
Data Protection & Privacy Laws Around the World

Data is the new economic driver as it brings more value and innovations. The same data can also open companies up to risks if left undiscovered, unmonitored, and unprotected. To ensure organizations are handling and processing users’ data in a transparent manner, regional privacy regulations have been established globally.

So far, 120 countries around the globe have established privacy and security regulations that protect residents’ data privacy and security. In fact, more local laws have been passed and are soon going into effect, imposing obligations on data controllers and processors to protect consumers’ right to privacy.

The List of Top Data Privacy Laws Around the World:

Experts at Securiti have compiled a list of privacy laws that are in force or going into effect soon. The list includes:


United States

Some U.S. states (California, Colorado and Virginia) have enacted comprehensive consumer data privacy laws. Each is described below.

China

The People’s Republic of China (PRC) has passed three major laws relating to the collection, processing, retention, and transfer of data. Each is described below.

Thailand

The Personal Data Protection Act, B.E. 2562 (2019) ('PDPA') is Thailand's first consolidated data protection law, which was published in the Thai Government Gazette on 27 May 2019. Learn more about Thailand’s PDPA

Switzerland

The Swiss Parliament passed the revised Federal Data Protection Act (FADP), which should come into force in the second half of 2022. Learn more about Swiss Revised FADP

Australia

The Privacy Act 1988 (Privacy Act) is the principal piece of Australian legislation protecting the handling of personal information about individuals. Learn more about Australian Privacy Act 1988

Bahrain

The PDPL is the main data protection regulation in Bahrain that came into force on August 1st 2019, and supersedes any law with contradictory provisions. Learn more about Bahrain’s PDPL

Brazil

Brazil has a very comprehensive data protection law named LGPD that allows people to have more rights over their data and expects businesses to comply with it. Learn more about Brasil’s Lei Geral de Proteção de Dados (LGPD)

Canada

Canada’s primary federal privacy legislation, PIPEDA, applies to organizations that collect, use or disclose personal information in the course of commercial activities. Learn more about Canadian PIPEDA.

Hong Kong

The Personal Data (Privacy) Ordinance (Cap. 486), as amended in 2012 (the “PDPO”), is the primary legislation in Hong Kong enacted to protect the privacy of individuals. Learn more about Hong Kong Personal Data (Privacy) Ordinance (PDPO)

India

In December 2019, India introduced the Personal Data Protection Bill (PDPB) to regulate the processing, collection, and storage of personal data. Learn more about Indian PDPB.

Ireland

The Irish Data Protection Act, 2018 (Irish DPA) implements the General Data Protection Regulation (GDPR) and transposes the European Union Law Enforcement Directive in Ireland. Learn more about Irish DPA and GDPR.

Japan

Japan’s APPI regulation outlines how organizations serving goods and services to users and customers in Japan deal with the data subjects’ personal information. Learn more about Japan’s APPI

New Zealand

New Zealand has a Privacy Act (NZPA) 2020 that is the revised version of its older Privacy Act 1993. Learn more about New Zealand’s NZPA

Philippines

The Data Privacy Act of 2012 (Republic Act No. 10173) ('the Act') was the first comprehensive law covering data privacy in the Philippines. Learn more about Philippines' DPA

Qatar

Qatar is the first member of the Gulf Cooperation Council (GCC) that has established data protection regulations. Learn more about Qatar’s Data Privacy Law

South Korea

South Korea has a data protection law that provides very prescriptive, specific requirements throughout the lifecycle of the handling of personal data. Learn more about South Korea’s PIPA

Saudi Arabia

In Saudi Arabia, there is currently no specific data protection legislation in place. Personal data and privacy are partially protected under other sectoral laws.

Singapore

In Singapore, PDPA is the principal data protection legislation governing the collection, use, and disclosure of individuals' personal data by organisations. Learn More about Singapore’s PDPA

South Africa

South Africa has a data protection law named POPIA. The main purpose of this law is to protect individuals’ personal information. Learn more about South Africa’s POPIA

Turkey

Turkey published the “Law on the Protection of Personal Data No. 6698” (LPPD), covering personal data protection, on April 7, 2016. Learn more about Turkey’s LPPD

United Arab Emirates

The UAE does not have a comprehensive data protection law at the federal level; however, a number of laws in place govern privacy and security in the UAE.

