Data Protection Regulation Tracker

Proelium Law LLP | The UK’s foremost legal authority on high-risk jurisdictions and specialist risk services

Proelium Law LLP combines its legal and investigative experience to provide clients with an extensive suite of capability in the world of cyber and digital law.

Data protection regulations

In an increasingly technology-focused world, data protection has become a matter of great importance. Whilst some countries are yet to address data privacy, many are now implementing laws that bear similarities with the GDPR.

Today, there are more than 120 countries already engaged in some form of international privacy laws for data protection data is managed through rigorous protections and controls. With many countries still in the process of drafting dedicated legislation for data protection, it is clear that data regulation will continue to evolve.

This tracker aims to outline the data privacy legislation in each country, ranking their regulation and enforcement as one of the below:

Heavy • Robust • Moderate • Limited

Click below to jump to countries and territories by letter:

A‧B‧C‧D‧E‧F‧G‧H‧I‧J‧K‧L‧M‧N‧O‧P‧Q‧R‧S‧T‧U‧V‧W‧X‧Y‧Z

AFGHANISTAN

Limited

There is currently no general data protection law in Afghanistan.
The Constitution of Afghanistan does provide for the right to confidentiality and privacy of communications.
Additionally, sectoral laws such as the Telecommunications Services Law (available in Pashto and Dari here) and the Banking Law of Afghanistan contain some limited clauses on data protection.
The Penal Code of Afghanistan was amended in 2017 to include penalties for cybercrime, although these tend to focus more on AML/CTF issues.
Afghanistan is developing AML/CFT regime and completed its’ first national risk assessment in 2019.

ALBANIA

Robust

The Law on the Protection of Personal Data No. 9887 of 10 March 2008 (as amended) (‘the Law’), which reformed the previous data protection law in force from 1999, was amended in 2012 and 2014.
The Law incorporates provisions of the General Data Protection Regulation (Regulation (EU) 2016/679) (‘GDPR’).

The implementation of the Law is subject to several sub-legal acts, including but not limited to the following:

Decision of the Parliament No. 95/2019 of 12 September 2019 on the Appointment of the Commissioner for the Protection of Personal Data (only available in Albanian here); and
Decision of the Parliament No. 86/2018 of 19 July 2018 on the Approval of the Structure, Staff and Classification of Salaries of the Commissioner for the Right to Information and Protection of Personal Data (only available in Albanian here).

The Republic of Albania has also ratified the following international treaties:

Convention on the Protection of Individuals regarding the Automatic Processing of Personal Data (‘Convention 108’), as per Law No. 9288 of 7 October 2004 (only available in Albanian here); and
Amending protocol to the Convention On the protection of Individuals with regard to Automatic Processing of Personal Data, as per Law No. 49 of 12 May 2022 (only available in Albanian here).

ALGERIA

Moderate

Algeria enacted Law No. 18-07 of 25 Ramadhan 1439 Corresponding on June 10, 2018 Relating to the Protection of Individuals in the Processing of Personal Data.
The law has set out the conditions of the collection, recording, organisation, conservation, adaptation or modification, extraction, consultation, use, communication by transmission, dissemination or any other form of making available, reconciliation or interconnection, as well as locking, encryption, erasure or destruction of any information, whatever its support, concerning an identified or identifiable person, directly or indirectly, in particular by reference to an identification number or to one or more elements specific to their physical, physiological, genetic, biometric, psychic, economic, cultural or social identity.
Despite its publication in 2018, the entry in force of this Law is subject to the actual installation of the authority in charge of the protection of personal data which is until now (2024) not installed yet.
In addition, an e-commerce law was also enacted in 2018, Law No. 18-05 of 24 Chaâbane 1439 corresponding to May 10, 2018 relating to electronic commerce (only available to download in French here) (‘Law 18-05’). This legislation 18-05, among other things, sets out further protections for e-consumers, regulates cross-border e-commerce, and details obligations related to advertising through electronic means.
In broad terms, although these new laws have been introduced, there is little information released publicly on the enforcement of data protection or official guidance on compliance in Algeria and there is an absence of a national data protection authority.

ANDORRA

Robust

Whilst it is located between France and Spain and has close ties with the European Union, Andorra is not a member. The Qualified Act 15/2003, of 18 December, of Personal Data Protection, adopted in 2004 has since been replaced by Law 29/2021, of 28 October, of Personal Data Protection which outlines a number of data protection principles and data subject rights akin to those found within the General Data Protection Regulation (Regulation (EU) 2016/679) (‘GDPR’) (only available in Catalan here).
However, Andorra has ratified the Convention for the Protection of Individuals with Regard to Automatic Processing of Personal Data (‘Convention 108’) and all related texts.
Furthermore, Andorra obtained an adequacy decision from the EU, which enables the free flow of data, in 2010.
The Andorran legal system establishes that every person has the right to the protection of personal data that affects him, whatever his nationality or residence, within the framework of article 14 of the Constitution of the Principality of ‘Andorra which guarantees the right to privacy, honor and one’s image, interpreted in the light of the European Convention for the Protection of Human Rights and Fundamental Freedoms.

ANGOLA

Moderate

Angola regulates data privacy and has issued multiple laws for this matter.
Angola issued the Data Protection Law (Law no. 22/11, 17 June 2011), the Electronic Communications and Information Society Services Law (Law no. 23/11, 20 June 2011) in 2011
Angola then issued the Protection of Information Systems and Networks Law (Law no. 7/17, 16 February 2017) in 2017.
In 2021, Angola published two more statues: Joint Executive Decree 72/21 of 19 March 2021 approving the fees for the authorisation of credit information private agencies, and the Presidential Decree 60/21 of 10 March 2021 approving all other fees.
The privacy and data protection principles in the Constitution of the Republic of Angola (‘the Constitution’) include not only the right to privacy in Article 32, but also a writ called habeas data (Article 69 of the Constitution) which grants to the data subject the right to be informed of any data about them included in files, archives, and computerised records, as well as the purposes for which the personal data is processed and to request that such data be updated and corrected.
Finally, Angola enacted Law 11/20 of 23 April 2020 on the Identification and Location of Cellular Phones and Electronic Surveillance carried out by Police Authorities as well as Law 2/20 of 22 January 2020 on Video Surveillance.

ANTIGUA/ BARBUDA

Robust

D ata Protection Act, 2013 (No. 10 of 2013) (the “Act”).
The Act creates obligations for public and private bodies by establishing certain principles regarding the use of information, which include the principles of notice and choice, disclosure, security, integrity and access, among others.
It also provides various rights to data subjects, such as the right of access, the right to rectification of personal data and the right to not have their sensitive personal data processed unless certain conditions apply.
Finally, the Act appoints the Information Commissioner, established under the Freedom of Information Act, 2004 as the authority relevant for carrying out and enforcing the protection of data pursuant to its provisions.
Other relevant laws in Antigua and Barbuda include the Electronic Transactions Act, 2006, the Banking Act, 2015 and the Money Laundering (Prevention) Act, 1996.

ARGENTINA

Robust

The Personal Data Protection Act 25.326 (PDPA) was executed in 2000 to help protect the privacy of personal data, and to give individuals access to any information stored in public and private databases and registries.
The PDPA includes basic personal data rules. It follows international standards and has been considered as granting adequate protection by the European Commission.
Article 43(3) of the Federal Consitution recognizes the right to access and correct personal records held in public or private bodies (habeas data).
These provisions are not held to be an express constitutional right to privacy or data protection but do create the basic framework.
Resolution 4/2019 (only available in Spanish here), specifies mandatory guidelines for the application of the Act and address topics including video surveillance, automated data processing, consent, and biometric data. On 1 December 2022, Resolution 240/202 was passed which establishes the classification of offences under the Act respectively as minor, serious, and very serious, alongside the graduation of sanctions.

ARMENIA

Robust

Armenia’s first step in the protection of data came in the form of the Law of the Republic of Armenia of 13 June 2015 No. 49-ZR on the Protection of Personal Data.
Amendments to other regulatory acts were also conducted in relation the Personal Data Law, for instance, amendments to the Labour Code of the Republic of Armenia of 2004 to enhance the protection of employee’s personal data and regulation of their processing by the employer.
The main regulatory body for Personal Data in Armenia is the Personal Data Protection Agency.
The transfer of personal data is one of the directions highly regulated by the Personal Data Protection Agency.
In 2023, an exhaustive list of the countries providing a sufficient level of personal data protection was drafted by the Agency. In the case of data transfers to all other countries, which have not been included in this list, the consent of the Agency must be obtained.
The regulations are currently being reprocessed, the Government of the Republic of Armenia (‘the Government’) has developed a strategy for 2019-2023 for the adoption of new regulations and amendments to the existing ones.
Armenia is party to Convention 108 as well as its Additional Protocol.

AUSTRALIA

Heavy

Australia regulates data privacy and protection through a mix of federal, state and territory laws.
The Federal Privacy Act 1988 applies to private sector entities (such as corporate bodies, partnerships and trusts) with an annual turnover of at least AU$3 million. It also applies to all Commonwealth Government and Australian Capital Territory Government Agencies. This act regulates the handling of personal information and empowers the Privacy Commissioner to conduct investigations and enforce penalties. The Australian government is expected to implement reforms in 2024 to widen the scope of this law and make the law applicable to all business regardless of size.
Most states and territories in Australia have their own data protection legislation applicable to state government agencies and private businesses that interact with state government agencies. These acts include:
Many state, territory and federal legislation relate to data protection and may impact privacy. For example, legislation relating to health records or workplace surveillance.
The Telecommunications and Other Legislation Amendment (Assistance and Access) Act 2018 (Cth) (AA Act) provides law enforcement agencies with access to encrypted data for serious crime investigation and imposes obligations on “Designated Communications Providers”.
The Commonwealth Government is also in the implementation phases of the Consumer Data Right (CDR).
The CDR allows a consumer to obtain certain data held about that consumer by a third party and require data to be given to accredited third parties for certain purposes. By requiring businesses to provide public access to information on specified products they have on offer, it is intended that consumers’ ability to compare and switch between products and services will be improved, as well as encouraging competition between service providers, which could lead to better prices for customers and more innovative products and services.
The Australian Government has announced increased fines under the Privacy Act 1988 (Cth) No. 119 1988 (as amended) (‘the Privacy Act’) to be in line with other recent changes to administrative fines in other areas. The maximum fine for a serious invasion or repeated invasions of privacy (i.e. breaches of the privacy law) will be increased to up to the greater of AUD 10 million (approx. €6.3 million), three times any benefit obtained from the invasion breach (whichever the greater) and 10% of Australian annual revenue.

AUSTRIA

Heavy

Austria is a member of the European Union and so is required to comply with the General Data Protection Regulation (Regulation (EU) 2016/679) (‘GDPR’).
Austria has implemented GDPR gradually into its domestic legislation. In 2017, the existing Data Protection Act (Datenschutzgesetz 2000) was amended by the Data Protection Amendment Act 2018 (‘DSG’) in order to implement various regulations related to GDPR.
In addition to the DSG, further amendments to other statutory laws were adopted in order to implement the GDPR (mostly to adapt to the terminology of the GDPR). These amendments were included in the General Data Protection Adjustment Act (Materien-Datenschutz-Anpassungsgesetz 2018) and the research-sector specific Data Protection Adjustment Act – Science and Research (Datenschutz- Anpassungsgesetz 2018 – Wissenschaft und Forschung – WFDSAG 2018).
Further amendments in other laws have been made by the Second General Data Protection Adjustment Act, which was passed in June 2018 and applies retroactively.
Finally, ordinances were also passed regulating respectively the cases where a data privacy impact assessment is obligatory (the Obligatory DPIA Ordinance – DSFA-V) and the exemptions from the obligation to conduct a data privacy impact assessment (the DPIA Exemptions Ordinance – DSFA-AV).
Austria has also ratified Convention for the Protection of Individuals with Regard to Automatic Processing of Personal Data (‘Convention 108’).

AZERBAIJAN

Heavy

The data protection regime in the Republic of Azerbaijan is primarily regulated by the Law on Personal Data of 11 May 2010 No 998-IIIQ (only available in Azerbaijani here)
While the Personal Data Law follows several fundamental principles established in the General Data Protection Regulation (Regulation (EU) 2016/679) (‘GDPR’), there are certain key deviations.
Importantly, the Personal Data Law establishes the requirement to register the information system of personal data in the Republic of Azerbaijan with the Ministry of Transport, Communications and High Technologies.
In addition, specific requirements with respect to the protection of personal data and registration of the information systems are provided in the secondary legislation comprised of the acts of the Republic of Azerbaijan Cabinet of Ministers.
Azerbaijan is also a member of the Council Europe and signatory to several major international treaties which stipulate privacy. related requirements, including the Convention for the Protection of Individuals with Regard to Automatic Processing of Personal Data (‘Convention 108’).
The main regulator for data protection is the ministry.

BAHAMAS

Moderate

The Bahamas was one of the first Caribbean countries to enact a Data Protection (Privacy of Personal Information) Act, 2003 (DPA) which applies to the processing of personal data by both the private and public sectors.
The Commissioner has various powers under the Act, such as the capacity to prohibit the transfer of personal data outside the Bahamas under specific circumstances.
The Commissioner published several informational brochures, a Guide for Data Controllers, and other material between 2010-2015.
At present, the Act addresses certain essential data protection elements, including rights to access and erasure, establishing the data protection authority, data transfers, direct marketing, legal bases for processing, and enforcement processes.

BAHRAIN

Moderate

Bahrain enacted Law No. 30 of 2018 with respect to Personal Data Protection (“PDPL”) on July 12, 2018.
The PDPL is the main data protection regulation in Bahrain, and came into force on August 1st 2019.
The Law serves as the main piece of legislation with respect to data protection issues.
It is worth noting that the Law recently entered into force, therefore many procedural and regulatory issues which are to be decided by the Data Protection Authority’s resolution are yet to be issued.
It should be noted that, as per Resolution No. 78 of 2019 (only available in Arabic here), published in the Official Gazette on 3 October 2019, the Ministry of Justice and Islamic Affairs shall exercise the duties of the Authority.
Between June and July 2021, eight implementing orders detailing specific obligations and responsibilities of data controllers, data processors and rights of data subjects were issued for public consultation.
On 17 March, 2022, the Authority issued a total of 10 enforcement decisions with guidelines supplementing the provisions of the Law.

BANGLADESH

Limited

The basic framework of data protection and privacy are laid out by the rights of privacy granted under the Constitution of Bangladesh (‘the Constitution’), along with the Information Communication Technology Act 2006 (only available in Bengali here) (‘the Technology Act’) and the Digital Security Act, 2018 (‘the Digital Security Act’).

BARBADOS

Moderate

The Data Protection Act 2019 (the “Act”) entered into effect on 31 March 2021 by proclamation from the Governor-General.
The Act is extensive, it has an extraterritorial scope and applies to the processing of personal data of Barbadians by a controller or processor not established in Barbados when it relates to goods or services provided in Barbados.
The Sections of the Act excluded from coming into effect on 31 March 2021 are expected to take effect upon publication of a further proclamation in the Official Gazette at a future date.

