middle East and Africa)

Spain was one of the first countries globally to take active legislative measures to protect the rights of its citizens in relation to their personal data. The Spanish Data Protection and Digital Rights Organic Law 3/2018 implements the GDPR in Spain. It provides data subjects the right to data portability for social media data, the right to be delisted from internet searches and social media, the right to digital security, and the right to universal access to the internet in addition to the rights granted under the GDPR. Spanish law also emphasizes transparency and requires data controllers to provide granular and layered information to data subjects in their privacy notices.

Zimbabwe

Zimbabwe Data Protection Act

Effective Date: Since December 3, 2021
Region: EMEA (Europe, the Middle East and Africa)

Zimbabwe formally enacted the Data Protection Act in December 2021. The DPA focuses on data privacy as well as cybersecurity and the prevention of cybercrime. It applies to any organization established within or outside Zimbabwe if the means used to process data were located in Zimbabwe and the processing of data was not done for transit of data purposes.

Rwanda

Rwanda’s Data Protection Law

Effective Date: Since Oct 15, 2021
Region: EMEA (Europe, the Middle East and Africa)

Rwanda’s Data Privacy Law was enacted in October 2021 after a comprehensive consultation process. It applies to data controllers, processors, or third parties that are established or ordinarily residing in Rwanda (not just citizens) and processing personal data while in Rwanda. It also applies to those that are not established or residing in Rwanda but process the personal data of data subjects located in Rwanda. Organizations that are subject to the law are required to register with the National Cyber Security Authority, the regulatory authority established as per the law.

Indonesia

Indonesia’s Data Protection Law

Effective Date: September 20, 2022
Region: APAC (Asia-Pacific)

Indonesia's Protection of Personal Data Law (PDPL) came into effect in September 2022, while providing organizations two years to ensure their data processing activities are fully compliant with the law’s provisions. The PDPL ensures users’ privacy online is adequately protected by giving them data subject rights. Upholding these rights is one of the several data-related obligations placed on organizations that will be subject to this law.

Ghana

Ghana’s Data Protection Law

Effective Date: Since Oct, 2012
Region: EMEA (Europe, the Middle East and Africa)

Ghana Data Protection Act 2012 establishes a comprehensive set of provisions governing the collection, processing, use, and protection of personal data by the data controller or data processor. Ghana’s DPA 2012 applies to organizations that process Ghana’s residents’ personal data across the region and beyond.

Kenya

Kenya’s Data Protection Act

Effective Date: Since Nov, 2019
Region: EMEA (Europe, the Middle East and Africa)

Kenya’s Data Protection Act, 2019 (DPA) is based on the framework of the EU’s General Data Protection Regulation (GDPR), making it the third region in East Africa to have enacted and enforced data protection regulations. The DPA seeks to protect the personal data of individuals by obligating data controllers and data processors and regulating the processing of personal data. The DPA protects the personal data of individuals residing in Kenya.

Uganda

Uganda’s Data Protection Act

Effective Date: Since 1st Mar, 2019
Region: EMEA (Europe, the Middle East and Africa)

Uganda’s Data Protection and Privacy Act 2019 seeks to protect Uganda’s citizens and their personal data by outlining and implementing rules for processing personal data and sensitive personal data by entities within or outside the country. Uganda’s data protection law further bestows rights upon individuals, allowing them to control how their data is collected and processed. The Data Protection and Privacy Act 2019 applies to both public and private entities.

Malaysia

Malaysia Personal Data Protection Act (PDPA)

Effective Date: Since 15 Nov, 2013
Region: APAC (Asia-Pacific)

Malaysia’s Personal Data Protection Act (PDPA) was passed by the Parliament of Malaysia on 2 June 2010. The PDPA sets out a complete cross-sectoral framework to protect the personal data of individuals with respect to commercial transactions. The PDPA applies to any person or data user (organization) who processes or has control over a data subject’s personal data. The PDPA aims to protect any misuse of individuals’ personal data by organizations.

Argentina

Argentina – Personal Data Protection Law (Act 25.326)

Effective Date: 2000
Region: LATAM (Latin America)

Argentina’s Personal Data Protection Law (PDPL) has been in force since 2000 and applies to persons or legal entities carrying out the treatment or processing of personal data. The law, along with Decree No. 1160/10 (for implementation of the law), establishes general data protection and habeas data standards. Penalties under the PDPL range from ARS 1,000 to ARS 5 million and imprisonment of a minimum of 6 months to a maximum of 2 years. A new bill, ‘Bill No. MEN-2018-147-APN-PTE’, more closely aligned to the EU GDPR, has been submitted to the Argentina Senate for approval and is intended to replace the PDPL.

Chile

Chile – Protection of Private Life (Law No. 19.628 of 1999)

Effective Date: 1999
Region: LATAM (Latin America)

Chile’s Law 19,628/1999 ‘Protection of Private Life’, commonly referred to as the Personal Data Protection Law (PDPL), applies to public and private organizations responsible for decisions related to the processing of personal data. There is no data protection authority, which means penalties for non-compliance (which may amount to $3500) must be granted by a court in a private claim. However, since the entry into force of a Pro-Consumer Law, consumers can lodge complaints alleging the violation of the data protection law to the consumer protection agency, SERNAC. SERNAC cannot impose fines, but may initiate and participate in judicial proceedings and collective voluntary proceedings.

