Data Protection Regulation Tracker
Proelium Law LLP | The UK’s foremost legal authority on high-risk jurisdictions and specialist risk services
Proelium Law LLP combines its legal and investigative experience to provide clients with an extensive suite of capability in the world of cyber and digital law.
Data protection regulations
In an increasingly technology-focused world, data protection has become a matter of great importance. Whilst some countries are yet to address data privacy, many are now implementing laws that bear similarities with the GDPR.
Today, more than 120 countries are already engaged in some form of international privacy laws for data protection, under which data is managed through rigorous protections and controls. With many countries still in the process of drafting dedicated legislation for data protection, it is clear that data regulation will continue to evolve.
This tracker aims to outline the data privacy legislation in each country, ranking their regulation and enforcement as one of the below:
Heavy • Robust • Moderate • Limited
A
Limited
- There is currently no general data protection law in Afghanistan.
- The Constitution of Afghanistan does provide for the right to confidentiality and privacy of communications.
- Additionally, sectoral laws such as the Telecommunications Services Law (available in Pashto and Dari here) and the Banking Law of Afghanistan contain some limited clauses on data protection.
- The Penal Code of Afghanistan was amended in 2017 to include penalties for cybercrime, although these tend to focus more on AML/CTF issues.
- Afghanistan is developing an AML/CFT regime and completed its first national risk assessment in 2019.
Robust
- The Law on the Protection of Personal Data No. 9887 of 10 March 2008 (as amended) (‘the Law’), which reformed the previous data protection law in force from 1999, was amended in 2012 and 2014.
- The Law incorporates provisions of the General Data Protection Regulation (Regulation (EU) 2016/679) (‘GDPR’).
The implementation of the Law is subject to several sub-legal acts, including but not limited to the following:
- Decision of the Parliament No. 95/2019 of 12 September 2019 on the Appointment of the Commissioner for the Protection of Personal Data (only available in Albanian here); and
- Decision of the Parliament No. 86/2018 of 19 July 2018 on the Approval of the Structure, Staff and Classification of Salaries of the Commissioner for the Right to Information and Protection of Personal Data (only available in Albanian here).
The Republic of Albania has also ratified the following international treaties:
- Convention on the Protection of Individuals regarding the Automatic Processing of Personal Data (‘Convention 108’), as per Law No. 9288 of 7 October 2004 (only available in Albanian here); and
- Amending Protocol to the Convention on the Protection of Individuals with regard to Automatic Processing of Personal Data, as per Law No. 49 of 12 May 2022 (only available in Albanian here).
Moderate
- Algeria enacted Law No. 18-07 of 25 Ramadhan 1439, corresponding to June 10, 2018, relating to the Protection of Individuals in the Processing of Personal Data.
- The law has set out the conditions of the collection, recording, organisation, conservation, adaptation or modification, extraction, consultation, use, communication by transmission, dissemination or any other form of making available, reconciliation or interconnection, as well as locking, encryption, erasure or destruction of any information, whatever its support, concerning an identified or identifiable person, directly or indirectly, in particular by reference to an identification number or to one or more elements specific to their physical, physiological, genetic, biometric, psychic, economic, cultural or social identity.
- As of March 2024, Law No. 18-07 is fully applicable and operators falling in its scope of application must comply with its requirements.
- In addition, an e-commerce law was also enacted in 2018, Law No. 18-05 of 24 Chaâbane 1439 corresponding to May 10, 2018 relating to electronic commerce (only available to download in French here) (‘Law 18-05’). Law 18-05, among other things, sets out further protections for e-consumers, regulates cross-border e-commerce, and details obligations related to advertising through electronic means.
- In broad terms, although these new laws have been introduced, there is little information released publicly on the enforcement of data protection or official guidance on compliance in Algeria and there is an absence of a national data protection authority.
Robust
- Whilst it is located between France and Spain and has close ties with the European Union, Andorra is not a member. The Qualified Act 15/2003, of 18 December, of Personal Data Protection, adopted in 2004 has since been replaced by Law 29/2021, of 28 October, of Personal Data Protection which outlines a number of data protection principles and data subject rights akin to those found within the General Data Protection Regulation (Regulation (EU) 2016/679) (‘GDPR’) (only available in Catalan here).
- However, Andorra has ratified the Convention for the Protection of Individuals with Regard to Automatic Processing of Personal Data (‘Convention 108’) and all related texts.
- Furthermore, Andorra obtained an adequacy decision from the EU, which enables the free flow of data, in 2010.
- The Andorran legal system establishes that every person has the right to the protection of personal data that affects him, whatever his nationality or residence, within the framework of article 14 of the Constitution of the Principality of Andorra, which guarantees the right to privacy, honor and one’s image, interpreted in the light of the European Convention for the Protection of Human Rights and Fundamental Freedoms.
Moderate
- Angola regulates data privacy and has issued multiple laws for this matter.
- In 2011, Angola issued the Data Protection Law (Law no. 22/11, 17 June 2011) and the Electronic Communications and Information Society Services Law (Law no. 23/11, 20 June 2011).
- Angola then issued the Protection of Information Systems and Networks Law (Law no. 7/17, 16 February 2017) in 2017.
- In 2021, Angola published two more statutes: Joint Executive Decree 72/21 of 19 March 2021 approving the fees for the authorisation of credit information private agencies, and the Presidential Decree 60/21 of 10 March 2021 approving all other fees.
- The privacy and data protection principles in the Constitution of the Republic of Angola (‘the Constitution’) include not only the right to privacy in Article 32, but also a writ called habeas data (Article 69 of the Constitution) which grants to the data subject the right to be informed of any data about them included in files, archives, and computerised records, as well as the purposes for which the personal data is processed and to request that such data be updated and corrected.
- Finally, Angola enacted Law 11/20 of 23 April 2020 on the Identification and Location of Cellular Phones and Electronic Surveillance carried out by Police Authorities as well as Law 2/20 of 22 January 2020 on Video Surveillance.
Robust
- Data Protection Act, 2013 (No. 10 of 2013) (the “Act”).
- The Act creates obligations for public and private bodies by establishing certain principles regarding the use of information, which include the principles of notice and choice, disclosure, security, integrity and access, among others.
- It also provides various rights to data subjects, such as the right of access, the right to rectification of personal data and the right to not have their sensitive personal data processed unless certain conditions apply.
- Finally, the Act appoints the Information Commissioner, established under the Freedom of Information Act, 2004 as the authority relevant for carrying out and enforcing the protection of data pursuant to its provisions.
- Other relevant laws in Antigua and Barbuda include the Electronic Transactions Act, 2006, the Banking Act, 2015 and the Money Laundering (Prevention) Act, 1996.
Robust
- The Personal Data Protection Act 25.326 (PDPA) was executed in 2000 to help protect the privacy of personal data, and to give individuals access to any information stored in public and private databases and registries.
- The PDPA includes basic personal data rules. It follows international standards and has been considered as granting adequate protection by the European Commission.
- Article 43(3) of the Federal Constitution recognizes the right to access and correct personal records held in public or private bodies (habeas data).
- These provisions are not held to be an express constitutional right to privacy or data protection but do create the basic framework.
- Resolution 4/2019 (only available in Spanish here) specifies mandatory guidelines for the application of the Act and addresses topics including video surveillance, automated data processing, consent, and biometric data. On 1 December 2022, Resolution 240/202 was passed, which establishes the classification of offences under the Act respectively as minor, serious, and very serious, alongside the graduation of sanctions.
Robust
- Armenia’s first step in the protection of data came in the form of the Law of the Republic of Armenia of 13 June 2015 No. 49-ZR on the Protection of Personal Data.
- Amendments to other regulatory acts were also made in relation to the Personal Data Law, for instance, amendments to the Labour Code of the Republic of Armenia of 2004 to enhance the protection of employees’ personal data and the regulation of its processing by the employer.
- The main regulatory body for Personal Data in Armenia is the Personal Data Protection Agency.
- The transfer of personal data is one of the directions highly regulated by the Personal Data Protection Agency.
- In 2023, an exhaustive list of the countries providing a sufficient level of personal data protection was drafted by the Agency. In the case of data transfers to all other countries, which have not been included in this list, the consent of the Agency must be obtained.
- The regulations are currently being reprocessed; the Government of the Republic of Armenia (‘the Government’) has developed a strategy for 2019-2023 for the adoption of new regulations and amendments to the existing ones.
- Armenia is party to Convention 108 as well as its Additional Protocol.
Heavy
- Australia regulates data privacy and protection through a mix of federal, state and territory laws.
- The Federal Privacy Act 1988 applies to private sector entities (such as corporate bodies, partnerships and trusts) with an annual turnover of at least AU$3 million. It also applies to all Commonwealth Government and Australian Capital Territory Government Agencies. This act regulates the handling of personal information and empowers the Privacy Commissioner to conduct investigations and enforce penalties. The Australian government is expected to implement reforms in 2024 to widen the scope of this law and make the law applicable to all businesses regardless of size.
- Most states and territories in Australia have their own data protection legislation applicable to state government agencies and private businesses that interact with state government agencies. These acts include:
- Many pieces of state, territory and federal legislation relate to data protection and may impact privacy, for example legislation relating to health records or workplace surveillance.
- The Telecommunications and Other Legislation Amendment (Assistance and Access) Act 2018 (Cth) (AA Act) provides law enforcement agencies with access to encrypted data for serious crime investigation and imposes obligations on “Designated Communications Providers”.
- The Commonwealth Government is also in the implementation phases of the Consumer Data Right (CDR).
- The CDR allows a consumer to obtain certain data held about that consumer by a third party and require data to be given to accredited third parties for certain purposes. By requiring businesses to provide public access to information on specified products they have on offer, it is intended that consumers’ ability to compare and switch between products and services will be improved, as well as encouraging competition between service providers, which could lead to better prices for customers and more innovative products and services.
- The Australian Government has announced increased fines under the Privacy Act 1988 (Cth) No. 119 1988 (as amended) (‘the Privacy Act’) to be in line with other recent changes to administrative fines in other areas. The maximum fine for a serious invasion or repeated invasions of privacy (i.e. breaches of the privacy law) will be increased to the greatest of AUD 10 million (approx. €6.3 million), three times any benefit obtained from the breach, and 10% of Australian annual revenue.
Heavy
- Austria is a member of the European Union and so is required to comply with the General Data Protection Regulation (Regulation (EU) 2016/679) (‘GDPR’).
- Austria has implemented GDPR gradually into its domestic legislation. In 2017, the existing Data Protection Act (Datenschutzgesetz 2000) was amended by the Data Protection Amendment Act 2018 (‘DSG’) in order to implement various regulations related to GDPR.
- In addition to the DSG, further amendments to other statutory laws were adopted in order to implement the GDPR (mostly to adapt to the terminology of the GDPR). These amendments were included in the General Data Protection Adjustment Act (Materien-Datenschutz-Anpassungsgesetz 2018) and the research-sector specific Data Protection Adjustment Act – Science and Research (Datenschutz-Anpassungsgesetz 2018 – Wissenschaft und Forschung – WFDSAG 2018).
- Further amendments in other laws have been made by the Second General Data Protection Adjustment Act, which was passed in June 2018 and applies retroactively.
- Finally, ordinances were also passed regulating respectively the cases where a data privacy impact assessment is obligatory (the Obligatory DPIA Ordinance – DSFA-V) and the exemptions from the obligation to conduct a data privacy impact assessment (the DPIA Exemptions Ordinance – DSFA-AV).
- Austria has also ratified the Convention for the Protection of Individuals with Regard to Automatic Processing of Personal Data (‘Convention 108’).
Heavy
- The data protection regime in the Republic of Azerbaijan is primarily regulated by the Law on Personal Data of 11 May 2010 No 998-IIIQ (only available in Azerbaijani here).
- While the Personal Data Law follows several fundamental principles established in the General Data Protection Regulation (Regulation (EU) 2016/679) (‘GDPR’), there are certain key deviations.
- Importantly, the Personal Data Law establishes the requirement to register the information system of personal data in the Republic of Azerbaijan with the Ministry of Transport, Communications and High Technologies.
- In addition, specific requirements with respect to the protection of personal data and registration of the information systems are provided in the secondary legislation comprised of the acts of the Republic of Azerbaijan Cabinet of Ministers.
- Azerbaijan is also a member of the Council of Europe and signatory to several major international treaties which stipulate privacy-related requirements, including the Convention for the Protection of Individuals with Regard to Automatic Processing of Personal Data (‘Convention 108’).
- The main regulator for data protection is the ministry.
B
Moderate
- The Bahamas was one of the first Caribbean countries to enact a Data Protection (Privacy of Personal Information) Act, 2003 (DPA) which applies to the processing of personal data by both the private and public sectors.
- The Commissioner has various powers under the Act, such as the capacity to prohibit the transfer of personal data outside the Bahamas under specific circumstances.
- The Commissioner published several informational brochures, a Guide for Data Controllers, and other material between 2010-2015.
- At present, the Act addresses certain essential data protection elements, including rights to access and erasure, establishing the data protection authority, data transfers, direct marketing, legal bases for processing, and enforcement processes.
Moderate
- Bahrain enacted Law No. 30 of 2018 with respect to Personal Data Protection (“PDPL”) on July 12, 2018.
- The PDPL is the main data protection regulation in Bahrain, and came into force on August 1st 2019.
- The Law serves as the main piece of legislation with respect to data protection issues.
- It is worth noting that the Law recently entered into force; therefore, many procedural and regulatory matters which are to be decided by resolution of the Data Protection Authority are yet to be issued.
- It should be noted that, as per Resolution No. 78 of 2019 (only available in Arabic here), published in the Official Gazette on 3 October 2019, the Ministry of Justice and Islamic Affairs shall exercise the duties of the Authority.
- Between June and July 2021, eight implementing orders detailing specific obligations and responsibilities of data controllers, data processors and rights of data subjects were issued for public consultation.
On 17 March, 2022, the Authority issued a total of 10 enforcement decisions with guidelines supplementing the provisions of the Law.
Limited
- The basic framework of data protection and privacy are laid out by the rights of privacy granted under the Constitution of Bangladesh (‘the Constitution’), along with the Information Communication Technology Act 2006 (only available in Bengali here) (‘the Technology Act’) and the Digital Security Act, 2018 (‘the Digital Security Act’).
- The Technology Act and the Digital Security Act address issues relating to wrongful disclosure, misuse of personal data, and violation of contractual terms in respect of personal data.
Moderate
- The Data Protection Act 2019 (the “Act”) entered into effect on 31 March 2021 by proclamation from the Governor-General.
- The Act is extensive: it has an extraterritorial scope and applies to the processing of personal data of Barbadians by a controller or processor not established in Barbados when it relates to goods or services provided in Barbados.
The Sections of the Act excluded from coming into effect on 31 March 2021 are expected to take effect upon publication of a further proclamation in the Official Gazette at a future date.
Moderate
- Belarus’ data protection regulation is based on the Law of Information, Informatisation and Data Protection of 10 November 2008 and the Law on Population Register of 21 July 2008.
- Legal requirements on technical measures are developed in a number of legal acts. The Edict of the President of the Republic of Belarus of 18 April 2013 No 196 is one of the most significant of these acts. Belarus is expected to adopt the Law on Personal Data Protection in 2021. This will be the first legal act intended especially for the regulation of personal data protection issues.
- The Law of 7 May 2021 No. 99-Z on Personal Data Protection (‘the PDP Law’) sets out general principles of processing of personal data, provides for basic terminology in that field, defines the rights of data subjects as well as obligations of operators (similar to data controllers in General Data Protection Regulation (Regulation (EU) 2016/679) (‘GDPR’)) and their authorised persons (similar to data processors in the GDPR), including obligations on measures for the protection of personal data.
- A number of legislative amendments are expected in order to implement the provisions of the PDP Law. In particular, it is expected that there will be amendments to the system of information relations currently established in the Law of 10 November 2008 No. 455-Z on Information, Informatization and Protection of Information.
Heavy
- Belgium is a member of the European Union and so is required to comply with the General Data Protection Regulation (Regulation (EU) 2016/679) (‘GDPR’).