BELARUS

Moderate

Belarus’ data protection regulation is based on the Law of Information, Informatisation and Data Protection of 10 November 2008 and the Law on Population Register of 21 July 2008.
Legal requirements on technical measures are developed in a number of legal acts. The Edict of the President of the Republic of Belarus of 18 April 2013 No 196 is one of the most significant of these acts. Belarus is expected to adopt the Law on Personal Data Protection in 2021. This will be the first legal act intended especially for the regulation of personal data protection issues.
The Law of 7 May 2021 No. 99-Z on Personal Data Protection (‘the PDP Law’) sets out general principles of processing of personal data, provides for basic terminology in that field, defines the rights of data subjects as well as obligations of operators (similar to data controllers in General Data Protection Regulation (Regulation (EU) 2016/679) (‘GDPR’)) and their authorised persons (similar to data processors in the GDPR), including obligations on measures for the protection of personal data. The PDP Law comes into force on 15 November 2021.
There is a number of legislative amendments expected in order to implement the provisions of the PDP Law. In particular, it is expected that there will be amendments to the system of information relations currently established in the Law of 10 November 2008 No. 455-Z on Information, Informatization and Protection of Information.

BELGIUM

Heavy

Belgium is a member of the European Union and so is required to comply with the General Data Protection Regulation (Regulation (EU) 2016/679) (‘GDPR’).
The application of the GDPR in Belgium turns on whether an organisation is established in the EU. An ‘establishment’ may take a wide variety of forms and is not necessarily a legal entity registered in an EU member state.
The Act of 30 July 2018 on the Protection of Natural Persons with Regard to the Processing of Personal Data (‘the GDPR Implementing Law’) incorporates elements of the GDPR that allow for Member State specifications or restrictions.
The GDPR Implementing Law also transposes the Data Protection Directive with Respect to Law Enforcement (Directive (EU) 2016/680) which regulates the processing of personal data by law enforcement and establishes the Police Information Supervisory Body.
The GDPR Implementing Law repeals the Act of 8 December 1992 on the Protection of Privacy in Relation to the Processing of Personal Data, the Royal Decree of 13 February 2001 implementing the Act of 8 December 1992 on the Protection of Privacy in Relation to the Processing of Personal Data, the Royal Decree of 17 December 2003 regarding Certain Sectoral Committees within the Privacy Commission (only available in Dutch and French here), and Article 15(3) of the Act of 25 December 2016 regarding the Processing of Passenger Data (available in Dutch and French here).

Cryptocurrencies are legal, although there is no specific cryptocurrency legislation in place.
The Belgian government is waiting for guidance from the EU.
Government has warned investors about the risk of crypto fraud and lack of regulatory oversight.
Belgium’s has Bitcoin taxes, at 33% on any cryptocurrency income.

BELIZE

Limited

Belize adopted the Data Protection Bill (the “Act”) on 29 November 2021.
The Act regulates the collection, keeping, use and dissemination of personal data.
Privacy is also expressly considered in the Belize Constitution, though references can be found in some laws which regulate public and private entities, and which are required to obtain personal information.

BENIN

Moderate

The data protection regime in Benin is governed by Book V of the 2017 Digital Code of the Republic of Benin: Protection of Personal Data, and Law No. 2009-09: Dealing with the Protection of Personally Identifiable Information (PII). These laws have considerable overlap but differ slightly in their scope.
Law No. 2009-09 pertains to the digital processing of personally identifiable information in digital files or manuals, as well as personal identification mechanisms based on nominative, personal, and biometric information processed alongside a national ID number.
Book V pertains to the collection, treatment, transmission, storage, and use of personal data by a person, the state, local authorities, and legal persons, as well as automated processing and non-automated processing of personal data contained in files, or any processing of data for public security, defence, research, prosecution of criminal offences, or the security and essential interests of the state.
The Autorité de protection des données à caractère personnel (APDP) is tasked with ensuring the application of the provisions of Book V and respect for privacy in general

BHUTAN

Limited

The “Information, Communications and Media Act” came into force in 2018.
The Act gives Bhutan a minimal data privacy law, but its coverage regarding privacy does remain extremely limited.
The law covers almost all uses of electronic information and enables the creation of an Infocomm and Media Authority, a partly independent body with limited authority.
Under the Act, it is able to investigate and resolve complaints. The Act also covers offences and compensation in such cases.

BOLIVIA

Limited

Bolivia recognizes data protection as a constitutional right under The Political Constitution of the Plurinational State of Bolivia, in Article Nº130.
However, Bolivia lacks the comprehensive data protection framework necessary to properly regulate consent and make the collection and processing of personal information secure.
The Bolivian Political Constitution of 2009 (only available in Spanish here) (‘the Constitution’) establishes the rights to inviolability of private communications, as well as the right to know, object to, eliminate, or rectify registered data.
Currently, there are two draft laws in progress. The Citizen Law of Privacy and Data Protection in Bolivia is the most complete draft (available in Spanish here).
There are no further statutory rules around data protection.

BOSNIA AND HERZEGOVINA

Moderate

The Law on Protection of Personal Data (‘Official Gazette of BIH’, nos. 49/06, 76/11 and 89/11) (DP Law) is the governing law regulating data protection issues in Bosnia and Herzegovina (BiH). The DP Law came into force on July 4, 2006 and was amended on October 3, 2011.
Due to the deficiencies and non-alignment of the DP Law with the GDPR, in 2018, the competent authorities initiated the procedure for the adoption of a new GDPR compliant data protection law.
According to the publicly available information the draft of the new data protection law (Draft Data Protection Law), was forwarded to the Ministry of Civil Affairs and the adoption procedure before the Parliament should have been initiated.
However, due to the complex political situation as well as the Covid-19 pandemic, the Draft Data Protection Law is not adopted to date. However, we expect the Draft Data Protection Law to be adopted in its current text within 2021.
As part of the EU approximation process, Bosnia and Herzegovina (‘BiH’) has taken the obligation to harmonise all of its legislation with the EU laws. Therefore, BiH is obliged to harmonise its legislation with the Acquis Communautaire, which includes the harmonisation of the Law on the Protection of Personal Data No. 49/06 (‘the Law’) with EU regulations in the field of personal data protection.

BOTSWANA

Limited

Prior to the introduction of the Data Protection Act, 2018 Botswana did not have any primary legislation that regulated the protection of personal data.
The Data Protection Act, which was assented to by Parliament of Botswana on 3 August 2018, recently came into effect on 15 October 2021. However, there is a grace period of one year to any person processing personal data to allow them to conform with the Provisions of the Data Protection Act.
The Data Protection Act defines what constitutes personal data, as well as outlines the rights and obligations of parties involved in the processing of personal data, including the data subject, data controller and data processor.
Further, the Data Protection Act establishes the Information and Data Protection Commission (‘the Commission’), which will be responsible for ensuring the effective application of the Data Protection Act after its commencement.

BRAZIL

Moderate

The Brazillian General Data Protection Law (LGPD), Federal Law no. 13,709/2018, has been in force since September 18, 2020 after several discussions and postponements. This LGPD was largely aligned to the EU General Data Protection Act (GDPR).
The LGPD is a comprehensive data protection law that covers the activities of data controllers and processors and creates requirements for the processing of information of data subjects. It includes provisions on a variety of issues such as data protection officer (‘DPO’) appointments, Data Protection Impact Assessments (‘DPIA’), data transfers, data breaches, and the establishment of the Brazilian data protection authority (‘ANPD’).
The LGPD is in force, however and penalties issued started being enforceable from August 2021.
Prior to the LGPD, data privacy regulations in Brazil consisted of various provisions spread out across Brazilian legislation.

BRUNEI

Limited

No legislation or common law protects the privacy of information upon which an individual can be directly or indirectly identified.
In May 2021, Brunei published the Public Consultation Paper on Personal Data Protection for the Private Sector in Brunei Darussalam – it is anticipated that the Personal Data Protection Order will come into force in the near future.

BULGARIA

Heavy

The Bulgarian legislation on data protection does not encompass significant variations of the General Data Protection Regulation (Regulation (EU) 2016/679) (‘GDPR’). The data protection landscape is shaped by the Protection of Personal Data Act 2002 (‘the Act’) and the guidelines issued by the Commission for Personal Data Protection (‘CPDP’).
The Act is the main source of local data protection law. It was adopted in 2002 and now implements the provisions of the GDPR. The Act sets forth the legal framework for the CPDP established in 2002. Since then, the Act has been amended several times and its last revision followed the entry into force of the GDPR.

BURKINA FASO

Moderate

On 20 April 2004, Burkina Faso created a legal framework for the protection of personal data by adopting Law No. 010-2004/AN on the Protection of Personal Data. This was repealed and replaced in 2021 by the Act No. 001-2021/AN (available in French here) which strengthened the protection of the privacy of individuals and reinforced security requirements.
In addition, Burkina Faso’s application to accede to the Council of Europe’s Convention for the protection of individuals with regard to automatic processing of personal data of 1981 was accepted on 23 March 2017.
Burkina Faso has yet to ratify Convention 108.
Burkina Faso is a member of the French-speaking association of personal data protection authorities (Association francophone des autorités de protection des données personnelles).
As such, Burkina Faso has adopted on 22 November 2013 the resolution of Marrakech relating to the procedure for regulating transfers of personal data in the French-speaking area by means of binding corporate rules (‘BCR’).
The sanctions established under the 2021 Act are significantly stricter as they can reach 1% of a company’s turnover excluding tax and 5% in the event of a repeat offence.

BURUNDI

Limited

Burundi does not have a law that specifically regulates personal data protection.
Several laws and regulations do contain data protection provisions or impose confidentiality obligations on specific types of personal information such as laws surrounding employment, telecommunications, and health sectors. However, Burundi is yet to implement a stand-alone statutory provision for the protection of data.

Cape Verde

Moderate

Cape Verde provides individuals with several constitutional and statutory rights to personal data protection.
Major provisions in the data protection laws are effectively reproduced in the Constitution, which provides an additional layer of legitimacy.
Law No. 133, passed in 2001, was Cape Verde’s original data protection law. It closely mirrored European data protection laws at the time, as Cape Verde’s legal system largely draws from that of the Portuguese.
Law No. 41 was passed in 2013 to supplement and update Law No. 133, and Law No. 42 was subsequently passed to detail the responsibilities of the Cape Verdean data protection authority, known as the Comissão Nacional de Proteção de Dados Pessoais (CNPD). Cape Verde also introduced Law No. 121/IX/2021 in March 2021.
Law No. 42 establishes the CNPD as an independent administrative authority responsible for enforcing the data protection laws of Cape Verde.
Cape Verde ratified the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data (‘Convention 108’).

Cambodia

Limited

Cambodia has not yet enacted any comprehensive data protection legislation.
The latest update on a comprehensive personal data protection law was announced by the Ministry of Post and Telecommunications (‘MPTC’) on 19 February 2021, which stated that the MPTC intended to prepare a draft personal data protection law after finalising its draft cybersecurity law (‘the Draft Cybersecurity Law’). As of mid-2022, neither legislation is available.
Cambodia does have E-Commerce Law and the Consumer Protection Law which contain provisions of the protection of consumer data that has been gathered over the course of electronic communications.
Other matters pertaining to data protection typically fall under the right to privacy, which is protected in broad terms under the Constitution of the Kingdom of Cambodia 2010, the Civil Code of Cambodia 2007, and the Criminal Code of the Kingdom of Cambodia 2009.

Cameroon

Limited

Protecting data has become a major regulatory and legislative concern in Cameroon.
As a specific data protection law is still yet to be adopted, it is quite challenging for users to control the use of their data. The Constitution of Cameroon, provides for the right to protection against any privacy interference and Law No. 2010/012 on Cybersecurity and Cybercrime in Cameroon sets out provisions on protection of individual’s privacy, data retention and electronic communications confidentiality.
However, Cameroon is preparing a privacy bill (‘the Bill’), according to the competent services of the Ministry of Posts and Telecommunications.
The drafting of the Bill is ongoing.

Canada

Heavy

Canada is made up of 28 federal, provincial and territorial privacy statutes (excluding statutory torts, privacy requirements under other legislation, federal anti-spam legislation, criminal code provisions etc.) that govern the protection of personal information in the private, public and health sectors.
Although each statute varies in scope, they all set out a comprehensive regime for the collection, use and disclosure of personal information.
- Federal: Personal Information Protection and Electronic Documents Act 2000 (‘PIPEDA’);
- British Columbia: Personal Information Protection Act, SBC 2003 c 63 (‘BC PIPA’);
- Alberta: Personal Information Protection Act, SA 2003 c P-6.5 (‘AB PIPA’); and
- Quebec: Act respecting the Protection of Personal Information in the Private Sector, CQLR c P-39.1 (‘Quebec Private Sector Act’)recently amended by the Act to modernize legislative provisions as regards the protection of personal information, 2021, Chapter 25 (formerly known as Bill 64) which is scheduled to take effect between one and three years from the date of assent on 22 September 2021.
On 17 November 2020, Bill C-11 for the Digital Charter Implementation Act, 2020 (‘DCIA’) was introduced to the House of Commons, and would reform Canada’s federal private sector privacy laws by enacting the Consumer Privacy Protection Act and the Personal Information and Data Protection Tribunal Act.
The DCIA failed to pass both the House of Commons and the Senate before the Parliamentary session ended.

Chad

Limited

By Law No. 007/PR/2015 on the Protection of Personal Data, the Republic of Chad has organised the protection of personal data.
The purpose of this law is to put in place a mechanism to protect private and professional life following the collection, processing, transmission, storage, and use of personal data, subject to the protection of public order.

Chile

Moderate

Chile approved its first regulation on data privacy back in 1999, Law No. 19.628 on the Protection of Private Life 1999, which was the first of its kind in Latin America.
After a very short period, the Law became obsolete and has practically no enforcement due to the lack of a catalogue of violations, no official data privacy authority, and low fines, among other flaws.
In 2010, Chile became a member of the Organisation for Economic Co-operation and Development (‘OECD’) countries, committing to adapt data protection regulation and regularise the cross-border data flow.
On 15 March 2017, the Government presented Bill No. 11144-07 Regulating the Processing and Protection of Personal Data and Creating the Personal Data Protection Authority that modifies the Law based on GDPR standards and creates a data protection agency.
Its legislative process has been very slow, with countless indications, and it is still in the first legislative process.
Moreover, in 2018, data protection was incorporated as a constitutional guarantee.
In order to expedite the legislative procedure, on 15 December 2020, the Government decided to place the Bill into an ‘urgent’ category, in order to speed up the remaining stages. The Government expects the Bill to be approved during 2021.
On 7 October 2021, the Government amended the Bill incorporating the creation of an Agency for the Protection of Personal Data as the data protection authority (‘the Agency’), as well as setting certain precisions to the structure of fines. Shortly after, and in order to expedite the legislative procedure, the Government placed an ‘urgency’ to the Bill

China

Heavy

There is not a single comprehensive data protection law in the People’s Republic of China (PRC), although one has now been proposed (see below).

Instead, rules relating to personal information protection and data security are part of a complex framework and are found across various laws and regulations.