Colombia

Colombia – Statutory Law 1581 of 2012

Effective Date: October 17, 2012
Region: LATAM (Latin America)

In Colombia, the general legal framework for managing personal data is Law 1581 of 2012. The law regulates all individuals, private and public companies, and governmental entities which collect the personal data of persons domiciled in Colombia or process any individual’s personal data in Colombia. Its main goal is to preserve people's right to know, update, and correct information on them stored in databases or files.

Ecuador

Ecuador – Ley Orgánica de Protección de Datos Personales (LOPD)

Effective Date: 26 May 2021
Region: LATAM (Latin America)

Ecuador’s Ley Orgánica de Protección de Datos Personales (LOPD) in Spanish or Organic Law on Personal Data Protection in English, applies to organizations or entities that are domiciled in Ecuador and process personal data there, as well as firms or entities that are not domiciled in Ecuador but process personal data of Ecuador residents by selling them goods or services or regulating their behavior. For minor infractions, sanctions range from 0.3% to 0.7% of an organization's yearly revenue from the preceding year, while for serious infractions, sanctions range from 0.3% to 0.7%.

Peru

Peru – Law No. 29733 On the Protection of Personal Data

Effective Date: June 7, 2011
Region: LATAM (Latin America)

Peru’s Personal Data Protection Law, along with its associated regulation, the Supreme Decree N° 003-2013-JUS-Regulation of the PDLP, is the primary data protection legislation in Peru. Another law, Law Nº 27489, enacted in 2001 (and later amended several times), covers entities that deal with sensitive personal data and riskier data processing activities, such as processing related to financial, commercial, tax, employment, or insurance obligations or the background of a natural or legal person that allows evaluating his/her economic solvency.

Uruguay

Uruguay – Ley de Protección de Datos Personales y Acción de Habeas Data (Law No. 18.331)

Effective Date: August 11, 2008
Region: LATAM (Latin America)

Uruguay’s Ley de Protección de Datos Personales y Acción de Habeas Data (in English, Law on Protection of Personal Data and Action of Habeas Data), along with its regulatory Decree No. 414/009, dated August 31, 2009, applies to individuals, government departments, and public or private organizations processing personal data, whether established in Uruguay or not, but supplying goods and services or analyzing the behavior of individuals in Uruguay or using means of processing located in Uruguay. The law is enforced by the Personal Data Regulatory and Control Unit (Unidad Reguladora y de Control de Datos Personales) (the “URCDP”), a decentralized agency that acts as the data protection authority of Uruguay.

Paraguay

Paraguay – Personal Credit Data Protection Law or Credit Data Law

Effective Date: October 28, 2020
Region: LATAM (Latin America)

Paraguay’s current data protection law is Law No. 6534/2020 “For the protection of personal credit data” (“Personal Credit Data Protection Law”) which has replaced the earlier Law No. 1682/2001 “which regulates the use of private information”. Under the new law, it is prohibited to publicize or diffuse sensitive data of people that are explicitly identified or identifiable. The collection, storage and processing of personal information for private use is allowed when it is lawful, exact, complete, true and updated for the specific purpose for which the data was collected.

Egypt

Egypt’s Data Protection Law

Effective Date: 14 October 2020
Region: EMEA (Europe, the Middle East and Africa)

Egypt’s Data Protection Law (DPL) is largely modeled on the GDPR. It applies to both data controllers and processors that process personal data belonging to Egyptian residents, whether or not they are based in Egypt. Under the DPL, all data breaches or cyber-attacks must be reported to the Personal Data Protection Center as well as impacted data subjects within 72 hours. The processing of personal data is allowed only if there exists a legal basis to do so.

Israel

Israel's Protection of Privacy Law

Effective Date: 1981
Region: EMEA (Europe, the Middle East and Africa)

Israel's Protection of Privacy Law of 1981 is one of the oldest privacy laws still in effect today. It has since been supplemented with the Privacy Protection (Data Security) Regulations that contain guidance on obligations relating to data security and international data transfers. It applies to companies that do business in Israel. Key data processing principles are transparency, the lawful basis for processing, purpose limitation, data minimization, proportionality, and data retention.

Andorra

Andorra Personal Data Protection Act

Effective Date: Since May 17, 2022
Region: EMEA (Europe, the Middle East and Africa)

The Andorra personal data protection act came into force on May 17, 2022, by the Andorra Data Protection Authority (ADPA). The law applies to the fully or partially automated and non-automated processing of personal data by individuals or companies located in Andorra. It also applies to individuals or companies outside of Andorra that are using devices for personal data processing located in Andorran territory. The key highlights of the law include provisions regarding the personal data processing of a deceased person, the data subject’s consent, the appointment of a data protection officer, data subject rights, security breach notifications, and cross-border data transfers.

United Kingdom

UK Data Protection Act (DPA)

Effective Date: Since May 25, 2018
Region: EMEA (Europe, the Middle East and Africa)

The UK Data Protection Act (DPA) 2018 is the amended version of the Data Protection Act that was passed in 1998. The DPA 2018 implements the GDPR with several additions and restrictions. The DPA 2018 is divided into three kinds of processing including general data processing, processing by law enforcement agencies, and processing by intelligence services. The DPA 2018 must be read together with the UK GDPR, which is the GDPR as it was on 31st December 2020, and any applicable case law at that point.