- The application of the GDPR in Belgium turns on whether an organisation is established in the EU. An ‘establishment’ may take a wide variety of forms and is not necessarily a legal entity registered in an EU member state.
The Act of 30 July 2018 on the Protection of Natural Persons with Regard to the Processing of Personal Data (‘the GDPR Implementing Law’) incorporates elements of the GDPR that allow for Member State specifications or restrictions.
The GDPR Implementing Law also transposes the Data Protection Directive with Respect to Law Enforcement (Directive (EU) 2016/680) which regulates the processing of personal data by law enforcement and establishes the Police Information Supervisory Body.
The GDPR Implementing Law repeals the Act of 8 December 1992 on the Protection of Privacy in Relation to the Processing of Personal Data, the Royal Decree of 13 February 2001 implementing the Act of 8 December 1992 on the Protection of Privacy in Relation to the Processing of Personal Data, the Royal Decree of 17 December 2003 regarding Certain Sectoral Committees within the Privacy Commission (only available in Dutch and French here), and Article 15(3) of the Act of 25 December 2016 regarding the Processing of Passenger Data (available in Dutch and French here).
- The Belgian government is waiting for guidance from the EU.
- The government has warned investors about the risk of crypto fraud and lack of regulatory oversight.
- Belgium has Bitcoin taxes, at 33% on any cryptocurrency income.
Limited
- Belize adopted the Data Protection Bill (the “Act”) on 29 November 2021.
- The Act regulates the collection, keeping, use and dissemination of personal data.
- Privacy is also expressly considered in the Belize Constitution, though references can be found in some laws which regulate public and private entities, and which are required to obtain personal information.
Moderate
- The data protection regime in Benin is governed by Book V of the 2017 Digital Code of the Republic of Benin: Protection of Personal Data, and Law No. 2009-09: Dealing with the Protection of Personally Identifiable Information (PII). These laws have considerable overlap but differ slightly in their scope.
- Law No. 2009-09 pertains to the digital processing of personally identifiable information in digital files or manuals, as well as personal identification mechanisms based on nominative, personal, and biometric information processed alongside a national ID number.
- Book V pertains to the collection, treatment, transmission, storage, and use of personal data by a person, the state, local authorities, and legal persons, as well as automated processing and non-automated processing of personal data contained in files, or any processing of data for public security, defence, research, prosecution of criminal offences, or the security and essential interests of the state.
- The Autorité de protection des données à caractère personnel (APDP) is tasked with ensuring the application of the provisions of Book V and respect for privacy in general.
- The Fifth Book of the Digital Code, on personal data protection, is directly influenced by the EU’s General Data Protection Regulation (Regulation (EU) 2016/679) (‘GDPR’). It regulates and clarifies several matters, such as joint controllership of data, conditions for consent, data breach notifications, processing for research and other purposes, and impact assessments.
Limited
- The “Information, Communications and Media Act” came into force in 2018.
- The Act gives Bhutan a minimal data privacy law, but its coverage regarding privacy does remain extremely limited.
- The law covers almost all uses of electronic information and enables the creation of an Infocomm and Media Authority, a partly independent body with limited authority.
- Under the Act, it is able to investigate and resolve complaints. The Act also covers offences and compensation in such cases.
Limited
- Bolivia recognizes data protection as a constitutional right under The Political Constitution of the Plurinational State of Bolivia, in Article Nº130.
- However, Bolivia lacks the comprehensive data protection framework necessary to properly regulate consent and make the collection and processing of personal information secure.
- The Bolivian Political Constitution of 2009 (only available in Spanish here) (‘the Constitution’) establishes the rights to inviolability of private communications, as well as the right to know, object to, eliminate, or rectify registered data.
- There is currently one draft law on data protection pending consideration by the Legislative Assembly: Draft law No. 349/2020-2021 (only available in Spanish here) (‘the 2021 Draft Law’), presented by the organization Internet Bolivia, on October 19, 2021 before the Legislative Assembly.
- There are no further statutory rules around data protection.
Moderate
- The Law on Protection of Personal Data (‘Official Gazette of BIH’, nos. 49/06, 76/11 and 89/11) (DP Law) is the governing law regulating data protection issues in Bosnia and Herzegovina (BiH). The DP Law came into force on July 4, 2006 and was amended on October 3, 2011.
- As part of the EU approximation process, Bosnia and Herzegovina (‘BiH’) has taken the obligation to harmonise all of its legislation with the EU laws. Therefore, BiH is obliged to harmonise its legislation with the Acquis Communautaire, which includes the harmonisation of the Law on the Protection of Personal Data No. 49/06 (‘the Law’) with EU regulations in the field of personal data protection.
Limited
Prior to the introduction of the Data Protection Act, 2018 Botswana did not have any primary legislation that regulated the protection of personal data.
The Data Protection Act, which was assented to by the Parliament of Botswana on 3 August 2018, came into effect on 15 October 2021. The latest amendment, the Data Protection (Amendment) Act (Transitional Period) Order, 2023, came into force on October 13, 2023.
The Data Protection Act defines what constitutes personal data, as well as outlines the rights and obligations of parties involved in the processing of personal data, including the data subject, data controller and data processor.
Further, the Data Protection Act establishes the Information and Data Protection Commission (‘the Commission’), which will be responsible for ensuring the effective application of the Data Protection Act after its commencement.
Moderate
- The Brazilian General Data Protection Law (LGPD), Federal Law no. 13,709/2018, has been in force since September 18, 2020 after several discussions and postponements. The LGPD is largely aligned with the EU General Data Protection Regulation (GDPR).
- The LGPD is a comprehensive data protection law that covers the activities of data controllers and processors and creates requirements for the processing of information of data subjects. It includes provisions on a variety of issues such as data protection officer (‘DPO’) appointments, Data Protection Impact Assessments (‘DPIA’), data transfers, data breaches, and the establishment of the Brazilian data protection authority (‘ANPD’).
- The LGPD is in force; however, penalties issued under it only became enforceable from August 2021.
- Prior to the LGPD, data privacy regulations in Brazil consisted of various provisions spread out across Brazilian legislation.
Limited
- No legislation or common law protects the privacy of information upon which an individual can be directly or indirectly identified.
- In May 2021, Brunei published the Public Consultation Paper on Personal Data Protection for the Private Sector in Brunei Darussalam – it is anticipated that the Personal Data Protection Order will come into force in the near future.
Heavy
The Bulgarian legislation on data protection does not contain significant variations from the General Data Protection Regulation (Regulation (EU) 2016/679) (‘GDPR’). The data protection landscape is shaped by the Protection of Personal Data Act 2002 (‘the Act’) and the guidelines issued by the Commission for Personal Data Protection (‘CPDP’).
- The Act is the main source of local data protection law. It was adopted in 2002 and now implements the provisions of the GDPR. The Act sets forth the legal framework for the CPDP established in 2002. Since then, the Act has been amended several times and its last revision followed the entry into force of the GDPR.
Moderate
- On 20 April 2004, Burkina Faso created a legal framework for the protection of personal data by adopting Law No. 010-2004/AN on the Protection of Personal Data. This was repealed and replaced in 2021 by the Act No. 001-2021/AN (available in French here) which strengthened the protection of the privacy of individuals and reinforced security requirements.
- In addition, Burkina Faso’s application to accede to the Council of Europe’s Convention for the protection of individuals with regard to automatic processing of personal data of 1981 was accepted on 23 March 2017.
- Burkina Faso has yet to ratify Convention 108.
- Burkina Faso is a member of the French-speaking association of personal data protection authorities (Association francophone des autorités de protection des données personnelles).
- As such, Burkina Faso adopted, on 22 November 2013, the resolution of Marrakech relating to the procedure for regulating transfers of personal data in the French-speaking area by means of binding corporate rules (‘BCR’).
The sanctions established under the 2021 Act are significantly stricter as they can reach 1% of a company’s turnover excluding tax and 5% in the event of a repeat offence.
Limited
- Burundi does not have a law that specifically regulates personal data protection.
- Several laws and regulations do contain data protection provisions or impose confidentiality obligations on specific types of personal information such as laws surrounding employment, telecommunications, and health sectors. However, Burundi is yet to implement a stand-alone statutory provision for the protection of data.
C
Moderate
- Cape Verde provides individuals with several constitutional and statutory rights to personal data protection.
- Major provisions in the data protection laws are effectively reproduced in the Constitution, which provides an additional layer of legitimacy.
- Law No. 133, passed in 2001, was Cape Verde’s original data protection law. It closely mirrored European data protection laws at the time, as Cape Verde’s legal system largely draws from that of the Portuguese.
- Law No. 41 was passed in 2013 to supplement and update Law No. 133, and Law No. 42 was subsequently passed to detail the responsibilities of the Cape Verdean data protection authority, known as the Comissão Nacional de Proteção de Dados Pessoais (CNPD). Cape Verde also introduced Law No. 121/IX/2021 in March 2021.
- Law No. 42 establishes the CNPD as an independent administrative authority responsible for enforcing the data protection laws of Cape Verde.
- Cape Verde ratified the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data (‘Convention 108’).
Limited
- Cambodia has not yet enacted any comprehensive data protection legislation.
- The latest update on a comprehensive personal data protection law was announced by the Ministry of Post and Telecommunications (‘MPTC’) on 19 February 2021, which stated that the MPTC intended to prepare a draft personal data protection law after finalising its draft cybersecurity law (‘the Draft Cybersecurity Law’). As of mid-2023, neither legislation is available.
- Cambodia does have the E-Commerce Law and the Consumer Protection Law, which contain provisions on the protection of consumer data that has been gathered over the course of electronic communications.
- Other matters pertaining to data protection typically fall under the right to privacy, which is protected in broad terms under the Constitution of the Kingdom of Cambodia 2010, the Civil Code of Cambodia 2007, and the Criminal Code of the Kingdom of Cambodia 2009.
Limited
- Protecting data has become a major regulatory and legislative concern in Cameroon.
- As a specific data protection law is yet to be adopted, it is quite challenging for users to control the use of their data. The Constitution of Cameroon provides for the right to protection against any privacy interference, and Law No. 2010/012 on Cybersecurity and Cybercrime in Cameroon sets out provisions on the protection of individuals’ privacy, data retention and the confidentiality of electronic communications.
- However, Cameroon is preparing a privacy bill (‘the Bill’), according to the competent services of the Ministry of Posts and Telecommunications.
- The drafting of the Bill is ongoing.
Heavy
- Canada has 28 federal, provincial and territorial privacy statutes (excluding statutory torts, privacy requirements under other legislation, federal anti-spam legislation, criminal code provisions etc.) that govern the protection of personal information in the private, public and health sectors.
- Although each statute varies in scope, they all set out a comprehensive regime for the collection, use and disclosure of personal information.
- Federal: Personal Information Protection and Electronic Documents Act 2000 (‘PIPEDA’);
- British Columbia: Personal Information Protection Act, SBC 2003 c 63 (‘BC PIPA’);
- Alberta: Personal Information Protection Act, SA 2003 c P-6.5 (‘AB PIPA’); and
- Quebec: Act respecting the Protection of Personal Information in the Private Sector (CQLR, 2023, c. P-39.1) (‘Quebec Private Sector Act’), recently amended by the Act To Modernize Legislative Provisions As Regards The Protection Of Personal Information (SQ, 2021, c 25) (formerly known as Bill 64) which is scheduled to come into force in phases ranging between one and three years from the date of assent on September 22, 2021; as of September 22, 2023, all provisions of the Quebec Private Sector Act have come into force, except for the right to data portability, which will come into force on September 22, 2024.
- On 17 November 2020, Bill C-11 for the Digital Charter Implementation Act, 2020 (‘DCIA’) was introduced to the House of Commons, and would reform Canada’s federal private sector privacy laws by enacting the Consumer Privacy Protection Act and the Personal Information and Data Protection Tribunal Act.
- The DCIA failed to pass both the House of Commons and the Senate before the Parliamentary session ended.
Limited
- By Law No. 007/PR/2015 on the Protection of Personal Data, the Republic of Chad has organised the protection of personal data.
- The purpose of this law is to put in place a mechanism to protect private and professional life following the collection, processing, transmission, storage, and use of personal data, subject to the protection of public order.
Moderate
- Chile approved its first regulation on data privacy back in 1999, Law No. 19.628 on the Protection of Private Life 1999, which was the first of its kind in Latin America.
- After a very short period, the Law became obsolete and has practically no enforcement due to the lack of a catalogue of violations, no official data privacy authority, and low fines, among other flaws.
- In 2010, Chile became a member of the Organisation for Economic Co-operation and Development (‘OECD’), committing to adapt its data protection regulation and regularise cross-border data flows.
- On 15 March 2017, the Government presented Bill No. 11144-07 Regulating the Processing and Protection of Personal Data and Creating the Personal Data Protection Authority that modifies the Law based on GDPR standards and creates a data protection agency.
- Its legislative process has been very slow, with countless indications, and it is still in the first legislative process.
- Moreover, in 2018, data protection was incorporated as a constitutional guarantee.
- In order to expedite the legislative procedure, on 15 December 2020, the Government decided to place the Bill into an ‘urgent’ category to speed up the remaining stages. The Government expects the Bill to be approved during 2021.
- On 7 October 2021, the Government amended the Bill, incorporating the creation of an Agency for the Protection of Personal Data as the data protection authority (‘the Agency’), as well as setting certain precisions to the structure of fines. Shortly after, and in order to expedite the legislative procedure, the Government placed an ‘urgency’ on the Bill.
Heavy
There is not a single comprehensive data protection law in the People’s Republic of China (PRC), although one has now been proposed (see below).
Instead, rules relating to personal information protection and data security are part of a complex framework and are found across various laws and regulations.
On June 1, 2017, the PRC Cybersecurity Law came into effect and became the first national-level law to address cybersecurity and data privacy protection.
Following this, there has been an abundance of implementing regulations and guidelines (herein referred to as Guidelines) proposed, issued or revised to flesh out the essentials and concepts introduced under the PRC Cybersecurity Law. These include, non-exhaustively:
- National Standard of Information Security Technology – Personal Information Security Specification (PIS Specification), as amended and effective from October 1, 2020;
- Guidelines on Internet Personal Information Security Protection, effective from April 19, 2019; and
- National Standard of Information Security Technology – Guidelines on Personal Information Security Impact Assessment, effective from June 1, 2021.
- The Decision on Strengthening Online Information Protection, effective from December 28, 2012 (Decision).
The Decision has the same legal effect as law, and its purpose is to protect the online information security, safeguard the lawful rights and interests of citizens, legal entities or other organizations, and ensure national security and public interests. While the PIS Specification and other Guidelines are only technical guides (covering in detail key issues such as data transfers, sensitive personal information and data subject rights), and thus not legally binding, they are highly persuasive.
Provisions contained in other laws and regulations may also apply depending on the industry or type of information involved (for example, personal information obtained by financial institutions and e-commerce businesses, personal information collected by telecom or Internet service/content providers, healthcare and genetic information, etc.).
In August 2021 China approved the Personal Information Protection Law (PIPL). PIPL established personal information processing rules, data subject rights and obligations for personal information processors.
China has also approved the Data Security Law which entered into force in September 2021. The legislation regulates data processing activities associated with personal and non-personal data.
In addition, the Civil Code of the People’s Republic of China (‘the Civil Code’) effective on 1 January 2021, expressly provides the right of privacy and personal information protection. The express protection of personal information under the Civil Code represents a new era of privacy and personal information protection. Meanwhile, new supporting rules (such as guidelines and standards) are expected in 2022 and beyond as China’s cybersecurity and personal information protection framework continues to evolve.
Moderate
- Colombia has various statutory provisions relating to data privacy.
- Statutory Law 1266 of 2008 (Law 1266) regulates the processing of financial data, credit records and commercial information collected in Colombia or abroad.
- Law 1266 defines general terms on habeas data and establishes basic data processing principles, data subject rights, data controller obligations and specific rules for financial data.
- Furthermore, Statutory Law 1581 of 2012 (Law 1581) regulates all personal data processing, as well as databases. Law 1581 defines special categories of personal data, including sensitive data and data collected from minors.
- The law further regulates the obtention of authorisation to treat personal data and the procedures for data processing. Moreover, the law creates the National Register of Data Bases (NRDB).