On June 1, 2017, the PRC Cybersecurity Law came into effect and became the first national-level law to address cybersecurity and data privacy protection

.Following this, there has been an abundance of implementing regulations and guidelines (herein referred to as Guidelines) proposed, issued or revised to flesh out the essentials and concepts introduced under the PRC Cybersecurity Law. These include, non-exhaustively:

National Standard of Information Security Technology – Personal Information Security Specification (PIS Specification), as amended and effective from October 1, 2020;
Guidelines on Internet Personal Information Security Protection, effective from April 19, 2019; and
National Standard of Information Security Technology – Guidelines on Personal Information Security Impact Assessment, effective from June 1, 2021.
The Decision on Strengthening Online Information Protection, effective from December 28, 2012 (Decision).

The Decision has the same legal effect as law, and its purpose is to protect the online information security, safeguard the lawful rights and interests of citizens, legal entities or other organizations, and ensure national security and public interests. While the PIS Specification and other Guidelines are only technical guides (covering in detail key issues such as data transfers, sensitive personal information and data subject rights), and thus not legally binding, they are highly persuasive.

Provisions contained in other laws and regulations may also apply depending on the industry or type of information involved (for example, personal information obtained by financial institutions and e-commerce businesses, personal information collected by telecom or Internet service/content providers, healthcare and genetic information, etc.).

In August 2021 China approved the Personal Information Protection Law (PIPL). PIPL established personal information processing rules, data subject rights and obligations for personal information processors.

China has also approved the Data Security Law which entered into force in September 2021. The legislation regulates data processing activities associated with personal and non-personal data.

In addition, the Civil Code of the People’s Republic of China (‘the Civil Code’) effective on 1 January 2021, expressly provides the right of privacy and personal information protection. The express protection of personal information under the Civil Code represents a new era of privacy and personal information protection. Meanwhile, new supporting rules (such as guidelines and standards) are expected in 2022 and beyond as China’s cybersecurity and personal information protection framework continues to evolve.

Colombia

Moderate

Colombia has various statutory provisions relating to data privacy.
Statutory Law 1266 of 2008 (Law 1266) regulates the processing of financial data, credit records and commercial information collected in Colombia or abroad.
Law 1266 defines general terms on habeas data and establishes basic data processing principles, data subject rights, data controller obligations and specific rules for financial data.
Furthermore, Statutory Law 1581 of 2012 (Law 1581) regulates all personal data processing, as well as databases. Law 1581 defines special categories of personal data, including sensitive data and data collected from minors.
The law further regulates the obtention of authorisation to treat personal data and the procedures for data processing. Moreover, the law creates the National Register of Data Bases (NRDB).
Law 1581 is applicable to all data collection and processing in Colombia, except data regulated under Law 1266 and certain other types of data or regulated industries.
Decree 1377 of 2013 (Decree 1377), is a piece of secondary regulation related to Law 1581 which outlines requirements for personal and domestic databases regarding authorization of personal data usage and recollection, limitations to data processing, cross-border transfer of databases and privacy warnings, among others. This Decree also requires controllers and processors to adopt a privacy policy and privacy notice.
Decree 886 of 2014 (Decree 886) and Decree 090 of 2018 (Decree 090) issued by the Ministry of Commerce, Industry and Tourism as well as the Resolution 090 of 2018 issued by the Superintendence of Industry and Commerce, regulate the National Register of Data Bases and sets deadlines for registration of existing data bases in Colombia.
The Data Protection Regulations are applicable to individuals, private and public companies, and governmental entities that carry out the processing of personal data of individuals (regardless of their nationality) who are domiciled in the territory of Colombia, and companies that process the personal data of people in Colombia, whether they are located/incorporated in Colombian territory.

Congo, Republic of the

Limited

Specific legislation on data protection has been approved relatively recently in the country.
On 10 October of 2019, the Republic of Congo (‘Congo’) adopted Law 29-2019 on the Protection of Personal Data The Law’s main objectives are to:

- set up a framework that ensures the protection of the fundamental rights and freedoms of natural persons, namely their privacy, regarding the processing of personal data;
- guarantee that information technology and communication remain at the service of citizens and do not infringe private and public freedoms, in particular the right to private life;
- ensure that, while the processing of personal data is conducted according to the fundamental rights, State prerogatives are also considered, as well as the rights of decentralised public administration entities, and the interest of companies and the civil society.
The majority of the essential principles and diligence arising from the Law are similar to those established under the GDPR. this may be related to the fact that it is a very recent law, that was enacted following the EU application of the GDPR.
Moreover, the Law also contains provisions regarding privacy on the electronic communications sector that also reflects the principles underlying the EU’s Directive on Privacy and Electronic Communications (2002/58/EC) (as amended) (‘the ePrivacy Directive’).

Costa Rica

Moderate

Data privacy regulation in Costa Rica is contained in two laws.
Law No. 7975, the Undisclosed Information Law, which makes it a crime to disclose confidential and/or personal information without authorization.
Law No. 8968, Protection in the Handling of the Personal Data of Individuals together with its by-laws, which were enacted to regulate the activities of companies that administer databases containing personal information. Therefore, the scope of the second law is limited.
However, the right to data protection has been recognised and protected in Costa Rica by the Constitutional Court since the 1990s, on the basis of Article 24 of the Political Constitution of Costa Rica (‘the Constitution’), which specifically recognises the right to intimacy, as well as the freedom and secrecy of communications.

Côte d’Ivoire

Limited

Data protection in Ivory Coast is governed by Law No. 2013-450, which details enforcement responsibilities for the Autorité de régulation des télécommunications/TIC de Cote d’Ivoire (ARTCI).
Under Law No. 2013-450, individuals have the right to:
obtain all of their personal data in an understandable form, as well as any available information as to the origin;
object, for legitimate reasons, to the processing of personal data concerning them;
oppose the processing of their personal data for prospecting purposes;
correct, supplement, update, lock, or delete personal data where it is inaccurate or incomplete; and
not be subject to decisions made on the sole basis of automated processing that would produce significant or detrimental legal repercussions for them.
However, the issue of personal data protection has grown since the entry into force of the General Data Protection Regulation (Regulation (EU) 2016/679) (‘GDPR’). Many international groups have required their subsidiaries in Côte d’Ivoire to comply with regulations. Today more and more companies and people are aware of this issue.

Croatia

Heavy

The General Data Protection Regulation (Regulation (EU) 2016/679) (GDPR) is a European Union law which entered into force in 2016 and, following a two-year transition period, became directly applicable law in all Member States of the European Union on May 25, 2018, without requiring implementation by the EU Member States through national law.
The Act on the Implementation of the General Data Protection Regulation (in Croatian as Zakon o provedbi Opće uredbe o zaštiti podataka) was enacted in the Croatian Parliament on April 27, 2018 and came into force on May 25, 2018 (the ‘Act’).
Also, the Act on Healthcare Data and Information, which came into force on 15 February 2019, regulates rights, obligations and responsibilities of legal and natural persons within the Croatian healthcare system with respect to healthcare data and information and, inter alia, sets out fundamental principles and standards of their collection, processing and protection.

Cuba

Limited

Governed by Law 149/2022 on Personal Data Protection (only available in Spanish here) (‘the Law’)
In Cuba, the Law regulates the protection of personal data, consolidating the right to privacy provided under Article 97 of the Constitution of the Republic of Cuba. The Law applies to public and private bodies, introduces the concepts of data owners, with specific rights, as well as responsible persons, and designated persons.
Processing of personal data in Cuba is underpinned by 12 personal data protection principles which must be complied with in any such activities.

Cyprus

Heavy

The General Data Protection Regulation(Regulation (EU) 2016/679) (GDPR) is a European Union law which entered into force in 2016 and, following a two-year transition period, became directly applicable law in all Member States of the European Union on May 25, 2018, without requiring implementation by the EU Member States through national law.
The Protection of Physical Persons Against the Processing of Personal Data and Free Movement of such Data Law 125(I)/2018, implements certain provisions of the GDPR into local law, entered into force on July 31, 2018
To ensure the proper application of the GDPR, the Office of the Commissioner for Personal Data Protection (‘the Commissioner’) has adopted certain guidelines issued by the Article 29 Working Party (‘WP29’) which has been replaced by the European Data Protection Board (‘EDPB’) and has also issued its own guidelines and opinions.

Czech Republic

Heavy

The General Data Protection Regulation (Regulation (EU) 2016/679) (GDPR) is a European Union law which entered into force in 2016 and, following a two-year transition period, became directly applicable law in all Member States of the European Union on May 25, 2018, without requiring implementation by the EU Member States through national law.
The new Czech Act No. 110/2019 Coll., on Personal Data Processing, being the Czech GDPR implementation law, finally came into effect on 24th April 2019.
This statute fully replaced the older Personal Data Protection Law (Act No. 101/2000 Coll., as amended) and regulates personal data processing within the scope of Regulation (EU) 2016/679 and then processing of this data by competent authorities for preventing, searching for and detecting criminal activity, ensuring safety and public order etc.
It also regulates the jurisdiction of the Office for personal data protection and personal data processing at the time of ensuring defence and security of the Czech Republic.

Dijibouti

Limited

There is currently no general data protection legislation.
There is currently no general data protection authority.

Dominica

Limited

There is currently no general data protection legislation.
There is currently no general data protection authority.

Dominican Republic

Moderate

Section 44 of the Dominican Constitution recognizes citizens’ right to access their personal data stored in public or private databases, as well as their right to information concerning the purpose and use of the same.
The Constitution also establishes that the processing of personal data must be carried out in accordance to the principles of:

- Reliability
- Legality
- Integrity
- Security, and
- Purpose of the information
The collection, storage and safekeeping of personal data, as well as usage and access rights concerning such personal data, are governed by the provisions of Law No. 172-13 on the Protection of Personal Data enacted December 13, 2013 (DPL).
Although there is no general data breach notification requirement under the Law, the Dominican Telecommunications Institute (‘INDOTEL’) requires the adoption of security measures, classified as basic, medium, or high depending on the type of information, and the notification of data breaches if they occur.

East Timor (Timor-Leste)

Limited

There is currently no general data protection legislation.
There is currently no general data protection authority.

Ecuador

Moderate

The National Assembly of Ecuador enacted on 26 May 2021 the Personal Data Protection Law. This is the first specific legal regulation about personal data protection.
The Law is currently in force, however some provisions will enter into force within the next two years (until May 2023), such as:

- any processing of personal data carried out prior to the entry into force of the Law must be brought into compliance with the provisions of the Law within two years of its publication.
- provisions related to corrective measures and sanctioning regime.
- All personal data controllers must adapt the international transfer of personal data to the new legislation.
In general terms, the Law reflects the principles and procedures set forth in the General Data Protection Regulation (‘GDPR’) enacted by the European Union. Therefore, if the company has experience in the regulatory and day-to-day aspects of the GDPR, it will not be inconvenient to comply with the requirements of the local law.
The appointment of the person who will head the Personal Data Protection Authority, known as the Data Protection Superintendency (‘the Superintendency’), is pending, which in turn must issue the secondary regulations to regulate different aspects of the Law.
The issuance of the General Regulation (‘Draft Regulation’) is still pending by the President of Ecuador

Egypt

Robust

On 13 July 2020, Egypt’s Government issued its long-awaited Data Protection Law, which establishes various standards and controls governing the processing and handling of personal data. The Law was published in the Official Gazette on 15 July 2020.
The Law is part of a growing trend of countries enacting comprehensive data protection laws, which reflect the European General Data Protection Regulation (GDPR).
The Law aims to safeguard the rights of individuals in Egypt in respect of their personal data and to place responsibilities on businesses in how they process personal data.
The enactment of the Law brings a new standalone data protection and privacy regime to Egypt

El Salvador

Limited

Currently, El Salvador does not have a law that specifically regulates data protection.
The Government is currently working on a data protection bill that would provide more specific rules and norms that facilitate an effective protection of this right.
Its enactment was expected for 2020, however it is still pending

Equatorial Guinea

Limited

Law No. 1/2016 on the Protection of Personal Data (there is currently no available copy of the Law)
Governing Body for the Protection of Personal Data is to be the authority governing data protection law, although it is not yet operational.

Eritrea

Limited

There is currently no general data protection legislation.
There is currently no general data protection authority.

Estonia

Heavy

The General Data Protection Regulation (Regulation (EU) 2016/679) (GDPR) is a European Union law which entered into force in 2016 and, following a two-year transition period, became directly applicable law in all Member States of the European Union on May 25, 2018, without requiring implementation by the EU Member States through national law.
In Estonia, all derogations / additional requirements to the GDPR are provided in the new Personal Data Protection Act (PDPA) and the Personal Data Protection Implementation Act (Implementation Act).
The new PDPA was adopted by the Estonian parliament on December 12, 2018 and entered into force on January 15, 2019. The Implementation Act was adopted on February 20, 2019 and entered into force on March 15, 2019.

Fiji

Limited

There is currently no general data protection legislation.
There is currently no general data protection authority.
Whilst there is no general data protection law in Fiji, the Constitution of the Republic of Fiji (2013) provides for a right to privacy, which includes a right to the confidentiality of personal information.
In addition, there are sectoral laws regulating electronic transactions, cybercrime, and consumer protection.
Additionally, the Online Safety Act, 2018 came into effect in January 2019, which aims to, among other things, deter misuse of personal information online. The Cybercrime Act 2021 was also enacted by the Parliament of the Republic of Fiji.

Finland

Heavy

The General Data Protection Regulation (Regulation (EU) 2016/679) (GDPR) is a European Union law which entered into force in 2016 and, following a two-year transition period, became directly applicable law in all Member States of the European Union on May 25, 2018, without requiring implementation by the EU Member States through national law.
Finland has passed a supplementary implementation act of the GDPR, the Data Protection Act of Finland (Tietosuojalaki), which entered into force on January 1, 2019.
Other key Finnish laws concerning data privacy and protection are: the Act on Electronic Communication Services 917/2014 (Laki sähköisen viestinnän palveluista) of January 1, 2015, which aims to, inter alia, ensure the confidentiality of electronic communication and the protection of privacy; the Act on the Protection of Privacy in Working Life 759/2004 (‘Working Life Act’) (Laki yksityisyyden suojasta työelämässä), and; the Act on the Processing of Personal Data in Criminal Cases and in connection with Maintaining National Security 1054/2018 (Laki henkilötietojen käsittelystä rikosasioissa ja kansallisen turvallisuuden ylläpitämisen yhteydessä), which entered into force on January 1, 2019 along with the Data Protection Act.

France

Heavy

The General Data Protection Regulation (Regulation (EU) 2016/679) (GDPR) is a European Union law which entered into force in 2016 and, following a two-year transition period, became directly applicable law in all Member States of the European Union on May 25, 2018, without requiring implementation by the EU Member States through national law.

France updated Law No. 78-17 of January 6, 1978 on information technology, data files and civil liberties (the “Law”) to GDPR with the enactment of (i) Law No. 2018-493 of June 20, 2018 on the protection of personal data, and (ii) Order No. 2018-1125 of December 12, 2018, adopted pursuant to Article 32 of Law No. 2018-493, updates the Law and other French laws relating to personal data protection in order to “simplify the implementation and make the necessary formal corrections to ensure consistency with EU data protection law”. France domestic data protection legislation was further completed with the adoption of Decree No. 2019-536, adopted for the application of the Law (the “Decree”). The Decree clarifies procedural rules of the French data protection authority, including its control and sanctions, and further specifies data subject rights.