EU Member States (Austria, Belgium, Bulgaria, Croatia, Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Hungary, Italy, Latvia, Lithuania, Luxembourg, Malta, Netherlands, Poland, Portugal, Romania, Slovakia, Slovenia, Spain, Sweden)

The European privacy regime consists of multiple guidelines (GDPR, ePD and EDPB) and decisions on enforcement in the EU. Learn more about GDPR


United States

California Privacy Rights Act (CPRA)

Effective Date: January 1, 2023
Region: NA (North America)

The California Privacy Rights Act (CPRA) was passed in the November 2020 ballot by 56% of California voters. Amending the recently passed California Consumer Privacy Act (CCPA) 2018, the CPRA imposes even more stringent privacy protection obligations on organizations and greatly expands consumers’ rights. The law applies to businesses and entities located in California or anywhere serving products or services to a California resident. The CPRA will take effect on January 1, 2023, and enforcement will begin six months later, on July 1, 2023.


California Consumer Privacy Act (CCPA)

Effective Date: Since January 1, 2020
Region: NA (North America)

The California Consumer Privacy Act (CCPA) governs companies and individuals that collect and process consumers’ personal information. The law mandates that companies ensure the secure management of data and gives consumers the right to access and control how their personal information is collected, used, or shared. The regulation does not require companies to have a physical presence in California and applies to all entities serving California residents.


Virginia’s Consumer Data Protection Act (VCDPA)

Effective Date: January 1, 2023
Region: NA (North America)

Virginia became the second state in the United States, after California, to pass a comprehensive data privacy law, the Virginia Consumer Data Protection Act (VCDPA). The law provides comprehensive data privacy rights to Virginia residents and imposes new obligations and duties on businesses managing consumers’ personal data. The law is structurally very similar to the CPRA even though its content diverges. It is slated to go into effect on January 1, 2023. The regulations apply to persons or entities conducting business in the Commonwealth or offering products or services to Virginia residents.


Colorado’s Privacy Act (CPA)

Effective Date: July 1, 2023
Region: NA (North America)

Soon after Virginia, Colorado became the third state in the United States to pass a comprehensive data privacy law, the Colorado Privacy Act (the “CPA”). The CPA applies to companies that conduct business in Colorado or sell products or services intentionally targeted to residents of Colorado. The Colorado law is very similar to the VCDPA, with a few but significant differences. The law will go into effect on July 1, 2023.


China

China’s Personal Information Protection Law (PIPL)

Effective Date: November 1, 2021
Region: APAC (Asia-Pacific)

On 20 August 2021, China enacted its main data protection regulation, the Personal Information Protection Law (PIPL), which will come into effect on November 1, 2021. PIPL applies to organizations providing services within China and to organizations processing and analyzing the personal information of Chinese citizens from within or outside the country. It imposes several stricter obligations on data controllers and processors and also provides extensive rights to individuals.


China’s Data Security Law (DSL)

Effective Date: Since September 1, 2021
Region: APAC (Asia-Pacific)

The Data Security Law (DSL) of China requires companies operating in the region to classify and categorize data for optimal protection. The law regulates how organizations should process and handle users’ personal information. Mishandling information or otherwise violating the law can constitute a criminal offense and attract fines of up to $1.5 million. Similar to PIPL, DSL applies to companies that conduct business in China or collect and process the PI of Chinese citizens from anywhere in the world.


China’s Cybersecurity Law (CSL)

Effective Date: Since June 1, 2017
Region: APAC (Asia-Pacific)

China’s Cybersecurity Law (the “CSL”) went into effect on June 1, 2017. It applies to the operation, maintenance, and use of information networks to protect the legal interests and rights of organizations as well as individuals in China. It also promotes the secure development of technology and the digitization of the economy in China.


Thailand

Thailand’s Personal Data Protection Act (PDPA)

Effective Date: June 1, 2022
Region: APAC (Asia-Pacific)

Thailand's first consolidated Personal Data Protection Act (PDPA) aims to guarantee the protection of individuals' personal data and imposes obligations on businesses that collect, use, and disclose personal data. PDPA applies to any organization located inside Thailand and to organizations with consumers in Thailand that handle the personal data of Thai residents. PDPA will come into effect on June 1, 2022.


Switzerland

Swiss Revised Federal Act on Data Protection (FADP)

Effective Date: 2022
Region: EMEA (Europe, the Middle East and Africa)

The revised Swiss Federal Act on Data Protection 2020 (FADP) will replace Switzerland’s long-existing Federal Act on Data Protection of 1992. The Revised Law does not govern the processing of personal data relating to legal persons. It expands the list of sensitive personal data by including genetic and biometric data. Organizations will have an enhanced information obligation and an obligation to conduct data protection impact assessments for high-risk data processing activities. The Revised Swiss FADP is expected to come into effect in 2022.


Australia

Australian Privacy Act 1988

Effective Date: Since 1988
Region: APAC (Asia-Pacific)

It has been over 20 years since the Privacy Act 1988 came into force in Australia. It was established to protect the privacy of Australian data subjects, obligating Australian Privacy Principles entities (APP entities), including both private-sector organisations and government agencies, to ensure transparent and open processing of personal information, including but not limited to data subjects’ credit card reports, medical reports, and tax file numbers.


Bahrain

Bahrain’s Personal Data Protection Law (PDPL)

Effective Date: Since August 1, 2019
Region: EMEA (Europe, the Middle East and Africa)

The PDPL, Bahrain’s data protection regulation (Law No. 30), replaces all other laws in the region. The PDPL requires businesses and individuals, operating within or outside Bahrain, that collect the personal information of users in Bahrain to collect and process personal data only for legitimate purposes. The regulations further define the personal information privacy rights of data subjects, and the possible fines and penalties in the event of a breach of any of its provisions.


Brazil

Brasil’s Lei Geral de Proteção de Dados (LGPD)

Effective Date: Since September 18, 2020
Region: LATAM (Latin America)

Lei Geral de Proteção de Dados (LGPD) is a comprehensive data protection law in Brazil that takes its inspiration from the EU’s GDPR. The law applies to the personal data of all data subjects located in Brazil who are served products or services by companies operating inside or outside Brazil. The law establishes ten legal bases for the lawful processing and handling of data and imposes heavy penalties for violations.


Canada

Canadian Personal Information Protection and Electronic Documents Act (PIPEDA)

Effective Date: Since January 1, 2004
Region: NA (North America)

PIPEDA governs data collection, processing, and protection by the Canadian private sector under Bill C-6. The data privacy and protection regulations were enacted to assure the global community of the data protection practices and compliance of the Canadian private sector. The regulations apply to for-profit organizations offering commercial services in Canada.


Hong Kong

Hong Kong Personal Data (Privacy) Ordinance (PDPO)

Effective Date: Since 1995
Region: APAC (Asia-Pacific)

The PDPO regulations passed by the Office of the Privacy Commissioner for Personal Data (PCPD) in Hong Kong govern how organizations and other entities should collect, use, process, or disclose the personal information of data subjects who reside in Hong Kong. The personal data protected under PDPO includes name, medical record, identity card number, etc. The regulations are applicable to local and international companies where the personal data is handled by a data user in Hong Kong.


India

Indian Personal Data Protection Bill (PDPB)

Effective Date: Dec 11, 2019
Region: APAC (Asia-Pacific)

The Personal Data Protection Bill (PDPB) introduced by the Indian regulatory authorities is said to be more comprehensive and stricter than its international counterparts, such as the GDPR. The bill governs the collection, processing, and storage of data of data subjects residing in India. The law applies to companies that offer products or services to people in India, take Indian rupees as payment, or ship products to India. In the event of unlawfully obtained data or re-identification of de-identified data, the entity could face criminal charges or a $2,121,900 fine.