- Law 1581 is applicable to all data collection and processing in Colombia, except data regulated under Law 1266 and certain other types of data or regulated industries.
- Decree 1377 of 2013 (Decree 1377) is a piece of secondary regulation related to Law 1581 which outlines requirements for personal and domestic databases regarding authorization of personal data usage and recollection, limitations to data processing, cross-border transfer of databases and privacy warnings, among others. This Decree also requires controllers and processors to adopt a privacy policy and privacy notice.
- Decree 886 of 2014 (Decree 886) and Decree 090 of 2018 (Decree 090) issued by the Ministry of Commerce, Industry and Tourism, as well as the Resolution 090 of 2018 issued by the Superintendence of Industry and Commerce, regulate the National Register of Data Bases and set deadlines for registration of existing data bases in Colombia.
The Data Protection Regulations are applicable to individuals, private and public companies, and governmental entities that carry out the processing of personal data of individuals (regardless of their nationality) who are domiciled in the territory of Colombia, and companies that process the personal data of people in Colombia, whether or not they are located/incorporated in Colombian territory.
Limited
- Specific legislation on data protection has been approved relatively recently in the country.
- On 10 October 2019, the Republic of Congo (‘Congo’) adopted Law 29-2019 on the Protection of Personal Data. The Law’s main objectives are to:
- set up a framework that ensures the protection of the fundamental rights and freedoms of natural persons, namely their privacy, regarding the processing of personal data;
- guarantee that information technology and communication remain at the service of citizens and do not infringe private and public freedoms, in particular the right to private life;
- ensure that, while the processing of personal data is conducted according to the fundamental rights, State prerogatives are also considered, as well as the rights of decentralised public administration entities, and the interest of companies and the civil society.
- The majority of the essential principles and diligence arising from the Law are similar to those established under the GDPR. This may be related to the fact that it is a very recent law that was enacted following the EU application of the GDPR.
- Moreover, the Law also contains provisions regarding privacy in the electronic communications sector that also reflect the principles underlying the EU’s Directive on Privacy and Electronic Communications (2002/58/EC) (as amended) (‘the ePrivacy Directive’).
Moderate
- Data privacy regulation in Costa Rica is contained in two laws.
- Law No. 7975, the Undisclosed Information Law, which makes it a crime to disclose confidential and/or personal information without authorization.
- Law No. 8968, Protection in the Handling of the Personal Data of Individuals together with its by-laws, which were enacted to regulate the activities of companies that administer databases containing personal information. Therefore, the scope of the second law is limited.
- However, the right to data protection has been recognised and protected in Costa Rica by the Constitutional Court since the 1990s, on the basis of Article 24 of the Political Constitution of Costa Rica (‘the Constitution’), which specifically recognises the right to intimacy, as well as the freedom and secrecy of communications.
Limited
- Data protection in Ivory Coast is governed by Law No. 2013-450, which details enforcement responsibilities for the Autorité de régulation des télécommunications/TIC de Côte d’Ivoire (ARTCI).
- Under Law No. 2013-450, individuals have the right to:
- obtain all of their personal data in an understandable form, as well as any available information as to the origin;
- object, for legitimate reasons, to the processing of personal data concerning them;
- oppose the processing of their personal data for prospecting purposes;
- correct, supplement, update, lock, or delete personal data where it is inaccurate or incomplete; and
- not be subject to decisions made on the sole basis of automated processing that would produce significant or detrimental legal repercussions for them.
However, the issue of personal data protection has grown since the entry into force of the General Data Protection Regulation (Regulation (EU) 2016/679) (‘GDPR’). Many international groups have required their subsidiaries in Côte d’Ivoire to comply with regulations. Today more and more companies and people are aware of this issue.
Heavy
- The General Data Protection Regulation (Regulation (EU) 2016/679) (GDPR) is a European Union law which entered into force in 2016 and, following a two-year transition period, became directly applicable law in all Member States of the European Union on May 25, 2018, without requiring implementation by the EU Member States through national law.
- The Act on the Implementation of the General Data Protection Regulation (in Croatian as Zakon o provedbi Opće uredbe o zaštiti podataka) was enacted in the Croatian Parliament on April 27, 2018 and came into force on May 25, 2018 (the ‘Act’).
- Also, the Act on Healthcare Data and Information, which came into force on 15 February 2019, regulates rights, obligations and responsibilities of legal and natural persons within the Croatian healthcare system with respect to healthcare data and information and, inter alia, sets out fundamental principles and standards of their collection, processing and protection.
Limited
- Governed by Law 149/2022 on Personal Data Protection (only available in Spanish here) (‘the Law’)
- In Cuba, the Law regulates the protection of personal data, consolidating the right to privacy provided under Article 97 of the Constitution of the Republic of Cuba. The Law applies to public and private bodies, introduces the concepts of data owners, with specific rights, as well as responsible persons, and designated persons.
- Processing of personal data in Cuba is underpinned by 12 personal data protection principles which must be complied with in any such activities.
Heavy
- The General Data Protection Regulation (Regulation (EU) 2016/679) (GDPR) is a European Union law which entered into force in 2016 and, following a two-year transition period, became directly applicable law in all Member States of the European Union on May 25, 2018, without requiring implementation by the EU Member States through national law.
- The Protection of Physical Persons Against the Processing of Personal Data and Free Movement of such Data Law 125(I)/2018, which implements certain provisions of the GDPR into local law, entered into force on July 31, 2018.
- To ensure the proper application of the GDPR, the Office of the Commissioner for Personal Data Protection (‘the Commissioner’) has adopted certain guidelines issued by the Article 29 Working Party (‘WP29’) which has been replaced by the European Data Protection Board (‘EDPB’) and has also issued its own guidelines and opinions.
Heavy
- The General Data Protection Regulation (Regulation (EU) 2016/679) (GDPR) is a European Union law which entered into force in 2016 and, following a two-year transition period, became directly applicable law in all Member States of the European Union on May 25, 2018, without requiring implementation by the EU Member States through national law.
- The new Czech Act No. 110/2019 Coll., on Personal Data Processing, being the Czech GDPR implementation law, finally came into effect on 24th April 2019.
- This statute fully replaced the older Personal Data Protection Law (Act No. 101/2000 Coll., as amended) and regulates personal data processing within the scope of Regulation (EU) 2016/679 and then processing of this data by competent authorities for preventing, searching for and detecting criminal activity, ensuring safety and public order etc.
- It also regulates the jurisdiction of the Office for personal data protection and personal data processing at the time of ensuring defence and security of the Czech Republic.
D
Limited
- There is currently no general data protection legislation.
- There is currently no general data protection authority.
Limited
- There is currently no general data protection legislation.
- There is currently no general data protection authority.
Moderate
- Section 44 of the Dominican Constitution recognizes citizens’ right to access their personal data stored in public or private databases, as well as their right to information concerning the purpose and use of the same.
- The Constitution also establishes that the processing of personal data must be carried out in accordance with the principles of:
- Reliability
- Legality
- Integrity
- Security, and
- Purpose of the information
- The collection, storage and safekeeping of personal data, as well as usage and access rights concerning such personal data, are governed by the provisions of Law No. 172-13 on the Protection of Personal Data enacted December 13, 2013 (DPL).
- Although there is no general data breach notification requirement under the Law, the Dominican Telecommunications Institute (‘INDOTEL’) requires the adoption of security measures, classified as basic, medium, or high depending on the type of information, and the notification of data breaches if they occur.
E
Limited
- There is currently no general data protection legislation.
- There is currently no general data protection authority.
Moderate
- The National Assembly of Ecuador enacted on 26 May 2021 the Personal Data Protection Law. This is the first specific legal regulation about personal data protection.
- The Law has been enforced since May 2023, such as:
- any processing of personal data carried out prior to the entry into force of the Law must be brought into compliance with the provisions of the Law within two years of its publication.
- provisions related to corrective measures and sanctioning regime.
- All personal data controllers must adapt the international transfer of personal data to the new legislation.
- In general terms, the Law reflects the principles and procedures set forth in the General Data Protection Regulation (‘GDPR’) enacted by the European Union. Therefore, if the company has experience in the regulatory and day-to-day aspects of the GDPR, it will not be inconvenient to comply with the requirements of the local law.
- The appointment of the person who will head the Personal Data Protection Authority, known as the Data Protection Superintendency (‘the Superintendency’), is pending, which in turn must issue the secondary regulations to regulate different aspects of the Law.
- The issuance of the General Regulation (‘Draft Regulation’) is still pending by the President of Ecuador
Robust
- On 13 July 2020, Egypt’s Government issued its long-awaited Data Protection Law, which establishes various standards and controls governing the processing and handling of personal data. The Law was published in the Official Gazette on 15 July 2020.
- The Law is part of a growing trend of countries enacting comprehensive data protection laws, which reflect the European General Data Protection Regulation (GDPR).
- The Law aims to safeguard the rights of individuals in Egypt in respect of their personal data and to place responsibilities on businesses in how they process personal data.
- The enactment of the Law brings a new standalone data protection and privacy regime to Egypt
Limited
- El Salvador’s Congress approved a Personal Data Protection Act on Apr. 22, 2021.
- However, the Act was vetoed and sent back to Congress for review but no further action has been taken in order to review the causes for the veto and/or make any amendments for its further approval.
- Until the Act is approved, data protection remains disseminated in other Acts.
Limited
- Law No. 1/2016 on the Protection of Personal Data (only available in Spanish here) (‘the Law’).
- The Governing Body for the Protection of Personal Data is to be the authority governing data protection law, although it is not yet operational.
Limited
- There is currently no general data protection legislation.
- There is currently no general data protection authority.
Heavy
- The General Data Protection Regulation (Regulation (EU) 2016/679) (GDPR) is a European Union law which entered into force in 2016 and, following a two-year transition period, became directly applicable law in all Member States of the European Union on May 25, 2018, without requiring implementation by the EU Member States through national law.
- In Estonia, all derogations / additional requirements to the GDPR are provided in the new Personal Data Protection Act (PDPA) and the Personal Data Protection Implementation Act (Implementation Act).
- The new PDPA was adopted by the Estonian parliament on December 12, 2018 and entered into force on January 15, 2019. The Implementation Act was adopted on February 20, 2019 and entered into force on March 15, 2019.
F
Limited
- There is currently no general data protection legislation.
- There is currently no general data protection authority.
- Whilst there is no general data protection law in Fiji, the Constitution of the Republic of Fiji (2013) provides for a right to privacy, which includes a right to the confidentiality of personal information.
- In addition, there are sectoral laws regulating electronic transactions, cybercrime, and consumer protection.
- Additionally, the Online Safety Act, 2018 came into effect in January 2019, which aims to, among other things, deter misuse of personal information online. The Cybercrime Act 2021 was also enacted by the Parliament of the Republic of Fiji.
Heavy
- The General Data Protection Regulation (Regulation (EU) 2016/679) (GDPR) is a European Union law which entered into force in 2016 and, following a two-year transition period, became directly applicable law in all Member States of the European Union on May 25, 2018, without requiring implementation by the EU Member States through national law.
- Finland has passed a supplementary implementation act of the GDPR, the Data Protection Act of Finland (Tietosuojalaki), which entered into force on January 1, 2019.
- Other key Finnish laws concerning data privacy and protection are: the Act on Electronic Communication Services 917/2014 (Laki sähköisen viestinnän palveluista) of January 1, 2015, which aims to, inter alia, ensure the confidentiality of electronic communication and the protection of privacy; the Act on the Protection of Privacy in Working Life 759/2004 (‘Working Life Act’) (Laki yksityisyyden suojasta työelämässä), and; the Act on the Processing of Personal Data in Criminal Cases and in connection with Maintaining National Security 1054/2018 (Laki henkilötietojen käsittelystä rikosasioissa ja kansallisen turvallisuuden ylläpitämisen yhteydessä), which entered into force on January 1, 2019 along with the Data Protection Act.
Heavy
- The General Data Protection Regulation (Regulation (EU) 2016/679) (GDPR) is a European Union law which entered into force in 2016 and, following a two-year transition period, became directly applicable law in all Member States of the European Union on May 25, 2018, without requiring implementation by the EU Member States through national law.
- France updated Law No. 78-17 of January 6, 1978 on information technology, data files and civil liberties (the “Law”) to align it with the GDPR through the enactment of (i) Law No. 2018-493 of June 20, 2018 on the protection of personal data, and (ii) Order No. 2018-1125 of December 12, 2018. The Order, adopted pursuant to Article 32 of Law No. 2018-493, updates the Law and other French laws relating to personal data protection in order to “simplify the implementation and make the necessary formal corrections to ensure consistency with EU data protection law”. France’s domestic data protection legislation was further completed with the adoption of Decree No. 2019-536, adopted for the application of the Law (the “Decree”). The Decree clarifies procedural rules of the French data protection authority, including its control and sanctions, and further specifies data subject rights.
G
Limited
- Gabon has a data protection law specifically addressing global protection for information identifying individuals.
- The Gabon data protection authority, the Commission Nationale pour la Protection des Données à Caractère Personnel (‘CNPDCP’), has entered into discussions periodically with civil society and its representatives regarding various matters (such as employee unions), addresses formal data complaints and has carried out training programs and awareness activities, so there is awareness of data protection in the country.
- The CNPDCP is also an observing member of the Consultative Committee of Convention 108.
- The CNPDCP clarified its capacity for enforcement actions in 2019 and noted that alongside issuing warnings and a three-month ban on activities, it can impose fines ranging from CFA 1 million (approx. €1,500) to CFA 100 million (approx. €150,100) for violations of the Law, and CFA 100 million to CFA 300 million (approx. €450,300) for repeat violations.
Limited
- There is currently no general data protection legislation.
- There is currently no general data protection authority.
- However, data protection provisions are included in both sectoral national legislation and policies and continental conventions and acts.
- In addition, the Public Utilities Regulation Authority (‘PURA’) issued, in May 2019, its Draft Data Protection and Privacy Policy Strategy 2019 (‘the Draft Policy Strategy’); however, it should be noted that this policy document does not currently have the status of law.
Heavy
- Data Protection Legislation is regulated by the Office of the Personal Data Protection Inspector (‘PDP’)
- In addition to the Data Protection Act, other normative acts such as the Law of Georgia on State Inspector Service (N3273-RS, 21.07.2018) and the Resolution of the Government of Georgia on the Approval of the Regulations on the Activities of the Personal Data Protection Inspector and the Rule of Exercising the Power by Him/Her (N180, 19.07.2013) (only available in Georgian here) contribute to the regulatory framework for data protection.
- The processing of personal data in Georgia is regulated under the Law of Georgia on Personal Data Protection of 14 June, 2023 No. 3144 (only available in Georgian here) (the 2023 Law). The 2023 Law replaced the Law of Georgia on Personal Data Protection of 28 December 2011 No. 5669 (the Data Protection Act) and compared to its predecessor, is more harmonized with European Standards, creating a more effective legal framework for the protection of personal data.
- Specifically, the Draft Law aims at bringing Georgian legislation on personal data protection into closer alignment with the General Data Protection Regulation (Regulation (EU) 2016/679) (‘GDPR’).
Heavy
- The General Data Protection Regulation (Regulation (EU) 2016/679) (GDPR) is a European Union law which entered into force in 2016 and, following a two-year transition period, became directly applicable law in all Member States of the European Union on May 25, 2018, without requiring implementation by the EU Member States through national law.
- Germany has adjusted the German legal framework to the Federal Data Protection Act of 30 June 2017 (implementing the GDPR) (Bundesdatenschutzgesetz – ‘BDSG’).
- The BDSG was officially published on July 5, 2017 and came into force together with the GDPR on May 25, 2018. The purpose of the BDSG is especially to make use of the numerous opening clauses under the GDPR which enable Member States to specify or even restrict the data processing requirements under the GDPR.
- In addition to the BDSG, there exist a number of data protection rules in area-specific laws, for example those regulating financial trade or the energy sector. Many of these laws have been adapted to the GDPR by the Second Data Protection Adaptation and Implementation Act EU (Zweites Datenschutz-Anpassungs- und Umsetzungsgesetz EU – ‘2. DSAnpUG-EU’), which generally entered into force on November 26, 2019. However, some particularly relevant laws have so far remained unchanged, most notably the Telemedia Act (Telemediengesetz – ‘TMG’), raising questions about the continued applicability of the data protection rules contained therein.