Gabon

Limited

Gabon has a data protection law specifically addressing global protection for information identifying individuals.
The Gabon data protection authority, the Commission Nationale pour la Protection des Données à Caractère Personnel is (‘CNPDCP’) has entered into discussions periodically with civil society and its representatives regarding various matters (such as employee unions), addresses formal data complaints and has carried out training programs and awareness activities, so there is awareness to data protection in the country.
The CNPDCP is also an observing member of the Consultative Committee of Convention 108.
However, there is very limited available information on sanctions and penalties issued by the local data protection authority, and enforcement trends are therefore difficult to identify and predict.

The Gambia

Limited

There is currently no general data protection legislation.
There is currently no general data protection authority.
However, data protection provisions are included in both sectoral national legislation and policies and continental conventions and acts.
In addition, the Public Utilities Regulation Authority (‘PURA’) issued, in May 2019, its Draft Data Protection and Privacy Policy Strategy 2019 (‘the Draft Policy Strategy’), however, it should be noted that this policy document does not currently have the status of law.

Georgia

Heavy

Data Protection Legislation is regulated by the Office of the Personal Data Protection Inspector (‘PDP’)
Law of Georgia on Personal Data Protection of 28 December 2011 No. 5669 (‘the Data Protection Act’) was adopted in Georgia on 28 December 2011 and is the primary law governing the area of data protection and data processing activities.
In addition to the Data Protection Act, other normative acts such as the Law of Georgia on State Inspector Service (N3273-RS, 21.07.2018) and the Resolution of the Government of Georgia on the Approval of the Regulations on the Activities of the Personal Data Protection Inspector and the Rule of Exercising the Power by Him/Her (N180, 19.07.2013) (only available in Georgian here) contribute to the regulatory framework for data protection.
Moreover, in May 2019 the PDP registered the draft Law on Personal Data Protection (‘the Draft Law’) as a bill before the Parliament of Georgia; however, the Draft Law has yet to come into effect.
Specifically, the Draft Law aims at bringing Georgian legislation on personal data protection into closer alignment with the General Data Protection Regulation (Regulation (EU) 2016/679) (‘GDPR’).

Germany

Heavy

The General Data Protection Regulation (Regulation (EU) 2016/679) (GDPR) is a European Union law which entered into force in 2016 and, following a two-year transition period, became directly applicable law in all Member States of the European Union on May 25, 2018, without requiring implementation by the EU Member States through national law.
Germany has adjusted the German legal framework to the Federal Data Protection Act of 30 June 2017 (implementing the GDPR) (Bundesdatenschutzgesetz – ‘BDSG’).
The BDSG was officially published on July 5, 2017 and came into force together with the GDPR on May 25, 2018. The purpose of the BDSG is especially to make use of the numerous opening clauses under the GDPR which enable Member States to specify or even restrict the data processing requirements under the GDPR.
In addition to the BDSG, there exist a number of data protection rules in area-specific laws, for example those regulating financial trade or the energy sector. Many of these laws have been adapted to the GDPR by the Second Data Protection Adaptation and Implementation Act EU (Zweites Datenschutz-Anpassungs- und Umsetzungsgesetz EU – ‘2. DSAnpUG-EU’), which generally entered into force on November 26, 2019. However, some particularly relevant laws have so far remained unchanged, most notably the Telemedia Act (Telemediengesetz – ‘TMG’), raising questions about the continued applicability of the data protection rules contained therein.
On 1 December 2021, a new Federal Act on the Regulation of Data Protection and Privacy in Telecommunications and Telemedia (only available in German here) (‘TTDSG’) came into effect. The main purpose of the new law is to consolidate existing data protection provisions enshrined in the German Telemedia Act of 2007 and the German Telecommunications Act (only available in German here) in one new act and to implement the Directive on Privacy and Electronic Communications (2002/58/EC) (as amended) (‘the ePrivacy Directive’). The TTDSG contains rules, inter alia, regarding tracking technologies.

Ghana

Moderate

The primary legislation governing privacy/ data protection in Ghana is the Data Protection Act, 2012 (Act 843)
The 1992 Constitution of the Republic of Ghana (‘the Constitution) is the supreme law of Ghana and it is the instrument from which every piece of legislation derives its validity in Ghana.
The primary legislation which protects data privacy is the Data Protection Act, 2012 (‘the Data Protection Act’). The purpose of the Data Protection Act is to establish a Data Protection Commission (‘DPC’), to protect individuals’ privacy and personal data by regulating the processing of personal information.

Greece

Heavy

The General Data Protection Regulation (Regulation (EU) 2016/679) (GDPR) is a European Union law which entered into force in 2016 and, following a two-year transition period, became directly applicable law in all Member States of the European Union on May 25, 2018, without requiring implementation by the EU Member States through national law.
The Greek Law 4624/2019 “on the Hellenic Data Protection Authority, the implementation of Regulation 2016/679 and the transposition of Directive 2016/680” (Government Gazette A/137/29.08.2019) was enacted and entered into force in August 28, 2019.
The Law regulates the operation of the Hellenic Data Protection Authority, introduces GDPR supplementary rules and transposes the Law Enforcement Directive into Greek Law.

Grenada

Limited

There is currently no general data protection legislation.
There is currently no general data protection authority.

Guatemala

Limited

There is currently no general data protection authority.
Although the Political Constitution of the Republic of Guatemala (‘the Constitution’) recognises privacy and data privacy rights as a constitutional right, there is no specific law currently regulating data privacy.

Guinea

Limited

There is currently no general data protection legislation.
There is currently no general data protection authority.
Although, as yet, there is no general data protection framework in Guinea, data privacy is addressed in several pieces of legislation
These include the Constitution of Guinea 2010, as well as previous iterations of the constitution, which states under Article 12 that the secrecy of correspondence and communication is inviolable, and highlights the right to the protection of privacy.
The Law on Cybersecurity and Personal Data came into effect on 28 July 2016, and outlines requirements for combating cybercrime in part one, as well as for the protection of personal and sensitive data in part two.

Guinea-Bissau

Limited

There is currently no general data protection legislation.
There is currently no general data protection authority.

Guyana

Limited

There is currently no general data protection legislation.
There is currently no general data protection authority.
Guyana does not have a privacy or data protection law in place. However, it does have legislation specific to the financial sector, such as the Financial Institutions Act of 1995, the Anti-Money Laundering and Countering the Financing of Terrorism Act No. 13 of 2009 and the Credit Reporting Act of 2010.
The Bank of Guyana oversees anti-money laundering and countering the financing of terrorism activities. In addition, citizens of Guyana have the right to access information held by or under the control of any public authority, according to Act No. 21 of 2011 Access to Information Act 2011.

Haiti

Limited

There is currently no general data protection legislation.
There is currently no general data protection authority

Honduras

Limited

Personal data protection is regulated mainly in:
National Constitution: Article 182 provides the constitutional protection of habeas data, giving individuals the right ‘to access any file or record, private or public, electronic or hand written, that contains information which may produce damage to personal honour and family privacy. It is also a method to prevent the transmission or disclosure of such data, rectify inaccurate or misleading data, update data, require confidentiality and to eliminate false information. This guarantee does not affect the secrecy of journalistic sources.’
In addition, the Law for the Protection of Confidential Personal Data (the “Law”) is currently in discussion in the Honduran Congress. Congress has approved the first chapters of the Law. The complete approval of the Law and the date for when the Law will enter into force is expected in the first half of 2019.

Hungary

Heavy

The General Data Protection Regulation (Regulation (EU) 2016/679) (GDPR) is a European Union law which entered into force in 2016 and, following a two-year transition period, became directly applicable law in all Member States of the European Union on May 25, 2018, without requiring implementation by the EU Member States through national law.
The Hungarian Parliament implemented the GDPR into Hungarian laws by amending Act CXII of 2011 on the Right of Informational Self-Determination and on Freedom of Information. As of 26 April 2019 all the relevant sectorial laws were also amended in Hungary in order to comply with the provisions of the GDPR.
The Hungarian Parliament has begun to harmonise sectoral laws with the GDPR, in particular focusing on employment, and direct marketing. Other specific jurisdictional issues are expected to be discussed in the upcoming amendment of sectoral laws

Hong Kong

Heavy

The Personal Data (Privacy) Ordinance (Cap. 486) (Ordinance) regulates the collection and handling of personal data. The Ordinance has been in force since 1996, but in 2012/2013 was significantly amended (notably with regard to direct marketing).

A consultation paper was put before the Legislative Council in January 2020 (Consultation Paper) to propose certain changes to the Ordinance with the aim of strengthening data protection in Hong Kong. There is no indication on the timeline of any legislative amendments to the Ordinance.

Further amendments to the PDPO were introduced in 2021, pursuant to the Personal Data (Privacy) (Amendment) Ordinance 2021 (‘2021 Amendment Ordinance’), which took effect on 8 October 2021. The purpose of these amendments were, primarily, to address the acts of disclosing personal data without consent, i.e. ‘doxxing’.

Iceland

Heavy

The General Data Protection Regulation (Regulation (EU) 2016/679) (GDPR) is a European Union law which entered into force in 2016 and, following a two-year transition period, became directly applicable law in all Member States of the European Union on May 25, 2018, without requiring implementation by the EU Member States through national law.
The Act No. 90/2018 on Data Protection and the Processing of Personal Data (the ‘DPA’) implements the GDPR in Iceland. The law contains derogations and exemptions from the position under the GDPR in certain permitted areas.

India

Limited

The Constitution of India (‘the Constitution’) recognises a fundamental right to privacy.
This constitutional right casts a long shadow on Indian law and influences policy and judicial action and acts as a check on legislative and executive action. In addition to the public law implications, this right has influenced the development of a tortious right against the invasion of privacy and the interpretation of rights embodied in laws on consumer protection, health, IT, telecom licences, and the financial sector.
At present, the Information Technology Act, 2000 (the Act) and rules notified thereunder largely govern data protection in India.

Indonesia

Limited

In Indonesia, as of the date of this publication there is no general law on data protection.
Currently, Indonesia takes a patchwork approach to personal data protection legislation, with provisions related to data privacy appearing in several different pieces of legislation. In particular, Law No. 11 of 2008 on Electronic Information and Transactions, as amended by Law No. 19 of 2016 on the Amendment to Law No. 11 of 2008 on Electronic Information and Transactions provides certain data privacy rights.
In addition, the Kominfo Regulation No. 20 of 2016 on Personal Data Protection in Electronic Systems (‘Kominfo Regulation 20’) establishes significant data protection requirements for electronic system providers, and Government Regulation No. 71 of 2019 regarding the Implementation of Electronic Systems and Transactions (only available in Indonesian here) (‘GR 71’) outlines the procedural guidelines for the Law No. 11 of 2008 on Electronic Information and Transactions.
However, for a number of years, a new draft Bill on the Protection of Private Personal Data is being discussed but to this date, it has not been issued. Although the exact date remains uncertain and the Bill is still to be considered by the House of Representatives, if passed, this will become Indonesia’s first comprehensive law to specifically deal with the issue of data privacy.
The PDP Bill, if enacted, is expected to unify this system under a singular, comprehensive approach to personal data protection.
The PDP Bill is further anticipated to establish data sovereignty and security as the keystone of Indonesia’s data protection regime, and to introduce notable obligations for data owners and users. However, there are certain regulations concerning the use of electronic data.
The draft of the Personal Data Protection Act (only available in Indonesian here) (‘the PDP Bill’) was ratified by the House of Representatives on 20 September 2022, and is expected to enter into force upon its promulgation.

Iran

Limited

Iran has not enacted comprehensive data protection legislation.
A Draft Protection of Personal Data Law (only available in Persian here) (‘the Draft Law’) has been announced by MICEX and it is awaiting review from the Islamic Parliament of Iran, however the expected timeframe for parliamentary deliberations has not been clarified.
In particular, the Draft Law provides for the establishment of the Supervisory Board of Personal Data, which would be tasked with receiving and processing stakeholder complaints to protect personal data.
In the absence of an overarching data privacy law, the legal framework for privacy derives from a patchwork of other laws and regulations dealing with data protection alongside additional matters. Such legislation includes the Law on Publication and Access to Data 2009, the Electronic Commerce Law 2004, and the Cybercrime Law 2009 (only available to download in Persian here).

Iraq

Limited

There is no codified law that governs data protection in Iraq.
Data protection is governed briefly under various laws including the Iraqi Constitution, the Iraqi Penal Code No. 111 of 1969 (‘the Penal Code’), the Iraqi Civil Code (only available in Arabic here), and other laws which are sector-specific (e.g. banking laws, securities laws, labour laws, tax laws, etc.).
While a data protection law has been recently passed, it only applies to government entities, with the private sector remaining largely unregulated and subject to only piecemeal rules.
There are no data protection initiatives for the private sector. However, the Iraqi Government has been contemplating a cybercrime law for some time now.

Ireland

Heavy

The General Data Protection Regulation (Regulation (EU) 2016/679) (GDPR) is a European Union law which entered into force in 2016 and, following a two-year transition period, became directly applicable law in all Member States of the European Union on May 25, 2018, without requiring implementation by the EU Member States through national law.
The Irish Data Protection Act 2018 (“DP Act”) came into force on 25 May 2018 in order to give further effect to the GDPR in Ireland. The DP Act includes certain derogations, provides for the establishment of a new Data Protection Commission, implements the Law Enforcement Directive and otherwise addresses procedural aspects of the enforcement of data protection in Ireland.
The previous data protection legislation in Ireland, the Data Protection Acts 1988 to 2003, were largely repealed by the DP Act, however those Acts continue to apply in relation to certain limited purposes including national security and defence. Additionally, the previous legislation continues to apply in relation to complaints or infringements which occurred prior to 25 May 2018 as well as to investigations commenced (but not completed) prior to that date.

Israel

Robust

Data protection in Israel is governed primarily by the Protection of Privacy Law, 5741-1981 (‘the Privacy Law’) and the regulations promulgated under it, the Basic Law: Human Dignity and Liberty, 5752-1992, and the guidelines of the Israeli regulator, the Privacy Protection Authority (‘PPA’) (formerly known as the Israel Law, Information and Technology Authority (‘ILITA’)).
Additional legislation includes:
Protection of Privacy (Data Security) Regulations, 5777-2017 (‘the Data Security Regulations’);
Amendment No. 40 to the Communications Law (Telecommunications and Broadcasting), 5742-1982 (‘the Anti-Spam Law’);
Administrative Offences Regulations (Administrative Fines and Protection of Privacy) 2004 (‘the Administrative Fine Regulations’);
Protection of Privacy Regulations (Transfer of Information to Databases Abroad), 5761-2001 (‘the Transfer of Information Regulations’);
Protection of Privacy Regulations (Conditions for Possessing and Protecting Data and Procedures for Transferring Data Between Public Bodies) 1986 (only available in Hebrew here); and
Protection of Privacy Regulations (Conditions for Inspection of Data and Procedures for Appeal on a Denial of a Request to Inspect) 1981 (only available in Hebrew here) (‘the Data Inspection Regulations’).

Italy

Heavy

The General Data Protection Regulation (Regulation (EU) 2016/679) (GDPR) is a European Union law which entered into force in 2016 and, following a two year transition period, became directly applicable law in all Member States of the European Union on 25 May 2018, without requiring implementation by the EU Member States through national law.