Botswana

Botswana Data Protection Act No. 32

Effective Date: Since October 15, 2021
Region: EMEA (Europe, the Middle East and Africa)

The Botswana Government Gazette announced on October 15, 2021, that the Data Protection Act (Act No. 32 of 2018), the first significant data protection regulation of its kind within the country, had come into effect after the issuance of the Data Protection Act (Commencement Date) Order 2021 by the Minister of Presidential Affairs, Governance and Public Administration, Kabo Morwaeng. The law contains all major data provisions necessary to adequately protect Botswana citizens' data rights online.

Zambia

Zambia Data Protection Act No. 3 of 2021

Effective Date: March 31, 2021
Region: EMEA (Europe, the Middle East and Africa)

On March 31, 2021, the Zambian parliament formally passed the Data Protection Act No. 3 of 2021 and the Electronic Communications and Transactions Act No. 4 of 2021. It regulates the use, protection, transmission, storage, and potential sale of all collected data and establishes a central Office of Data Protection Commissioner as the regulatory authority responsible for enforcing the Act. Furthermore, the Commissioner is responsible for registering all data controllers and data processors within the country and resolving any user complaints related to their data rights.

Jamaica

Jamaica Data Protection Act No. 7

Effective Date: November 30, 2020
Region: LATAM (Latin America)

On November 30, 2020, the First Schedule of the Data Protection Act No. 7 of 2020 came into effect following the publication of Supplement No. 160 of Volume CXLIV in the Jamaica Gazette Supplement. The Senate had previously approved the Data Protection Act in June 2020. The Act defines the roles and responsibilities of a data controller and gives data rights to people who have been deceased for less than 30 years. Additionally, it establishes the Office of the Information Commissioner and provides guidelines on how and when data is to be transferred outside Jamaica if necessary.

Belarus

Belarus Law on Personal Data Protection No. 99-Z

Effective Date: November 15, 2021
Region: EMEA (Europe, the Middle East and Africa)

The Law on Personal Data Protection of May 7, 2021, No. 99-Z, entered into effect within Belarus on November 15, 2021. The first act of its kind within Belarus, it is designed to implement the provisions laid down within the Protocol on Information and Communication Technologies and Informational Interaction within the Eurasian Economic Union, Annex 3 to the Treaty on the Eurasian Economic Union of May 29, 2014.

Russian Federation

Russia Federal Law No. 152-FZ

Effective Date: July 27, 2006
Region: EMEA (Europe, the Middle East and Africa)

The primary Russian law on data protection, Federal Law No. 152-FZ, has been in effect since July 2006. However, the State Duma recently announced amendment 266-FZ, which came into effect on September 1, 2022, introducing several provisions intended to ensure the law is well-equipped to deal with current technological and data privacy challenges. Some of the major aspects introduced by the amendments include the redefinition of user consent, time to respond to a data subject rights request, documentation requirements, data localization, and the requirements to inform regulatory bodies about any potential unlawful transfers of data.

Eswatini

Eswatini Data Protection Act

Effective Date: March 4, 2022
Region: EMEA (Europe, the Middle East and Africa)

On March 4, 2022, the Eswatini Communications Commission published the Data Protection Act No. 5 of 2022, simultaneously announcing its immediate enforcement. The Act also provides a period of two years for all organizations to comply with the law, as well as the possibility of a third year if deemed necessary by the Information Communications and Technology Minister.

Oman

Oman's Personal Data Protection Law

Effective Date: February 9, 2023
Region: EMEA (Europe, the Middle East and Africa)

The Royal Decree 6/2022 promulgating the Personal Data Protection Law (PDPL) was passed on February 9, 2022. Enforced by the Ministry of Transport, Communication, and Information Technology (MTCIT), the PDPL will give Omani residents data privacy on par with the rest of the world. The PDPL covers almost all major statutes found in other major data regulations globally.

Sri Lanka

Sri Lanka's Personal Data Protection Act

Effective Date: March 19, 2022
Region: APAC (Asia-Pacific)

Sri Lanka's parliament formally passed the Personal Data Protection Act (PDPA), No. 9 of 2022, on March 19, 2022. The legislation covers all significant bases by empowering Sri Lankans with data subject rights while placing several data-related obligations upon organizations processing users' data inside the country. Strict penalties can also be levied on organizations found to be non-compliant with the PDPA.

Kuwait

Kuwait's Data Privacy Protection Regulation

Effective Date: July 1, 2022
Region: EMEA (Europe, the Middle East, and Africa)

Kuwait's Data Privacy Protection Regulation (DPPR) was formally introduced by the Communication and Information Technology Regulatory Authority (CITRA) to ensure the Gulf country's data privacy infrastructure is adequately structured in line with its New Kuwait 2035 vision. The DPPR contains essential provisions related to organizations' responsibility towards their users and other aspects related to encryption, data centers, and data processing conditions.