- On 1 December 2021, a new Federal Act on the Regulation of Data Protection and Privacy in Telecommunications and Telemedia (only available in German here) (‘TTDSG’) came into effect. The main purpose of the new law is to consolidate existing data protection provisions enshrined in the German Telemedia Act of 2007 and the German Telecommunications Act (only available in German here) in one new act and to implement the Directive on Privacy and Electronic Communications (2002/58/EC) (as amended) (‘the ePrivacy Directive’). The TTDSG contains rules, inter alia, regarding tracking technologies.
Moderate
- The primary legislation governing privacy/data protection in Ghana is the Data Protection Act, 2012 (Act 843).
- The 1992 Constitution of the Republic of Ghana (‘the Constitution’) is the supreme law of Ghana and it is the instrument from which every piece of legislation derives its validity in Ghana.
- The primary legislation which protects data privacy is the Data Protection Act, 2012 (‘the Data Protection Act’). The purpose of the Data Protection Act is to establish a Data Protection Commission (‘DPC’), to protect individuals’ privacy and personal data by regulating the processing of personal information.
Heavy
- The General Data Protection Regulation (Regulation (EU) 2016/679) (GDPR) is a European Union law which entered into force in 2016 and, following a two-year transition period, became directly applicable law in all Member States of the European Union on May 25, 2018, without requiring implementation by the EU Member States through national law.
- The Greek Law 4624/2019 “on the Hellenic Data Protection Authority, the implementation of Regulation 2016/679 and the transposition of Directive 2016/680” (Government Gazette A/137/29.08.2019) was enacted and entered into force on August 28, 2019.
- The Law regulates the operation of the Hellenic Data Protection Authority, introduces GDPR supplementary rules and transposes the Law Enforcement Directive into Greek Law.
Limited
In May 2023, the Grenada Data Protection Act, No. 1 of 2023 (GDPA) was published in the Official Gazette, following its assent by the Deputy to the Grenada Governor-General.
The GDPA aims to establish a comprehensive data protection framework in Grenada and provides data subject rights such as the right to access and rectification, and establishes seven data protection principles, including data integrity and disclosure.
Limited
- There is currently no general data protection authority.
- Although the Political Constitution of the Republic of Guatemala (‘the Constitution’) recognises privacy and data privacy rights as a constitutional right, there is no specific law currently regulating data privacy.
Limited
- There is currently no general data protection legislation.
- There is currently no general data protection authority.
- Although, as yet, there is no general data protection framework in Guinea, data privacy is addressed in several pieces of legislation.
- These include the Constitution of Guinea 2010, as well as previous iterations of the constitution, which states under Article 12 that the secrecy of correspondence and communication is inviolable, and highlights the right to the protection of privacy.
- The Law on Cybersecurity and Personal Data came into effect on 28 July 2016, and outlines requirements for combating cybercrime in part one, as well as for the protection of personal and sensitive data in part two.
Limited
- There is currently no general data protection legislation.
- There is currently no general data protection authority.
Limited
On August 16, 2023, the Data Protection Act No.18 of 2023 received Presidential assent and will come into effect on the day the Minister responsible for data protection may, by order, appoint.
The Act regulates the collection, keeping, processing, use, and dissemination of personal data and establishes data protection principles as well as legal bases for the processing of personal data.
H
Limited
- There is currently no general data protection legislation.
- There is currently no general data protection authority.
Limited
- Personal data protection is regulated mainly in:
- National Constitution: Article 182 provides the constitutional protection of habeas data, giving individuals the right ‘to access any file or record, private or public, electronic or hand written, that contains information which may produce damage to personal honour and family privacy. It is also a method to prevent the transmission or disclosure of such data, rectify inaccurate or misleading data, update data, require confidentiality and to eliminate false information. This guarantee does not affect the secrecy of journalistic sources.’
- In addition, the Law for the Protection of Confidential Personal Data (the “Law”) is currently in discussion in the Honduran Congress. Congress has approved the first chapters of the Law. The complete approval of the Law and the date on which the Law will enter into force are expected in the first half of 2019.
Heavy
- The General Data Protection Regulation (Regulation (EU) 2016/679) (GDPR) is a European Union law which entered into force in 2016 and, following a two-year transition period, became directly applicable law in all Member States of the European Union on May 25, 2018, without requiring implementation by the EU Member States through national law.
- The Hungarian Parliament implemented the GDPR into Hungarian laws by amending Act CXII of 2011 on the Right of Informational Self-Determination and on Freedom of Information. As of 26 April 2019 all the relevant sectoral laws were also amended in Hungary in order to comply with the provisions of the GDPR.
- The Hungarian Parliament has begun to harmonise sectoral laws with the GDPR, in particular focusing on employment and direct marketing. Other specific jurisdictional issues are expected to be discussed in the upcoming amendment of sectoral laws.
Heavy
The Personal Data (Privacy) Ordinance (Cap. 486) (Ordinance) regulates the collection and handling of personal data. The Ordinance has been in force since 1996, but in 2012/2013 was significantly amended (notably with regard to direct marketing).
A consultation paper was put before the Legislative Council in January 2020 (Consultation Paper) to propose certain changes to the Ordinance with the aim of strengthening data protection in Hong Kong. There is no indication on the timeline of any legislative amendments to the Ordinance.
Further amendments to the PDPO were introduced in 2021, pursuant to the Personal Data (Privacy) (Amendment) Ordinance 2021 (‘2021 Amendment Ordinance’), which took effect on 8 October 2021. The purpose of these amendments was, primarily, to address the acts of disclosing personal data without consent, i.e. ‘doxxing’.
I
Heavy
- The General Data Protection Regulation (Regulation (EU) 2016/679) (GDPR) is a European Union law which entered into force in 2016 and, following a two-year transition period, became directly applicable law in all Member States of the European Union on May 25, 2018, without requiring implementation by the EU Member States through national law.
- The Act No. 90/2018 on Data Protection and the Processing of Personal Data (the ‘DPA’) implements the GDPR in Iceland. The law contains derogations and exemptions from the position under the GDPR in certain permitted areas.
Limited
- The Constitution of India (‘the Constitution’) recognises a fundamental right to privacy.
- This constitutional right casts a long shadow on Indian law and influences policy and judicial action and acts as a check on legislative and executive action. In addition to the public law implications, this right has influenced the development of a tortious right against the invasion of privacy and the interpretation of rights embodied in laws on consumer protection, health, IT, telecom licences, and the financial sector.
- At present, the Information Technology Act, 2000 (the Act) and rules notified thereunder largely govern data protection in India.
- The Digital Personal Data Protection Act, 2023 (‘the Act’) received presidential assent in August 2023, and will be implemented once notified by the Indian Government (‘Government’). Once effective, it will be the governing law on personal data protection in the country.
Limited
- In Indonesia, as of the date of this publication there is no general law on data protection.
- Currently, Indonesia takes a patchwork approach to personal data protection legislation, with provisions related to data privacy appearing in several different pieces of legislation. In particular, Law No. 11 of 2008 on Electronic Information and Transactions, as amended by Law No. 19 of 2016 on the Amendment to Law No. 11 of 2008 on Electronic Information and Transactions provides certain data privacy rights.
- In addition, the Kominfo Regulation No. 20 of 2016 on Personal Data Protection in Electronic Systems (‘Kominfo Regulation 20’) establishes significant data protection requirements for electronic system providers, and Government Regulation No. 71 of 2019 regarding the Implementation of Electronic Systems and Transactions (only available in Indonesian here) (‘GR 71’) outlines the procedural guidelines for the Law No. 11 of 2008 on Electronic Information and Transactions.
- However, a new draft Bill on the Protection of Private Personal Data has been under discussion for a number of years but, to date, has not been issued. Although the exact date remains uncertain and the Bill is still to be considered by the House of Representatives, if passed, this will become Indonesia’s first comprehensive law to specifically deal with the issue of data privacy.
- The PDP Bill, if enacted, is expected to unify this system under a singular, comprehensive approach to personal data protection.
- The PDP Bill is further anticipated to establish data sovereignty and security as the keystone of Indonesia’s data protection regime, and to introduce notable obligations for data owners and users. However, there are certain regulations concerning the use of electronic data.
- The draft of the Personal Data Protection Act (only available in Indonesian here) (‘the PDP Bill’) was ratified by the House of Representatives on 20 September 2022, and is expected to enter into force upon its promulgation.
Limited
- Iran has not enacted comprehensive data protection legislation.
A Draft Protection of Personal Data Law (only available in Persian here) (‘the Draft Law’) has been announced by MICEX and is awaiting review by the Islamic Parliament of Iran; however, the expected timeframe for parliamentary deliberations has not been clarified.
In particular, the Draft Law provides for the establishment of the Supervisory Board of Personal Data, which would be tasked with receiving and processing stakeholder complaints to protect personal data.
In the absence of an overarching data privacy law, the legal framework for privacy derives from a patchwork of other laws and regulations dealing with data protection alongside additional matters. Such legislation includes the Law on Publication and Access to Data 2009, the Electronic Commerce Law 2004, and the Cybercrime Law 2009 (only available to download in Persian here).
Limited
- There is no codified law that governs data protection in Iraq.
- Data protection is governed briefly under various laws including the Iraqi Constitution, the Iraqi Penal Code No. 111 of 1969 (‘the Penal Code’), the Iraqi Civil Code (only available in Arabic here), and other laws which are sector-specific (e.g. banking laws, securities laws, labour laws, tax laws, etc.).
- While a data protection law has been recently passed, it only applies to government entities, with the private sector remaining largely unregulated and subject to only piecemeal rules.
- There are no data protection initiatives for the private sector. However, the Iraqi Government has been contemplating a cybercrime law for some time now.
Heavy
- The General Data Protection Regulation (Regulation (EU) 2016/679) (GDPR) is a European Union law which entered into force in 2016 and, following a two-year transition period, became directly applicable law in all Member States of the European Union on May 25, 2018, without requiring implementation by the EU Member States through national law.
- The Irish Data Protection Act 2018 (“DP Act”) came into force on 25 May 2018 in order to give further effect to the GDPR in Ireland. The DP Act includes certain derogations, provides for the establishment of a new Data Protection Commission, implements the Law Enforcement Directive and otherwise addresses procedural aspects of the enforcement of data protection in Ireland.
- The previous data protection legislation in Ireland, the Data Protection Acts 1988 to 2003, was largely repealed by the DP Act; however, those Acts continue to apply in relation to certain limited purposes including national security and defence. Additionally, the previous legislation continues to apply in relation to complaints or infringements which occurred prior to 25 May 2018 as well as to investigations commenced (but not completed) prior to that date.
Robust
- Data protection in Israel is governed primarily by the Protection of Privacy Law, 5741-1981 (‘the Privacy Law’) and the regulations promulgated under it, the Basic Law: Human Dignity and Liberty, 5752-1992, and the guidelines of the Israeli regulator, the Privacy Protection Authority (‘PPA’) (formerly known as the Israel Law, Information and Technology Authority (‘ILITA’)).
- Additional legislation includes:
- Protection of Privacy (Data Security) Regulations, 5777-2017 (‘the Data Security Regulations’);
- Amendment No. 40 to the Communications Law (Telecommunications and Broadcasting), 5742-1982 (‘the Anti-Spam Law’);
- Administrative Offences Regulations (Administrative Fines and Protection of Privacy) 2004 (‘the Administrative Fine Regulations’);
- Protection of Privacy Regulations (Transfer of Information to Databases Abroad), 5761-2001 (‘the Transfer of Information Regulations’);
- Protection of Privacy Regulations (Conditions for Possessing and Protecting Data and Procedures for Transferring Data Between Public Bodies) 1986 (only available in Hebrew here); and
- Protection of Privacy Regulations (Conditions for Inspection of Data and Procedures for Appeal on a Denial of a Request to Inspect) 1981 (only available in Hebrew here) (‘the Data Inspection Regulations’).
Heavy
- The General Data Protection Regulation (Regulation (EU) 2016/679) (GDPR) is a European Union law which entered into force in 2016 and, following a two-year transition period, became directly applicable law in all Member States of the European Union on 25 May 2018, without requiring implementation by the EU Member States through national law.
- The Italian data protection law framework has been harmonized with the GDPR by means of Legislative Decree 101/2018, which entered into force on 19 September 2018 and amended a number of provisions of Legislative Decree 196/2003 (the “Privacy Code”), as well as introducing some transitional provisions regulating the migration to the new regime.
J
Heavy
- Since the implementation of the EU General Data Protection Regulation (Regulation (EU) 2016/679) (‘GDPR’) there has been a race amongst territories in the Caribbean to enforce data protection legislation.
- The bill for the Data Protection Act, 2020 (‘the Act’) was recently passed by the Government of Jamaica (‘the Government’) but has not yet been enacted.
- The Act will not come into operation until the Government has publicly appointed a date that the Act will take effect. Additionally, data controllers will have a transition period of two years from the appointed date to take the necessary steps to ensure full compliance with the requirements under the Act.
- The result of this is that the two-year transition period for data controllers to take the necessary steps to ensure full compliance with the requirements under the Act commenced on 1 December 2021 and expired on 30 November 2023.
Robust
- The Act on the Protection of Personal Information (“APPI”) regulates privacy protection issues in Japan, and the Personal Information Protection Commission (“PPC”), a central agency, acts as a supervisory governmental organization on issues of privacy protection.
- The APPI was originally enacted in 2003 but was amended and the amendments came into force on 30 May 2017. Note that a bill to amend the APPI (‘the 2020 Amendments’) passed the National Diet of Japan on 5 June 2020 and was promulgated on 12 June 2020.
- The 2020 Amendments will come into force on a date specified by a cabinet order, which is not later than two years from the date of promulgation.
Limited
On September 17, 2023, Law No. 24 of 2023 Personal Data Protection Law (the Law) was published in the Official Gazette and came into effect on March 17, 2024.
The provisions of the Law will apply to any processing of personal and sensitive information of natural persons, whether such data was collected or processed before or after the effectiveness of the Law within Jordan, and also apply to controllers who are based outside of Jordan.
K
Limited
- The main legal act regulating personal data in Kazakhstan is the law of the Republic of Kazakhstan No. 94-V dated May 21, 2013 ‘On Personal Data and Its Protection’ (the ‘Law’).
- Data protection has been a significant area of interest for the Government of the Republic of Kazakhstan (‘the Government’).
- At present, the Personal Data Law provides general regulations on the collection and processing of personal data, and notably includes broad requirements for data localisation.
- In addition, the Laws on Amendments to the Personal Data Law were introduced in January and December 2021 and in July, November, and December 2022, significantly extending data protection obligations for organisations.
- The Amendment Law introduces, among other things, further requirements for data collection and processing, obligations for data operators (similar to data processors), and redefines key concepts. The Amendment Law further establishes the competency of the data protection authority including its powers and role.
Moderate
The Constitution of Kenya (‘the Constitution’) guarantees the right to privacy as a fundamental right.
To give effect to this constitutional right under Article 31(c) and (d), the Data Protection Act, 2019 (‘the Act’) was enacted and came into effect on 25 November 2019.
Progress towards implementation started in November 2020 with the appointment of the Data Protection Commissioner (‘the Commissioner’) and setting up of the Office of the Data Protection Commissioner (‘ODPC’). The ODPC is now fully operational.
The Data Protection (General) Regulations, 2021 (‘General Regulations’); the Data Protection (Complaints Handling and Enforcement Procedures) Regulations, 2021 (‘Complaints Handling and Enforcement Procedures Regulations’); and the Data Protection (Registration of Data Controllers and Data Processors) Regulations, 2021 (‘Registration of Data Controllers and Data Processors Regulations’), collectively the Data Protection (Civil Registration) Regulations, were published in the National Gazette on January 14, 2022 and were approved by the National Assembly on March 14, 2022.
The General Regulations and Complaints Handling and Enforcement Procedures Regulations came into effect immediately upon approval whilst the Registration of Data Controllers and Data Processors Regulations came into effect on July 14, 2022.