Ireland

Irish Data Protection Act (Irish DPA)

Effective Date: May 24, 2018
Region: EMEA (Europe, the Middle East and Africa)

The Irish DPA implements the GDPR into the national law by incorporating most of the provisions of the GDPR with limited additions and deletions. It contains several provisions restricting data subjects’ rights that they generally have under the GDPR, for example, where restrictions are necessary for the enforcement of civil law claims.


Japan

Japan’s Act on the Protection of Personal Information (APPI)

Effective Date: June 12, 2022
Region: APAC (Asia-Pacific)

Japan’s APPI regulation outlines how organizations serving goods and services to users and customers in Japan deal with data subjects’ personal information. The privacy regulations apply to all Personal Information Controllers (PICs), operating inside or outside Japan, that provide the PI of data subjects to businesses. The act ensures individuals’ right to privacy as well as the legal use of personal data for economic development.


New Zealand

New Zealand’s Privacy Act 2020 (NZPA)

Effective Date: December 1, 2020
Region: APAC (Asia-Pacific)

New Zealand’s Privacy Act 2020 (NZPA) is the revised version of its older Privacy Act 1993. It applies not only to New Zealand entities but also to overseas entities in the course of carrying on business in New Zealand, irrespective of their size, geographical location and whether or not they are registered in New Zealand. NZPA introduces mandatory breach notification requirements, including the obligation to notify even those privacy breaches caused by an outsourced third party, in addition to other data protection obligations.


Philippines

Philippines' Data Privacy Act 2012 (DPA)

Effective Date: Since 2012
Region: APAC (Asia-Pacific)

The Philippines Data Privacy Act of 2012 sets the ground rules for organizations dealing with the personal information of Filipinos. The Act gives data subjects the right to control the handling of their data and to file complaints against the Personal Information Controller (PIC) for illegal access to or processing of their data. The Act also outlines penalties for any violation. It applies to persons or entities serving users in the Philippines and conducting business from within or outside the Philippines, or having links with any third party with a presence in the country.


Qatar

Qatar’s Data Privacy Law

Effective Date: Since 2016
Region: EMEA (Europe, the Middle East and Africa)

Qatar is the first member of the Gulf Cooperation Council (GCC) to have established data protection regulations, which regulate how organizations treat the personal information of data subjects within Qatar. The law was introduced in 2016, and a new set of regulations was later imposed on January 31, 2021, to further strengthen data protection policies.


South Korea

South Korea’s Personal Information Protection Act 2012 (PIPA)

Effective Date: Since 2012
Region: APAC (Asia-Pacific)

South Korea’s privacy protection law, PIPA, governs the collection and processing of personal information of data subjects in its strictest sense. The law requires strict opt-in consent compliance, timely breach notifications, and timely fulfillment of data subject requests. In case of violations, both local and foreign companies operating in South Korea may face heavy fines and penalties. PIPA does not explicitly state its territorial scope, but the law is mostly applicable to entities within South Korea.


Saudi Arabia

Saudi Arabian E-Commerce Law (ECL)

Effective Date: Since October 2019
Region: EMEA (Europe, the Middle East and Africa)

The Kingdom of Saudi Arabia (KSA) established the E-commerce Law in the region to promote transparency and protection of consumers’ personal data privacy rights, mandating organizations involved in E-commerce transactions to ensure appropriate security and privacy measures. The regulations are applicable to entities conducting businesses within or outside Saudi Arabia, offering services to Saudi Arabia residents.


Saudi Arabia’s Personal Data Protection Law (PDPL)

Effective Date: March 23, 2022
Region: EMEA (Europe, the Middle East and Africa)

Saudi Arabia has drafted a data privacy regulation to protect the personal data of individuals in Saudi Arabia. This law was approved by the Council of Ministers in Saudi Arabia and is named the Personal Data Protection Law (the “PDPL”). The PDPL aims to protect the privacy of individuals’ personal data and to regulate the collection, holding, processing, disclosure, or use of personal data by organizations. The law is applicable to entities within or outside Saudi Arabia processing the personal information of Saudi Arabia residents.


Singapore

Singapore’s Personal Data Protection Act (PDPA)

Effective Date: Since November 2012
Region: APAC (Asia-Pacific)

The Personal Data Protection Act (PDPA) 2012 of Singapore supplements the sector-specific legislative frameworks, prohibiting organizations from collecting and processing personal data other than for legitimate purposes. The act also mandates that organizations exercise care when collecting, using, and disclosing personal data. PDPA has extraterritorial reach, and thus applies to companies whether they operate inside or outside Singapore.


South Africa

South Africa’s Protection of Personal Information Act (POPIA)

Effective Date: Since July 1, 2021
Region: EMEA (Europe, the Middle East and Africa)

POPIA was established to empower data subjects to have better control over the free flow of their personal information and to file complaints against privacy violations. It applies to public and private bodies domiciled in South Africa, and to bodies not domiciled in South Africa if they process personal information in South Africa, unless such processing is only used to forward the information through the country. Violators may be fined up to ZAR 10 million or sentenced to up to 10 years in jail.


Turkey

Turkey’s Law on the Protection of Personal Data (LPPD)

Effective Date: Since April 7, 2016
Region: EMEA (Europe, the Middle East and Africa)

In 2016, Turkey established its first personal data protection rights, prohibiting organizations and individuals from processing the PI of users without explicit consent or another legal basis. Similar to the GDPR, data subjects have the right to be informed, to access, rectify and erase their data, to object, to opt out, to data portability, and not to be subject to automated decision-making. Violators may be fined up to TRY 1 million or face six months to four years of imprisonment. The regulations apply to data controllers conducting business inside or outside Turkey that serve data subjects residing in Turkey.


United Arab Emirates

UAE’s TRA’s Consumer Protection Regulations (CPR)

Region: EMEA (Europe, the Middle East and Africa)

The Telecommunications Regulatory Authority (TRA) of the UAE established the Consumer Protection Regulations (CPR), mandating that all licensed companies in the UAE strictly protect the PI of consumers. The regulations require licensed companies to take measures against PI data leakage, unauthorized access, privacy risks, inappropriate use of PI, etc.

UAE’s CBUAE SVF Regulation

Region: EMEA (Europe, the Middle East and Africa)

The Central Bank of the UAE (CBUAE) established the Stored Value Facilities (SVF) Regulations. Apart from fostering digital payment systems in the region, the regulations also mandate that licensed companies protect the personal information of their customers and protect their systems and data with strict security measures against unauthorized access, inappropriate use, misuse, and any tampering.


DIFC’s Data Protection Law 2020

Region: EMEA (Europe, the Middle East and Africa)

The Dubai International Financial Centre (DIFC) Data Protection Law 2020 supersedes the Data Protection Law 2007, requiring organizations in the special economic zone in Dubai to protect individuals’ right to privacy. The law runs in parallel with international privacy regulations such as the GDPR and CCPA. It was established to help regional regulatory authorities recognise the adequacy of DIFC’s data protection practices so that they may allow data transfers to and from the special economic zone.


European Union

EU’s General Data Protection Regulation (GDPR)

Effective Date: Since May 29, 2018
Region: European Union

The European Union’s General Data Protection Regulation (GDPR) is considered to be the most comprehensive data protection legal framework; it aims to protect the personal data of natural persons and grants them several rights. The regulation applies to companies established in the EU. It also applies to organizations not established in the EU that monitor the behavior of individuals in the EU or offer goods or services to data subjects in the EU. Inspired by the GDPR, countries all around the world have formulated their data protection laws on a similar framework.


Compliance with applicable global data privacy laws is obligatory for businesses. Failure to comply can result in heavy losses, such as loss of consumer trust, class-action lawsuits, and hefty fines. Is your organization ready to comply with existing as well as upcoming data privacy laws?