The Italian data protection law framework has been harmonized with the GDPR by means of the Legislative Decree 101/2018, that entered into force on 19 September 2018, and amended a number of provisions of the Legislative Decree 196/2003 (the “Privacy Code”), as well as introduced some transitional provisions regulating the migration to the new regime.

Jamaica

Heavy

Since the implementation of the EU General Data Protection Regulation (Regulation (EU) 2016/679) (‘GDPR’) there has been a race amongst territories in the Caribbean to enforce data protection legislation.
The bill for the Data Protection Act, 2020 (‘the Act’) was recently passed by the Government of Jamaica (‘the Government’) but has not yet been enacted.
The Act will not come into operation until the Government has publicly appointed a date that the Act will take effect. Additionally, data controllers will have a transition period of two years from the appointed date to take the necessary steps to ensure full compliance with the requirements under the Act.
The provisions appointing and establishing the Office of the Information Commissioner came into effect on 1 December 2021. The result of this is that the two year transition period for data controllers to take the necessary steps to ensure full compliance with the requirements under the Act commenced on 1 December 2021 and will expire on 30 November 2023.

Japan

Robust

The Act on the Protection of Personal Information (“APPI”) regulates privacy protection issues in Japan and the Personal Information Protection Commission (“PPC”), a central agency acts as a supervisory governmental organization on issues of privacy protection.
The APPI was originally enacted in 2003 but was amended and the amendments came into force on 30 May 2017. Note that a bill to amend the APPI (‘the 2020 Amendments’) passed the National Diet of Japan on 5 June 2020 and was promulgated on 12 June 2020.
The 2020 Amendments will come into force on a date specified by a cabinet order, which is not later than two years from the date of promulgation.

Jordan

Limited

Although Jordan does not currently have a data protection law in place, the country is taking steps to bring in legislation aimed at the protection of personal data.
In 2014, the Ministry of Digital Economy and Entrepreneurship submitted a draft data protection bill (‘the Draft Bill’) which proposed, among other things, the establishment of an assigned council for the privacy commission.
In addition, a committee consisting of different ministries, governmental authorities and civil society organisations, was formed to discuss the Draft Bill.
The Draft Bill appears to be based on the EU’s General Data Protection Regulation (Regulation (EU) 2016/679) (‘GDPR’) and incorporates some of the main principles of the GDPR such as transparency, accuracy, storage limitation, and data minimisation.
An updated version of the Draft Bill was issued on 23 January 2020, however, a final version has yet to be approved. Until such a law comes into effect, data protection in Jordan will be regulated through the Constitution and sectoral legislation.

Kazakhstan

Limited

The main legal act regulating personal data in Kazakhstan is the law of the Republic of Kazakhstan No. 94-V dated May 21, 2013 ‘On Personal Data and Its Protection’ (the ‘Law’).
Data protection has been a significant area of interest for the Government of the Republic of Kazakhstan (‘the Government’).
At present, the Personal Data Law provides general regulations on the collection and processing of personal data, and notably includes broad requirements for data localisation.
In addition, the Law on Amendments and Additions to Some Legislative Acts of the Republic of Kazakhstan on the Regulation of Digital Technologies (only available in Kazakh here) (‘the Amendment Law’) was introduced in July 2020, significantly extending data protection obligations for organisations.
The Amendment Law introduces, among other things, further requirements for data collection and processing, obligations for data operators (similar to data processors), and redefines key concepts. The Amendment Law further establishes the competency of the data protection authority including its powers and role.

Kenya

Moderate

The Constitution of Kenya (‘the Constitution’) guarantees the right to privacy as a fundamental right.
To give effect to this constitutional right under Article 31(c) and (d), the Data Protection Act, 2019 (‘the Act’) was enacted and came into effect on 25 November 2019.
The Act has not been implemented and progress towards implementation started in November 2020 with the appointment of the Data Protection Commissioner (‘the Commissioner’).
As of the date of publication, the Office of the Data Protection Commissioner is in the process of setting up operations.
A key action the Office of the Data Protection Commissioner has taken, through the ICT Advisory Committee on COVID-19, was the development of the Guidance Note on Access to Personal Data During COVID-19 Pandemic (‘COVID-19 Guidelines’).
The COVID-19 Guidelines were put out for public and stakeholder participation on 12 January 2021, and closed on 9 February 2021. Upon implementation, the COVID-19
Guidelines are expected to provide policy guidance on processing personal data to actualise responses to and research on the COVID-19 pandemic.

Kiribati

Limited

There is currently no general data protection legislation.
There is currently no general data protection authority.

Korea, South

Moderate

Under the Constitution of South Korea (‘the Constitution’), the rights to privacy, privacy of communications and freedom of expression are recognised as fundamental rights.
In addition, the Constitutional Court of South Korea (‘Constitutional Court’) and Supreme Court of South Korea (‘Supreme Court’) have established through subsequent court decisions that the right to informational self-determination should be viewed as a separate fundamental right, despite not being stipulated in the Constitution.
The main law and regulations related to data protection are the Personal Information Protection Act 2011 (as amended in 2020) (‘the PIPA’) and its implementing regulations, which regulate the collection, usage, disclosure, and other processing of personal information by governmental or private entities as well as individuals.
The data protection laws in South Korea provide very prescriptive specific requirements throughout the lifecycle of the handling of personal data. Under these laws, the data subject’s consent is almost always required, in principle, to process his/her personal data.
On 6 January 2021, an additional amendment to the PIPA was published by the PIPC for public comment (only available to download in Korean here). Among others, the proposed amendment introduces the right to data portability and the right to be excluded from automated decision-making, diversifies the methods of transferring personal data overseas and includes pseudonymised data in the scope of information that a data handler is required to destroy.

Kosovo

Heavy

The protection of personal data in Kosovo is guaranteed by the Constitution of the Republic of Kosovo (‘the Constitution’).
Article 36, paragraph 4 of the Constitution stipulates that the collection, storage, access, correction, and use of personal data is regulated by law.
The first law regulating personal data protection was approved and entered into force in 2010, Law No.03/L – 172 on the Protection of Personal Data (‘the Law’). The Law established the basic principles and measures concerning the protection of personal data and the institution responsible for monitoring the legitimacy of data processing.
Following the entry into force of the General Data Protection Regulation (Regulation (EU) 2016/679) (‘GDPR’), the data protection law in Kosovo has been amended and aligned with the GDPR.

Kuwait

Limited

There is currently no general data protection legislation.
There is currently no general data protection authority.

Kyrgyzstan

Limited

The Law of the Kyrgyz Republic of 14 April 2008 No. 58 on Personal Information as amended by the Law of the Kyrgyz Republic of 20 July 2017 No. 129 (only available in Kyrgyz here and Russian here) was adopted to govern personal data matters, on the basis of generally accepted international principles and standards in accordance with the Constitution of the Kyrgyz Republic (only available in Kyrgyz here and Russian here) and other laws of the Kyrgyz Republic.
The Law on Personal Data ensures the protection of rights and freedoms related to the collection, processing, and use of personal data.

Laos

Limited

From 2012, Laos has introduced this framework by circulating relevant information only. This trend has accelerated since 2015 with the publication of the Law on Cyber Crime. In addition, for both professionals or non-professionals, the authorities have provided a series of guidelines of best practices for the use of software and hardware, social media platforms, and better protection of electronic data.
The Electronic Data Protection Act 2017 (only available in Lao here) (‘the Act’) and The Ministry of Post, Telecommunications and Communications regulate Data Protetion in Laos.
The Act came into force in 2017 providing data protection to Lao citizens in circumstances where electronic information is collected, accessed, used or disclosed.
The Act is supplemented by the Introduction on Implementation of the Electronic Data Protection Act (only available in Lao here), which sets out examples of how data protection procedures may be implemented by companies.

Latvia

Heavy

The General Data Protection Regulation (Regulation (EU) 2016/679) (GDPR) is a European Union law which entered into force in 2016 and, following a two-year transition period, became directly applicable law in all Member States of the European Union on May 25, 2018, without requiring implementation by the EU Member States through national law.
The Personal Data Processing Law has been approved by the parliament and came into force on July 5, 2018. This law provides legal prerequisites for the implementation of the GDPR in Latvia and replaced the current Personal Data Protection Law.
Apart from the Law, the Government Regulations No. 620 the Data Protection Specialist Qualification Rules (only available in Latvian here), which were adopted on 6 October 2020, are relevant.

Lebanon

Limited

While Lebanon does not have a comprehensive data protection legislation, privacy provisions are contained in Law No. 81 of 10 October 2018 on Electronic Transaction and Personal Data (‘the Law’).
The Law does not establish an independent data protection authority; however, it provides that any intended data processing activity must be notified to the Ministry of Economy and Trade (‘the Ministry’).

Lesotho

Limited

The right to privacy is recognized and protected under the Constitution of the Kingdom of Lesotho.
Lesotho has established a Data Protection Act, 2013 (the DP Act). The DP Act provides principles for the regulation of the processing of any personal information in order to protect and reconcile the fundamental and competing values of personal information privacy.

Liberia

Limited

There is currently no general data protection legislation.
There is currently no general data protection authority.

Libya

Limited

There is currently no general data protection legislation.
There is currently no general data protection authority.

Lichtenstein

Heavy

The General Data Protection Regulation (Regulation (EU) 2016/679) (GDPR) is a European Union law which entered into force in 2016 and, following a two-year transition period, became directly applicable law in all Member States of the European Union on May 25, 2018, without requiring implementation by the EU Member States through national law.
GDPR has been implemented through the Data Protection Act of 4 October 2018 (unofficial translation) (‘DSG’), the Data Protection Ordinance of 11 December 2018 (unofficial translation) (‘DSV’), and amended or supplemented through a number of other national acts.

Luxembourg

Heavy

The General Data Protection Regulation (Regulation (EU) 2016/679) (GDPR) is a European Union law which entered into force in 2016 and, following a two-year transition period, became directly applicable law in all Member States of the European Union on May 25, 2018, without requiring implementation by the EU Member States through national law.
Two Luxembourg Data Protection Laws of August 1, 2018 have been enacted to implement the GDPR:
The Law on the organization of the National Data Protection Commission (CNPD) and the general data protection framework. It has repealed the previous Law on Data Protection (amended Law of August 2, 2002) and completes the GDPR at the national level. Most of all it gives the framework for the CNPD’s organization, composition and powers under the GDPR and the applicable national law
The Law on the protection of individuals with regard to the processing of personal data in criminal matters as well as in matters of national security
The CNPD frequently advises the legislator on privacy aspects and has issued opinions on legal reforms regarding anti-money laundering, insurance, and financial trusts.

MACEDONIA

Heavy

The Constitution of the Republic of North Macedonia guarantees the right to privacy of individuals in the scope afforded by the European Convention for the Protection of Human Rights and Fundamental Freedoms.
The country is also a signatory to the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data 108/81.
A new data protection law was adopted in February 2020 to align the national data protection legislation with the General Data Protection Regulation (Regulation (EU) 2016/679) (‘GDPR’).
Same as the GDPR, the territorial scope of the new data protection law is increased, and it applies to all organisations that process personal data of individuals residing in North Macedonia, including foreign organisations if they offer goods or services to or monitor the behavior of individuals in North Macedonia.
As a result, many organisations that were not subject to the previous data protection legislation are now subject to the new data protection law, especially online businesses that process individuals’ personal data in North Macedonia.
Data controllers and processors must have ensured compliance with the provisions of the new data protection legislation by 25 February 2022.

Madagascar

Limited

Law No. 2014-038 relating to the protection of personal data is the main regulatory framework in Madagascar (the ‘Data Protection Law’).
The Law, adopted on 16 December 2014 and promulgated on 9 January 2015, declares that the processing of personal data is based on four main pillars, namely the principles of legitimate purpose and fairness of collection and processing, the existence of data subjects’ rights, the presence of an independent supervisory authority, and the establishment of an enforcement regime.
In relation to its scope of application, the Law covers the processing of personal data carried out by controllers established on the state territory, as well as processing that utilises means that are located on the national territory, even when the controller is not established in Madagascar.
CMIL, the independent authority responsible for the compliance with the principles provided in the Law, has not yet been established.

Malawi

Limited

Malawi does not have a comprehensive data protection law, but the Electronic Transactions and Cybersecurity Act No. 33 of 2016 replicates some provisions seen in data protection laws.
The Malawi Communications Regulatory Authority is responsible for the implementation of Act No. 33 of 2016, and may impose administrative penalties of up to K5,000,000 for violations.

Malaysia

Robust

Malaysia’s first comprehensive personal data protection legislation, the Personal Data Protection Act 2010 (PDPA), was passed by the Malaysian Parliament on June 2, 2010 and came into force on November 15, 2013.
As part of an ongoing review of the PDPA, the Personal Data Protection Commissioner of the Ministry of Communications and Multimedia Malaysia has issued Public Consultation Paper No. 01/2020 – Review of Personal Data Protection Act 2010 (PC01/2020) dated February 14, 2020 to seek the views and comments of the public on 22 issues set out in PC01/2020.

Maldives

Limited

The Maldives has not yet enacted any comprehensive data protection legislation.
Therefore, matters pertaining to data protection fall under the right to privacy, which is protected in broad terms under the Constitution of the Republic of Maldives 2008 (‘the Constitution’), and Law No 6/2014 Penal Code of Maldives (‘the Penal Code’).
In addition, for specific industries, there are other laws of general application that involve data protection issues.

Mali

Moderate

In Mali, data protection is governed by Law No. 2013-015 of 21 May 2013 on the Protection of Personal Data and Law No. 2019-056 of 5 December 2019 on the Repression of Cybercrime.
This legislation is applicable to natural, legal persons, the State, and any local authority, acting in whole or in part on the Malian territory.
The Malian data protection authority (‘APDP’) is in charge of informing and advising data subjects and controllers of their rights and obligations, ensuring compliance with the applicable legislation, inflicting administrative sanctions and, if necessary, referring offences to the competent Public Prosecutor’s Office.

Malta

Heavy

The General Data Protection Regulation (Regulation (EU) 2016/679) (GDPR) is a European Union law which entered into force in 2016 and, following a two-year transition period, became directly applicable law in all Member States of the European Union on May 25, 2018, without requiring implementation by the EU Member States through national law.
The Data Protection Act 2018 (Act) (Chapter 586 of the Laws of Malta) and the Regulations (at present 8 in number) issued under it implement the requirements under GDPR.
The Act repealed and replaced the previous Data Protection Act (Chapter 440 of the Laws of Malta).
See Maltese legislation here.

Marshall Islands

Limited

While the Republic of Marshall Islands does not have a personal data protection law, nor any legislation governing cybersecurity, the Marshall Islands has participated in international discussions related to cybersecurity and is a member of the Pacific Cyber Security Operational Network which, among other things, aims to strengthen cybersecurity across the across the Pacific.
In addition, on 26 February 2018, the Parliament of the Republic of Marshall Islands (‘Nitijela’) passed the Declaration and Issuance of the Sovereign Currency Act 2018, which set the ground for the issuance of a digital decentralised currency based on blockchain technology, the Sovereign (‘SOV’), as a legal tender.
The SOV is set to be the first legal tender digital currency in the world, and a system of accredited verifiers and cryptographically signed SOV IDs are expected to be employed to protect user privacy.