Limited
- There is currently no general data protection legislation.
- There is currently no general data protection authority.
Moderate
- Under the Constitution of South Korea (‘the Constitution’), the rights to privacy, privacy of communications and freedom of expression are recognised as fundamental rights.
- In addition, the Constitutional Court of South Korea (‘Constitutional Court’) and Supreme Court of South Korea (‘Supreme Court’) have established through subsequent court decisions that the right to informational self-determination should be viewed as a separate fundamental right, despite not being stipulated in the Constitution.
- The main law and regulations related to data protection are the Personal Information Protection Act of Korea as amended in 2023 (available in English here and available in Korean here) (PIPA) and its implementing regulations, which regulate the collection, usage, disclosure, and other processing of personal data by governmental or private entities as well as individuals.
- The data protection laws in South Korea provide very prescriptive, specific requirements throughout the lifecycle of the handling of personal data. Under these laws, the data subject’s consent is almost always required, in principle, to process his/her personal data.
On 6 January 2021, an additional amendment to the PIPA was published by the PIPC for public comment (only available to download in Korean here). Among other things, the proposed amendment introduces the right to data portability and the right to be excluded from automated decision-making, diversifies the methods of transferring personal data overseas and includes pseudonymised data in the scope of information that a data handler is required to destroy.
Heavy
- The protection of personal data in Kosovo is guaranteed by the Constitution of the Republic of Kosovo (‘the Constitution’).
- Article 36, paragraph 4 of the Constitution stipulates that the collection, storage, access, correction, and use of personal data is regulated by law.
- The first law regulating personal data protection was approved and entered into force in 2010, Law No.03/L – 172 on the Protection of Personal Data (‘the Law’). The Law established the basic principles and measures concerning the protection of personal data and the institution responsible for monitoring the legitimacy of data processing.
- Following the entry into force of the General Data Protection Regulation (Regulation (EU) 2016/679) (‘GDPR’), the data protection law in Kosovo has been amended and aligned with the GDPR.
Limited
The main legislation in the field of data protection is the Data Privacy Protection Regulation, No.42 of 2021 (‘the Data Privacy Regulation’).
The Data Privacy Regulation applies only to licensees that work to collect, process, and store personal and their users’ data content in whole or in part, whether the processing takes place within or outside Kuwait.
Personal data under the Data Privacy Regulation includes information that can identify an individual or an entity such as users of a telecommunications service provider. This encompasses but is not limited to name, identity, financial details, health records, ethnicity, religion, and any information that can pinpoint a person’s geographic location, fingerprint, DNA, or internet contact details.
Limited
- The Law of the Kyrgyz Republic of 14 April 2008 No. 58 on Personal Information as amended by the Law of the Kyrgyz Republic of 20 July 2017 No. 129 (only available in Kyrgyz here and Russian here) was adopted to govern personal data matters, on the basis of generally accepted international principles and standards in accordance with the Constitution of the Kyrgyz Republic (only available in Kyrgyz here and Russian here) and other laws of the Kyrgyz Republic.
- The Law on Personal Data ensures the protection of rights and freedoms related to the collection, processing, and use of personal data.
- The President of the Kyrgyz Republic by Decree of 14 September 2021 No. 391 (only available in Kyrgyz here and Russian here) announced the creation of the State Agency for Protection of Personal Data. The State Agency for Protection of Personal Data under the Cabinet of Ministers of the Kyrgyz Republic was registered on January 10, 2022, and as of now, the Agency is a Regulator for data protection.
L
Limited
- From 2012, Laos has introduced this framework by circulating relevant information only. This trend has accelerated since 2015 with the publication of the Law on Cyber Crime. In addition, for both professionals and non-professionals, the authorities have provided a series of guidelines of best practices for the use of software and hardware, social media platforms, and better protection of electronic data.
- The Electronic Data Protection Act 2017 (only available in Lao here) (‘the Act’) and the Ministry of Post, Telecommunications and Communications regulate data protection in Laos.
- The Act came into force in 2017 providing data protection to Lao citizens in circumstances where electronic information is collected, accessed, used or disclosed.
- The Act is supplemented by the Introduction on Implementation of the Electronic Data Protection Act (only available in Lao here), which sets out examples of how data protection procedures may be implemented by companies.
Heavy
- The General Data Protection Regulation (Regulation (EU) 2016/679) (GDPR) is a European Union law which entered into force in 2016 and, following a two-year transition period, became directly applicable law in all Member States of the European Union on May 25, 2018, without requiring implementation by the EU Member States through national law.
- The Personal Data Processing Law has been approved by the parliament and came into force on July 5, 2018. This law provides legal prerequisites for the implementation of the GDPR in Latvia and replaced the current Personal Data Protection Law.
- Apart from the Law, Government Regulations No. 620, the Data Protection Specialist Qualification Rules (only available in Latvian here), which were adopted on 6 October 2020, are relevant.
Limited
- While Lebanon does not have comprehensive data protection legislation, privacy provisions are contained in Law No. 81 of 10 October 2018 on Electronic Transaction and Personal Data (‘the Law’).
- The Law does not establish an independent data protection authority; however, it provides that any intended data processing activity must be notified to the Ministry of Economy and Trade (‘the Ministry’).
Limited
- The right to privacy is recognized and protected under the Constitution of the Kingdom of Lesotho.
- Lesotho has established a Data Protection Act, 2013 (the DP Act). The DP Act provides principles for the regulation of the processing of any personal information in order to protect and reconcile the fundamental and competing values of personal information privacy.
Limited
- Liberia is yet to enact a general data protection law. However, Liberia’s Constitution of 1986 (‘the Constitution’) provides for the right to privacy. In particular, Article 16 of the Constitution provides that no person shall be subjected to interference with his privacy of person, family, home or correspondence except by order of a court of competent jurisdiction.
Limited
- There is currently no general data protection legislation.
- There is currently no general data protection authority.
- However, Articles 12 and 13 of Constitutional Declaration 2011 of Libya guarantee the right to a private life for citizens and the confidentiality of correspondence, telephonic conversations and other forms of communications except where required by a judicial warrant respectively. Additionally, Law No. (6) of 2022 regarding electronic transactions (only available in Arabic here), provides for protection of personal data in relation to electronic transactions under Chapter 7.
Heavy
- The General Data Protection Regulation (Regulation (EU) 2016/679) (GDPR) is a European Union law which entered into force in 2016 and, following a two-year transition period, became directly applicable law in all Member States of the European Union on May 25, 2018, without requiring implementation by the EU Member States through national law.
- GDPR has been implemented through the Data Protection Act of 4 October 2018 (unofficial translation) (‘DSG’), the Data Protection Ordinance of 11 December 2018 (unofficial translation) (‘DSV’), and amended or supplemented through a number of other national acts.
Heavy
- The General Data Protection Regulation (Regulation (EU) 2016/679) (GDPR) is a European Union law which entered into force in 2016 and, following a two-year transition period, became directly applicable law in all Member States of the European Union on May 25, 2018, without requiring implementation by the EU Member States through national law.
- Two Luxembourg Data Protection Laws of August 1, 2018 have been enacted to implement the GDPR:
- The Law on the organization of the National Data Protection Commission (CNPD) and the general data protection framework. It has repealed the previous Law on Data Protection (amended Law of August 2, 2002) and completes the GDPR at the national level. Most of all it gives the framework for the CNPD’s organization, composition and powers under the GDPR and the applicable national law.
- The Law on the protection of individuals with regard to the processing of personal data in criminal matters as well as in matters of national security.
- The CNPD frequently advises the legislator on privacy aspects and has issued opinions on legal reforms regarding anti-money laundering, insurance, and financial trusts.
- Since the constitutional reform, which entered into force on July 1, 2023, data protection has been raised to a constitutional level in Luxembourg.
M
Heavy
- The Constitution of the Republic of North Macedonia guarantees the right to privacy of individuals in the scope afforded by the European Convention for the Protection of Human Rights and Fundamental Freedoms.
- The country is also a signatory to the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data 108/81.
- A new data protection law was adopted in February 2020 to align the national data protection legislation with the General Data Protection Regulation (Regulation (EU) 2016/679) (‘GDPR’).
- As with the GDPR, the territorial scope of the new data protection law is increased, and it applies to all organisations that process personal data of individuals residing in North Macedonia, including foreign organisations if they offer goods or services to or monitor the behavior of individuals in North Macedonia.
- As a result, many organisations that were not subject to the previous data protection legislation are now subject to the new data protection law, especially online businesses that process individuals’ personal data in North Macedonia.
Data controllers and processors must have ensured compliance with the provisions of the new data protection legislation by 25 February 2022.
Limited
- Law No. 2014-038 relating to the protection of personal data is the main regulatory framework in Madagascar (the ‘Data Protection Law’).
- The Law, adopted on 16 December 2014 and promulgated on 9 January 2015, declares that the processing of personal data is based on four main pillars, namely the principles of legitimate purpose and fairness of collection and processing, the existence of data subjects’ rights, the presence of an independent supervisory authority, and the establishment of an enforcement regime.
- In relation to its scope of application, the Law covers the processing of personal data carried out by controllers established on the state territory, as well as processing that utilises means that are located on the national territory, even when the controller is not established in Madagascar.
- CMIL, the independent authority responsible for the compliance with the principles provided in the Law, has not yet been established.
Limited
- Malawi does not have a comprehensive data protection law, but the Electronic Transactions and Cybersecurity Act No. 33 of 2016 replicates some provisions seen in data protection laws.
- The Malawi Communications Regulatory Authority is responsible for the implementation of Act No. 33 of 2016, and may impose administrative penalties of up to K5,000,000 for violations.
- The Constitution provides for the right and sectoral laws include provisions regarding data protection. For instance, the Act provides, among other things, principles governing the processing of personal data, legal bases for the processing activities, data subjects’ rights, and security measures that a controller must put in place when processing personal data.
In July 2021, MACRA announced that Electronic Transactions and Cyber Security Regulations are being developed, whose purpose would be to outline the role of MACRA, and the obligations of all relevant stakeholders. Although MACRA is the competent authority for the enforcement of the provisions of the Act, the Act also mandates the Government to adopt the necessary regulations in order to establish a legal framework to ensure the confidentiality of personal data.
Robust
- Malaysia’s first comprehensive personal data protection legislation, the Personal Data Protection Act 2010 (PDPA), was passed by the Malaysian Parliament on June 2, 2010 and came into force on November 15, 2013.
- As part of an ongoing review of the PDPA, the Personal Data Protection Commissioner of the Ministry of Communications and Multimedia Malaysia has issued Public Consultation Paper No. 01/2020 – Review of Personal Data Protection Act 2010 (PC01/2020) dated February 14, 2020 to seek the views and comments of the public on 22 issues set out in PC01/2020.
- In January 2022, the PDP issued the Guide to Prepare Personal Data Protection Notice (‘Guide to prepare PDP notice’), which serves as a reference to data users in micro, small, and medium enterprises.
Limited
- The Maldives has not yet enacted any comprehensive data protection legislation.
- Therefore, matters pertaining to data protection fall under the right to privacy, which is protected in broad terms under the Constitution of the Republic of Maldives 2008 (‘the Constitution’), and Law No 6/2014 Penal Code of Maldives (‘the Penal Code’).
- In addition, for specific industries, there are other laws of general application that involve data protection issues.
Moderate
- In Mali, data protection is governed by Law No. 2013-015 of 21 May 2013 on the Protection of Personal Data and Law No. 2019-056 of 5 December 2019 on the Repression of Cybercrime.
- This legislation is applicable to natural, legal persons, the State, and any local authority, acting in whole or in part on the Malian territory.
- The Malian data protection authority (‘APDP’) is in charge of informing and advising data subjects and controllers of their rights and obligations, ensuring compliance with the applicable legislation, inflicting administrative sanctions and, if necessary, referring offences to the competent Public Prosecutor’s Office.
Heavy
- The General Data Protection Regulation (Regulation (EU) 2016/679) (GDPR) is a European Union law which entered into force in 2016 and, following a two-year transition period, became directly applicable law in all Member States of the European Union on May 25, 2018, without requiring implementation by the EU Member States through national law.
- The Data Protection Act 2018 (Act) (Chapter 586 of the Laws of Malta) and the Regulations (at present 8 in number) issued under it implement the requirements under GDPR.
- The Act repealed and replaced the previous Data Protection Act (Chapter 440 of the Laws of Malta).
- See Maltese legislation here.
Limited
- While the Republic of Marshall Islands does not have a personal data protection law, nor any legislation governing cybersecurity, the Marshall Islands has participated in international discussions related to cybersecurity and is a member of the Pacific Cyber Security Operational Network which, among other things, aims to strengthen cybersecurity across the Pacific.
- While the Republic of Marshall Islands does not have a personal data protection law, nor any legislation governing cybersecurity, the Criminal Code 2011 [31 MIRC Ch.1] includes a provision on violations of privacy (§250.12. of the Criminal Code 2011), which covers unlawful eavesdropping or surveillance and breach of privacy of messages and frames such conduct as misdemeanours.
Limited
- Draft Law No. 2017 – 020 on the protection of the personal data (only available in French here) (‘the Draft Law’)
- The Draft Law was adopted by the National Assembly on 22 June 2017 and sets out, among other things, requirements for data processing as well as data subject rights.
- The Draft Law also lays the groundwork for the creation of a data protection authority. However, since the adoption of the Draft Law there have been minimal developments.
- The Prime Minister outlined in his review of 2015-2017 and plan for 2018 (only available in French here) that the legal basis for Mauritanian information society, including the formation of a data protection authority and electronic certification authority, had been established.
- Mauritania is one of several jurisdictions to have signed but not yet ratified the African Union Convention on Cyber Security and Personal Data Protection.
Moderate
- Mauritius regulates data protection under the Data Protection Act 2017 (DPA 2017 or Act), proclaimed through Proclamation No. 3 of 2018 and effective on January 15, 2018.
- The current Data Protection Act 2017 (‘the Act’) is aligned with international standards, namely the General Data Protection Regulation (Regulation (EU) 2016/679) (‘GDPR’) and the Convention for Protection of Individuals with regard to Automatic Processing of Personal Data (‘Convention 108’).
- However, there are certain instances in the Act where the provisions are not exactly the same as contained in the GDPR.
Moderate
Mexico has followed, along with other Latin American countries, the international trend of ensuring the protection of personal data. In this sense, the protection of personal data is a fundamental right recognised by the Constitution of Mexico (‘the Constitution’) since 2009. Following this recognition, the Federal Law on Protection of Personal Data Held by Private Parties (‘the Law’) was published in 2010.
The following year, the Regulations to the Federal Law on Protection of Personal Data Held by Private Parties (‘the Regulations’) were enacted. In 2013, the National Institute for Access to Information and Protection of Personal Data (‘INAI’), issued the Guidelines on Privacy Notices (only available in Spanish here) (‘the Guidelines’).
In January 2017, the long-awaited data protection law for the public sector was published: the General Law on Protection of Personal Data Held by Mandated Parties (only available in Spanish here) (‘the Public Sector Law’).
Limited
- There is currently no general data protection legislation.
- There is currently no general data protection authority.
Moderate
- Law of 8 July 2011 No. 133 on Personal Data Protection (‘the Law’) provides general personal data protection provisions, establishing data subject rights such as the rights to access, rectification, or erasure, and requirements to appoint data protection officers and provide data processing notifications.
- The Governmental Decision of 14 December 2010 No. 1123 on the Security of Personal Data within Automatic Databases (only available in Romanian here) established data breach notification requirements, as well as sanctions for failure to notify the NCPDP.
- Moldova has an Association Agreement with the EU through which it has committed to ensuring adequate safeguards for the protection of personal data, and is a signatory of the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data (‘Convention 108’).
- The Moldova EU Twinning Project is also particularly active, and a draft personal data protection law (only available in Romanian here) has been in discussion over the past few years that would further align Moldovan law with data protection requirements in the EU.
- In a new spurt of legislative reform, important amendments to the Law on Personal Data were enacted on 10 January 2022, passed by Law No. 175 of 11 November 2021 (only available to download in Romanian here) (‘the Amendments’), which aim to partially transpose the GDPR.