Brunei Darussalam

Brunei Darussalam: Draft Personal Data Protection Order

Effective Date: December 1, 2021
Region: APAC (Asia-Pacific)

Brunei’s Authority for Info-Communications Technology Industry of Brunei Darussalam (AITI) requested public consultation and responses on its proposed Personal Data Protection Order in May 2021. A response paper in relation to this consultation was published in December 2021. AITI is creating a new Personal Data Protection law to control the gathering, use, and disclosure of personal data by private entities. The right of individuals to protect their personal data is recognized by the law, as are the responsibilities of private sector entities. Brunei’s proposed data protection law is fairly comprehensive, as it addresses all major requisites of such a regulation with its consent requirements, purpose limitations, organizational obligations, data breach requirements, and data transfer provisions. What sets it apart from most other regulations is that there is no distinction between types of personal data such as sensitive personal data. As a result, organizations must undertake uniform measures to ensure all data in their possession is adequately protected.

India

India: Digital Personal Data Protection Bill 2022

Effective Date: Under discussion
Region: APAC (Asia-Pacific)

India has been in a long and exhaustive process to draft a data privacy regulation on par with other major similar regulations globally, both in terms of scope and the protection it extends to its citizens. While the Information Technology Act of 2000 remains the active legislation dealing with data privacy, the Ministry of Electronics and Information Technology began drafting the Personal Data Protection Bill in 2018 after the country’s Supreme Court declared data privacy a fundamental human right in the landmark Puttaswamy case in 2017. While the Bill was adopted and tabled in December 2021 with major amendments and revisions, it was withdrawn in August 2022. A new draft, titled “Digital Personal Data Protection Bill”, was published for public consultation in November 2022.

Myanmar

Myanmar: Amendments to the Law Protecting the Privacy and Security of Citizens (2017) and the Electronic Transactions Law (2004)

Effective Date: March 8, 2017 and April 30, 2004
Region: APAC (Asia-Pacific)

Myanmar lacks a comprehensive data protection law. Instead, data protection and privacy regulations are scattered across multiple legislations, such as the Financial Institutions Law, Telecommunications Law, Notification 116/97, Law Relating to Private Health Care Services, and the Electronic Transactions Law and its 2021 amendment.

Additionally, the Law Protecting the Privacy and Security of Citizens (2017), better known as simply the “Privacy Law”, seems to be the primary data protection regulation within Myanmar. It saw several amendments added to its provisions in February 2021. These provisions allowed for broad surveillance and investigations by the government in the national interest. Several provisions guaranteeing individual digital privacy were suspended as long as the State Administration Council saw fit.

Similarly, the Electronic Transactions Law (2004) was amended in February 2021, introducing several exceptions for government confiscation of personal data in the interest of the country's cybersecurity. The draft Cyber Security Law that was supposed to have been passed in the country was originally intended to repeal the Electronic Transactions Law entirely.

Mongolia

Mongolia: Personal Data Protection Law

Effective Date: May 1, 2022
Region: APAC (Asia-Pacific)

The State Great Khural of Mongolia, also known as the Parliament of Mongolia, passed the Law on Protection of Personal Information back in December 2021. It came into effect in May 2022. The new law replaces the Law on Personal Secrets which was passed in 1995 and had been the primary regulation dealing with users’ personal information and their right to privacy. The new law brings much-needed protection for users’ biometric, genetic, and other modern forms of data as well as placing several crucial obligations upon organizations to ensure any transfer, sale, collection, sharing, or disposal of data only occurs after the express consent of the user.
Mongolia's PDPL works in conjunction with the Cybersecurity Law (2021), the Public Information Transparency Law (2021), and the Electronic Signature Law (2021) to create a comprehensive data privacy and protection framework.

Pakistan

Pakistan: Personal Data Protection Bill 2021

Effective Date: Under discussion
Region: APAC (Asia-Pacific)

Pakistan has no existing data privacy and protection regulations in place. Hence, the 2021 Bill was the first legislative attempt within the country to extend data rights to all Pakistani citizens. The proposed draft was to provide an extension to the Prevention of Electronic Crimes Act 2016 (Act No. XL of 2016) where a legal framework would be established to deal with any matters related to unauthorized access to users’ data. It was proposed to come into effect two years after its promulgation through a notification in the Official Gazette with at least a three-month notice before it eventually came into effect. However, owing to a change in government, there has been no update on the Bill as of 2022.

Virgin Islands, British

British Virgin Islands: Data Protection Act, 2021

Effective Date: July 9, 2021
Region: LATAM (Latin America)

The Data Protection Act of 2021 came into effect within the British Virgin Islands in July 2021. The first legislation of its kind in the territory, it is meant to ensure the BVI has an appropriate set of data privacy measures in place equivalent to the UK and EU standards, as a multitude of EU and UK firms rely on the territory for seamless financial operations.

Jamaica

Jamaica: Data Protection Act no. 7 of 2020

Effective Date: December 1, 2021
Region: LATAM (Latin America)

Jamaica became the 15th Caribbean nation to have its own data protection law - Data Protection Act, 2020 - after it was signed into law by the Governor-General in July 2020 following approvals by both the Lower House and the Senate. The Act defines the territorial and material scope of the regulation as well as the relevant responsibilities of the organizations collecting Jamaicans’ data. Additionally, it establishes the Office of the Information Commissioner to both monitor and enforce the regulation around the country.

Ukraine

Ukraine: Law on Personal Data Protection

Effective Date: July 1, 2010
Region: EMEA (Europe, Middle East, and Africa)

The Law of 1 June 2010 No. 2297-VI on Personal Data Protection, better known as the Personal Data Protection Law, is the primary data protection law within Ukraine. It contains all the major facets of modern data privacy regulations, such as data subject rights, general requirements that need to be met before organizations can begin data processing, and the obligations for both data processors and controllers. The Ukrainian Parliament Commissioner for Human Rights has been primarily responsible for enforcing the Law on Personal Data Protection since January 2014.