Mauritiana

Limited

Draft Law No. 2017 – 020 on the protection of the personal data (only available in French here) (‘the Draft Law’)
The Draft Law was adopted by the National Assembly on 22 June 2017 and sets out, among other things, requirements for data processing as well as data subject rights.
The Draft Law also lays the groundwork for the creation of a data protection authority. However, since the adoption of the Draft Law there have been minimal developments.
The Prime Minister outlined in his review of 2015-2017 and plan for 2018 (only available in French here) that the legal basis for Mauritanian information society, including the formation of a data protection authority and electronic certification authority, had been established.
Mauritania is one of several jurisdictions to have signed but not yet ratified the African Union Convention on Cyber Security and Personal Data Protection.

Mauritius

Moderate

Mauritius regulates data protection under the Data Protection Act 2017 (DPA 2017 or Act), proclaimed through Proclamation No. 3 of 2018 and effective on January 15, 2018.
The current Data Protection Act 2017 (‘the Act’) is aligned with international standards, namely the General Data Protection Regulation (Regulation (EU) 2016/679) (‘GDPR’) and the Convention for Protection of Individuals with regard to Automatic Processing of Personal Data (‘Convention 108’).
However, there are certain instances in the Act where the provisions are not exactly the same as contained in the GDPR.

Mexico

Moderate

Mexico has followed, along with other Latin American countries, the international trend of ensuring the protection of personal data. In this sense, the protection of personal data is a fundamental right recognised by the Constitution of Mexico (‘the Constitution’) since 2009. Following this recognition, the Federal Law on Protection of Personal Data Held by Private Parties (‘the Law’) was published in 2010.
The following year, the Regulations to the Federal Law on Protection of Personal Data Held by Private Parties (‘the Regulations’) were enacted. In 2013, the National Institute for Access to Information and Protection of Personal Data (‘INAI’), issued the Guidelines on Privacy Notices (only available in Spanish here) (‘the Guidelines’).
In January 2017, the long-awaited data protection law for the public sector was published: the General Law on Protection of Personal Data Held by Mandated Parties (only available in Spanish here) (‘the Public Sector Law’).

Micronesia, Federated States of

Limited

There is currently no general data protection legislation.
There is currently no general data protection authority.

Moldova

Moderate

Law of 8 July 2011 No. 133 on Personal Data Protection (‘the Law’) provides general personal data protection provisions, establishing data subject rights such as the rights to access, rectification, or erasure, and requirements to appoint data protection officers and provide data processing notifications.
The Governmental Decision of 14 December 2010 No. 1123 on the Security of Personal Data within Automatic Databases (only available in Romanian here) established data breach notification requirements, as well as sanctions for failure to notify the NCPDP.
Moldova has an Association Agreement with the EU through which it has committed to ensuring adequate safeguards for the protection of personal data, and is a signatory of the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data (‘Convention 108’).
The Moldova EU Twinning Project is also particularly active, and a draft personal data protection law (only available in Romanian here) has been in discussion over the past few years that would further align Moldovan law with data protection requirements in the EU.
In a new legislative reform spur, on 10 January 2022 important amendments to the Law on Personal Data were enacted, passed by the Law No. 175 of 11 November 2021 (only available to download in Romanian here) (‘the Amendments’), which aim to partially transpose the GDPR.

Monaco

Robust

Since then, the Act has been revised several times, most notably in 2008 to grant the Monegasque data protection authority (‘CCIN’) the status of an independent authority, and in 2015, to create a constitutionally compliant legal framework for the CCIN’s investigatory powers.
In consideration of the importance of the finance sector (which is officially classified as a ‘sector of vital importance’ in Monaco), the CCIN works closely with local professional associations such as the Monaco Association for Financial Activities and has issued several recommendations for financial entities on issues such as anti-money laundering and tax transparency obligations.

Mongolia

Limited

There is currently no general data protection legislation.
There is currently no general data protection authority.
On 5 August 2021, the Parliament of Mongolia announced discussions on a Draft Law on the Protection of Personal Information, which if adopted would enter into effect 1 November 2021. The draft Law would introduce obligations for data controllers including restriction on cross border data transfers, and provide data subjects with rights.

Montenegro

Moderate

The Ministry of Interior prepared a draft of the new Personal Data Protection Act (only available for download in Croatian here) (‘Draft Law’), which was generally consistent with the text of the General Data Protection Regulation (Regulation (EU) 2016/679) (‘GDPR’), but omitted some important elements which the GDPR contains.
On 10 April 2019, the Ministry of Interior invited stakeholders to take part in a public consultations about the Draft Law.
On 9 July 2019, the Ministry published a document detailing the received suggestions which it will accept or reject.
The Draft Law was under consideration by the European Commission as of October 2020, and the Parliament of Montenegro is expected to adopt the Draft Law in the first half of 2022.

Morocco

Robust

In Morocco, personal data protection is governed by Law n° 09-08 of 18 February 2009 (in French), relating to the protection of individuals with respect to the processing of personal data and by its Implementation Decree n° 2-09-165 of 21 May 2009 (in French).
The law was initially enacted to encourage foreign investment, including the offshoring and outsourcing of processing activities related to European residents’ personal data. Morocco is, indeed, an important player in the offshoring and outsourcing market due to its proximity to European markets as well as its competitive telecommunication infrastructure and multilingual workforce.
Since the adoption of the law, Morocco has made large efforts to ensure the effective protection of personal data and to have its data protection level recognized by the European Union to promote further international business. Moreover, Morocco requested an adequacy recognition decision from the European Commission as early as 2009. Today this request is still pending.

Mozambique

Limited

In Mozambique there is no specific legislation on data protection or privacy.

Myanmar (Burma)

Limited

There is no general data protection law in Myanmar.

Namibia

Limited

Namibia has not enacted comprehensive data privacy legislation.

Nauru

Limited

Nauru has not enacted comprehensive data privacy legislation

Nepal

Limited

Currently, Nepal does not have a unified data protection legislation.
The Individual Privacy Act 2075 (2018) enacted to implement and safeguard the fundamental right to privacy guaranteed by the Constitution and the Individual Privacy Regulation 2077 (2020) (only available in Nepali here), framed thereunder are regarded as the data protection legislation.
Other general laws such as the Country Civil Code 2074 (2017) (‘the Act’Civil Code’) and the National Penal (Code) Act (2017) (‘the Criminal Code’) also contain general provisions relating to privacy and data protection.
Thus, in the absence of a specific data control legislation, the Privacy Act and Privacy Regulation shall govern all aspects of data protection and privacy in Nepal.
In recent years, incidents of data breach have been observed frequently in Nepal wherein a large number of customers’ data including their names, mailing id, phone numbers were leaked in public.

Netherlands

Heavy

The General Data Protection Regulation (Regulation (EU) 2016/679) (GDPR) is a European Union law which entered into force in 2016 and, following a two year transition period, became directly applicable law in all Member States of the European Union on May 25, 2018, without requiring implementation by the EU Member States through national law.

The Dutch GDPR Implementation Act (Uitvoeringswet AVG, the Implementation Act) constitutes the local implementation of the GDPR in the Netherlands.
The Implementation Act follows a policy-neutral approach, meaning that the requirements of the previous Dutch Data Protection Act (Wet bescherming persoonsgegevens) are maintained insofar as possible under the GDPR.
The Implementation Act provides for, among other things, national rules where this is necessary for the implementation of GDPR provisions on the position of the regulatory authority or the fulfilment of discretionary powers provided by the GDPR.

New Zealand

Robust

The Privacy Act 2020 and its Information Privacy Principles (IPPs) govern how agencies collect, use, disclose, store, retain and give access to personal information.
The Act gives the Privacy Commissioner the power to issue codes of practice that modify the operation of the Act in relation to specific industries, agencies, activities or types of personal information.
Enforcement is through the Privacy Commissioner.
The Privacy Commissioner can also issue compliance notices requiring agencies to do or refrain from doing something in order to comply with the Act.

Nicaragua

Moderate

Data protection in Nicaragua is regulated by the Law on Personal Data Protection No. 787 of 21 March 2012 (only available in Spanish here) (‘the Law’), published in the Official Gazette on 29 March 2012; and the Regulation of Law No. 787, Decree No. 36-2012 of 17 October 2012 (only available in Spanish here) (‘the Regulation’).
The purpose of the Law is to protect personal information filed/stored in public and/or private records.
Prior to the establishment of the Law and the Regulation, there was only a general constitutional provision establishing that all individuals are entitled to privacy.

Niger

Moderate

Niger hastened to legislate in the field to regulate the protection of personal data by providing a ‘legal arsenal’ of a preventive but also repressive nature.
In this respect, it referred to Law No. 2017-28 of 3 May 2017 on the Protection of Personal Data Law , amended and supplemented by Law N° 2019-71 of December 24, 2019 (only available in French here) (‘the Law’), which creates the High Authority for the Protection of Personal Data (‘HAPDP’).

Nigeria

Limited

In Nigeria, data protection is a constitutional right founded on Section 37 of the Constitution of the Federal Republic of Nigeria 1999 (as amended) (‘the Constitution’).
The Nigerian Data Protection Regulation, 2019 (‘NDPR’) is the main data protection regulation in Nigeria.

North Macdeonia

Moderate

The Republic of North Macedonia regulates personal data protection issues with the Law on Personal Data Protection, effective 24 February 2020. Data controllers and data processors have an 18-month period from the DP Law’s entry into force (i.e. until 24 August 2021) to harmonize their operations with the DP Law.
The DP Law is largely harmonized with the General Data Protection Regulation (GDPR) of the European Union (EU).

Norway

Heavy

The General Data Protection Regulation (Regulation (EU) 2016/679) (“GDPR“) is a European Union law which entered into force in 2016 and, following a two-year transition period, became directly applicable law in all Member States of the European Union on May 25, 2018, without requiring implementation by the EU Member States through national law.
The GDPR was incorporated in the EEA Agreement by a Joint Committee Decision dated July 6, 2018. The new Norweigan Personal Data Act (“PDA”) implements GDPR and became effective as of July 20, 2018.

Oman

Moderate

Qatar has implemented Law No. (13) of 2016 Concerning Personal Data Protection (“the Data Protection Law”).
With its Data Protection Law—adopted in 2016—Qatar became the first Gulf Cooperation Council (GCC) member state to issue a generally applicable data protection law.
While the Data Protection Law took effect in 2017, executive regulations further implementing this law are expected to be passed in 2021.
The Qatar Financial Centre (“QFC”), a business center located on-shore in Qatar with its own regulations that are separate and distinct from those of the State of Qatar, implemented QFC Regulation No. 6 of 2005 on QFC Data Protection Regulations (“DPL”).
Additionally, under the powers granted to the QFC Authority under Article 21 of the DPL, the QFC Authority has issued the Data Protection Rules 2005 (DPR).
The country’s personal data protection framework changed considerably with the enactment of Royal Decree 6/2022 promulgating the Personal Data Protection Law (only available in Arabic here) (‘Oman PDPL’)
The Oman PDPL was issued on 9 February 2022 and will come into force one year from the date of issuance. It repeals Chapter 7 of the Electronic Transactions Law and introduces a much more robust privacy provisions as well as core privacy law principles with a view to align Oman’s data protection landscape with global best practice enshrined in laws such as the European Union‘s General Data Protection Regulation (Regulation (EU) 2016/679) (‘GDPR’).

Pakistan

Limited

Pakistan currently has not enacted data protection legislation per se similar to data protection legislation enacted in other countries of the world, however the Prevention of Electronic Crimes Act, 2016 (“PECA 2016”) at present serves the same purpose to a certain extent.
Moreover, a consultation draft of the Personal Data Protection Bill 2020 (“PDPB”) has been introduced by the Ministry of Information Technology and Telecommunications with a view to having the same being promulgated into law after public consultation, approval from both Houses of Parliament and receipt of assent from the President of Pakistan.

Palau

Limited

Palau has not enacted any data protection legislation

Panama

Moderate

The Law No. 81 on Personal Data Protection 2019 (only available in Spanish here) (‘the Law’) has been enacted and entered into force on 29 March 2021.
In addition, rules to the Law were published on 28 May 2021, through Executive Order 285/2021 (only available in Spanish here) (‘the Rule’).
There are several laws, such as the National Constitution of the Republic of Panama (only available in Spanish here) (‘the Constitution’), which regulate personal data protection.
The Constitution outlines the right to privacy of personal communications and documents, the right to access information contained in databases held by public bodies or by private persons providing public services, as well as to request the correction, rectification, or deletion of such information.

Papua New Guinea

Limited

While Papua New Guinea does not have a personal data protection law, the Cybercrime Code Act 2016 (‘the Act’) contains provisions relevant to cybersecurity and aspects of data protection.
The Act, and cybersecurity more generally, is regulated by the National Information & Communications Technology Authority (‘NICTA’). Legislative developments in Papua New Guinea are often influenced by events and practices in Indonesia and Australia, as well as the Association of South East Asian Nations (‘ASEAN’).

Paraguay

Limited

Law No. 6534/20 on the Protection of Personal Credit Data (only available in Spanish here) (‘the Credit Data Law’) entered into in force on 28 October 2020 in Paraguay.
In particular, a new regime for the protection of credit data of all citizens, on the matters of the incorporation, organisation, operation, rights, obligations, and termination of companies dedicated to obtaining and providing credit information; as well as the collection and processing of personal data was established.
The Credit Data Law also appoints two authorities able to impose sanctions for breaches.

Peru

Moderate

Currently, in the midst of a technological era, the protection of personal data has acquired greater relevancy in Peru.
Not only has it been established, through regulation, the obligations that must be fulfilled by data controllers and/or data processors to ensure an adequate processing of personal data; but also, due to the proactivity of the Peruvian data protection authority (‘APDP’), it has been verified by audits of the compliance of such obligations.
This, together with an awareness of the importance of the protection of personal data, not only to those who are in charge of its processing, but also to those who share it without knowing the consequences that this may entail, have been a fundamental part to strengthen this area of law in Peru.

Phillipines

Moderate

The Data Privacy Act of 2012 (“Act”) or Republic Act No. 10173, which took effect on 8 September 2012, is the governing law on data privacy matters in the Philippines.

Poland

Heavy

Data protection in Poland is primarily governed by the General Data Protection Regulation (Regulation (EU) 2016/679) (‘GDPR’) which has been implemented into Polish law by virtue of Act of 10 May 2018 on the Protection of Personal Data (‘the Act’).
In addition, Act of 21 February 2019 Amending Sectoral Laws to Ensure Application of GDPR (only available in Polish here) (‘the Amending Act’) aims at adjusting the Polish legal system to the requirements under the GDPR. It introduced changes to almost 170 separate sectoral acts.

Portugal

Heavy

The fundamental right to personal data protection was established in the Constitution of the Portuguese Republic 1976 (‘the Constitution’).
The first Portuguese Data Protection Act No. 10/91 (only available in Portuguese here) was adopted in 1991, foreseeing the creation of the Portuguese supervisory authority in data protection matters.
Prior to the entry into force of the General Data Protection Regulation (Regulation (EU) 2016/679) (‘GDPR’), the general rule was the following: before initiating any personal data processing, the controller had to notify the Portuguese data protection authority (‘CNPD’) or obtain prior processing authorisation from the same entity.
The CNPD’s decisions taken in accordance with authorisation procedures have been very inconsistent.