Robust
- Since then, the Act has been revised several times, most notably in 2008 to grant the Monegasque data protection authority (‘CCIN’) the status of an independent authority, and in 2015, to create a constitutionally compliant legal framework for the CCIN’s investigatory powers.
- In consideration of the importance of the finance sector (which is officially classified as a ‘sector of vital importance’ in Monaco), the CCIN works closely with local professional associations such as the Monaco Association for Financial Activities and has issued several recommendations for financial entities on issues such as anti-money laundering and tax transparency obligations.
- Notably, on 28 January 2022, the CCIN stated that a bill relating to the protection of personal data (only available in French here), which is intended to replace the Act, was submitted to the Monaco Office of the National Council. In particular, the bill consists of 114 Articles replacing the 26 Articles present in the law and aims to integrate into domestic law the international standards resulting from the Protocol amending the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data (‘Convention 108+’) of the Council of Europe and the General Data Protection Regulation (Regulation (EU) 2016/679) (‘GDPR’).
Limited
On December 17, 2021, the State Great Khural of Mongolia (‘Parliament’) adopted:
- the Law of Mongolia on Protection of Personal Data (available in Mongolian here) (‘the Law on Personal Data Protection’);
- the Law of Mongolia on Cyber Security (available in Mongolian here) (‘the Cyber Security Law’);
- the Law of Mongolia on Electronic Signature (available in Mongolian here) (‘the Electronic Signature Law’); and
- the Law of Mongolia on Public Information Transparency (available in Mongolian here) (‘the Public Information Transparency Law’).
- All came into force on May 1, 2022, repealing the Law of Mongolia on Personal Secrets (‘the Personal Secrets Law’), enacted on April 21, 1995, and the Law of Mongolia on Data Transparency and Right to Data (‘the Data Transparency Law’), enacted on June 16, 2011.
Moderate
- The Ministry of Interior prepared a draft of the new Personal Data Protection Act (only available for download in Croatian here) (‘Draft Law’), which was generally consistent with the text of the General Data Protection Regulation (Regulation (EU) 2016/679) (‘GDPR’), but omitted some important elements which the GDPR contains.
- On 10 April 2019, the Ministry of Interior invited stakeholders to take part in a public consultation about the Draft Law.
- On 9 July 2019, the Ministry published a document detailing the received suggestions which it will accept or reject.
- The Draft Law was under consideration by the European Commission as of October 2020, and the Parliament of Montenegro is expected to adopt the Draft Law in the first half of 2022.
Robust
- In Morocco, personal data protection is governed by Law n° 09-08 of 18 February 2009 (in French), relating to the protection of individuals with respect to the processing of personal data and by its Implementation Decree n° 2-09-165 of 21 May 2009 (in French).
- The law was initially enacted to encourage foreign investment, including the offshoring and outsourcing of processing activities related to European residents’ personal data. Morocco is, indeed, an important player in the offshoring and outsourcing market due to its proximity to European markets as well as its competitive telecommunication infrastructure and multilingual workforce.
- Since the adoption of the law, Morocco has made large efforts to ensure the effective protection of personal data and to have its data protection level recognized by the European Union to promote further international business. Moreover, Morocco requested an adequacy recognition decision from the European Commission as early as 2009. Today this request is still pending.
Limited
- In Mozambique there is no specific legislation on data protection or privacy.
- While there is no general data protection law, relevant provisions can be found in, among other things, the Constitution of the Republic of Mozambique (‘the Constitution’), which explicitly refers to computerised data and privacy, and various pieces of sectoral legislation. The Electronic Transactions Law (Law no. 03/2017, of 9 January) (only available in Portuguese here), for instance, provides requirements related to e-commerce.
Limited
- There is no general data protection law in Myanmar.
- However, the Constitution of the Republic of the Union of Myanmar 2008 (‘the Constitution’) and the Law Protecting the Privacy and Security of Citizens (Union Parliament Law 5/2017) March 8, 2017 (‘the Privacy Law’) both set out provisions for the protection of privacy and security of communications.
N
Limited
- Namibia has not enacted comprehensive data privacy legislation.
- However, Article 13 of the Constitution of the Republic of Namibia establishes a right to privacy. More recently, in November 2022 a Draft Bill was released, which outlines data processing principles, data subject rights including access and rectification, as well as restrictions on cross-border data transfers. Furthermore, the bill requires the appointment of a data protection officer and establishes a supervisory authority responsible for monitoring and enforcing compliance with the Draft Bill.
Limited
- Nauru has not enacted comprehensive data privacy legislation.
Limited
- Currently, Nepal does not have unified data protection legislation.
- The Individual Privacy Act 2075 (2018), enacted to implement and safeguard the fundamental right to privacy guaranteed by the Constitution, and the Individual Privacy Regulation 2077 (2020) (only available in Nepali here), framed thereunder, are regarded as the data protection legislation.
- Other general laws such as the Country Civil Code 2074 (2017) (‘the Civil Code’) and the National Penal (Code) Act (2017) (‘the Criminal Code’) also contain general provisions relating to privacy and data protection.
- Thus, in the absence of a specific data control legislation, the Privacy Act and Privacy Regulation shall govern all aspects of data protection and privacy in Nepal.
- In recent years, data breaches have been observed frequently in Nepal, in which the data of a large number of customers, including their names, mailing IDs, and phone numbers, was leaked publicly.
- On September 13, 2022, the Data Act 2079 (2022) (only available in Nepali here) (‘the Data Act’), which came into force on October 13, 2022, was promulgated with an aim to consolidate laws relating to data collection as well as to make the task of production, processing, storage, publication, and distribution of data more reliable, systematic, and timely. Nevertheless, the Data Act fell short of expectations to provide clarity on data protection-related matters and to include comprehensive provisions relating to data collection, processing, storage, and publication thereof as well as privacy-related issues. Instead, it is primarily focused on regulating data collected by governmental and public entities for official purposes rather than regulating general data privacy issues.
Heavy
- The General Data Protection Regulation (Regulation (EU) 2016/679) (GDPR) is a European Union law which entered into force in 2016 and, following a two-year transition period, became directly applicable law in all Member States of the European Union on May 25, 2018, without requiring implementation by the EU Member States through national law.
- The Dutch GDPR Implementation Act (Uitvoeringswet AVG, the Implementation Act) constitutes the local implementation of the GDPR in the Netherlands.
- The Implementation Act follows a policy-neutral approach, meaning that the requirements of the previous Dutch Data Protection Act (Wet bescherming persoonsgegevens) are maintained insofar as possible under the GDPR.
- The Implementation Act provides for, among other things, national rules where this is necessary for the implementation of GDPR provisions on the position of the regulatory authority or the fulfilment of discretionary powers provided by the GDPR.
Robust
- The Privacy Act 2020 and its Information Privacy Principles (IPPs) govern how agencies collect, use, disclose, store, retain and give access to personal information.
- The Act gives the Privacy Commissioner the power to issue codes of practice that modify the operation of the Act in relation to specific industries, agencies, activities or types of personal information.
- Enforcement is through the Privacy Commissioner.
- The Privacy Commissioner can also issue compliance notices requiring agencies to do or refrain from doing something in order to comply with the Act.
- It is of note that in May 2021, the UK’s Information Commissioner’s Office (‘ICO’) and the Office of the Privacy Commissioner of New Zealand (‘OPC’) signed a Memorandum of Understanding, under which they each affirmed their intent to deepen existing relations between the UK and New Zealand and promote exchanges to assist each other in the enforcement of laws protecting personal information.
Moderate
- Data protection in Nicaragua is regulated by the Law on Personal Data Protection No. 787 of 21 March 2012 (only available in Spanish here) (‘the Law’), published in the Official Gazette on 29 March 2012; and the Regulation of Law No. 787, Decree No. 36-2012 of 17 October 2012 (only available in Spanish here) (‘the Regulation’).
- The purpose of the Law is to protect personal information filed/stored in public and/or private records.
- Prior to the establishment of the Law and the Regulation, there was only a general constitutional provision establishing that all individuals are entitled to privacy.
Moderate
- Niger hastened to legislate in the field to regulate the protection of personal data by providing a ‘legal arsenal’ of a preventive but also repressive nature.
- In this respect, it referred to Law No. 2017-28 of 3 May 2017 on the Protection of Personal Data, amended and supplemented by Law N° 2019-71 of December 24, 2019 (only available in French here) (‘the Law’), which creates the High Authority for the Protection of Personal Data (‘HAPDP’).
Limited
In Nigeria, data protection is founded on the constitutional right to privacy under section 37 of the Constitution of the Federal Republic of Nigeria 1999 (as amended) (‘the Constitution’). The Nigeria Data Protection Act 2023 (‘NDPA’) is Nigeria’s main data protection legislation. The NDPA was enacted on June 12, 2023, and has been in effect since then.
Moderate
- The Republic of North Macedonia regulates personal data protection issues with the Law on Personal Data Protection, effective 24 February 2020. Data controllers and data processors have an 18-month period from the DP Law’s entry into force (i.e. until 24 August 2021) to harmonize their operations with the DP Law.
- The DP Law is largely harmonized with the General Data Protection Regulation (GDPR) of the European Union (EU).
Heavy
- The General Data Protection Regulation (Regulation (EU) 2016/679) (“GDPR”) is a European Union law which entered into force in 2016 and, following a two-year transition period, became directly applicable law in all Member States of the European Union on May 25, 2018, without requiring implementation by the EU Member States through national law.
- The GDPR was incorporated in the EEA Agreement by a Joint Committee Decision dated July 6, 2018. The new Norwegian Personal Data Act (“PDA”) implements GDPR and became effective as of July 20, 2018.
O
Moderate
- The country’s personal data protection framework changed considerably with the enactment of Royal Decree 6/2022 promulgating the Personal Data Protection Law (only available in Arabic here) (‘Oman PDPL’).
- The Oman PDPL was issued on February 9, 2022, and is now considered effective and in force as of February 13, 2023. It repeals Chapter 7 of the Electronic Transactions Law and introduces much more robust privacy provisions as well as core privacy law principles with a view to aligning Oman’s data protection landscape with global best practice enshrined in laws such as the European Union’s General Data Protection Regulation (Regulation (EU) 2016/679) (‘GDPR’).
- The provisions of the Oman PDPL have been clarified and supplemented by the Executive Regulations (‘the Regulations’) (only available in Arabic here), which were issued on January 28, 2024.
P
Limited
- Pakistan has not currently enacted data protection legislation per se, similar to the data protection legislation enacted in other countries of the world; however, the Prevention of Electronic Crimes Act, 2016 (“PECA 2016”) at present serves the same purpose to a certain extent.
- Moreover, a consultation draft of the Personal Data Protection Bill 2020 (“PDPB”) has been introduced by the Ministry of Information Technology and Telecommunications with a view to having it promulgated into law after public consultation, approval from both Houses of Parliament and receipt of assent from the President of Pakistan.
Limited
- Palau has not enacted any data protection legislation.
Moderate
The Law No. 81 on Personal Data Protection 2019 (only available in Spanish here) (‘the Law’) has been enacted and entered into force on 29 March 2021.
In addition, rules to the Law were published on 28 May 2021, through Executive Order 285/2021 (only available in Spanish here) (‘the Rule’).
There are several laws, such as the National Constitution of the Republic of Panama (only available in Spanish here) (‘the Constitution’), which regulate personal data protection.
The Constitution outlines the right to privacy of personal communications and documents, the right to access information contained in databases held by public bodies or by private persons providing public services, as well as to request the correction, rectification, or deletion of such information.
Limited
- While Papua New Guinea does not have a personal data protection law, the Cybercrime Code Act 2016 (‘the Act’) contains provisions relevant to cybersecurity and aspects of data protection.
- The Act, and cybersecurity more generally, is regulated by the National Information & Communications Technology Authority (‘NICTA’). Legislative developments in Papua New Guinea are often influenced by events and practices in Indonesia and Australia, as well as the Association of South East Asian Nations (‘ASEAN’).
Limited
- Law No. 6534/20 on the Protection of Personal Credit Data (only available in Spanish here) (‘the Credit Data Law’) entered into force on 28 October 2020 in Paraguay.
- In particular, it established a new regime for the protection of the credit data of all citizens, covering the incorporation, organisation, operation, rights, obligations, and termination of companies dedicated to obtaining and providing credit information, as well as the collection and processing of personal data.
- The Credit Data Law also appoints two authorities able to impose sanctions for breaches.
Moderate
- Currently, in the midst of a technological era, the protection of personal data has acquired greater relevancy in Peru.
- Not only have the obligations that data controllers and/or data processors must fulfil to ensure adequate processing of personal data been established through regulation, but, owing to the proactivity of the Peruvian data protection authority (‘APDP’), compliance with those obligations has also been verified by audits.
- This, together with an awareness of the importance of the protection of personal data, not only among those who are in charge of its processing, but also among those who share it without knowing the consequences that this may entail, has been fundamental to strengthening this area of law in Peru.
- The data protection right was first introduced by the Political Constitution of Peru (‘the Constitution’), which states, as a fundamental right, that ‘information services, whether computerized or not, whether public or private, will not provide information affecting personal and family privacy’ (Article 2(6) of the Constitution).
Moderate
- The Data Privacy Act of 2012 (“Act”) or Republic Act No. 10173, which took effect on 8 September 2012, is the governing law on data privacy matters in the Philippines.
- The National Privacy Commission (‘NPC’), which was established in early 2016, later issued the Implementing Rules and Regulations of Republic Act No. 10173 (‘IRR’), which became enforceable on September 9, 2016. The IRR provides, in greater detail, the requirements that individuals and entities must comply with when processing personal data, as well as the sanctions for violations of the Act.
Heavy
- Data protection in Poland is primarily governed by the General Data Protection Regulation (Regulation (EU) 2016/679) (‘GDPR’) which has been implemented into Polish law by virtue of Act of 10 May 2018 on the Protection of Personal Data (‘the Act’).
- In addition, Act of 21 February 2019 Amending Sectoral Laws to Ensure Application of GDPR (only available in Polish here) (‘the Amending Act’) aims at adjusting the Polish legal system to the requirements under the GDPR. It introduced changes to almost 170 separate sectoral acts.
Heavy
The fundamental right to personal data protection was established in the Constitution of the Portuguese Republic 1976 (‘the Constitution’).
The first Portuguese Data Protection Act No. 10/91 (only available in Portuguese here) was adopted in 1991, foreseeing the creation of the Portuguese supervisory authority in data protection matters.
Prior to the entry into force of the General Data Protection Regulation (Regulation (EU) 2016/679) (‘GDPR’), the general rule was the following: before initiating any personal data processing, the controller had to notify the Portuguese data protection authority (‘CNPD’) or obtain prior processing authorisation from the same entity.
The CNPD’s decisions taken in accordance with authorisation procedures have been very inconsistent.
Q
Moderate
- Qatar has implemented Law No. (13) of 2016 Concerning Personal Data Protection (“the Data Protection Law”).
- With its Data Protection Law—adopted in 2016—Qatar became the first Gulf Cooperation Council (GCC) member state to issue a generally applicable data protection law.
- While the Data Protection Law took effect in 2017, executive regulations further implementing this law are expected to be passed in 2021.
- The Qatar Financial Centre (“QFC”), a business center located on-shore in Qatar with its own regulations that are separate and distinct from those of the State of Qatar, implemented QFC Regulation No. 6 of 2005 on QFC Data Protection Regulations (“DPL”).
- Additionally, under the powers granted to the QFC Authority under Article 21 of the DPL, the QFC Authority has issued the Data Protection Rules 2005 (DPR).
R
Heavy
- The legal rules in Romania are mainly set out in Law No. 190/2018 Implementing the General Data Protection Regulation (Regulation (EU) 2016/679) (‘the Law’), which in principle reiterates the rules of the General Data Protection Regulation (Regulation (EU) 2016/679) (‘GDPR’), and in specific decisions issued by the National Supervisory Authority for Personal Data Processing (‘ANSPDCP’), which regulate main areas of the GDPR such as when Data Privacy Impact Assessments (‘DPIA’) will be mandatory, the accreditation of certification bodies, the conducting of investigations and managing complaints, and notifying security breaches.
- The ANSPDCP’s guidelines are quite scarce and generic, only reiterating the main GDPR principles and standards.
Moderate
- Fundamental provisions of data protection law in Russia can be found in the Russian Constitution, international treaties and specific laws.
- Russia is a member of the Strasbourg Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data (Convention) (ratified by Russia in 2006) and the Russian Constitution establishes the right to privacy of each individual (Articles 23 and 24).
- Most rules are found in specific legislation, particularly the Data Protection Act No. 152 FZ dated 27 July 2006 (DPA) and various regulatory acts adopted to implement the DPA.
- In January 2022, new rules for the accreditation of organisations that perform identification and/or authentication using biometric personal data came into force, pursuant to Decree of 20 October 2021 No. 1799 on the Accreditation of Organisations that Own Information Systems that Provide Identification and (or) Authentication using Biometric Personal Data of Individuals (only available in Russian here) (‘Decree No. 1799’) adopted by the Government.
- On 16 March 2022, the Council of Europe (‘CoE’) adopted Resolution CM/Res(2022)3 on legal and financial consequences of the cessation of membership of the Russian Federation in the Council of Europe (‘Resolution No. 3’). Alongside the cessation of membership of the Russian Federation in the CoE, it implies that Russia’s signatory status under the Protocol Amending the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data (‘Convention 108+’) has been suspended as of 16 March 2022, because it has not ratified it.
- In July 2022, the law significantly amending Federal Law of 27 July 2006 No. 152-FZ on Personal Data (as amended) (available in Russian here; an unofficial English version as of 2019 is available here) (‘the Law on Personal Data’) was adopted by the State Parliament (‘Duma’). The newly passed law provides new rules for personal data processing, especially cross-border data transfer, and establishes new mandatory requirements for both data controllers and data processors, among them a new requirement on data breach notification. The newly passed law entered into force on September 1, 2022. However, some of the law’s provisions came into force on March 1, 2023.
Limited
- Rwanda is on the verge of passing its first single and comprehensive legal instrument regulating privacy and data protection.
- As of 27 October 2020, Rwanda’s Cabinet approved the Rwanda Draft Data Protection Law 2020 (‘the Draft Law’) which was then sent to President Paul Kagame to sign into law.
- The Data Protection Law was published, on 15 October 2021, in the Rwanda Official Gazette. The Data Protection Law introduces principles related to lawfulness, fairness and transparency, purpose limitation and accuracy, and obligations related to data subject rights, registration as a data controller or data processor, pseudonymisation, sensitive data, data transfers, designation of a data protection officer, Data Protection Impact Assessments, and data breach notifications.
- Whilst the Draft Law will regulate the obligations of data controllers and processors, as well as afford data subjects general rights that protect their personal information, it does not establish a national data protection authority.
- However, there are other laws that deal directly or indirectly with data privacy and/or data protection as noted below.
S
Limited
- The Data Protection Act 2018 was published in the Official Gazette No. 31 on 7 June 2018; however, it is not yet in force. Once in force, the Act would establish data protection principles related to notice and choice, disclosure, security, retention, data integrity, and access. The Act would also set out data subject access and rectification rights, regulate the processing of sensitive data, and empower the Information Commissioner to ensure compliance with the Act.
Moderate
- Law No. 171 of 21 December 2018, Protection of Natural Persons with Regard to the Processing of Personal Data entered into force on 5 January 2019 and provides for a data protection framework that echoes the General Data Protection Regulation (Regulation (EU) 2016/679) (‘GDPR’).
- In light of the above, the Law was drafted considering the third-country status of San Marino in an ongoing effort to obtain an adequacy decision from the European Commission and enable data flows with the EU.
- In respect of the international landscape, San Marino has signed the Convention for the Protection of Individuals with Regard to Automatic Processing of Personal Data (‘Convention 108’), and is also a member of the Global Privacy Assembly (‘GPA’), following an accreditation resolution that included the Guarantor as a new member.
Limited
- Law No. 03/2016 on the Protection of Personal Data (only available in Portuguese here) establishes a relatively comprehensive data protection framework and addresses matters such as data processing notifications, data protection principles, data processor agreements, and essential data subject rights.
- Although the Law also requires notifications to the ANPDP in relation to data transfers, it does not provide for data breach notifications, nor does it cover data protection officer appointments or impact assessments.
- In 2018, a series of Resolutions were issued by the ANPDP that generally exempted data processing notifications under certain circumstances, primarily in relation to employment and employees’ data.
Limited
- The PDPL was published in the Official Gazette on 24 September 2021 and marks the introduction of Saudi Arabia’s first data protection law. Additionally, a draft version of the executive regulations supplementing the PDPL (‘the Executive Regulations’) was issued, on 10 March 2022, for public consultation and adds significant detail to the law.
- The PDPL will take effect on 17 March 2023; however, this may be delayed for a period of up to five years for entities located outside Saudi Arabia that process personal data of Saudi residents. The aim of the PDPL is to ensure the privacy of personal data, regulate data sharing, and prevent the abuse of personal data.
- Saudi Arabia issued its first comprehensive and unified national data protection law in September 2021 to regulate the collection and processing of personal data. The Saudi Arabia Personal Data Protection Law (as amended) (‘the PDPL’) has been implemented by Royal Decree No. M/19 of 9/2/1443H (16 September 2021) approving Resolution No.98 of 7/2/1443H (14 September 2021) and amended by Royal Decree No. M/147 of 5/9/1444H (21 March 2023), and came into effect on September 14, 2023.
Moderate
- In January 2008, Senegal adopted Law No. 2008-12 of 25 which provides a legal and institutional framework for the protection of personal data.
- The law established an independent authority known as the Commission of Personal Data (CDP) whose mandate is to ensure that the processing of personal data is implemented in accordance with the provisions of this law, and upholds the rights of data subjects and the obligations of data processors.
- A few years later in 2016, Senegal went on to become the first African country to ratify the continent-wide convention on Cyber Security and Personal Data Protection, which was adopted by the African Union in 2014.
Moderate
- The main piece of legislation currently regulating personal data protection in the Republic of Serbia is the Law on Protection of Personal Data (Official Gazette of the Republic of Serbia, No. 87/2018) (only available in Serbian here) (‘the Law’).
- The former Poverenik, Mr. Rodoljub Šabić, has, on many occasions, pointed out the drawbacks of the Law, stating that the existing legal framework in the field of protection of personal data is far from adequate especially in terms of its completeness.
- With regards to the Law, the former Poverenik has stressed that the content is convoluted, confusing, and therefore likely to be quite difficult to implement in practice.
Limited
- The key piece of legislation is the Data Protection Act 2002 (Act 9 of 2003) (‘the Act’) which was enacted in 2003 to provide individuals with privacy rights regarding the processing of personal data; however, at the time of writing, the Act is not yet in force.
- The Act will enter into force on such date as notified by the Minister in the Official Gazette.
Limited
No specific data protection legislation has been adopted.
Robust
- The Personal Data Protection Act 2012 (No. 26 of 2012) (‘PDPA’) governs the collection, use, and disclosure of individuals’ personal data by organisations in a manner that recognises both the right of individuals to protect their personal data, and the need of organisations to collect, use, and disclose personal data for purposes that a reasonable person would consider appropriate in the circumstances.
- Apart from the obligations imposed on organisations under the PDPA, there has been a general push towards a culture of accountability by the Personal Data Protection Commission (‘PDPC’), the regulator for data protection.
- For example, the PDPC implemented the Data Protection Trustmark Certification in 2019, which is a voluntary enterprise-wide certification program for organisations to demonstrate accountable data protection practices.
- The PDPA has recently undergone its first comprehensive revision since its enactment in 2012 under the Personal Data Protection (Amendment) Bill 2020 (‘the Amendment Bill’) which was passed on 2 November 2020 and which was formally enacted as the Personal Data Protection (Amendment) Act 2020 (‘the Amendment Act’).
Notably, not all provisions under the Amendment Act have come into effect. For example, the enhanced financial penalty regime enables the PDPC to impose financial penalties of up to 10% of an organisation’s annual turnover in Singapore (if the organisation’s annual turnover in Singapore exceeds SGD 10 million (approx. €6.85 million)), or SGD 1 million (approx. €684,600), whichever is higher, and will take effect from 1 October 2022. Similarly, the provisions on the new data portability obligation will also take effect at a later date.
Heavy
- The Act No. 18/2018 Coll. on Protection of Personal Data (‘the Act’) was adopted on 29 November 2017 and entered into force on 25 May 2018.
- In addition to the GDPR, the Act also implements the Data Protection Directive with respect to Law Enforcement (Directive (EU) 2016/680) (‘the Law Enforcement Directive’).
- The Act is enforced by the Office for Personal Data Protection of the Slovak Republic (‘ÚOOÚ’), which among other things, acts upon data subjects’ complaints, adopts guidelines, participates in the protection of fundamental rights of natural persons in relation to the processing of personal data, and executes data protection supervision.
Limited
After several years in the making and four attempts, the Slovenian Parliament (‘the Parliament’) adopted the new Personal Data Protection Act 2022 (only available in Slovene here) (‘ZVOP-2’) in December 2022, which came into effect on January 16, 2023. With the ZVOP-2, Slovenia became the last EU Member State to adopt the legislative provisions on the matters left by the General Data Protection Regulation (Regulation (EU) 2016/679) (‘GDPR’) to the competence of EU Member States.
In addition to tailoring the GDPR to the specifics of Slovenian national laws, the ZVOP-2 appoints the Information Commissioner (‘the Commissioner’) as the Slovenian data protection supervisory authority and repealed and replaced the previous Personal Data Protection Act 2004 (‘the Act’).
Limited
On March 23, 2023, the Data Protection Act, 2023 (‘the Act’) was enacted as Somalia’s main data protection legislation. The Act applies to the processing of personal data and provides principles governing such processing, including legal bases.
In line with international norms, the Act also provides data subject rights, including the rights to access, correction, deletion, and objection. Moreover, the Act establishes data controller obligations such as breach notification, the conducting of Data Protection Impact Assessments, vendor management, and restrictions on cross-border transfers.
Moderate
- The right to privacy is recognized as a fundamental human right in the Bill of Rights of the Constitution of the Republic of South Africa and is protected in terms of the Constitution and the common law.
- This right to privacy is not absolute and may be limited where it is reasonable and justifiable to do so.
- The Protection of Personal Information Act, 2013 (Act 4 of 2013) (‘POPIA’) came into effect on 1 July 2020, save for certain provisions, but there is a one-year grace period within which to comply with POPIA. POPIA specifically regulates the processing of personal information that is entered into a record pertaining to natural living persons as well as existing legal persons.
The Republic of South Africa has seen its first specific data protection law come into effect on 1 July 2021, joining the rest of the world in protecting the right to privacy in this digital age of the Fourth Industrial Revolution.
Heavy
- The General Data Protection Regulation (Regulation (EU) 2016/679) (GDPR) is a European Union law which entered into force in 2016 and, following a two year transition period, became directly applicable law in all Member States of the European Union on 25 May 2018, without requiring implementation by the EU Member States through national law.
- After a very long delay and amidst rumors that the Spanish Parliament could be dissolved and early elections called, the Spanish Senate speedily dismissed all proposals for further changes and approved the new Spanish Fundamental Law on Data Protection and digital rights guarantee, which is in force from 7 December 2018 (“NLOPD”).
Limited
- Presently, Sri Lanka does not have any consolidated and/or specific laws on data protection.
- Several pieces of data protection-enabling legislation are industry-specific. Such legislation does not, however, provide a definition for the term ‘data’ nor specific provisions for implementation.
- Notably, the Ministry of Digital Infrastructure and Information Technology (‘MDIIT’) and the Legal Draftsman’s Department (‘LDD’) launched, in 2019, a draft for an Act to Provide for the Regulation of Processing Personal Data (2019), which provides fundamental principles of privacy and data protection and is modeled after data protection legislation in place by similar countries.
- In early 2021, the LDD released a final draft version of an Act to Provide for the Regulation of Processing of Personal Data (2021) (‘the Draft Bill’). The Draft Bill is currently awaiting final approval and thereafter will be submitted to the Cabinet of Ministers (‘the Cabinet’) and published as an official Bill.
- The Personal Data Protection Act No. 9 of 2022 (‘PDPA’) was passed in the Parliament of Sri Lanka (‘the Parliament’) and was certified by the Speaker on 19 March 2022. Section 1 of the PDPA provides for the mechanism and specific periods by and on which the PDPA would gradually come into force as follows.
Part V of the PDPA was given effect by Order of the Minister of Technology as empowered under the PDPA on July 21, 2023, by Gazette Extraordinary Order No. 2341/59 and accordingly, the Data Protection Authority (‘the Authority’) has been set up.
On January 8, 2024, Order No. 2366/08 confirmed that Parts VI, VIII, IX, and X of the PDPA entered into effect on December 1, 2023, while Parts I, II, III, and VII of the PDPA will enter into effect on March 18, 2025.
Limited
- There is currently no enacted data protection legislation in Sudan.
Limited
- There is currently no enacted data protection legislation in Sudan.
Limited
- The Bill for the Privacy Protection Act and Personal Data (only available in Dutch here) (‘the Bill’) was presented to the Suriname National Assembly in 2018 and considered by the Committee of Rapporteurs on 21 January 2021. The Committee had several questions and sought feedback on the Bill. However, there has been no further progress since this time, and the Bill is still under consideration in the National Assembly.
Heavy
- The General Data Protection Regulation (Regulation (EU) 2016/679) (GDPR) is a European Union law which entered into force in 2016 and, following a two year transition period, became directly applicable law in all Member States of the European Union on 25 May 2018, without requiring implementation by the EU Member States through national law.
- The Data Protection Act (2018:218) and the Data Protection Ordinance (2018:19) (the “DPA”) – The DPA regulates general aspects of data protection where the GDPR allows, e.g. processing of social security numbers and processing of data pertaining to criminal offences. The DPA entered into force on 25 May 2018.
- In addition to the Swedish DPA, a vast number of sector specific acts have been adopted in Sweden, for example relating to the sectors of healthcare, finance, energy, environment, education, referendums/elections, enterprise, communication, labour market, etc.
Heavy
Swiss data protection law is rooted in the civil law protection of personality rights.
The Federal Constitution of the Swiss Confederation (‘the Constitution’) provides a constitutional right to privacy. Article 13 SFC protects the right to privacy in personal or family life and in a person’s home. Article 28 of the Swiss Civil Code (‘the Civil Code’) and the Federal Act on Data Protection 1992 (‘FADP’) put this fundamental right to privacy into concrete terms at a statutory level.
In addition to criminal liability governed by the FADP, a number of provisions of the Swiss Criminal Code (‘the Criminal Code’) are relevant in a data protection and privacy context.
The 26 Cantons, the federal states of the Swiss Confederation, have enacted their own data protection acts. These govern the processing of personal data by Cantonal authorities.
On September 25, 2020, the Federal Parliament enacted a revised FADP (the final text of which is accessible in German here, French here, and Italian here) (‘the Revised FADP’).
The Revised FADP will enter into force on 1 September 2023. It implements the requirements of the Council of Europe’s Modernised Convention for the Protection of Individuals with Regard to the Processing of Personal Data (‘Convention 108+’), and it aligns the FADP with the requirements of the European Union’s General Data Protection Regulation (Regulation (EU) 2016/679) (‘GDPR’) with the aim of retaining the European Commission’s adequacy finding.
- It is important to note that whereas the Revised FADP contains similar provisions and is aligned with the requirements of the GDPR, Switzerland has enacted its own law.
Limited
- There is currently no specific data protection legislation in force in Syria.
T
Robust
- Data protection in Taiwan is primarily governed by the Personal Data Protection Act 2023 (PDPA) and the Enforcement Rules of the Personal Data Protection Act (the Enforcement Rules).
- The Government of Taiwan (‘the Government’) has submitted its application to the EU for an adequacy decision pursuant to the General Data Protection Regulation (Regulation (EU) 2016/679) (‘GDPR’) and continues its dialogue with the EU in this regard.