Uzbekistan

Effective Date: October 5, 2022
Region: APAC (Asia-Pacific)

Law on Personal Data

Uzbekistan adopted Law of the Republic of Uzbekistan No. ZRU-547 “On Personal Data” on 2nd July 2019. It designates the Cabinet of Ministers of the Republic of Uzbekistan (the “Cabinet of Ministers”) and the State Personalization Center under the Cabinet of Ministers (the “State Personalization Centre”) as the main regulatory authorities in respect of the protection of personal data. The State Inspection of the Republic of Uzbekistan on Informatization and Telecommunication is also an authority empowered to:

  • implement the state control over the activity of personal database owners and operators by monitoring their activities;
  • issue notifications, instructions, as well as orders that are to be fulfilled by public authorities, individuals and/or legal entities, in order to ensure compliance with the data protection laws;
  • maintain the register of infringers of the data subject rights.

Bill to Improve the Legal Framework for Personal Data

In October 2022, Uzbekistan's Cabinet of Ministers adopted a Decree "On approval of some legal acts in the field of processing personal data". The regulation that will come into effect as a result of the decree obligates all data processors to take organizational and technical measures to protect the collected data as well as install appropriate levels of data protection.

Draft Law on Advertising

In May 2021, the Legislative Chamber of the Oliy Majlis of Uzbekistan submitted a draft proposal for a law on advertising for public consultation. It is meant to replace the Law of the Republic of Uzbekistan of 25 December 1998 No. 723-I on Advertising. The new law takes into account several technological advancements, such as mobile networks, and places several user consent-related obligations upon organizations processing users' data.

Law on Cybersecurity (No. RK-764)

The Law of the Republic of Uzbekistan “On Cybersecurity” No. ЗРУ-764 dated April 15, 2022, also known as the Cybersecurity Law, came into effect within the country in July 2022. Meant to regulate aspects surrounding cybersecurity within the country's public and private organizational frameworks, the law redefines essential elements related to cybersecurity in a modern context. The State Security Service is the authority responsible for overseeing the enforcement and implementation of the law, with the President of the country having the power to set the state's policy as far as critical information infrastructure is concerned.

Monaco

Monaco: Act No. 1.165 on the Protection of Personal Data

Effective Date: December 23, 1993
Region: EMEA (Europe, Middle East, Africa)

The Act No. 1.165 on the Protection of Personal Data is the primary data protection law in Monaco, whereas the Commission for Control of Personal Data (CCIN) is the data protection regulatory authority, also responsible for the enforcement of the Act on the Protection of Personal Data. It is expected that Monaco will enact a new data protection law, replacing the current Act on the Protection of Personal Data, to integrate the international legal standards stemming from Convention 108+ of the Council of Europe and the GDPR into its national legal framework.

El Salvador

Effective Date: None
Region: LATAM (Latin America)

El Salvador's Congress approved the Personal Data Protection Act in April 2021. As part of the process of creation of a Law in El Salvador, all Acts approved by Congress are later referred to the President of the Republic for his review/veto/approval. In this case, the Act was vetoed and sent back to Congress for review but no further action has been taken in order to review the causes for the veto and/or make any amendments for its further approval.

Hence, data protection regulation in El Salvador remains scattered across many other Acts that briefly regulate the confidentiality of a person’s information, but no specific regulation is in place for personal data protection to date.

Panama

Panama: Executive Decree No. 285 of 28 May 2021 that regulates Law No. 81 on Personal Data Protection

Effective Date: March 29, 2021
Region: LATAM (Latin America)

The Personal Data Protection Law in Panama, Law No. 81, came into full effect in March 2021 and is regulated by the Executive Decree No. 285 of 28 May 2021. As a data protection regulation, the Law governs, among others, the data protection principles, the rights of the data subjects, the obligations of the data controllers and data processors, and the enforcement mechanisms. Prior to this regulation, various other laws such as the Banking Law, Insurance Law, Securities Law, Trust Law, and Law regulating the Rights and Obligations of Patients dealt with matters related to users' personal data and information.

Jordan

Jordan: Law on the protection of personal data of 2021

Effective Date: December 29, 2021
Region: EMEA (Europe, Middle East, Africa)

In December 2021, the Jordanian Council of Ministers approved the Draft Personal Data Protection Law (PDPL). The law had been under deliberation since 2013, going through multiple rounds of consultations and amendments before being submitted in the House of Representatives. In January 2022, the Parliamentary Economic and Investment Committee carried out the necessary final constitutional deliberations that would provide Jordanians appropriate data privacy on par with other major similar regulations globally, with aspects such as individual data rights, limits on information processing, and cyberspace storage mandates, among others. Once the parliament approves, the draft PDPL will come into force within 6 months.

Puerto Rico

Puerto Rico: House Bill 655 and Senate Bill 882

Effective Date: Under discussion
Region: NA (North America)

Introduced on 20 April 2021, House Bill 655 aims to establish ‘the Electronic Information Privacy Law’ to protect people’s right to privacy about information stored on an electronic device or transmitted to a remote computer service provider. On the other hand, Senate Bill 882, introduced on 06 May 2022, aims to create ‘the Law for the Protection of Digital Privacy’ to protect the personal information of consumers and guarantee the right to privacy in the digital age; and for other related purposes.

Denmark

Effective Date: May 25, 2018
Region: EMEA (Europe, Middle East, Africa)

Similar to other EU countries, Denmark has enacted a data protection act for the purpose of implementing the GDPR in the country. The Danish Data Protection Act (Act No. 502 of 23 May 2018) was enacted for the protection of natural persons with respect to personal data processing and to regulate the free movement of personal data. The Act replaced the previous Danish Act on Processing of Personal Data (Act no. 429 of 31/05/2000). Under the new Act, the Danish Data Protection Authority (Datatilsynet) oversees all aspects related to the supervision and enforcement of the Data Protection Act and the GDPR within the country as well as representing Denmark in the European Data Protection Board.

Finland

Effective Date: January 1, 2019
Region: EMEA (Europe, Middle East, Africa)

Finland formally enacted the supplementary implementation act of the GDPR, known as Tietosuojalaki, or the Data Protection Act of Finland (1050/2018), in January 2019. It should be noted that while the GDPR and Tietosuojalaki are the primary legislations governing matters related to data privacy and protection within the country, there are some other laws that have been enacted to deal with various other subject matters directly or indirectly related to data privacy, such as the Act on Electronic Communication Services 917/2014, Act on the Protection of Privacy in Working Life 759/2004, and Act on the Processing of Personal Data in Criminal Cases and in connection with Maintaining National Security 1054/2018. The Office of the Data Protection Ombudsman (Tietosuojavaltuutetun toimisto) is the primary body responsible for supervising the enforcement and implementation of the GDPR and the Tietosuojalaki.

Greece

Effective Date: August 28, 2019
Region: EMEA (Europe, Middle East, Africa)

Greek Law 4624/2019 was enacted to implement the GDPR and Directive (EU) 2016/680. The Hellenic Data Protection Agency (Αρχή προστασίας δεδομένων προσωπικού χαρακτήρα) is primarily responsible for overseeing the enforcement and implementation of Law 4624/2019 as well as the ePrivacy Directive within Greece.

Iceland

Effective Date: July 15, 2018
Region: EMEA (Europe, Middle East, Africa)

Act 90/2018 on Data Protection and Processing of Personal Data (The Data Protection Act) was passed by the Icelandic Parliament in July 2018 to ensure the implementation of the GDPR within the country. The Data Protection Act contains certain exemptions and derogations from the GDPR. The Icelandic Data Protection Authority is the primary supervisory body overseeing the implementation of the GDPR and the Data Protection Act within the country while also representing Iceland in the European Data Protection Board.

Mexico

Effective Date: July 6, 2010
Region: NA (North America)

The Federal Law on the Protection of Personal Data held by Private Parties (Ley Federal de Protección de Datos Personales en Posesión de los Particulares) is the primary data protection law within Mexico, which came into effect on July 06, 2010. In addition to several other guidelines and recommendations, the primary law is supplemented by the Regulations to the Federal Law on the Protection of Personal Data held by Private Parties (Reglamento de la Ley Federal de Protección de Datos Personales en Posesión de los Particulares) (the Regulations), which entered into force on December 22, 2011. The National Institute of Transparency for Access to Information and Personal Data Protection (Instituto Nacional de Transparencia, Acceso a la Información y Protección de Datos Personales), or INAI, and the Mexican Ministry of Economy share the enforcement responsibilities related to the implementation of these various data protection laws and regulations within Mexico.

Sweden

Effective Date: May 25, 2018
Region: EMEA (Europe, Middle East, Africa)

The Act with Supplementary Provisions to the GDPR (2018:218) and the Ordinance with Supplementary Provisions to the GDPR (2018:219) incorporate the GDPR within the Swedish legal framework and primarily regulate data protection related matters. Additionally, there are several other sector and processing-purpose-specific laws, such as the Camera Surveillance Act (2018:1200), Credit Information Act (1973:1173), and Patient Data Act (2008:355). The Swedish Authority for Privacy Protection (Integritetsskyddsmyndigheten) is the primary supervisory body overseeing the implementation of the GDPR and other data protection laws within the country as well as representing Sweden in the European Data Protection Board.

Venezuela

Effective Date: None
Region: LATAM (Latin America)

Unlike most other countries, Venezuela does not have a unified data protection regulation. Instead, there are several different isolated regulations and provisions in the existing laws that regulate different aspects related to data privacy and protection within the country.

Albania

Effective Date: April 1, 2008
Region: EMEA (Europe, Middle East, Africa)

Law No. 9887 on Protection of Personal Data in Albania precedes the GDPR. Albania’s independent authority, the Office of the Information and Data Protection Commissioner (IDP), is responsible for enforcing Law No. 9887 within the country and ensuring the protection of personal data. The harmonization of Albania’s legal framework with the GDPR is one of the main objectives of the IDP. For this purpose, a draft law has been introduced which is currently in the legislative process.

Armenia

Effective Date: January 1, 2016
Region: EMEA (Europe, Middle East, Africa)

Law No. HO-49-N of 18 May 2015 on the Protection of Personal Data is the primary data protection regulation within the country. It regulates several aspects related to the data privacy of Armenian citizens as well as the responsibilities of all public and private authorities collecting, processing, storing, sharing, and selling Armenians’ personal data. Curiously, the data protection regulation does not designate a particular body in charge of overseeing the regulation within the country. Instead, Decision N 573-A of the RA Prime Minister as of July 3, 2015, made the Personal Data Protection Agency of the RA Ministry of Justice responsible for supervising all data protection-related aspects within the country.

Azerbaijan

Effective Date: May 11, 2010
Region: EMEA (Europe, Middle East, Africa)

The Law on Personal Information, passed in 2010, is the primary data protection regulation within the country. The law introduced two separate categories for all data: personal and sensitive. Organizations that needed to collect or process personal or sensitive data were required to gain users’ prior consent in case the data in question was not of the open category. The Ministry of Digital Development and Transport is directly responsible for supervising the Law on Personal Information within the country, with powers to not only enforce the law but also define its scope and liaise with other Ministries in matters involving Azerbaijani citizens’ personal data.

Bahamas

Effective Date: April 2, 2007
Region: LATAM (Latin America)

The Data Protection (Privacy of Personal Information) Act of 2007 is the primary data protection regulation in the Bahamas. It gives Bahamas’ citizens the rights of access, rectification, and erasure, and the right to prohibit any form of data processing for direct marketing purposes. The Data Protection Commissioner, operating out of the Office of the Data Protection Commissioner, is the primary supervisory authority in charge of overseeing the implementation of the country’s data protection regulation.

Barbados

Effective Date: March 31, 2021
Region: LATAM (Latin America)

The Data Protection Act, 2019 is the primary data protection regulation within Barbados. Passed in August 2019, it came into effect in March 2021. Protecting the privacy of individuals, the Act regulates the collection, keeping, processing, use, and dissemination of personal data. From July 2021 onward, the Data Protection Commissioner is responsible for general administration and the implementation of the Act across the country.

Belgium

Effective Date: July 30, 2018
Region: EMEA (Europe, Middle East, Africa)

The Act on the protection of natural persons with regard to the processing of personal data (Data Protection Act) of 2018 is the primary data protection law in Belgium. It implements those provisions of the GDPR that require further clarification, additional requirements, or derogations. The Belgian Data Protection Authority was established by the Belgian Federal Chamber of Representatives as a successor to the Belgian Privacy Commission, through the Act of December 3, 2017, to oversee the adaptation and implementation of the GDPR and the Data Protection Act in Belgium. A series of legislative proposals meant to reform the Data Protection Act are expected to be introduced in the Belgian parliament in 2023.

Georgia

Effective Date: December 28, 2011
Region: EMEA (Europe, Middle East, Africa)

The Law of Georgia On Personal Data Protection (N5669-RS, 28/12/2011) is the primary data protection legislation in Georgia. The law aims to protect Georgians’ right to privacy, and ensure that any organization processing their data has the necessary measures in place to guarantee the protection of this right. The State Inspector Service directly supervises the implementation and enforcement of the law within Georgia while also being the first point of contact for Georgians in case any of their data rights are violated.

Malta

Effective Date: May 28, 2018
Region: EMEA (Europe, Middle East, Africa)

Chapter 586 of the Laws of Malta, also known as the Data Protection Act of 2018, is Malta’s primary data protection law. At the time of its implementation, it repealed and replaced the previous Data Protection Act (Chapter 440 of the Laws of Malta). Since it came into effect, there have been procedural amendments made to the law. The Information and Data Protection Commissioner is the primary supervisory authority enforcing the Data Protection Act while also representing Malta in the European Data Protection Board.

Mauritius

Effective Date: January 15, 2018
Region: EMEA (Europe, Middle East, Africa)

In 2018, Mauritius enacted the Data Protection Act of 2017 via Proclamation No. 3 of 2018. It came into effect in January 2018, repealing and replacing the Data Protection Act of 2004. Since Mauritius is a signatory to the interim Economic Partnership Agreement (EPA) with the EU, the DPA of 2017 is an effective way to align its data protection framework with that of the EU. The Data Protection Office, headed by the Data Protection Commissioner, oversees the implementation of the law within the country.

Montenegro

Effective Date: December 23, 2008
Region: EMEA (Europe, Middle East, Africa)

The Law on Protection of Personal Data is the main data protection law within Montenegro. First enacted in 2008, it is one of the few data protection laws within Europe that precede the GDPR. It was last amended in 2017. Since then, a draft has been in the works to officially introduce a data protection law that is consistent with the GDPR. The draft law is expected to be adopted by the Parliament of Montenegro in the first half of 2023. Under the prevalent Law on Protection of Personal Data, the Agency for Protection of Personal Data and Free Access to Information is the regulatory authority.

Serbia

Effective Date: August 21, 2019
Region: EMEA (Europe, Middle East, Africa)

In November 2018, Serbia enacted its Act on Personal Data Protection to align its legal requirements with the GDPR. The Act officially came into force in August 2019. The Act on Personal Data Protection is quite similar to the GDPR. The Commissioner for Information of Public Importance and Protection of Personal Data (Poverenik za informacije od javnog značaja i zaštitu podataka o ličnosti) is primarily responsible for enforcing the Act within the country.

Slovakia

Effective Date: May 25, 2018
Region: EMEA (Europe, Middle East, Africa)

Act No. 18/2018 Coll. on the protection of personal data and on amending and supplementing certain acts, better known as the Slovak Data Protection Act, harmonizes and implements the GDPR within the country. The Data Protection Office of the Slovak Republic is responsible for overseeing the enforcement of the GDPR and the Slovak Data Protection Act within the country, as well as representing the Slovak Republic in the European Data Protection Board.

Tajikistan

Effective Date: August 3, 2018
Region: EMEA (Europe, Middle East, Africa)

There are various data protection regulations in effect in Tajikistan that govern various aspects of data privacy within the country. However, the Personal Data Protection Law, No. 1537, which came into effect in 2018, is the primary legislation that gives Tajik citizens access to data rights while placing obligations and requirements upon organizations when it comes to Tajiks’ personal data online. The Communication Service under the Government of the Republic of Tajikistan is the body primarily responsible for enforcing the law within the country.

European Union

EU’s General Data Protection Regulation (GDPR)

Effective Date: Since May 29, 2018
Region: EMEA (Europe, the Middle East and Africa)

The European Union’s General Data Protection Regulation (GDPR) is considered to be one of the most comprehensive data protection legal frameworks. It aims to protect the personal data of natural persons and grants them several rights. The regulation applies to companies established in the EU. It also applies to organizations not established in the EU that monitor individuals’ behavior in the EU or offer goods or services to data subjects in the EU. Inspired by the GDPR, countries worldwide have formulated their data protection laws based on a similar framework.

Kazakhstan

Kazakhstan Law No. 94-V

Effective Date: May 21, 2013
Region: EMEA (Europe, the Middle East and Africa)

Kazakhstan already had a data protection law, known as the Law of the Republic of Kazakhstan No. 94-V, dated May 21, 2013. However, on April 13, 2021, the Ministry of Digital Development, Innovations and Aerospace published a draft of amendments that would be made to this law to introduce notification requirements, prohibition on the use of personal data without user consent, the users' right to erasure, as well as a slew of other security measures and obligations for data controllers and processors.

To Conclude:

Compliance with global data privacy laws is obligatory for every business. Failure to comply can result in huge losses, such as loss of consumer trust, class-action lawsuits, and hefty fines.

Is your organization ready to comply with the existing as well as upcoming data privacy laws? Watch the demo to see how Securiti is helping organizations with global privacy regulatory compliance.


Key Takeaways:

  1. Global Adoption of Data Privacy Laws: 120 countries have established data privacy and security regulations to protect residents' data privacy and security, highlighting the global recognition of the importance of data privacy.
  2. Top Data Privacy Laws Worldwide: The content lists significant data privacy laws in various countries, including the United States, China, the European Union, and others, indicating the widespread legislative efforts to safeguard personal data.
  3. California Privacy Rights Act (CPRA): In the United States, California has taken a leading role in data privacy with the CPRA and CCPA, setting stringent privacy protection obligations and enhancing consumer rights.
  4. Virginia’s Consumer Data Protection Act (VCDPA) and Colorado Privacy Act (CPA): Following California, other U.S. states like Virginia and Colorado have enacted comprehensive data privacy laws, showing a trend towards state-level data privacy regulations in the U.S.
  5. International Laws: Countries around the world, including China (PIPL), Switzerland (Revised FADP), and countries in the European Union (GDPR), have their data protection regulations, each with unique requirements and scopes.
  6. Rights and Obligations: These laws generally grant individuals several rights over their personal data, such as access, rectification, and deletion rights, and impose obligations on organizations to protect personal data.
  7. Cross-Border Data Transfers: Many of these laws have provisions regulating the transfer of personal data across borders, requiring adequate protections for data transferred to other jurisdictions.
  8. Enforcement and Penalties: Non-compliance with these laws can lead to significant penalties, including financial fines and, in some cases, criminal penalties, emphasizing the importance of compliance.
  9. Emerging and Evolving Laws: The landscape of data privacy laws is continually evolving, with new laws being proposed and existing laws being updated to address new privacy challenges and technological advancements.
  10. Importance of Compliance: Organizations must ensure compliance with applicable data privacy laws to avoid legal penalties, protect consumer trust, and mitigate the risk of data breaches.

Frequently Asked Questions (FAQs)

The assessment of which country has the best data privacy laws can vary based on individual perspectives and criteria. Jurisdictions such as the European Union member states (due to GDPR), California (CPRA), and Canada (due to PIPEDA) are often recognized for having strong data privacy regulations.

Different types of privacy laws include comprehensive data protection regulations (e.g., GDPR), sector-specific laws (e.g., HIPAA for healthcare data in the U.S.), and broader privacy frameworks (e.g., CPRA in California).

GDPR (General Data Protection Regulation) is a regulation of the European Union and applies to EU member states and their residents. However, its impact extends globally because it can apply to non-EU organizations processing EU residents' data.

GDPR covers the European Union member states, which totaled 27.

Non-EU countries do not follow GDPR as a legal requirement. However, some of these countries may implement their own data protection laws that align with GDPR principles.

EU member states are covered by GDPR, and data transfers between these countries are generally considered safe due to the uniform data protection framework.

Data breach statistics can vary over time, and the country with the most data breaches may change. Generally, countries with high levels of technology adoption and extensive digital activities might experience more data breaches.

Countries with strict cyber laws include the United States, the European Union member states (due to GDPR), and Singapore, which has strong cybersecurity and data protection regulations.