Qatar

Moderate

Qatar has implemented Law No. (13) of 2016 Concerning Personal Data Protection (“the Data Protection Law”).
With its Data Protection Law—adopted in 2016—Qatar became the first Gulf Cooperation Council (GCC) member state to issue a generally applicable data protection law.
While the Data Protection Law took effect in 2017, executive regulations further implementing this law are expected to be passed in 2021.
The Qatar Financial Centre (“QFC”), a business center located on-shore in Qatar with its own regulations that are separate and distinct from those of the State of Qatar, implemented QFC Regulation No. 6 of 2005 on QFC Data Protection Regulations (“DPL”).
Additionally, under the powers granted to the QFC Authority under Article 21 of the DPL, the QFC Authority has issued the Data Protection Rules 2005 (DPR).

Romania

Heavy

The legal rules in Romania are mainly set in the Law No. 190/2018 Implementing the General Data Protection Regulation (Regulation (EU) 2016/679) (‘the Law’) which in principle reiterates the General Data Protection Regulation (Regulation (EU) 2016/679) (‘GDPR’) rules and in specific decisions issued by the National Supervisory Authority for Personal Data Processing (‘ANSPDCP’), regulates main areas of the GDPR such as when Data Privacy Impact Assessments (‘DPIA’) will be mandatory, the accreditation of certification bodies, the conducting of investigations and managing complaints, and notifying security breaches.
The ANSPDCP’s guidelines are quite scarce and generic, only reiterating the main GDPR principles and standards.

Russia

Moderate

Fundamental provisions of data protection law in Russia can be found in the Russian Constitution, international treaties and specific laws.
Russia is a member of the Strasbourg Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data (Convention) (ratified by Russia in 2006) and the Russian Constitution establishes the right to privacy of each individual (articles. 23 and 24).
Most rules are found in specific legislation, particularly the Data Protection Act No. 152 FZ dated 27 July 2006 (DPA) and various regulatory acts adopted to implement the DPA.
In January 2022, new rules for the accreditation of organisations that perform identification and/or authentication using biometric personal data came into force, pursuant to Decree of 20 October 2021 No. 1799 on the Accreditation of Organisations that Own Information Systems that Provide Identification and (or) Authentication using Biometric Personal Data of Individuals (only available in Russian here) (‘Decree No. 1799’) adopted by the Government.
On 16 March 2022, the Council of Europe (‘CoE’) adopted Resolution CM/Res(2022)3 on legal and financial consequences of the cessation of membership of the Russian Federation in the Council of Europe (‘Resolution No. 3’). Alongside the cessation of membership of the Russian Federation in the CoE, it implies that Russia’s signatory status under the Protocol Amending the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data (‘Convention 108+’) has been suspended as of 16 March 2022, because it has not ratified it.

Rwanda

Limited

Rwanda is on the verge of passing its first single and comprehensive legal instrument regulating privacy and data protection.
As of 27 October 2020, Rwanda’s Cabinet approved the Rwanda Draft Data Protection Law 2020 (‘the Draft Law’) which was then sent to President Paul Kagame to sign into law.
The Data Protection Law was published, on 15 October 2021, in the Rwanda Official Gazette. The Data Protection Law introduces principles related to lawfulness, fairness and transparency, purpose limitation and accuracy, and obligations related to data subject rights, registration as a data controller or data processor, pseudonymisation, sensitive data, data transfers, designation of a data protection officer, Data Protection Impact Assessments, and data breach notifications.
Whilst the Draft Law will regulate the obligations of data controllers and processors, as well as afford data subjects general rights that protect their personal information, it does not establish a national data protection authority.
However, there are other laws that deal directly or indirectly with data privacy and/or data protection as noted below.

Saint Kitts and Nevis

Limited

Saint Kitts & Nevis currently does not have specific data protection legislation in force.

San Marino

Moderate

Law No. 171 of 21 December 2018, Protection of Natural Persons with Regard to the Processing of Personal Data entered into force on 5 January 2019 and provides for a data protection framework that echoes the General Data Protection Regulation (Regulation (EU) 2016/679) (‘GDPR’).
In light of the above, the Law was drafted considering the third-country status of San Marino in an ongoing effort to obtain an adequacy decision from the European Commission and enable data flows with the EU.
In respect of the international landscape, San Marino has signed the Convention for the Protection of Individuals with Regard to Automatic Processing of Personal Data (‘Convention 108’), and is also a member of the Global Privacy Assembly (‘GPA’), following an accreditation resolution that included the Guarantor as a new member.

Sao Tome and Principe

Limited

Law No. 03/2016 on the Protection of Personal Data (only available in Portuguese here) establishes a relatively comprehensive data protection framework and addresses matters such as data processing notifications, data protection principles, data processor agreements, and essential data subject rights.
Although the Law also requires notifications to the ANPDP in relation to data transfers, it does not provide for data breach notifications, nor does it cover data protection officer appointments or impact assessments.
In 2018, a series of Resolutions were issued by the ANPDP that generally exempted data processing notifications under certain circumstances, and primarily in relation to employment and employee’s data.

Saudi Arabia

Limited

There is currently no specific national data protection legislation in the Kingdom of Saudi Arabia (‘KSA’) but privacy provisions and concepts can be found in specific legislation.
It has been reported that the Government of KSA is considering the introduction of personal data protection laws. However, there has been no formal confirmation or public consultation on any draft legislation in this area, so far.
The PDPL was published in the Official Gazette on 24 September 2021 and marks the introduction of Saudi Arabia’s first data protection law. Additionally, a draft version of the executive regulations supplementing the PDPL (‘the Executive Regulations’) was issued, on 10 March 2022, for public consultation and adds significant detail to the law.
The PDPL will take effect on 17 March 2023, this period however may be delayed for a period of up to five years for entities located outside Saudi Arabia that process personal data of Saudi residents. The aim of the PDPL is to ensure the privacy of personal data, regulate data sharing, and prevent the abuse of personal data.

Senegal

Moderate

In January 2008, Senegal adopted Law No. 2008-12 of 25 which provides a legal and institutional framework for the protection of personal data.
The law established an independent authority known as the Commission of Personal Data (CDP) whose mandate is to ensure that the processing of personal data is implemented in accordance with the provisions of this law, and upholds the rights of data subjects and the obligations of data processors.
A few years later in 2016, Senegal went on to become the first African country to ratify the continent-wide convention on Cyber Security and Personal Data Protection, which was adopted by the African Union in 2014.

Serbia

Moderate

The main piece of legislation currently regulating personal data protection in the Republic of Serbia is the Law on Protection of Personal Data (Official Gazette of the Republic of Serbia, No. 87/2018 (only available in Serbian here) (‘the Law’).
The former Poverenik, Mr. Rodoljub Šabić, has, on many occasions, pointed out the drawbacks of the Law, stating that the existing legal framework in the field of protection of personal data is far from adequate especially in terms of its completeness.
With regards to the Law, the former Poverenik has stressed that the content is convoluted, confusing, and therefore likely to be quite difficult to implement in practice.

Seychelles

Limited

The key piece of legislation is the Data Protection Act 2002 (Act 9 of 2003) (‘the Act’) which was enacted in 2003 to provide individuals with privacy rights regarding the processing of personal data; however, at the time of writing, the Act is not yet in force.
The Act will enter into force on such date as notified by the Minister in the Official Gazette.

Sierra Leone

Limited

No specific data protection legislation has been adopted.

Singapore

Robust

The Personal Data Protection Act 2012 (No. 26 of 2012) (‘PDPA’) governs the collection, use, and disclosure of individuals’ personal data by organisations in a manner that recognises both the right of individuals to protect their personal data, and the need of organisations to collect, use, and disclose personal data for purposes that a reasonable person would consider appropriate in the circumstances.
Apart from the obligations imposed on organisations under the PDPA, there has been a general push towards a culture of accountability by the Personal Data Protection Commission (‘PDPC’), the regulator for data protection.
For example, the PDPC implemented the Data Protection Trustmark Certification in 2019, which is a voluntary enterprise-wide certification program for organisations to demonstrate accountable data protection practices.
The PDPA has recently undergone its first comprehensive revision since its enactment in 2012 under the Personal Data Protection (Amendment) Bill 2020 (‘the Amendment Bill’) which was passed on 2 November 2020 and which was formally enacted as the Personal Data Protection (Amendment) Act 2020 (‘the Amendment Act’).
Notably, not all provisions under the Amendment Act have come into effect. For example, the enhanced financial penalty regime enables the PDPC to impose financial penalties of up to 10% of an organisation’s annual turnover in Singapore (if the organisation’s annual turnover in Singapore exceeds SGD 10 million (approx. €6.85 million), or SGD 1 million (approx. €684,600), whichever is higher, and will take effect from 1 October 2022. Similarly, the provisions on the new data portability obligation will also take effect at a later date.

Slovakia

Heavy

The Act No. 18/2018 Coll. on Protection of Personal Data (‘the Act’) was adopted on 29 November 2017 and entered into force on 25 May 2018.
In addition to the GDPR, the Act also implements the Data Protection Directive with respect to Law Enforcement (Directive (EU) 2016/680) (‘the Law Enforcement Directive’).
The Act is enforced by the Office for Personal Data Protection of the Slovak Republic (‘ÚOOÚ’), which among other things, acts upon data subjects’ complaints, adopts guidelines, participates in the protection of fundamental rights of natural persons in relation to the processing of personal data, and executes data protection supervision.

Slovenia

Limited

Personal Data Protection Act 2004 (‘the Act’). Slovenia has not yet adopted the new Personal Data Protection Act (only available in Slovenian here) (‘the Draft Act’)
Slovenia is the only remaining EU Member State that has yet to implement the GDPR.
The Draft Act is currently progressing through the legislative procedure but there is no set date for its passage in the National Assembly.
The Commissioner issued an opinion on the Draft Act in 2019, which highlights that differences between the Draft Act, which was subject to public consultation at the time, and the GDPR would lead to difficulties with cross-border procedures, and hinder legal harmonisation across the EU Member States.

Somalia

Limited

Somalia currently does not have a data protection legislation into force even though several public bodies, including, the Somalia Chamber of Commerce and Industry, the Federal Minister of Posts, Telecommunications and Technology, and the Minister of Commerce and Industry, have suggested the creation of a privacy legislation to the Cabinet of Federal Government of Somalia.
There are, however, sectoral data protection provisions in, for example, the telecommunications sector.

South Africa

Moderate

The right to privacy is recognized as a fundamental human right in the Bill of Rights of the Constitution of the Republic of South Africa and is protected in terms of the Constitution and the common law.
This right to privacy is not absolute and may be limited where it is reasonable and justifiable to do so.
The Protection of Personal Information Act, 2013 (Act 4 of 2013) came into effect on 1 July 2020, save for certain provisions, but there is a one year grace period within which to comply with POPIA. POPIA specifically regulates the processing of personal information that is entered into a record pertaining to natural living persons as well as existing legal persons.
The Republic of South Africa has seen its first specific data protection law come into effect on 1 July 2021, joining the rest of the world in protecting the right to privacy in this digital age of the Fourth Industrial Revolution.

Spain

Heavy

The General Data Protection Regulation (Regulation (EU) 2016/679) (GDPR) is a European Union law which entered into force in 2016 and, following a two year transition period, became directly applicable law in all Member States of the European Union on 25 May 2018, without requiring implementation by the EU Member States through national law.
After a very long delay and amidst rumors that the Spanish Parliament could be dissolved and early elections called, the Spanish Senate speedily dismissed all proposals for further changes and approved the new Spanish Fundamental Law on Data Protection and digital rights guarantee, which is in force from 7 December 2018 (“NLOPD”).

Sri Lanka

Limited

Presently, Sri Lanka does not have any consolidated and/or specific laws on data protection.
There are several data protection-enabled legislation that are industry-specific. Such legislation does not however provide a definition for the term ‘data’ nor specific provisions for implementation.
Notably, the Ministry of Digital Infrastructure and Information Technology (‘MDIIT’) and the Legal Draftsman’s Department (‘LDD’) launched, in 2019, a draft for an Act to Provide for the Regulation of Processing Personal Data (2019), which provides fundamental principles of privacy and data protection and is modeled after data protection legislation in place by similar countries.
In early 2021, the LDD released a final draft version of an Act to Provide for the Regulation of Processing of Personal Data (2021) (‘the Draft Bill’). The Draft Bill is currently awaiting final approval and thereafter will be submitted to the Cabinet of Ministers (‘the Cabinet’) and published as an official Bill.
The Personal Data Protection Act No. 9 of 2022 (‘PDPA’) was passed in the Parliament of Sri Lanka (‘the Parliament’) and was certified by the Speaker on 19 March 2022. Section 1 of the PDPA provides for the mechanism and specific periods by and on which the PDPA would gradually come into force as follows.

Sudan

Limited

There is currently no enacted data protection legislation in Sudan.

South Sudan

Limited

There is currently no enacted data protection legislation in Sudan.

Suriname

Limited

No specific data protection legislation has been adopted.

Sweden

Heavy

The General Data Protection Regulation (Regulation (EU) 2016/679) (GDPR) is a European Union law which entered into force in 2016 and, following a two year transition period, became directly applicable law in all Member States of the European Union on 25 May 2018, without requiring implementation by the EU Member States through national law.
The Data Protection Act (2018:218) and the Data Protection Ordinance (2018:19) (the “DPA”) – The DPA regulates general aspects of data protection where the GDPR allows, e.g. processing of social security numbers and processing of data pertaining to criminal offences. The DPA entered into force on 25 May 2018.
In addition to the Swedish DPA, a vast number of sector specific acts have been adopted in Sweden, for example relating to the sectors of healthcare, finance, energy, environment, education, referendums/elections, enterprise, communication, labour market, etc.

Switzerland

Heavy

Swiss data protection law is rooted in the civil law protection of personality rights.
The Federal Constitution of the Swiss Confederation (‘the Constitution’) provides a constitutional right to privacy. Article 13 SFC protects the right to privacy in personal or family life and in a person’s home. Article 28 of the Swiss Civil Code (‘the Civil Code’) and the Federal Act on Data Protection 1992 (‘FADP’) put this fundamental right to privacy into concrete terms at a statutory level.
In addition to criminal liability governed by the FADP, a number of provisions of the Swiss Criminal Code (‘the Criminal Code’) are relevant in a data protection and privacy context.
The 26 Cantons, the federal states of the Swiss Confederation, have enacted their own data protection acts. These govern the processing of personal data by Cantonal authorities.
On September 25, 2020, the Federal Parliament enacted a revised FADP (the final text of which is accessible in German here, French here, and Italian here) (‘the Revised FADP’).
The Revised FADP will enter into force on 1 September 2023. It implements the requirements of the Council of Europe‘s Modernised Convention for the Protection of Individuals with Regard to the Processing of Personal Data (‘Convention 108+’), and it aligns the FADP with the requirements of the European Union‘s General Data Protection Regulation (Regulation (EU) 2016/679 (‘GDPR’) with the aim of retaining the European Commission‘s adequacy finding.
It is important to note that whereas the Revised FADP contains similar provisions and is aligned with the requirements of the GDPR, Switzerland has enacted its own law.