- Meanwhile, the Government is evaluating whether the PDPA needs to be further amended in order to further align the PDPA with the GDPR.
Moderate
- Prior to 2018, the rights of data subjects had been protected by a range of existing laws that applied indirectly, due to the lack of comprehensive legislation on data protection.
- However, in 2018, Law of 3 August 2018 No. 1537 on Personal Data Protection (only available in Tajik here) (‘the Law on Personal Data’) was adopted, which established grounds for the regulation of relations between owners, operators, and data subjects.
- The Law on Personal Data also clearly sets out rules for obtaining consent and notifying the data subject in case of the transfer of her/his data, as well as conditions for cross-border transfer.
- The fundamental provision of Tajik legislation which provides for the right to protection of personal data is contained in Article 23 of the Constitution of the Republic of Tajikistan of 6 November 1994, which states that the collection, storage, use, and dissemination of personal data of an individual without their consent is prohibited.
Limited
The PDPA was passed into law on 27 November 2022 and contains detailed provisions imposing obligations on data controllers and data processors, including requirements associated with data security and international data transfers, and establishes the PDPC.
The PDPA entered into force on 1 May 2023, by means of Government Notice No. 326 of 2023 (only available in Kiswahili here), which was published on 28 April 2023. Subsequently, on 12 May 2023, the Data Protection (Collection and Processing of Personal Data) Regulations, 2023 (only available in Kiswahili here) and the Data Protection (Complaints Handling Procedure) Regulations, 2023 (only available in Kiswahili here), were published by the Ministry of Information, Communication, and Information Technology.
Moderate
- The Personal Data Protection Act 2019 (‘PDPA’) was published, on 27 May 2019, in the Royal Thai Government Gazette. The PDPA is the very first consolidated law governing data protection in Thailand.
- The Cabinet of Parliament of the Kingdom of Thailand (‘the Parliament’) approved the Royal Decree on the Organizations and Businesses of which Personal Data Controllers are exempted from the Applicability of the Personal Data Protection Act B.E. 2562 (2019) B.E. 2563 (2020) (only available in Thai here).
- The Royal Decree initially postponed the effective date of the enforcement of the PDPA in Chapters 2, 3, 5, 6, 7 and Section 95, on exempted organisations, until 31 May 2021.
- Following a second deliberation, the Parliament has approved a further one-year postponement of the effective date of the enforcement of the PDPA, under the Royal Decree on the Organizations and Businesses of which Personal Data Controllers are exempted from the Applicability of the Personal Data Protection Act B.E. 2562 (2019) B.E. 2564 (2021) (only available in Thai here) (‘the Royal Decree’), making the effective date of the PDPA 1 June 2022.
Limited
- The personal data protection industry is emerging in Togo.
- Law No. 2019-014 Relating to the Protection of Personal Data (only available in French here) (‘the Law’) provides the conditions for the collection, processing, transmission, storage, and use of personal data.
- In addition, in December 2020 the National Assembly issued a press release (only available in French here) announcing the adoption of a draft decree (‘the Decree’) on the organisation and functioning of the Togolese data protection authority (‘IPDCP’).
Limited
- There is currently no data protection legislation in force in Tonga.
Limited
Privacy as the overarching principle of which data or information privacy is a subset has been generally guaranteed protection in Trinidad and Tobago, as in numerous other jurisdictions, through constitutional provisions and international human rights law.
In terms of specific legislation, the Data Protection Act 2011 (‘the Act’) is the sole piece of legislation on the topic and deals, not with the broad issue of privacy, but specifically with that of the protection of personal information in the public and private sectors. It is not fully proclaimed as detailed below.
The DPA was partially enacted on January 6, 2012 by Legal Notice 2 of 2012, and only Part I and sections 7 to 18, 22, 23, 25(1), 26 and 28 of Part II have come into operation.
No timetable has been set for enacting the remainder of the DPA, and it is possible that there may be changes to the remainder of the legislation before it is proclaimed.
Robust
- Organic Act No. 2004-63 of 27 July 2004 on the Protection of Personal Data (available only in Arabic and French here) (‘the Law’) details the scope of data protection and sets up a national commission in charge of its enforcement.
- Several texts have been enacted such as the Law and Decree No. 2007-3004 of 27 November 2007 Laying Down the Conditions and Procedures for the Declaration and Authorisation of the Processing Of Personal Data (available only in Arabic and French here) (‘the Decree’).
- Tunisia became the 51st Member State of the Council of Europe Convention 108 on November 1, 2017.
- In March 2018, it introduced a new draft law on the protection of personal data in line with the new European GDPR in Parliament.
Moderate
- In April 2016, Turkey completed the final step in a long-running process to enact the Law on Protection of Personal Data No. 6698 (‘the Data Protection Law’).
- The Data Protection Law received Presidential approval and its final text was published in the Official Gazette, Number 29677 on 7 April 2016. Prior to this date, Turkey did not have specific legislation addressing personal data protection.
- The LPPD is primarily based on EU Directive 95/46/EC.
- To date, the legislature has enacted several regulations to implement various aspects of the LPPD.
- From April 7, 2016, onward, a general prohibition applied in Turkey on the processing or storing of personal data without explicit consent from the data subject, subject to certain limited exceptions where such consent is not required. Companies which held personal data prior to April 7, 2016, received a two-year grace period to ensure the data met the new legislative requirements.
Limited
- The legislation of Turkmenistan on personal information and its protection is based on the Constitution of Turkmenistan (only available in Russian here) and consists of the Law of Turkmenistan of 20 March 2017 on Information on Private Life and its Protection No. 519-V (only available in Russian here) (‘the Law on Information’) and other regulatory legal acts.
- The Law on Information sets the procedure for collecting, processing, and protecting personal information. Also, the Law on Information sets out the rights and obligations of the data subject and the operator and provides for sanctions for failure to comply with personal data protection requirements.
Limited
- There is currently no data protection legislation in force in Tuvalu.
U
Moderate
- Uganda passed the Data Protection and Privacy Act, 2019 (‘the Act’) in 2019.
- Following the passing of the Data Protection and Privacy Regulations, 2021 (‘the Regulations’) in May 2021, it is anticipated that the Regulations will implement the Act, which is not yet in effect. The Act and Regulations are intended to support privacy protections that are already guaranteed to Ugandans under the Constitution and complement sectoral laws for regulated activities that had previously incorporated data protection provisions.
- Article 27 of the Constitution grants the right to privacy and provides that the privacy of a person’s home, correspondences, communication or property, shall not be interfered with.
Moderate
- The Law of Ukraine No. 2297 VI ‘On Personal Data Protection’ as of June 1, 2010 (Data Protection Law) is the main legislative act regulating personal data protection in Ukraine.
- On December 20, 2012, the Data Protection Law was substantially amended by the Law of Ukraine ‘On introducing amendments to the Law of Ukraine “On Personal Data Protection”’ dated November 20, 2012, No. 5491-VI.
- The Data Protection Law essentially complies with EU Data Protection Directive 95/46/EC.
On 25 October 2022 a draft law on Personal Data Protection (only available in Ukrainian here) was submitted to the Parliament of Ukraine following the rejection of the previous data protection bill from June 2021.
The draft law provides, among other things, grounds for the processing of personal, sensitive, as well as biometric information; data subject rights; responsibilities for data controllers and operators, including the adoption of Privacy by Design and requirements for the security of processing and cross border data transfers, as well as the carrying out of Data Protection Impact Assessments.
Limited
- The Constitution of the UAE (only available in Arabic here) (‘the Constitution’) gives citizens a general right to privacy, and provisions of the Federal Law No. 5 of 1985: The Civil Code as amended by Federal Law No. 1 of 1987 (only available in Arabic here) (‘the Civil Code’) and the Federal Law No. 3 of 1987: The Penal Code (‘the Penal Code’) are also relevant when considering privacy related issues. Elsewhere, sector specific regulation (such as the telecommunications, consumer protection, and cybercrime laws) provides some limited data protection rights in certain circumstances.
- The United Arab Emirates (‘UAE’) published its first federal-level data protection law, Federal Decree-Law No. 45 of 2021 on the Protection of Personal Data (‘the PDPL’), on 20 September 2021.
Heavy
- Following the UK’s exit from the European Union, the UK Government has transposed the General Data Protection Regulation (Regulation (EU) 2016/679) into UK national law (thereby creating the “UK GDPR”). In so doing, the UK has made a number of technical changes to the GDPR in order to account for its status as a national law of the United Kingdom (e.g. to change references to “Member State” to “the United Kingdom”). These changes were made under the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019. At this time, all material obligations on controllers and processors essentially remain the same under the UK GDPR as under the ‘EU GDPR’.
- The Data Protection Act 2018 (“DPA”) remains in place as a national data protection law, and supplements the UK GDPR regime. It deals with matters that were previously permitted derogations and exemptions from the EU GDPR (for example, substantial public interest bases for the processing of special category data, and context-specific exemptions from parts of the GDPR such as data subject rights).
- The current version of the legislative framework (as amended, following the withdrawal of the UK from the European Union on 31 January 2020) has applied in the UK since 1 January 2021.
- The Retained EU Law (Revocation and Reform) Act 2023 (‘REULA’) entered into force and became law on January 1, 2024. The aim of the REULA is to ‘sunset’ specified EU laws that were retained as part of UK law after Brexit. The UK GDPR and PECR are not on the list of legislation due to be revoked, and accordingly, the UK data protection framework will retain all of its main constituent elements.
Heavy
- The US has several sector-specific and medium-specific national privacy or data security laws, including laws and regulations that apply to financial institutions, telecommunications companies, personal health information, credit report information, children’s information, telemarketing and direct marketing.
- The US also has hundreds of privacy and data security laws among its 50 states and territories, such as requirements for safeguarding data, disposal of data, privacy policies, appropriate use of Social Security numbers and data breach notification. California alone has more than 25 state privacy and data security laws.
- In addition, the US Federal Trade Commission (FTC) has jurisdiction over a wide range of commercial entities under its authority to prevent and protect consumers against unfair or deceptive trade practices, including materially unfair privacy and data security practices.
Limited
- Uruguay has a data protection system that follows EU data protection rules and has regulations that adapt its data protection system to the General Data Protection Regulation (Regulation (EU) 2016/679) (‘GDPR’).
- In 2012, it was the second country in Latin America to be declared adequate by the European Commission with regards to Article 25(6) of the Data Protection Directive 95/46/EC (‘the Directive’).
- In 2013, Uruguay ratified Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data (‘Convention 108’) of the Council of Europe. It was the first non-European country to do so, and the 45th country to be part of Convention 108.
- In 2021, Uruguay ratified the Modernised Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data (‘Convention 108+’) of the Council of Europe, which has not yet come into effect.
Moderate
- The legislative history of data protection in Uzbekistan can be divided into two periods. The first period started with Law of Uzbekistan of 24 April 1994 No 400-I on Guarantees and Freedom of Access to Information (only available in Uzbek and Russian here) (‘the Law on Information’), and lasted for 16 years, until the enactment of Law of Uzbekistan of 2 July 2019 No. ЗРУ-547 on Personal Data (only available in Uzbek and Russian here) (‘the Law on Personal Data’), which initiated the second period.
V
Limited
- Vanuatu has not yet enacted legislation relating to data privacy.
Limited
- In the Vatican City State, no specific laws have been adopted either by the Supreme Pontiff, the Pontifical Commission, or other legitimate Vatican City State authorities in relation to the fundamental right to privacy of natural and legal persons.
- Canon 220 of the Code of Canon Law refers to the protection of a good reputation and of intimitas, but does not provide for specific or self-contained rules related to personal data protection; it contains only general principles that can (and should) be articulated in more specific regulations.
Limited
- In Venezuela, there are no express regulations regarding data privacy.
- Nevertheless, the main laws and regulations on data privacy and data protection are set forth in the Constitution of the Bolivarian Republic of Venezuela (published in the Special Official Gazette No. 5.908 of February 19, 2009) (‘the Constitution’) and the Decision issued by the Constitutional Chamber of the Supreme Court of Justice on March 14, 2001 (‘the 2001 Decision’).
- According to the 2001 Decision, privileged information is constitutionally protected if such information, contained in one or more combined registries, could create a complete or partial profile of the individual whose data is included in such registries.
Moderate
- In Vietnam, the right to privacy and personal secrets is a constitutional right.
- However, Vietnam does not have a consolidated piece of legislation on the protection of personal data. Instead, rules and regulations on personal data protection can be found in several laws, including general laws such as the Civil Code and the Law on Cyberinformation Security and sectoral laws such as the Law on Electronic Transactions and the Law on Telecommunications.
- On April 17, 2023, the Government of Vietnam (the Government) issued Decree No. 13/2023/ND-CP on the Protection of Personal Data (April 17, 2023) (only available in Vietnamese here) (PDPD) which came into effect on July 1, 2023. The PDPD is the Government’s first step towards consolidating the regulations on personal data. Based on Decision No. 06/QD-TTg 2022 (January 6, 2022) (only available in Vietnamese here) of the Prime Minister of Vietnam, the Ministry of Public Security is tasked with researching and drafting a law on the protection of personal data, the first draft of which should be introduced in 2024.
Y
Limited
The Law on the Right to Information outlines rights relating to information, the obligations of organisations to fulfil such rights, the appointment of an employee in organisations to supervise the use and collection of personal information, and security standards of organisations for information protection. Further, Chapter 4 of the Law on the Right to Information outlines specific obligations of organisations relating to personal information.
In addition, Law No. (46) of 2008 on consumer protection (only available in Arabic here) (‘the Consumer Protection Act’) provides for the right to be informed. The 2015 Draft Yemen Constitution (only available in Arabic here) outlines an inviolable right to privacy under Article 90, although owing to the ongoing conflict in Yemen its implementation has been delayed.
Z
Limited
- Zambia has enacted various pieces of legislation that provide for a safe, secure, and effective environment for the conduct and use of electronic communications.
- Data privacy and protection issues in Zambia are mainly regulated by the Electronic Communications and Transactions Act No. 4 of 2021 (‘the ECT Act’), the Data Protection Act No. 3 of 2021 (‘the Data Protection Act’), the Cyber Security and Cyber Crimes Act No. 2 of 2021 (‘the CSCC Act’), and the Information and Communications Technologies Act No. 15 of 2009 (‘the ICT Act’).
- Notably, on 1 April 2021 the Commencement Orders for the Data Protection Act, the CSCC Act, and the ECT Act were published in the Government Gazette as appointed by the Minister of Transport, Works, Supply and Communications (‘the Minister’), which caused the three Acts to enter into effect on the date that the Commencement Orders were published, in line with Section 1 of the respective Acts.
Limited
- In Zimbabwe, the starting point in recognising the right to privacy and protection of data privacy is Section 57 of the Constitution of Zimbabwe Amendment 20 of 2013 (‘the Constitution’), which affords every person with the right to privacy.
- The Freedom of Information Act (No. 1 of 2020) (‘the Freedom of Information Act’) was enacted into the laws of Zimbabwe on 1 July 2020 to provide for rights of expression, freedom of media, and the right of access to information held by entities in the interest of public accountability or for the exercise or protection of a right. It is a recently welcomed development which effectively repeals the Access to Information and Protection of Privacy Act of 2001 (‘the AIPP’).
- Whilst the Freedom of Information Act does not focus on data protection rights, certain provisions stated therein regulate the handling of personal information which directly affects data rights. More relevant to the present overview is the Cybersecurity and Data Protection Bill of 2019 (‘the Bill’) which was gazetted on 15 May 2020. The Bill is a transformative measure in Zimbabwean law with the primary purpose of protecting the privacy and data rights of those susceptible to infringement.
- It is difficult to predict at this point whether or not the Bill will be passed given the contentious issues raised at public hearings.
- On 3 December 2021, Zimbabwe gazetted the much-anticipated Data Protection Act [Chapter 11:12] (‘the Act’) into law. Originally referred to as the Cyber Security and Data Protection Bill, this new legal framework seeks to regulate a technology-driven business environment and to protect data subjects in cyberspace by ensuring the lawful use of technology.
For more information on data protection, visit the below sites:
1. https://ico.org.uk/for-organisations/guide-to-data-protection/