Syria

Limited

There is currently no specific data protection legislation in force in Syria.

Taiwan

Robust

Data Protection in Taiwan is primarily governed by the Personal Data Protection Act 2015 (‘PDPA’) and the Enforcement Rules of the Personal Data Protection Act (‘the Enforcement Rules’).
The Government of Taiwan (‘the Government’) has submitted its application to the EU for an adequacy decision pursuant to the General Data Protection Regulation (Regulation (EU) 2016/679) (‘GDPR’) and continues to dialog with EU in this regard.
Meanwhile, the Government is evaluating whether the PDPA needs to be further amended in order to further align the PDPA with the GDPR.

Tajikistan

Moderate

Prior to 2018, the rights of data subjects had been protected by a range of existing laws that indirectly applied, due to the lack of a comprehensive legislation on data protection
However, in 2018, Law of 3 August 2018 No. 1537 on Personal Data Protection (only available in Tajik here) (‘the Law on Personal Data’) was adopted, which established grounds for the regulation of relations between owners, operators, and data subjects.
The Law on Personal Data also clearly sets out rules for obtaining consent, notifying the data subject in case of the transfer of her/his data, as well as conditions for cross-border transfer
The fundamental provision of Tajik legislation which provides for the right to protection of personal data is contained in Article 23 of the Constitution of the Republic of Tajikistan of 6 November 1994, which states that the collection, storage, use, and dissemination of personal data of an individual without their consent is prohibited.

Tanzania

Limited

Tanzanian law on data protection is still in the works as there is not yet comprehensive legislation on the area.
Therefore, whatever data protection provisions there are, they are to be found to varying degrees in a number of legislations, especially from the banking, electronic, and telecommunications sectors, as well as penal statutes.

Thailand

Moderate

The Personal Data Protection Act 2019 (‘PDPA’) was published, on 27 May 2019, in the Royal Thai Government Gazette. The PDPA is the very first consolidated law governing data protection in Thailand.
the Cabinet of Parliament of the Kingdom of Thailand (‘the Parliament’) approved the Royal Decree on the Organizations and Businesses of which Personal Data Controllers are exempted from the Applicability of the Personal Data Protection Act B.E. 2562 (2019) B.E. 2563 (2020) (only available in Thai here).
The Royal Decree initially postponed the effective date of the enforcement of the PDPA in Chapters 2, 3, 5, 6, 7 and Section 95, on exempted organisations, until 31 May 2021.
Following a second deliberation, the Parliament has approved a further one year postponement of the effective data of the enforcement of the PDPA, under the Royal Decree on the Organizations and Businesses of which Personal Data Controllers are exempted from the Applicability of the Personal Data Protection Act B.E. 2562 (2019) B.E. 2564 (2021) (only available in Thai here) (‘the Royal Decree’), making the effective date of the PDPA, the 1 June 2022.

Togo

Limited

The personal data protection industry is emerging in Togo.
Law No. 2019-014 Relating to the Protection of Personal Data (only available in French here) (‘the Law’) provides the conditions for the collection, processing, transmission, storage, use of personal data.
In addition, in December 2020 the National Assembly issued a press release (only available in French here) announcing the adoption of a draft decree (‘the Decree’) on the organisation and functioning of the Togolese data protection authority (‘IPDCP’).

Tonga

Limited

There is currently no data protection legislation in force in Tonga.

Trinidad and Tobago

Limited

Privacy as the overarching principle of which data or information privacy is a subset has been generally guaranteed protection in Trinidad and Tobago, as in numerous other jurisdictions, through constitutional provisions and international human rights law.
In terms of specific legislation, the Data Protection Act 2011 (‘the Act’) is the sole piece of legislation on the topic and deals, not with the broad issue of privacy, but specifically with that of the protection of personal information in the public and private sectors. It is not fully proclaimed as detailed below.
The DPA was partially enacted on January 6, 2012 by Legal Notice 2 of 2012, and only Part I and sections 7 to 18, 22, 23, 25(1), 26 and 28 of Part II have come into operation.
No timetable has been set for enacting the remainder of the DPA, and it is possible that there may be changes to the remainder of the legislation before it is proclaimed.

Tunisia

Robust

Organic Act No. 2004-63 of 27 July 2004 on the Protection of Personal Data (available only in Arabic and French here) (‘the Law’) details the scope of data protection and sets up a national commission in charge of its enforcement.
Several texts have been enacted such as the Law and Decree No. 2007-3004 of 27 November 2007 Laying Down the Conditions and Procedures for the Declaration and Authorisation of the Processing Of Personal Data (available only in Arabic and French here) (‘the Decree’).
Tunisia became the 51st Member State of the Council of Europe Convention 108 on November 1, 2017.
In March 2018, it introduced a new draft law on the protection of personal data in line with the new European GDPR in Parliament.

Turkey

Moderate

In April 2016, Turkey completed the final step in a long-running process to enact the Law on Protection of Personal Data No. 6698 (‘the Data Protection Law’).
The Data Protection Law received Presidential approval and its final text was published in the Official Gazette, Number 29677 on 7 April 2016. Prior to this date, Turkey did not have specific legislation addressing personal data protection.
The LPPD is primarily based on EU Directive 95/46/EC.
To date, the legislature has enacted several regulations to implement various aspects of the LPPD.

Turkmenistan

Limited

The legislation of Turkmenistan on personal information and its protection is based on the Constitution of Turkmenistan (only available in Russian here) and consists of the Law of Turkmenistan of 20 March 2017 on Information on Private Life and its Protection No. 519-V (only available in Russian here) (‘the Law on Information’) and other regulatory legal acts.
The Law on Information sets the procedure for collecting, processing, and protecting personal information. Also, the Law on Information sets out the rights and obligations of the data subject and the operator and provides for sanctions for failure to comply with personal data protection requirements.

Tuvalu

Limited

There is currently no data protection legislation in force in Tuvalu

Uganda

Moderate

Uganda passed the Data Protection and Privacy Act, 2019 (‘the Act’) in 2019. Following the passing of the Data Protection and Privacy Regulations, 2021(‘the Regulations’) in May 2021.
It is anticipated that the Regulations will implement the Act which is not yet in effect. The Act and Regulations are intended to support privacy protections that are already guaranteed to Ugandans under the Constitution and complement sectoral laws for regulated activities that had previously incorporated data protection provisions.

Ukraine

Moderate

The Law of Ukraine No. 2297 VI ‘On Personal Data Protection as of June 1, 2010 (Data Protection Law) is the main legislative act regulating personal data protection in Ukraine.
On December 20, 2012, the Data Protection Law was substantially amended by the Law of Ukraine, ‘On introducing amendments to the Law of Ukraine’.On Personal Data Protection’ dated November 20, 2012, No. 5491-VI.
The Data Protection Law essentially complies with EU Data Protection Directive 95/46/EC.

United Arab Emirates

Limited

The Constitution of the UAE (only available in Arabic here) (‘the Constitution’) gives citizens a general right to privacy, and provisions of the Federal Law No. 5 of 1985: The Civil Code as amended by Federal Law No. 1 of 1987 (only available in Arabic here) (‘the Civil Code’) and the Federal Law No. 3 of 1987: The Penal Code (‘the Penal Code’) are also relevant when considering privacy related issues. Elsewhere, sector specific regulation (such as the telecommunications, consumer protection, and cybercrime laws) provides some limited data protection rights in certain circumstances.
The United Arab Emirates (‘UAE’) published its first federal level data protection law Federal Decree-Law No. 45 of 2021 on the Protection of Personal Data Protection (‘the PDPL’) on 20 September 2021.

United Kingdom

Heavy

Following the UK’s exit from the European Union, the UK Government has transposed the General Data Protection Regulation (Regulation (EU) 2016/679) into UK national law (thereby creating the “UK GDPR”). In so doing, the UK has made a number of technical changes to the GDPR in order account for its status as a national law of the United Kingdom (e.g. to change references to “Member State” to “the United Kingdom”). These changes were made under the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019. At this time, all material obligations on controller and processors essentially remain the same under the UK GDPR as under the ‘EU GDPR’.
The Data Protection Act 2018 (“DPA”) remains in place as a national data protection law, and supplements the UK GDPR regime. It deals with matters that were previously permitted derogations and exemptions from the EU GDPR (for example, substantial public interest bases for the processing of special category data, and context-specific exemptions from parts of the GDPR such as data subject rights).
The current version of the legislative framework (as amended, following the withdrawal of the UK from the European Union on 31 January 2020) has applied in the UK since 1 January 2021.

United States of America

Heavy

The US has several sector-specific and medium-specific national privacy or data security laws, including laws and regulations that apply to financial institutions, telecommunications companies, personal health information, credit report information, children’s information, telemarketing and direct marketing.
The US also has hundreds of privacy and data security among its 50 states and territories, such as requirements for safeguarding data, disposal of data, privacy policies, appropriate use of Social Security numbers and data breach notification. California alone has more than 25 state privacy and data security laws,
In addition, the US Federal Trade Commission (FTC) has jurisdiction over a wide range of commercial entities under its authority to prevent and protect consumers against unfair or deceptive trade practices, including materially unfair privacy and data security practices.

Uruguay

Limited

Uruguay has a data protection system that follows EU data protection rules and has regulations that adapt its data protection system to the General Data Protection Regulation (Regulation (EU) 2016/679) (‘GDPR’).
In 2012, it was the second country in Latin America to be declared adequate by the European Commission with regards to Article 25(6) of the Data Protection Directive 95/46/EC (‘the Directive’).
In 2013, Uruguay ratified Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data (‘Convention 108’) of the Council of Europe. It was the first non-European country to do so, and the 45th country to be part of Convention 108.

Uzbekistan

Moderate

The legislative history of data protection in Uzbekistan can be divided into two periods. The first period started with Law of Uzbekistan of 24 April 1994 No 400-I on Guarantees and Freedom of Access to Information (only available in Uzbek and Russian here) (‘the Law on Information’), and lasted for 16 years, until the enactment of Law of Uzbekistan of 2 July 2019 No. ЗРУ-547 on Personal Data (only available in Uzbek and Russian here) (‘the Law on Personal Data’), which initiated the second period.

Vanuatu

Limited

Vanuatu has not yet enacted legislation relating to data privacy.

Vatican City

Limited

In the Vatican City State, no specific laws have been adopted either by the Supreme Pontiff, the Pontifical Commission, or other legitimate Vatican City State authorities in relation to the fundamental right to privacy of natural and legal persons.
Canon 220 of the Code of Canon Law refers to the protection of a good reputation and of intimitas, but does not provide for specific or self-contained rules related to personal data protection; it contains only general principles that can (and should) be articulated in more specific regulations.

Venezuela

Limited

In Venezuela, there are no express regulations regarding data privacy.
Nevertheless, main laws and regulations on data privacy and data protection are set forth in the Constitution of the Bolivarian Republic of Venezuela (published in the Special Official Gazette No. 5.908 of February 19, 2009) (‘the Constitution’) and the Decision issued by the Constitutional Chamber of the Supreme Court of Justice on March 14, 2001(‘the 2001 Decision’);
According to the 2001 Decision, privileged information is constitutionally protected if such information, contained in one or more combined registries, could create a complete or partial profile of the individual whose data is included in such registries.

Vietnam

Moderate

In Vietnam, the right to privacy and personal secrets is a constitutional right.
However, Vietnam does not have a consolidated piece of legislation on the protection of personal data. Instead, rules and regulations on personal data protection can be found in several laws, including general laws such as the Civil Code and the Law on Cyberinformation Security and sectoral laws such as the Law on Electronic Transactions and the Law on Telecommunications.

Yemen

Limited

There is currently no general data protection legislation.
There is currently no general data protection authority.

Zambia

Limited

Zambia has enacted various pieces of legislation that provide for a safe, secure, and effective environment for the conduct and use of electronic communications.
Data privacy and protection issues in Zambia are mainly regulated by the Electronic Communications and Transactions Act No. 4 of 2021 (‘the ECT Act’), the Data Protection Act No. 3 of 2021 (‘the Data Protection Act’), the Cyber Security and Cyber Crimes Act No. 2 of 2021 (‘the CSCC Act’), and the Information and Communications Technologies Act No. 15 of 2009 (‘the ICT Act’).
Notably, on 1 April 2021 the Commencement Orders for the Data Protection Act, the CSCC Act, and the ECT Act, were published in the Government Gazette as appointed by the Minister of Transport, Works, Supply and Communications (‘the Minister’) which caused the three Acts to enter into effect at that date that the Commencement Orders were published in line with Section 1 of the respective Acts.

Zimbabwe

Limited

In Zimbabwe, the starting point in recognising the right to privacy and protection of data privacy is Section 57 of the Constitution of Zimbabwe Amendment 20 of 2013 (‘the Constitution’), which affords every person with the right to privacy.
The Freedom of Information Act (No. 1 of 2020) (‘the Freedom of Information Act’) was enacted into the laws of Zimbabwe on 1 July 2020 to provide for rights of expression, freedom of media, and the right of access to information held by entities in the interest of public accountability or for the exercise or protection of a right. It is a recently welcomed development which effectively repeals the Access to Information and Protection of Privacy Act of 2001 (‘the AIPP’).
Whilst the Freedom of Information Act does not focus on data protection rights, certain provisions stated therein regulate the handling of personal information which directly affects data rights. More relevant to the present overview is the Cybersecurity and Data Protection Bill of 2019 (‘the Bill’) which was gazetted on 15 May 2020. The Bill is a transformative measure in Zimbabwean law with the primary purpose of protecting the privacy and data rights of those susceptible to infringement.
It is difficult to predict at this point whether or not the Bill will be passed given the contentious issues raised at public hearings.
On the 3 December 2021, Zimbabwe gazetted the much anticipated Data Protection Act [Chapter 11:12] (‘the Act’) into law. Originally referred to as the Cyber Security and Data Protection Bill, this new legal framework seeks to regulate a technology driven business environment and to protect the data subjects in the cyberspace through ensuring the lawful use of technology.

Report Footnotes

For more information on data protection, visit the below sites:

1. https://ico.org.uk/for-organisations/guide-to-data-protection/

2. https://www.dataguidance.com/

Need advice?

Please get in touch via our Contact Us page

Lorem ipsum dolor sit amet, consectetur adipiscing elit. Ut elit tellus, luctus nec ullamcorper mattis, pulvinar dapibus leo.

Cookie	Duration	Description
cookielawinfo-checkbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checkbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-performance	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.

Defence & Security

Read More

Read More

Technology & Manufacturing

Read More

Legal Advice

Read More

High-Risk Jurisdictions & Environments

Read More

Specialist Investigations

Read More

Consultancy

Read More

Notarial Services

Read More

Data Protection Regulation Tracker

Proelium Law LLP combines its legal and investigative experience to provide clients with an extensive suite of capability in the world of cyber and digital law.

Data protection regulations

A‧B‧C‧D‧E‧F‧G‧H‧I‧J‧K‧L‧M‧N‧O‧P‧Q‧R‧S‧T‧U‧V‧W‧X‧Y‧Z

Need advice?

Our Location

+44 (0) 20 3875 7422

+44 (0) 7725 329437

[email protected]

Proelium Law LLP

FIND US ON: