
Data protection Regulation tracker

Proelium Law LLP | The UK’s foremost legal authority on high-risk jurisdictions and specialist risk services

Proelium Law LLP combines its legal and investigative experience to provide clients with an extensive suite of capability in the world of cyber and digital law.

In an increasingly technology-focused world, data protection has become a matter of great importance. Whilst some countries are yet to address data privacy, many are now implementing laws that bear similarities with the GDPR.

Today, more than 120 countries are already engaged in some form of international privacy laws for data protection, under which data is managed through rigorous protections and controls. With many countries still in the process of drafting dedicated legislation for data protection, it is clear that data regulation will continue to evolve.

This tracker aims to outline the data privacy legislation in each country, ranking their regulation and enforcement as one of the below:

  • Heavy  
  • Robust 
  • Moderate 
  • Limited 


 

A
Afghanistan

Limited

  • There is currently no general data protection law in Afghanistan.
  • The Constitution of Afghanistan does provide for the right to confidentiality and privacy of communications.
  • Additionally, sectoral laws such as the Telecommunications Services Law (available in Pashto and Dari) and the Banking Law of Afghanistan contain some limited clauses on data protection.
  • The Penal Code of Afghanistan was amended in 2017 to include penalties for cybercrime, although these tend to focus more on AML/CTF issues.
Albania

Robust

The implementation of the Law is subject to several sub-legal acts, including but not limited to the following:

  • The decision of the Parliament No. 95/2019 of 12 September 2019, ‘On the appointment of the Commissioner for the Protection of Personal Data;’ and
  • The decision of the Parliament No. 86 dated 19 July 2018, ‘On the Approval of the Structure, Staff and Classification of Salaries of the Commissioner for the Right to Information and Protection of Personal Data.’

The Republic of Albania has also ratified the following international treaties:

Algeria

Moderate

  • Algeria enacted Law No. 18-07 of 25 Ramadhan 1439, corresponding to June 10, 2018, relating to the Protection of Individuals in the Processing of Personal Data.
  • The law has set out the conditions of the collection, recording, organisation, conservation, adaptation or modification, extraction, consultation, use, communication by transmission, dissemination or any other form of making available, reconciliation or interconnection, as well as locking, encryption, erasure or destruction of any information, whatever its support, concerning an identified or identifiable person, directly or indirectly, in particular by reference to an identification number or to one or more elements specific to their physical, physiological, genetic, biometric, psychic, economic, cultural or social identity.
  • Despite its publication in 2018, the entry into force of this Law is subject to the actual installation of the authority in charge of the protection of personal data, which as of 2021 has not yet been installed.
  • In addition, an e-commerce law was also enacted in 2018, Law No. 18-05 of 24 Chaâbane 1439 corresponding to May 10, 2018 relating to electronic commerce (only available to download in French) (‘Law 18-05’). Law 18-05, among other things, sets out further protections for e-consumers, regulates cross-border e-commerce, and details obligations related to advertising through electronic means.
  • In broad terms, although these new laws have been introduced, there is little information released publicly on the enforcement of data protection or official guidance on compliance in Algeria.
Andorra

Robust

Angola

Moderate

  • Angola regulates data privacy and has issued multiple laws for this matter.
  • Angola issued the Data Protection Law (Law no. 22/11, 17 June 2011) and the Electronic Communications and Information Society Services Law (Law no. 23/11, 20 June 2011) in 2011.
  • Angola then issued the Protection of Information Systems and Networks Law (Law no. 7/17, 16 February 2017) in 2017.
Antigua and Barbuda

Robust

  • Data Protection Act, 2013 (No. 10 of 2013)
  • The Act creates obligations for public and private bodies by establishing certain principles regarding the use of information, which include the principles of notice and choice, disclosure, security, integrity and access, among others.
  • It also provides various rights to data subjects, such as the right of access, the right to rectification of personal data and the right to not have their sensitive personal data processed unless certain conditions apply.
  • Finally, the Act appoints the Information Commissioner, established under the Freedom of Information Act, 2004 as the authority relevant for carrying out and enforcing the protection of data pursuant to its provisions.
  • Other relevant laws in Antigua and Barbuda include the Electronic Transactions Act, 2006, the Banking Act, 2015 and the Money Laundering (Prevention) Act, 1996.
Argentina

Robust

  • The Personal Data Protection Act 25.326 (PDPA) (Ley de Protección de los Datos Personales) was executed in 2000 to help protect the privacy of personal data, and to give individuals access to any information stored in public and private databases and registries.
  • The PDPA includes basic personal data rules. It follows international standards and has been considered as granting adequate protection by the European Commission.
  • Article 43(3) of the Federal Constitution recognizes the right to access and correct personal records held in public or private bodies (habeas data).
  • These provisions are not held to be an express constitutional right to privacy or data protection but do create the basic framework.
Armenia

Robust

  • Armenia’s first step in the protection of data came in the form of the Law of the Republic of Armenia of 13 June 2015 No. 49-ZR on the Protection of Personal Data.
  • Amendments to other regulatory acts were also made in relation to the Personal Data Law, for instance, amendments to the Labour Code of the Republic of Armenia of 2004 to enhance the protection of employees’ personal data and the regulation of its processing by the employer.
  • The main regulatory body for Personal Data in Armenia is the Personal Data Protection Agency.
  • The transfer of personal data is one of the directions highly regulated by the Personal Data Protection Agency.
  • In 2017, an exhaustive list of the countries providing a sufficient level of personal data protection was drafted by the Agency. In the case of data transfers to all other countries, which have not been included in this list, the consent of the Agency must be obtained.
  • The regulations are currently being reworked; the Government of the Republic of Armenia (‘the Government’) has developed a strategy for 2019-2023 for the adoption of new regulations and amendments to the existing ones.
Australia

Heavy 

Austria

Heavy

  • Austria is a member of the European Union and so is required to comply with the General Data Protection Regulation (Regulation (EU) 2016/679) (‘GDPR’).
  • Austria has implemented GDPR gradually into its domestic legislation. In 2017, the existing Data Protection Act (Datenschutzgesetz 2000) was amended by the Data Protection Amendment Act 2018 (Datenschutz-Anpassungsgesetz 2018) (‘DSG’) in order to implement various regulations related to GDPR.
  • In addition to the DSG, further amendments to other statutory laws were adopted in order to implement the GDPR (mostly to adapt to the terminology of the GDPR). These amendments were included in the General Data Protection Adjustment Act (Materien-Datenschutz-Anpassungsgesetz 2018) and the research-sector specific Data Protection Adjustment Act – Science and Research (Datenschutz-Anpassungsgesetz 2018 – Wissenschaft und Forschung – WFDSAG 2018).
  • Further amendments in other laws have been made by the Second General Data Protection Adjustment Act, which was passed in June 2018 and applies retroactively.
  • Finally, ordinances were also passed regulating respectively the cases where a data privacy impact assessment is obligatory (the Obligatory DPIA Ordinance – DSFA-V) and the exemptions from the obligation to conduct a data privacy impact assessment (the DPIA Exemptions Ordinance – DSFA-AV).
Azerbaijan

Heavy

 

B

The Bahamas

Moderate

  • The Bahamas was one of the first Caribbean countries to enact a Data Protection (Privacy of Personal Information) Act, 2003 (DPA) which applies to the processing of personal data by both the private and public sectors.
  • The Commissioner has various powers under the Act, such as the capacity to prohibit the transfer of personal data outside the Bahamas under specific circumstances.
  • The Commissioner published several informational brochures, a Guide for Data Controllers, and other material between 2010-2015.
Bahrain

Moderate

  • Bahrain enacted Law No. 30 of 2018 with respect to Personal Data Protection (“PDPL”) on July 12, 2018.
  • The PDPL is the main data protection regulation in Bahrain, and came into force on August 1st 2019. 
  • The Law serves as the main piece of legislation with respect to data protection issues.
  • It is worth noting that the Law recently entered into force, therefore many procedural and regulatory issues which are to be decided by the Data Protection Authority’s resolution are yet to be issued.
  • It should be noted that, as per Resolution No. 78 of 2019 (only available in Arabic), published in the Official Gazette on 3 October 2019, the Ministry of Justice and Islamic Affairs shall exercise the duties of the Authority.
Bangladesh

Limited

  • The basic framework of data protection and privacy is laid out by the rights of privacy granted under the Constitution of Bangladesh (‘the Constitution’), along with the Information Communication Technology Act 2006 (only available in Bengali) (‘the Technology Act’) and the Digital Security Act, 2018 (‘the Digital Security Act’).
Barbados

Limited

  • Barbados is much closer to the implementation of a modern data protection regime.
  • The Data Protection Bill 2019 (‘the Bill’) was passed by the Senate on 24 July 2019 and by the House of Assembly on 6 August 2019. Whilst it is not yet passed into law, it is forthcoming.
Belarus

Moderate

  • Belarus’ data protection regulation is based on the Law of Information, Informatisation and Data Protection of 10 November 2008 and the Law on Population Register of 21 July 2008.
  • Legal requirements on technical measures are developed in a number of legal acts. The Edict of the President of the Republic of Belarus of 18 April 2013 No 196 is one of the most significant of these acts. 
  • Belarus is expected to adopt the Law on Personal Data Protection in 2021. This will be the first legal act intended especially for the regulation of personal data protection issues.
  • The Law of 7 May 2021 No. 99-Z on Personal Data Protection (‘the PDP Law’) sets out general principles of processing of personal data, provides for basic terminology in that field, defines the rights of data subjects as well as obligations of operators (similar to data controllers in General Data Protection Regulation (Regulation (EU) 2016/679) (‘GDPR’)) and their authorised persons (similar to data processors in the GDPR), including obligations on measures for the protection of personal data. The PDP Law comes into force on 15 November 2021.
  • A number of legislative amendments are expected in order to implement the provisions of the PDP Law. In particular, it is expected that there will be amendments to the system of information relations currently established in the Law of 10 November 2008 No. 455-Z on Information, Informatization and Protection of Information.
    Belgium

    Heavy

    Belize

    Limited

    • Belize is lacking thorough regulation of privacy.
    • Currently, privacy is only expressly considered in the Belize Constitution, though references can be found in some laws which regulate public and private entities, and which are required to obtain personal information.
    Benin

    Moderate

    Bhutan

    Limited

    Bolivia

    Limited

    Bosnia and Herzegovina

    Moderate

    • The Law on Protection of Personal Data (‘Official Gazette of BIH’, nos. 49/06, 76/11 and 89/11) (DP Law) is the governing law regulating data protection issues in Bosnia and Herzegovina (BiH). The DP Law came into force on July 4, 2006 and was amended on October 3, 2011.
    • Due to the deficiencies and non-alignment of the DP Law with the GDPR, in 2018, the competent authorities initiated the procedure for the adoption of a new GDPR compliant data protection law.
    • According to publicly available information, the draft of the new data protection law (Draft Data Protection Law) was forwarded to the Ministry of Civil Affairs and the adoption procedure before the Parliament should have been initiated.
    • However, due to the complex political situation as well as the Covid-19 pandemic, the Draft Data Protection Law has not been adopted to date. We expect the Draft Data Protection Law to be adopted in its current text within 2021.
    Botswana

    Limited

    • Prior to the introduction of the Data Protection Act, 2018, Botswana did not have any primary legislation that regulated the protection of personal data.

    • The Data Protection Act, which was assented to by Parliament on 3 August 2018, is currently on notice, awaiting commencement.

    • The Data Protection Act defines what constitutes personal data, as well as outlines the rights and obligations of parties involved in the processing of personal data, including the data subject, data controller and data processor.

    • Further, the Data Protection Act establishes the Information and Data Protection Commission (‘the Commission’), which will be responsible for ensuring the effective application of the Data Protection Act after its commencement.

    Brazil

    Moderate

    • The Brazilian General Data Protection Law (LGPD), Federal Law no. 13,709/2018, has been in force since September 18, 2020 after several discussions and postponements. The LGPD was largely aligned to the EU General Data Protection Regulation (GDPR).
    • The LGPD is in force; however, any penalties issued will only be enforceable starting August 2021.
    • Prior to the LGPD, data privacy regulations in Brazil consisted of various provisions spread out across Brazilian legislation.
    Brunei

    Limited

    • No legislation or common law protects the privacy of information upon which an individual can be directly or indirectly identified. 
    Bulgaria

    Heavy

    Burkina Faso

    Moderate

    Burundi

    Limited

    • Burundi does not have a law that specifically regulates personal data protection. 
    • Several laws and regulations do contain data protection provisions or impose confidentiality obligations on specific types of personal information such as laws surrounding employment, telecommunications, and health sectors. However, Burundi is yet to implement a stand-alone statutory provision for the protection of data. 
     

    C

    Cabo Verde

    Moderate

    • Cape Verde provides individuals with several constitutional and statutory rights to personal data protection.
    • Major provisions in the data protection laws are effectively reproduced in the Constitution, which provides an additional layer of legitimacy.
    • Law No. 133, passed in 2001, was Cape Verde’s original data protection law. It closely mirrored European data protection laws at the time, as Cape Verde’s legal system largely draws from that of the Portuguese.
    • Law No. 41 was passed in 2013 to supplement and update Law No. 133, and Law No. 42 was subsequently passed to detail the responsibilities of the Cape Verdean data protection authority, known as the Comissão Nacional de Proteção de Dados Pessoais (CNPD).
    • Law No. 42 establishes the CNPD as an independent administrative authority responsible for enforcing the data protection laws of Cape Verde.
    Cambodia

    Limited

    Cameroon

    Limited

    • Protecting data has become a major regulatory and legislative concern in Cameroon.
    • As a specific data protection law is yet to be adopted, it is quite challenging for users to control the use of their data.
    • However, Cameroon is preparing a privacy bill (‘the Bill’), according to the competent services of the Ministry of Posts and Telecommunications.
    • The drafting of the Bill is ongoing.
    Canada

    Heavy

    Chad

    Limited

    • By Law No. 007/PR/2015 on the Protection of Personal Data, the Republic of Chad has organised the protection of personal data.
    • The purpose of this law is to put in place a mechanism to protect private and professional life following the collection, processing, transmission, storage, and use of personal data, subject to the protection of public order.

     

     

    Chile

    Moderate

    • Chile approved its first regulation on data privacy back in 1999, Law No. 19.628 on the Protection of Private Life 1999, which was the first of its kind in Latin America.
    • After a very short period, the Law became obsolete and has practically no enforcement due to the lack of a catalogue of violations, no official data privacy authority, and low fines, among other flaws.
    • In 2010, Chile became a member of the Organisation for Economic Co-operation and Development (‘OECD’), committing to adapt data protection regulation and regularise the cross-border data flow.
    • On 15 March 2017, the Government presented Bill No. 11144-07 Regulating the Processing and Protection of Personal Data and Creating the Personal Data Protection Authority that modifies the Law based on GDPR standards and creates a data protection agency.
    • Its legislative process has been very slow, with countless indications, and it is still in the first legislative process.
    • Moreover, in 2018, data protection was incorporated as a constitutional guarantee.
    • In order to expedite the remaining stages of the legislative procedure, on 15 December 2020, the Government decided to place the Bill into an ‘urgent’ category. The Government expects the Bill to be approved during 2021.
    China

    Heavy

    There is not a single comprehensive data protection law in the People’s Republic of China (PRC), although one has now been proposed (see below).

    Instead, rules relating to personal information protection and data security are part of a complex framework and are found across various laws and regulations.

    On June 1, 2017, the PRC Cybersecurity Law came into effect and became the first national-level law to address cybersecurity and data privacy protection.

    Following this, there has been an abundance of implementing regulations and guidelines (herein referred to as Guidelines) proposed, issued or revised to flesh out the essentials and concepts introduced under the PRC Cybersecurity Law. These include, non-exhaustively:

    The Decision has the same legal effect as law, and its purpose is to protect online information security, safeguard the lawful rights and interests of citizens, legal entities or other organizations, and ensure national security and public interests. While the PIS Specification and other Guidelines are only technical guides (covering in detail key issues such as data transfers, sensitive personal information and data subject rights), and thus not legally binding, they are highly persuasive.

    Provisions contained in other laws and regulations may also apply depending on the industry or type of information involved (for example, personal information obtained by financial institutions and e-commerce businesses, personal information collected by telecom or Internet service/content providers, healthcare and genetic information, etc.).

    On October 21, 2020, a draft PRC Personal Information Protection Law (Draft PIPL) was published for consultation. If passed, the Draft PIPL would be the first comprehensive national level personal information protection law in the PRC, creating binding compliance obligations previously considered recommended practice (under the Guidelines), and requiring organizations to comply with new compliance steps. It remains unclear when the Draft PIPL will be promulgated, though further draft(s) are anticipated and likely before it is finalised.

    Colombia

    Moderate

    • Colombia has various statutory provisions relating to data privacy.
    • Statutory Law 1266 of 2008 (Law 1266) regulates the processing of financial data, credit records and commercial information collected in Colombia or abroad.
    • Law 1266 defines general terms on habeas data and establishes basic data processing principles, data subject rights, data controller obligations and specific rules for financial data.
    • Furthermore, Statutory Law 1581 of 2012 (Law 1581) regulates all personal data processing, as well as databases. Law 1581 defines special categories of personal data, including sensitive data and data collected from minors.
    • The law further regulates the obtention of authorisation to treat personal data and the procedures for data processing. Moreover, the law creates the National Register of Data Bases (NRDB).
    • Law 1581 is applicable to all data collection and processing in Colombia, except data regulated under Law 1266 and certain other types of data or regulated industries.
    • Decree 1377 of 2013 (Decree 1377) is a piece of secondary regulation related to Law 1581 which outlines requirements for personal and domestic databases regarding authorization of personal data usage and collection, limitations to data processing, cross-border transfer of databases and privacy warnings, among others. This Decree also requires controllers and processors to adopt a privacy policy and privacy notice.
    • Decree 886 of 2014 (Decree 886) and Decree 090 of 2018 (Decree 090), issued by the Ministry of Commerce, Industry and Tourism, as well as Resolution 090 of 2018, issued by the Superintendence of Industry and Commerce, regulate the National Register of Data Bases and set deadlines for registration of existing data bases in Colombia.
    Congo, Republic of the

    Limited

    • Specific legislation on data protection has been approved relatively recently in the country.
    • On 10 October 2019, the Republic of Congo (‘Congo’) adopted Law 29-2019 on the Protection of Personal Data. The Law’s main objectives are to:
      • set up a framework that ensures the protection of the fundamental rights and freedoms of natural persons, namely their privacy, regarding the processing of personal data;
      • guarantee that information technology and communication remain at the service of citizens and do not infringe private and public freedoms, in particular the right to private life;
      • ensure that, while the processing of personal data is conducted according to the fundamental rights, State prerogatives are also considered, as well as the rights of decentralised public administration entities, and the interest of companies and the civil society.
    • The majority of the essential principles and diligence arising from the Law are similar to those established under the GDPR. This may be related to the fact that it is a very recent law that was enacted following the EU application of the GDPR.
    • Moreover, the Law also contains provisions regarding privacy in the electronic communications sector that also reflect the principles underlying the EU’s Directive on Privacy and Electronic Communications (2002/58/EC) (as amended) (‘the ePrivacy Directive’).
      Costa Rica

      Moderate

      • Data privacy regulation in Costa Rica is contained in two laws.
      • Law No. 7975, the Undisclosed Information Law, which makes it a crime to disclose confidential and/or personal information without authorization.
      • Law No. 8968, Protection in the Handling of the Personal Data of Individuals together with its by-laws, which were enacted to regulate the activities of companies that administer databases containing personal information. Therefore, the scope of the second law is limited.
      Côte d’Ivoire

      Limited

      • Data protection in Ivory Coast is governed by Law No. 2013-450, which details enforcement responsibilities for the Autorité de régulation des télécommunications/TIC de Cote d’Ivoire (ARTCI).
      • Under Law No. 2013-450, individuals have the right to:
        • obtain all of their personal data in an understandable form, as well as any available information as to the origin;
        • object, for legitimate reasons, to the processing of personal data concerning them;
        • oppose the processing of their personal data for prospecting purposes;
        • correct, supplement, update, lock, or delete personal data where it is inaccurate or incomplete; and
        • not be subject to decisions made on the sole basis of automated processing that would produce significant or detrimental legal repercussions for them.
      Croatia

      Heavy

      • The General Data Protection Regulation (Regulation (EU) 2016/679) (GDPR) is a European Union law which entered into force in 2016 and, following a two-year transition period, became directly applicable law in all Member States of the European Union on May 25, 2018, without requiring implementation by the EU Member States through national law.
      • The Act on the Implementation of the General Data Protection Regulation (in Croatian as Zakon o provedbi Opće uredbe o zaštiti podataka) was enacted in the Croatian Parliament on April 27, 2018 and came into force on May 25, 2018 (the ‘Act’).
      • Also, the Act on Healthcare Data and Information, which came into force on 15 February 2019, regulates rights, obligations and responsibilities of legal and natural persons within the Croatian healthcare system with respect to healthcare data and information and, inter alia, sets out fundamental principles and standards of their collection, processing and protection.
      Cuba

      Limited

      • There is currently no data protection legislation enacted in Cuba. 
      Cyprus

      Heavy

      Czech Republic

      Heavy

      • The General Data Protection Regulation (Regulation (EU) 2016/679) (GDPR) is a European Union law which entered into force in 2016 and, following a two-year transition period, became directly applicable law in all Member States of the European Union on May 25, 2018, without requiring implementation by the EU Member States through national law.
      • The new Czech Act No. 110/2019 Coll., on Personal Data Processing, being the Czech GDPR implementation law, finally came into effect on 24th April 2019.
      • This statute fully replaced the older Personal Data Protection Law (Act No. 101/2000 Coll., as amended) and regulates personal data processing within the scope of Regulation (EU) 2016/679, as well as the processing of such data by competent authorities for preventing, searching for and detecting criminal activity, ensuring safety and public order, etc.
      • It also regulates the jurisdiction of the Office for personal data protection and personal data processing at the time of ensuring defence and security of the Czech Republic.
       

      D

      Denmark

      Heavy

      • The General Data Protection Regulation (Regulation (EU) 2016/679) (GDPR) is a European Union law which entered into force in 2016 and, following a two-year transition period, became directly applicable law in all Member States of the European Union on May 25, 2018, without requiring implementation by the EU Member States through national law.
      • To implement the GDPR, the Danish Parliament enacted the Danish Act on Data Protection on May 17, 2018, enforceable on May 25, 2018 and replacing the previous Danish Act on Processing of Personal Data (Act no. 429 of 31/05/2000).
      • Hence, data protection and processing in Denmark is now regulated by the GDPR as supplemented by the Danish Data Protection Act.
      • The Danish Data Protection Act does not apply to Greenland and the Faroe Islands.
      Djibouti

      Limited

      • There is currently no general data protection legislation.
      • There is currently no general data protection authority.
      Dominica

      Limited

      • There is currently no general data protection legislation.
      • There is currently no general data protection authority.
      Dominican Republic

      Moderate

      • Section 44 of the Dominican Constitution recognizes citizens’ right to access their personal data stored in public or private databases, as well as their right to information concerning the purpose and use of the same.
      • The Constitution also establishes that the processing of personal data must be carried out in accordance with the principles of:
        • Reliability
        • Legality
        • Integrity
        • Security, and
        • Purpose of the information
      • The collection, storage and safekeeping of personal data, as well as usage and access rights concerning such personal data, are governed by the provisions of Law No. 172-13 on the Protection of Personal Data enacted December 13, 2013 (DPL).

       

       

      E

      East Timor (Timor-Leste)

      Limited

      • There is currently no general data protection legislation.
      • There is currently no general data protection authority.
      Ecuador

      Moderate

      • The National Assembly of Ecuador enacted on 26 May 2021 the Personal Data Protection Law. This is the first specific legal regulation about personal data protection.
      • The Law is currently in force; however, some provisions will enter into force within the next two years (until May 2023), such as:
        • any processing of personal data carried out prior to the entry into force of the Law must be brought into compliance with the provisions of the Law within two years of its publication;
        • provisions related to corrective measures and the sanctioning regime; and
        • all personal data controllers must adapt the international transfer of personal data to the new legislation.
      • In general terms, the Law reflects the principles and procedures set forth in the General Data Protection Regulation (‘GDPR’) enacted by the European Union. Therefore, a company that has experience in the regulatory and day-to-day aspects of the GDPR should not find it difficult to comply with the requirements of the local law.
      • The appointment of the person who will head the Personal Data Protection Authority, known as the Data Protection Superintendency (‘the Superintendency’), is pending; the Superintendency must in turn issue the secondary regulations to regulate different aspects of the Law.
      Egypt

      Robust

      • On 13 July 2020, Egypt’s Government issued its long-awaited Data Protection Law, which establishes various standards and controls governing the processing and handling of personal data. The Law was published in the Official Gazette on 15 July 2020.
      • The Law is part of a growing trend of countries enacting comprehensive data protection laws, which reflect the European General Data Protection Regulation (GDPR).
      • The Law aims to safeguard the rights of individuals in Egypt in respect of their personal data and to place responsibilities on businesses in how they process personal data.
      • The enactment of the Law brings a new standalone data protection and privacy regime to Egypt.
      El Salvador

      Limited

      • Currently, El Salvador does not have a law that specifically regulates data protection. 
      • The Government is currently working on a data protection bill that would provide more specific rules and norms that facilitate an effective protection of this right.
      • Its enactment was expected for 2020, however it is still pending.
      Equatorial Guinea

      Limited

      • Law No. 1/2016 on the Protection of Personal Data (there is currently no available copy of the Law)
      • The Governing Body for the Protection of Personal Data is to be the authority governing data protection law, although it is not yet operational.

       

      Eritrea

      Limited

      • There is currently no general data protection legislation.
      • There is currently no general data protection authority.
      Estonia

      Heavy

      • The General Data Protection Regulation (Regulation (EU) 2016/679) (GDPR) is a European Union law which entered into force in 2016 and, following a two-year transition period, became directly applicable law in all Member States of the European Union on May 25, 2018, without requiring implementation by the EU Member States through national law.
      • In Estonia, all derogations / additional requirements to the GDPR are provided in the new Personal Data Protection Act (PDPA) and the Personal Data Protection Implementation Act (Implementation Act).
      • The new PDPA was adopted by the Estonian parliament on December 12, 2018 and entered into force on January 15, 2019. The Implementation Act was adopted on February 20, 2019 and entered into force on March 15, 2019.
       

      F

      Fiji

      Limited

      • There is currently no general data protection legislation.
      • There is currently no general data protection authority.
      •  Whilst there is no general data protection law in Fiji, the Constitution of the Republic of Fiji (2013) provides for a right to privacy, which includes a right to the confidentiality of personal information.
      • In addition, there are sectoral laws regulating electronic transactions, cybercrime, and consumer protection.
      Finland

      Heavy

      France

      Heavy

      • The General Data Protection Regulation (Regulation (EU) 2016/679) (GDPR) is a European Union law which entered into force in 2016 and, following a two-year transition period, became directly applicable law in all Member States of the European Union on May 25, 2018, without requiring implementation by the EU Member States through national law.
       

      G

      Gabon

      Limited

      • Gabon has a data protection law specifically addressing global protection for information identifying individuals.
      • The Gabon data protection authority, the Commission Nationale pour la Protection des Données à Caractère Personnel (‘CNPDCP’), has entered into discussions periodically with civil society and its representatives regarding various matters (such as employee unions), addresses formal data complaints and has carried out training programs and awareness activities, so there is awareness of data protection in the country.
      • However, there is very limited available information on sanctions and penalties issued by the local data protection authority, and enforcement trends are therefore difficult to identify and predict.
      The Gambia

      Limited

      • There is currently no general data protection legislation.
      • There is currently no general data protection authority.
      • However, data protection provisions are included in both sectoral national legislation and policies and continental conventions and acts.
      Georgia

      Heavy

      Germany

      Heavy

      • The General Data Protection Regulation (Regulation (EU) 2016/679) (GDPR) is a European Union law which entered into force in 2016 and, following a two-year transition period, became directly applicable law in all Member States of the European Union on May 25, 2018, without requiring implementation by the EU Member States through national law.
      • Germany has adjusted the German legal framework to the Federal Data Protection Act of 30 June 2017 (implementing the GDPR) (Bundesdatenschutzgesetz – ‘BDSG’).
      • The BDSG was officially published on July 5, 2017 and came into force together with the GDPR on May 25, 2018. The purpose of the BDSG is especially to make use of the numerous opening clauses under the GDPR which enable Member States to specify or even restrict the data processing requirements under the GDPR.
      • In addition to the BDSG, there exist a number of data protection rules in area-specific laws, for example those regulating financial trade or the energy sector. Many of these laws have been adapted to the GDPR by the Second Data Protection Adaptation and Implementation Act EU (Zweites Datenschutz-Anpassungs- und Umsetzungsgesetz EU – ‘2. DSAnpUG-EU’), which generally entered into force on November 26, 2019. However, some particularly relevant laws have so far remained unchanged, most notably the Telemedia Act (Telemediengesetz – ‘TMG’), raising questions about the continued applicability of the data protection rules contained therein.
      Ghana

      Moderate

      • The primary legislation governing privacy/data protection in Ghana is the Data Protection Act, 2012 (Act 843).
      • The 1992 Constitution of the Republic of Ghana (‘the Constitution’) is the supreme law of Ghana and it is the instrument from which every piece of legislation derives its validity in Ghana.
      • The primary legislation which protects data privacy is the Data Protection Act, 2012 (‘the Data Protection Act’). The purpose of the Data Protection Act is to establish a Data Protection Commission (‘DPC’), to protect individuals’ privacy and personal data by regulating the processing of personal information.
      Greece

      Heavy

      • The General Data Protection Regulation (Regulation (EU) 2016/679) (GDPR) is a European Union law which entered into force in 2016 and, following a two-year transition period, became directly applicable law in all Member States of the European Union on May 25, 2018, without requiring implementation by the EU Member States through national law.
      • The Greek Law 4624/2019 “on the Hellenic Data Protection Authority, the implementation of Regulation 2016/679 and the transposition of Directive 2016/680” (Government Gazette A/137/29.08.2019) was enacted and entered into force on August 28, 2019.
      • The Law regulates the operation of the Hellenic Data Protection Authority, introduces GDPR supplementary rules and transposes the Law Enforcement Directive into Greek Law.
      Grenada

      Limited

      • There is currently no general data protection legislation.
      • There is currently no general data protection authority.
      Guatemala

      Limited

      • There is currently no general data protection authority.
      • Although the Political Constitution of the Republic of Guatemala (‘the Constitution’) recognises privacy and data privacy rights as a constitutional right, there is no specific law currently regulating data privacy.
        Guinea

        Limited

        • There is currently no general data protection legislation.
        • There is currently no general data protection authority.
        • Although, as yet, there is no general data protection framework in Guinea, data privacy is addressed in several pieces of legislation.
        • These include the Constitution of Guinea 2010, as well as previous iterations of the constitution, which states under Article 12 that the secrecy of correspondence and communication is inviolable, and highlights the right to the protection of privacy.
        Guinea-Bissau

        Limited

        • There is currently no general data protection legislation.
        • There is currently no general data protection authority.
        Guyana

        Limited

         

        H

        Haiti

        Limited

        • There is currently no general data protection legislation.
        • There is currently no general data protection authority.
        Honduras

        Limited

        • Personal data protection is regulated mainly in:
        • National Constitution: Article 182 provides the constitutional protection of habeas data, giving individuals the right ‘to access any file or record, private or public, electronic or hand written, that contains information which may produce damage to personal honour and family privacy. It is also a method to prevent the transmission or disclosure of such data, rectify inaccurate or misleading data, update data, require confidentiality and to eliminate false information. This guarantee does not affect the secrecy of journalistic sources.’
        • In addition, the Law for the Protection of Confidential Personal Data (the “Law”) is currently in discussion in the Honduran Congress. Congress has approved the first chapters of the Law. The complete approval of the Law and the date for when the Law will enter into force are expected in the first half of 2019.
        Hungary

        Heavy

        Hong Kong

        Heavy

        The Personal Data (Privacy) Ordinance (Cap. 486) (Ordinance) regulates the collection and handling of personal data. The Ordinance has been in force since 1996, but in 2012/2013 was significantly amended (notably with regard to direct marketing).

        A consultation paper was put before the Legislative Council in January 2020 (Consultation Paper) to propose certain changes to the Ordinance with the aim of strengthening data protection in Hong Kong. There is no indication on the timeline of any legislative amendments to the Ordinance.

         

        I

        Iceland

        Heavy

        • The General Data Protection Regulation (Regulation (EU) 2016/679) (GDPR) is a European Union law which entered into force in 2016 and, following a two-year transition period, became directly applicable law in all Member States of the European Union on May 25, 2018, without requiring implementation by the EU Member States through national law.
        • The Act No. 90/2018 on Data Protection and the Processing of Personal Data (the ‘DPA’) implements the GDPR in Iceland. The law contains derogations and exemptions from the position under the GDPR in certain permitted areas.
        India

        Limited

        • The Constitution of India (‘the Constitution’) recognises a fundamental right to privacy.
        • This constitutional right casts a long shadow on Indian law and influences policy and judicial action and acts as a check on legislative and executive action. In addition to the public law implications, this right has influenced the development of a tortious right against the invasion of privacy and the interpretation of rights embodied in laws on consumer protection, health, IT, telecom licences, and the financial sector.
        • At present, the Information Technology Act, 2000 (the Act) and rules notified thereunder largely govern data protection in India.
        Indonesia

        Limited

        • In Indonesia, as of the date of this publication there is no general law on data protection.
        • Currently, Indonesia takes a patchwork approach to personal data protection legislation, with provisions related to data privacy appearing in several different pieces of legislation. In particular, Law No. 11 of 2008 on Electronic Information and Transactions, as amended by Law No. 19 of 2016 on the Amendment to Law No. 11 of 2008 on Electronic Information and Transactions  provides certain data privacy rights.
        • In addition, the Kominfo Regulation No. 20 of 2016 on Personal Data Protection in Electronic Systems (‘Kominfo Regulation 20’) establishes significant data protection requirements for electronic system providers, and Government Regulation No. 71 of 2019 regarding the Implementation of Electronic Systems and Transactions (only available in Indonesian here) (‘GR 71’) outlines the procedural guidelines for the Law No. 11 of 2008 on Electronic Information and Transactions.
        • However, a new draft Bill on the Protection of Private Personal Data has been under discussion for a number of years but, to date, has not been issued. Although the exact date remains uncertain and the Bill is still to be considered by the House of Representatives, if passed, this will become Indonesia’s first comprehensive law to specifically deal with the issue of data privacy.
        • The PDP Bill, if enacted, is expected to unify this system under a singular, comprehensive approach to personal data protection.
        • The PDP Bill is further anticipated to establish data sovereignty and security as the keystone of Indonesia’s data protection regime, and to introduce notable obligations for data owners and users. However, there are certain regulations concerning the use of electronic data.
        Iran

        Limited

        • Iran has not enacted comprehensive data protection legislation.
        • A Draft Protection of Personal Data Law (only available in Persian here) (‘the Draft Law’) has been announced by MICEX and it is awaiting review from the Islamic Parliament of Iran, however the expected timeframe for parliamentary deliberations has not been clarified.

        • In particular, the Draft Law provides for the establishment of the Supervisory Board of Personal Data, which would be tasked with receiving and processing stakeholder complaints to protect personal data.

        • In the absence of an overarching data privacy law, the legal framework for privacy derives from a patchwork of other laws and regulations dealing with data protection alongside additional matters. Such legislation includes the Law on Publication and Access to Data 2009, the Electronic Commerce Law 2004, and the Cybercrime Law 2009 (only available to download in Persian here).

        Iraq

        Limited

        • There is no codified law that governs data protection in Iraq.
        • Data protection is governed briefly under various laws including the Iraqi Constitution, the Iraqi Penal Code No. 111 of 1969 (‘the Penal Code’), the Iraqi Civil Code (only available in Arabic here), and other laws which are sector-specific (e.g. banking laws, securities laws, labour laws, tax laws, etc.).
        • While a data protection law has been recently passed, it only applies to government entities, with the private sector remaining largely unregulated and subject to only piecemeal rules.
        • There are no data protection initiatives for the private sector. However, the Iraqi Government has been contemplating a cybercrime law for some time now.
        Ireland

        Heavy

        • The General Data Protection Regulation (Regulation (EU) 2016/679) (GDPR) is a European Union law which entered into force in 2016 and, following a two-year transition period, became directly applicable law in all Member States of the European Union on May 25, 2018, without requiring implementation by the EU Member States through national law.
        • The Irish Data Protection Act 2018 (“DP Act”) came into force on 25 May 2018 in order to give further effect to the GDPR in Ireland. The DP Act includes certain derogations, provides for the establishment of a new Data Protection Commission, implements the Law Enforcement Directive and otherwise addresses procedural aspects of the enforcement of data protection in Ireland.
        • The previous data protection legislation in Ireland, the Data Protection Acts 1988 to 2003, were largely repealed by the DP Act, however those Acts continue to apply in relation to certain limited purposes including national security and defence. Additionally, the previous legislation continues to apply in relation to complaints or infringements which occurred prior to 25 May 2018 as well as to investigations commenced (but not completed) prior to that date.
        Israel

        Robust

        Italy

        Heavy

        • The General Data Protection Regulation (Regulation (EU) 2016/679) (GDPR) is a European Union law which entered into force in 2016 and, following a two year transition period, became directly applicable law in all Member States of the European Union on 25 May 2018, without requiring implementation by the EU Member States through national law.
        • The Italian data protection law framework has been harmonized with the GDPR by means of the Legislative Decree 101/2018, that entered into force on 19 September 2018, and amended a number of provisions of the Legislative Decree 196/2003 (the “Privacy Code”), as well as introduced some transitional provisions regulating the migration to the new regime.
         

        J

        Jamaica

        Heavy

        • Since the implementation of the EU General Data Protection Regulation (Regulation (EU) 2016/679) (‘GDPR’) there has been a race amongst territories in the Caribbean to enforce data protection legislation.
        • The bill for the Data Protection Act, 2020 (‘the Act’) was recently passed by the Government of Jamaica (‘the Government’) but has not yet been enacted.
        • The Act will not come into operation until the Government has publicly appointed a date that the Act will take effect. Additionally, data controllers will have a transition period of two years from the appointed date to take the necessary steps to ensure full compliance with the requirements under the Act.
        Japan

        Robust

        • The Act on the Protection of Personal Information (“APPI”) regulates privacy protection issues in Japan, and the Personal Information Protection Commission (“PPC”), a central agency, acts as a supervisory governmental organization on issues of privacy protection.
        • The APPI was originally enacted in 2003 but was amended and the amendments came into force on 30 May 2017. Note that a bill to amend the APPI (‘the 2020 Amendments’) passed the National Diet of Japan on 5 June 2020 and was promulgated on 12 June 2020.
        • The 2020 Amendments will come into force on a date specified by a cabinet order, which is not later than two years from the date of promulgation.
        Jordan

        Limited

        • Although Jordan does not currently have a data protection law in place, the country is taking steps to bring in legislation aimed at the protection of personal data.
        • In 2014, the Ministry of Digital Economy and Entrepreneurship submitted a draft data protection bill (‘the Draft Bill’) which proposed, among other things, the establishment of an assigned council for the privacy commission.
        • In addition, a committee consisting of different ministries, governmental authorities and civil society organisations, was formed to discuss the Draft Bill.
        • The Draft Bill appears to be based on the EU’s General Data Protection Regulation (Regulation (EU) 2016/679) (‘GDPR’) and incorporates some of the main principles of the GDPR such as transparency, accuracy, storage limitation, and data minimisation.
        • An updated version of the Draft Bill was issued on 23 January 2020, however, a final version has yet to be approved. Until such a law comes into effect, data protection in Jordan will be regulated through the Constitution and sectoral legislation.
         

        K

        Kazakhstan

        Limited

        • The main legal act regulating personal data in Kazakhstan is the law of the Republic of Kazakhstan No. 94-V dated May 21, 2013 ‘On Personal Data and Its Protection’ (the ‘Law’).
        • Data protection has been a significant area of interest for the Government of the Republic of Kazakhstan (‘the Government’).
        • At present, the Personal Data Law provides general regulations on the collection and processing of personal data, and notably includes broad requirements for data localisation.
        • In addition, the Law on Amendments and Additions to Some Legislative Acts of the Republic of Kazakhstan on the Regulation of Digital Technologies (only available in Kazakh here) (‘the Amendment Law’) was introduced in July 2020, significantly extending data protection obligations for organisations.
        • The Amendment Law introduces, among other things, further requirements for data collection and processing, obligations for data operators (similar to data processors), and redefines key concepts. The Amendment Law further establishes the competency of the data protection authority including its powers and role.
          Kenya

          Moderate

          • The Constitution of Kenya (‘the Constitution’) guarantees the right to privacy as a fundamental right.

          • To give effect to this constitutional right under Article 31(c) and (d), the Data Protection Act, 2019 (‘the Act’) was enacted and came into effect on 25 November 2019.

          • The Act has not been implemented and progress towards implementation started in November 2020 with the appointment of the Data Protection Commissioner (‘the Commissioner’).

          • As of the date of publication, the Office of the Data Protection Commissioner is in the process of setting up operations.

          • A key action the Office of the Data Protection Commissioner has taken, through the ICT Advisory Committee on COVID-19, was the development of the Guidance Note on Access to Personal Data During COVID-19 Pandemic (‘COVID-19 Guidelines’).

          • The COVID-19 Guidelines were put out for public and stakeholder participation on 12 January 2021, and closed on 9 February 2021. Upon implementation, the COVID-19 Guidelines are expected to provide policy guidance on processing personal data to actualise responses to and research on the COVID-19 pandemic.

          Kiribati

          Limited

          • There is currently no general data protection legislation.
          • There is currently no general data protection authority.
          Korea, South

          Moderate

          • Under the Constitution of South Korea (‘the Constitution’), the rights to privacy, privacy of communications and freedom of expression are recognised as fundamental rights.
          • In addition, the Constitutional Court of South Korea (‘Constitutional Court’) and Supreme Court of South Korea (‘Supreme Court’) have established through subsequent court decisions that the right to informational self-determination should be viewed as a separate fundamental right, despite not being stipulated in the Constitution.
          • The main law and regulations related to data protection are the Personal Information Protection Act 2011 (as amended in 2020) (‘the PIPA’) and its implementing regulations, which regulate the collection, usage, disclosure, and other processing of personal information by governmental or private entities as well as individuals.
          • The data protection laws in South Korea provide very prescriptive specific requirements throughout the lifecycle of the handling of personal data. Under these laws, the data subject’s consent is almost always required, in principle, to process his/her personal data.
          Kosovo

          Heavy

          • The protection of personal data in Kosovo is guaranteed by the Constitution of the Republic of Kosovo (‘the Constitution’).
          • Article 36, paragraph 4 of the Constitution stipulates that the collection, storage, access, correction, and use of personal data is regulated by law.
          • The first law regulating personal data protection was approved and entered into force in 2010, Law No.03/L – 172 on the Protection of Personal Data (‘the Law’). The Law established the basic principles and measures concerning the protection of personal data and the institution responsible for monitoring the legitimacy of data processing.
          • Following the entry into force of the General Data Protection Regulation (Regulation (EU) 2016/679) (‘GDPR’), the data protection law in Kosovo has been amended and aligned with the GDPR.
          Kuwait

          Limited

          • There is currently no general data protection legislation.
          • There is currently no general data protection authority.
          Kyrgyzstan

          Limited

          • The Law of the Kyrgyz Republic of 14 April 2008 No. 58 on Personal Information as amended by the Law of the Kyrgyz Republic of 20 July 2017 No. 129 (only available in Kyrgyz here and Russian here)  was adopted to govern personal data matters, on the basis of generally accepted international principles and standards in accordance with the Constitution of the Kyrgyz Republic (only available in Kyrgyz here and Russian here)  and other laws of the Kyrgyz Republic.
          • The Law on Personal Data ensures the protection of rights and freedoms related to the collection, processing, and use of personal data.
           

          L

          Laos

          Limited

          • From 2012, Laos has introduced this framework by circulating relevant information only. This trend has accelerated since 2015 with the publication of the Law on Cyber Crime. In addition, for both professionals and non-professionals, the authorities have provided a series of guidelines of best practices for the use of software and hardware, social media platforms, and better protection of electronic data.
          • The Electronic Data Protection Act 2017 (only available in Lao here) (‘the Act’) and The Ministry of Post, Telecommunications and Communications regulate Data Protection in Laos.
          • The Act came into force in 2017 providing data protection to Lao citizens in circumstances where electronic information is collected, accessed, used or disclosed.
          • The Act is supplemented by the Introduction on Implementation of the Electronic Data Protection Act (only available in Lao here), which sets out examples of how data protection procedures may be implemented by companies.
          Latvia

          Heavy

          • The General Data Protection Regulation (Regulation (EU) 2016/679)  (GDPR) is a European Union law which entered into force in 2016 and, following a two-year transition period, became directly applicable law in all Member States of the European Union on May 25, 2018, without requiring implementation by the EU Member States through national law.
          • The Personal Data Processing Law has been approved by the parliament and came into force on July 5, 2018. This law provides legal prerequisites for the implementation of the GDPR in Latvia and replaced the current Personal Data Protection Law.
          Lebanon

          Limited

          • While Lebanon does not have comprehensive data protection legislation, privacy provisions are contained in Law No. 81 of 10 October 2018 on Electronic Transaction and Personal Data (‘the Law’).
          • The Law does not establish an independent data protection authority; however, it provides that any intended data processing activity must be notified to the Ministry of Economy and Trade (‘the Ministry’).
          Lesotho

          Limited

          • The right to privacy is recognized and protected under the Constitution of the Kingdom of Lesotho.
          • Lesotho has established a Data Protection Act, 2013 (the DP Act). The DP Act provides principles for the regulation of the processing of any personal information in order to protect and reconcile the fundamental and competing values of personal information privacy.
          Liberia

          Limited

          • There is currently no general data protection legislation.
          • There is currently no general data protection authority.
          Libya

          Limited

          • There is currently no general data protection legislation.
          • There is currently no general data protection authority.
          Liechtenstein

          Heavy

          Luxembourg

          Heavy

          • The General Data Protection Regulation (Regulation (EU) 2016/679) (GDPR) is a European Union law which entered into force in 2016 and, following a two-year transition period, became directly applicable law in all Member States of the European Union on May 25, 2018, without requiring implementation by the EU Member States through national law.
          • Two Luxembourg Data Protection Laws of August 1, 2018 have been enacted to implement the GDPR:
            • The Law on the organization of the National Data Protection Commission (CNPD) and the general data protection framework. It has repealed the previous Law on Data Protection (amended Law of August 2, 2002) and completes the GDPR at the national level. Most of all it gives the framework for the CNPD’s organization, composition and powers under the GDPR and the applicable national law
            • The Law on the protection of individuals with regard to the processing of personal data in criminal matters as well as in matters of national security
             

            M

            Macedonia

            Heavy

            Madagascar

            Limited

            • Law No. 2014-038 relating to the protection of personal data is the main regulatory framework in Madagascar (the ‘Data Protection Law’).
            • The Law, adopted on 16 December 2014 and promulgated on 9 January 2015, declares that the processing of personal data is based on four main pillars, namely the principles of legitimate purpose and fairness of collection and processing, the existence of data subjects’ rights, the presence of an independent supervisory authority, and the establishment of an enforcement regime.
            • In relation to its scope of application, the Law covers the processing of personal data carried out by controllers established on the state territory, as well as processing that utilises means that are located on the national territory, even when the controller is not established in Madagascar.
            • CMIL, the independent authority responsible for the compliance with the principles provided in the Law, has not yet been established.
            Malawi

            Limited

            Malaysia

            Robust

            Maldives

            Limited

            • The Maldives has not yet enacted any comprehensive data protection legislation.
            • Therefore, matters pertaining to data protection fall under the right to privacy, which is protected in broad terms under the Constitution of the Republic of Maldives 2008 (‘the Constitution’), and Law No 6/2014 Penal Code of Maldives (‘the Penal Code’).
            • In addition, for specific industries, there are other laws of general application that involve data protection issues.
            Mali

            Moderate

            Malta

            Heavy

            • The General Data Protection Regulation (Regulation (EU) 2016/679) (GDPR) is a European Union law which entered into force in 2016 and, following a two-year transition period, became directly applicable law in all Member States of the European Union on May 25, 2018, without requiring implementation by the EU Member States through national law.
            • The  Data Protection Act 2018 (Act) (Chapter 586 of the Laws of Malta) and the Regulations (at present 8 in number) issued under it implement the requirements under GDPR.
            • The Act repealed and replaced the previous Data Protection Act (Chapter 440 of the Laws of Malta).
            • See Maltese legislation here.
            Marshall Islands

            Limited

            • While the Republic of Marshall Islands does not have a personal data protection law, nor any legislation governing cybersecurity, the Marshall Islands has participated in international discussions related to cybersecurity and is a member of the Pacific Cyber Security Operational Network which, among other things, aims to strengthen cybersecurity across the Pacific.
            • In addition, on 26 February 2018, the Parliament of the Republic of Marshall Islands (‘Nitijela’) passed the Declaration and Issuance of the Sovereign Currency Act 2018, which set the ground for the issuance of a digital decentralised currency based on blockchain technology, the Sovereign (‘SOV’), as a legal tender.
            • The SOV is set to be the first legal tender digital currency in the world, and a system of accredited verifiers and cryptographically signed SOV IDs are expected to be employed to protect user privacy.
            Mauritania

            Limited

            • Draft Law No. 2017 – 020 on the protection of the personal data (only available in French here) (‘the Draft Law’)
            • The Draft Law was adopted by the National Assembly on 22 June 2017 and sets out, among other things, requirements for data processing as well as data subject rights.
            • The Draft Law also lays the groundwork for the creation of a data protection authority. However, since the adoption of the Draft Law there have been minimal developments.
            • The Prime Minister outlined in his review of 2015-2017 and plan for 2018 (only available in French here) that the legal basis for Mauritanian information society, including the formation of a data protection authority and electronic certification authority, had been established.
            • Mauritania is one of several jurisdictions to have signed but not yet ratified the African Union Convention on Cyber Security and Personal Data Protection.
            Mauritius

            Moderate

            Mexico

            Moderate

            Micronesia, Federated States of

            Limited

            • There is currently no general data protection legislation.
            • There is currently no general data protection authority.
            Moldova

            Moderate

            • Law of 8 July 2011 No. 133 on Personal Data Protection (‘the Law’) provides general personal data protection provisions, establishing data subject rights such as the rights to access, rectification, or erasure, and requirements to appoint data protection officers and provide data processing notifications.
            • The Governmental Decision of 14 December 2010 No. 1123 on the Security of Personal Data within Automatic Databases (only available in Romanian here) established data breach notification requirements, as well as sanctions for failure to notify the NCPDP.
            • Moldova has an Association Agreement with the EU through which it has committed to ensuring adequate safeguards for the protection of personal data, and is a signatory of the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data (‘Convention 108’).
            • The Moldova EU Twinning Project is also particularly active, and a draft personal data protection law (only available in Romanian here) has been in discussion over the past few years that would further align Moldovan law with data protection requirements in the EU.
            Monaco

            Robust

            • Since then, the Act has been revised several times, most notably in 2008 to grant the Monegasque data protection authority (‘CCIN’) the status of an independent authority, and in 2015, to create a constitutionally compliant legal framework for the CCIN’s investigatory powers.
            • In consideration of the importance of the finance sector (which is officially classified as a ‘sector of vital importance’ in Monaco), the CCIN works closely with local professional associations such as the Monaco Association for Financial Activities and has issued several recommendations for financial entities on issues such as anti-money laundering and tax transparency obligations.
            Mongolia

            Limited

            • There is currently no general data protection legislation.
            • There is currently no general data protection authority.
            Montenegro

            Moderate

            • The Ministry of Interior prepared a draft of the new Personal Data Protection Act (only available for download in Croatian here) (‘Draft Law’), which was generally consistent with the text of the General Data Protection Regulation (Regulation (EU) 2016/679) (‘GDPR’), but omitted some important elements which the GDPR contains.
            • On 10 April 2019, the Ministry of Interior invited stakeholders to take part in public consultations about the Draft Law.
            • On 9 July 2019, the Ministry published a document detailing the received suggestions which it will accept or reject.
            • The Draft Law was under consideration by the European Commission as of October 2020, and the Parliament of Montenegro is expected to adopt the Draft Law in the first half of 2021.
            Morocco

            Robust

            • In Morocco, personal data protection is governed by Law n° 09-08 of 18 February 2009 (in French), relating to the protection of individuals with respect to the processing of personal data and by its Implementation Decree n° 2-09-165 of 21 May 2009 (in French).
            • The law was initially enacted to encourage foreign investment, including the offshoring and outsourcing of processing activities related to European residents’ personal data. Morocco is, indeed, an important player in the offshoring and outsourcing market due to its proximity to European markets as well as its competitive telecommunication infrastructure and multilingual workforce.
            • Since the adoption of the law, Morocco has made large efforts to ensure the effective protection of personal data and to have its data protection level recognized by the European Union to promote further international business. Moreover, Morocco requested an adequacy recognition decision from the European Commission as early as 2009. Today this request is still pending.
            Mozambique

            Limited

            • In Mozambique there is no specific legislation on data protection or privacy.
            Myanmar (Burma)

            Limited

            • There is no general data protection law in Myanmar.
             

            N

            Namibia

            Limited

            • Namibia has not enacted comprehensive data privacy legislation.
            Nauru

            Limited

            • Nauru has not enacted comprehensive data privacy legislation.
            Nepal

            Limited

            • Currently, Nepal does not have a unified data protection legislation.
            • The Individual Privacy Act 2075 (2018), enacted to implement and safeguard the fundamental right to privacy guaranteed by the Constitution, and the Individual Privacy Regulation 2077 (2020) (only available in Nepali here), framed thereunder, are regarded as the data protection legislation.
            • Other general laws such as the Country Civil Code 2074 (2017) (‘the Civil Code’) and the National Penal (Code) Act (2017) (‘the Criminal Code’) also contain general provisions relating to privacy and data protection.
            • Thus, in the absence of specific data control legislation, the Privacy Act and Privacy Regulation govern all aspects of data protection and privacy in Nepal.
            • In recent years, data breaches have been observed frequently in Nepal, in which the data of a large number of customers, including their names, mailing IDs and phone numbers, was leaked publicly.
            Netherlands

            Heavy

            • The General Data Protection Regulation (Regulation (EU) 2016/679) (GDPR) is a European Union law which entered into force in 2016 and, following a two-year transition period, became directly applicable law in all Member States of the European Union on May 25, 2018, without requiring implementation by the EU Member States through national law.
            • The Dutch GDPR Implementation Act (Uitvoeringswet AVG, the Implementation Act) constitutes the local implementation of the GDPR in the Netherlands.
            • The Implementation Act follows a policy-neutral approach, meaning that the requirements of the previous Dutch Data Protection Act (Wet bescherming persoonsgegevens) are maintained insofar as possible under the GDPR.
            • The Implementation Act provides for, among other things, national rules where this is necessary for the implementation of GDPR provisions on the position of the regulatory authority or the fulfilment of discretionary powers provided by the GDPR.

             

            New Zealand

             Robust

            • The Privacy Act 2020 and its Information Privacy Principles (IPPs) govern how agencies collect, use, disclose, store, retain and give access to personal information.
            • The Act gives the Privacy Commissioner the power to issue codes of practice that modify the operation of the Act in relation to specific industries, agencies, activities or types of personal information.
            • Enforcement is through the Privacy Commissioner.
            • The Privacy Commissioner can also issue compliance notices requiring agencies to do or refrain from doing something in order to comply with the Act.
            Nicaragua

             Moderate

            • Data protection in Nicaragua is regulated by the Law on Personal Data Protection No. 787 of 21 March 2012 (only available in Spanish here) (‘the Law’), published in the Official Gazette on 29 March 2012; and the Regulation of Law No. 787, Decree No. 36-2012 of 17 October 2012 (only available in Spanish here) (‘the Regulation’).
            • The purpose of the Law is to protect personal information filed/stored in public and/or private records.
            • Prior to the establishment of the Law and the Regulation, there was only a general constitutional provision establishing that all individuals are entitled to privacy.
            Niger

            Moderate

            • Niger hastened to legislate in the field to regulate the protection of personal data by providing a ‘legal arsenal’ of a preventive but also repressive nature.
            • In this respect, it referred to Law No. 2017-28 of 3 May 2017 on the Protection of Personal Data Law, amended and supplemented by Law N° 2019-71 of December 24, 2019 (only available in French here) (‘the Law’), which creates the High Authority for the Protection of Personal Data (‘HAPDP’).
            Nigeria

            Limited

            • Nigeria has not enacted comprehensive data privacy and protection legislation. However, various pending and enacted sector-specific laws contain privacy and data protection provisions.
            North Macedonia

            Moderate

            • The Republic of North Macedonia regulates personal data protection issues with the Law on Personal Data Protection, effective 24 February 2020. Data controllers and data processors have an 18-month period from the DP Law’s entry into force (i.e. until 24 August 2021) to harmonize their operations with the DP Law.
            • The DP Law is largely harmonized with the General Data Protection Regulation (GDPR) of the European Union (EU).
            Norway

            Heavy

            • The General Data Protection Regulation (Regulation (EU) 2016/679) (“GDPR”) is a European Union law which entered into force in 2016 and, following a two-year transition period, became directly applicable law in all Member States of the European Union on May 25, 2018, without requiring implementation by the EU Member States through national law.
            • The GDPR was incorporated in the EEA Agreement by a Joint Committee Decision dated July 6, 2018. The new Norwegian Personal Data Act (“PDA”) implements GDPR and became effective as of July 20, 2018.
             

            O

            Oman

            Limited

            • Oman does not currently have a standalone data protection law. Whilst Oman’s Constitution (Royal Decree No. 101 of 96) recognises an individual’s right to confidentiality in all forms of communication, it does not recognise the right to privacy as a fundamental right beyond this.
             

            P

            Pakistan

            Limited

            • Pakistan has not currently enacted data protection legislation per se similar to that enacted in other countries of the world; however, the Prevention of Electronic Crimes Act, 2016 (“PECA 2016”) at present serves the same purpose to a certain extent.
            • Moreover, a consultation draft of the Personal Data Protection Bill 2020 (“PDPB”) has been introduced by the Ministry of Information Technology and Telecommunications with a view to its being promulgated into law after public consultation, approval from both Houses of Parliament and receipt of assent from the President of Pakistan.
            Palau

            Limited

            • Palau has not enacted any data protection legislation.
            Panama

            Moderate

            • The Law No. 81 on Personal Data Protection 2019 (only available in Spanish here) (‘the Law’) has been enacted and entered into force on 29 March 2021.

            • In addition, rules to the Law were published on 28 May 2021, through Executive Order 285/2021 (only available in Spanish here) (‘the Rule’).

            • There are several laws, such as the National Constitution of the Republic of Panama (only available in Spanish here) (‘the Constitution’), which regulate personal data protection.

            • The Constitution outlines the right to privacy of personal communications and documents, the right to access information contained in databases held by public bodies or by private persons providing public services, as well as to request the correction, rectification, or deletion of such information.

            Papua New Guinea

            Limited

            Paraguay

            Limited

            • Law No. 6534/20 on the Protection of Personal Credit Data (only available in Spanish here) (‘the Credit Data Law’) entered into force on 28 October 2020 in Paraguay.
            • In particular, it established a new regime for the protection of credit data of all citizens, covering the incorporation, organisation, operation, rights, obligations, and termination of companies dedicated to obtaining and providing credit information, as well as the collection and processing of personal data.
            • The Credit Data Law also appoints two authorities able to impose sanctions for breaches. 
            Peru

            Moderate

            • Currently, in the midst of a technological era, the protection of personal data has acquired greater relevancy in Peru.
            • Not only have the obligations that data controllers and/or data processors must fulfil to ensure adequate processing of personal data been established through regulation; due to the proactivity of the Peruvian data protection authority (‘APDP’), compliance with those obligations has also been verified through audits.
            • This, together with an awareness of the importance of the protection of personal data, not only among those who are in charge of its processing but also among those who share it without knowing the consequences that this may entail, has been fundamental to strengthening this area of law in Peru.
            Philippines

            Moderate

            Poland

            Heavy

              Portugal

              Heavy

              • The fundamental right to personal data protection was established in the Constitution of the Portuguese Republic 1976 (‘the Constitution’).

              • The first Portuguese Data Protection Act No. 10/91 (only available in Portuguese here) was adopted in 1991, foreseeing the creation of the Portuguese supervisory authority in data protection matters.

              • Prior to the entry into force of the General Data Protection Regulation (Regulation (EU) 2016/679) (‘GDPR’), the general rule was the following: before initiating any personal data processing, the controller had to notify the Portuguese data protection authority (‘CNPD’) or obtain prior processing authorisation from the same entity.

              • The CNPD’s decisions taken in accordance with authorisation procedures have been very inconsistent.

               

              Q

              Qatar

              Moderate

              • Qatar has implemented Law No. (13) of 2016 Concerning Personal Data Protection (“the Data Protection Law”).
              • With its Data Protection Law—adopted in 2016—Qatar became the first Gulf Cooperation Council (GCC) member state to issue a generally applicable data protection law.
              • While the Data Protection Law took effect in 2017, executive regulations further implementing this law are expected to be passed in 2021.
              • The Qatar Financial Centre (“QFC”), a business center located on-shore in Qatar with its own regulations that are separate and distinct from those of the State of Qatar, implemented QFC Regulation No. 6 of 2005 on QFC Data Protection Regulations (“DPL”).
              • Additionally, under the powers granted to the QFC Authority under Article 21 of the DPL, the QFC Authority has issued the Data Protection Rules 2005 (DPR).
               

              R

              Romania

              Heavy

              Russia

              Moderate

              • Fundamental provisions of data protection law in Russia can be found in the Russian Constitution, international treaties and specific laws.
              • Russia is a member of the Strasbourg Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data (Convention) (ratified by Russia in 2006) and the Russian Constitution establishes the right to privacy of each individual (articles 23 and 24).
              • Most rules are found in specific legislation, particularly the Data Protection Act No. 152 FZ dated 27 July 2006 (DPA) and various regulatory acts adopted to implement the DPA.
              Rwanda

              Limited

              • Rwanda is on the verge of passing its first single and comprehensive legal instrument regulating privacy and data protection.
              • As of 27 October 2020, Rwanda’s Cabinet approved the Rwanda Draft Data Protection Law 2020 (‘the Draft Law’) which was then sent to President Paul Kagame to sign into law.
              • Whilst the Draft Law will regulate the obligations of data controllers and processors, as well as afford data subjects general rights that protect their personal information, it does not establish a national data protection authority.
              • However, there are other laws that deal directly or indirectly with data privacy and/or data protection as noted below.
               

              S

              Saint Kitts and Nevis

              Limited

              • Saint Kitts & Nevis currently does not have specific data protection legislation in force.
              San Marino

              Moderate

               

              Sao Tome and Principe

              Limited

              • Law No. 03/2016 on the Protection of Personal Data (only available in Portuguese here) establishes a relatively comprehensive data protection framework and addresses matters such as data processing notifications, data protection principles, data processor agreements, and essential data subject rights.
              • Although the Law also requires notifications to the ANPDP in relation to data transfers, it does not provide for data breach notifications, nor does it cover data protection officer appointments or impact assessments.
              • In 2018, a series of Resolutions were issued by the ANPDP that generally exempted data processing notifications under certain circumstances, and primarily in relation to employment and employees’ data.
              Saudi Arabia

              Limited

              • There is currently no specific national data protection legislation in the Kingdom of Saudi Arabia (‘KSA’) but privacy provisions and concepts can be found in specific legislation.
              • It has been reported that the Government of KSA is considering the introduction of personal data protection laws. However, there has been no formal confirmation or public consultation on any draft legislation in this area, so far.
              Senegal

              Moderate

              • In January 2008, Senegal adopted Law No. 2008-12 of 25 which provides a legal and institutional framework for the protection of personal data.
              • The law established an independent authority known as the Commission of Personal Data (CDP) whose mandate is to ensure that the processing of personal data is implemented in accordance with the provisions of this law, and upholds the rights of data subjects and the obligations of data processors.
              • A few years later in 2016, Senegal went on to become the first African country to ratify the continent-wide convention on Cyber Security and Personal Data Protection, which was adopted by the African Union in 2014.
              Serbia

              Moderate

              • The main piece of legislation currently regulating personal data protection in the Republic of Serbia is the Law on Protection of Personal Data (Official Gazette of the Republic of Serbia, No. 87/2018) (only available in Serbian here) (‘the Law’).
              • The former Poverenik, Mr. Rodoljub Šabić, has, on many occasions, pointed out the drawbacks of the Law, stating that the existing legal framework in the field of protection of personal data is far from adequate especially in terms of its completeness.

              • With regard to the Law, the former Poverenik has stressed that the content is convoluted, confusing, and therefore likely to be quite difficult to implement in practice.

              Seychelles

              Limited

              • The key piece of legislation is the Data Protection Act 2002 (Act 9 of 2003) (‘the Act’) which was enacted in 2003 to provide individuals with privacy rights regarding the processing of personal data; however, at the time of writing, the Act is not yet in force.
              • The Act will enter into force on such date as notified by the Minister in the Official Gazette.
              Sierra Leone

              Limited 

              • No specific data protection legislation has been adopted.
              Singapore

              Robust

              • The Personal Data Protection Act 2012 (No. 26 of 2012) (‘PDPA’) governs the collection, use, and disclosure of individuals’ personal data by organisations in a manner that recognises both the right of individuals to protect their personal data, and the need of organisations to collect, use, and disclose personal data for purposes that a reasonable person would consider appropriate in the circumstances.
              • Apart from the obligations imposed on organisations under the PDPA, there has been a general push towards a culture of accountability by the Personal Data Protection Commission (‘PDPC’), the regulator for data protection.
              • For example, the PDPC implemented the Data Protection Trustmark Certification in 2019, which is a voluntary enterprise-wide certification program for organisations to demonstrate accountable data protection practices.
              • The PDPA has recently undergone its first comprehensive revision since its enactment in 2012 under the Personal Data Protection (Amendment) Bill 2020 (‘the Amendment Bill’) which was passed on 2 November 2020 and which was formally enacted as the Personal Data Protection (Amendment) Act 2020 (‘the Amendment Act’).
              • The PDPC has stated, in its Advisory Guidelines on Enforcement of Data Protection Provisions, that the enhanced financial penalty regime will come into effect no earlier than 1 February 2022. Similarly, the provisions on the new data portability obligation will also take effect on a later date.
              Slovakia

              Heavy

              Slovenia

              Limited

              • Personal Data Protection Act 2004 (‘the Act’). Slovenia has not yet adopted the new Personal Data Protection Act (only available in Slovenian here) (‘the Draft Act’).
              • Slovenia is the only remaining EU Member State that has yet to implement the GDPR.
              • The Draft Act is currently progressing through the legislative procedure but there is no set date for its passage in the National Assembly.
              • The Commissioner issued an opinion on the Draft Act in 2019, which highlights that differences between the Draft Act, which was subject to public consultation at the time, and the GDPR would lead to difficulties with cross-border procedures, and hinder legal harmonisation across the EU Member States.
              Somalia

              Limited

              South Africa

              Moderate

              • The right to privacy is recognized as a fundamental human right in the Bill of Rights of the Constitution of the Republic of South Africa and is protected in terms of the Constitution and the common law.
              • This right to privacy is not absolute and may be limited where it is reasonable and justifiable to do so.
              • The Protection of Personal Information Act, 2013 (Act 4 of 2013) (‘POPIA’) came into effect on 1 July 2020, save for certain provisions, but there is a one-year grace period within which to comply with POPIA. POPIA specifically regulates the processing of personal information that is entered into a record pertaining to natural living persons as well as existing legal persons.
              Spain

              Heavy

              • The General Data Protection Regulation (Regulation (EU) 2016/679) (GDPR) is a European Union law which entered into force in 2016 and, following a two-year transition period, became directly applicable law in all Member States of the European Union on 25 May 2018, without requiring implementation by the EU Member States through national law.
              • After a very long delay and amidst rumors that the Spanish Parliament could be dissolved and early elections called, the Spanish Senate speedily dismissed all proposals for further changes and approved the new Spanish Fundamental Law on Data Protection and digital rights guarantee, which is in force from 7 December 2018 (“NLOPD”).
              Sri Lanka

              Limited

              Sudan

              Limited

              • There is currently no enacted data protection legislation in Sudan.
              South Sudan

              Limited

              • There is currently no enacted data protection legislation in Sudan.
              Suriname

              Limited

              • No specific data protection legislation has been adopted.
              Sweden

              Heavy

              • The General Data Protection Regulation (Regulation (EU) 2016/679) (GDPR) is a European Union law which entered into force in 2016 and, following a two-year transition period, became directly applicable law in all Member States of the European Union on 25 May 2018, without requiring implementation by the EU Member States through national law.
              • The Data Protection Act (2018:218) and the Data Protection Ordinance (2018:19) (the “DPA”) – The DPA regulates general aspects of data protection where the GDPR allows, e.g. processing of social security numbers and processing of data pertaining to criminal offences. The DPA entered into force on 25 May 2018.
              • In addition to the Swedish DPA, a vast number of sector specific acts have been adopted in Sweden, for example relating to the sectors of healthcare, finance, energy, environment, education, referendums/elections, enterprise, communication, labour market, etc.
              Switzerland

              Heavy

              Syria

              Limited

              • There is currently no specific data protection legislation in force in Syria.
               

              T

              Taiwan

              Robust

              Tajikistan

              Moderate

              • Prior to 2018, the rights of data subjects had been protected by a range of existing laws that applied indirectly, due to the lack of comprehensive legislation on data protection.
              • However, in 2018, Law of 3 August 2018 No. 1537 on Personal Data Protection (only available in Tajik here) (‘the Law on Personal Data’) was adopted, which established grounds for the regulation of relations between owners, operators, and data subjects.
              • The Law on Personal Data also clearly sets out rules for obtaining consent, notifying the data subject in case of the transfer of her/his data, as well as conditions for cross-border transfer.
              Tanzania

              Limited

              • Tanzanian law on data protection is still in the works, as there is not yet comprehensive legislation in the area.
              • Therefore, whatever data protection provisions there are, they are to be found to varying degrees in a number of pieces of legislation, especially from the banking, electronic, and telecommunications sectors, as well as penal statutes.
              Thailand

              Moderate

              • The Personal Data Protection Act 2019 (‘PDPA’) was published, on 27 May 2019, in the Royal Thai Government Gazette. The PDPA is the very first consolidated law governing data protection in Thailand.
              • The Cabinet of Parliament of the Kingdom of Thailand (‘the Parliament’) approved the Royal Decree on the Organizations and Businesses of which Personal Data Controllers are exempted from the Applicability of the Personal Data Protection Act B.E. 2562 (2019) B.E. 2563 (2020) (only available in Thai here).
              • The Royal Decree initially postponed the effective date of the enforcement of the PDPA in Chapters 2, 3, 5, 6, 7 and Section 95, on exempted organisations, until 31 May 2021.
              • Following a second deliberation, the Parliament has approved a further one-year postponement of the effective date of the enforcement of the PDPA, under the Royal Decree on the Organizations and Businesses of which Personal Data Controllers are exempted from the Applicability of the Personal Data Protection Act B.E. 2562 (2019) B.E. 2564 (2021) (only available in Thai here) (‘the Royal Decree’), making the effective date of the PDPA 1 June 2022.
              Togo

              Limited

              • The personal data protection industry is emerging in Togo.
              • Law No. 2019-014 Relating to the Protection of Personal Data (only available in French here) (‘the Law’) provides the conditions for the collection, processing, transmission, storage, and use of personal data.
              • In addition, in December 2020 the National Assembly issued a press release (only available in French here) announcing the adoption of a draft decree (‘the Decree’) on the organisation and functioning of the Togolese data protection authority (‘IPDCP’).
              Tonga

              Limited 

              • There is currently no data protection legislation in force in Tonga.
              Trinidad and Tobago

              Limited

              • Privacy as the overarching principle of which data or information privacy is a subset has been generally guaranteed protection in Trinidad and Tobago, as in numerous other jurisdictions, through constitutional provisions and international human rights law.

              • In terms of specific legislation, the Data Protection Act 2011 (‘the Act’) is the sole piece of legislation on the topic and deals, not with the broad issue of privacy, but specifically with that of the protection of personal information in the public and private sectors. It is not fully proclaimed as detailed below.

              • The DPA was partially enacted on January 6, 2012 by Legal Notice 2 of 2012, and only Part I and sections 7 to 18, 22, 23, 25(1), 26 and 28 of Part II have come into operation.

              • No timetable has been set for enacting the remainder of the DPA, and it is possible that there may be changes to the remainder of the legislation before it is proclaimed.

              Tunisia

              Robust

              • Organic Act No. 2004-63 of 27 July 2004 on the Protection of Personal Data (available only in Arabic and French here) (‘the Law’) details the scope of data protection and sets up a national commission in charge of its enforcement.
              • Several texts have been enacted such as the Law and Decree No. 2007-3004 of 27 November 2007 Laying Down the Conditions and Procedures for the Declaration and Authorisation of the Processing Of Personal Data (available only in Arabic and French here) (‘the Decree’).
              • Tunisia became the 51st Member State of the Council of Europe Convention 108 on November 1, 2017.
              • In March 2018, it introduced in Parliament a new draft law on the protection of personal data in line with the new European GDPR.
              Turkey

              Moderate

              • In April 2016, Turkey completed the final step in a long-running process to enact the Law on Protection of Personal Data No. 6698 (‘the Data Protection Law’).
              • The Data Protection Law received Presidential approval and its final text was published in the Official Gazette, Number 29677 on 7 April 2016. Prior to this date, Turkey did not have specific legislation addressing personal data protection.
              • The LPPD is primarily based on EU Directive 95/46/EC.
              • To date, the legislature has enacted several regulations to implement various aspects of the LPPD.
              Turkmenistan

              Limited

              • The legislation of Turkmenistan on personal information and its protection is based on the Constitution of Turkmenistan (only available in Russian here) and consists of the Law of Turkmenistan of 20 March 2017 on Information on Private Life and its Protection No. 519-V (only available in Russian here) (‘the Law on Information’) and other regulatory legal acts.
              • The Law on Information sets the procedure for collecting, processing, and protecting personal information. Also, the Law on Information sets out the rights and obligations of the data subject and the operator and provides for sanctions for failure to comply with personal data protection requirements.
              Tuvalu

              Limited 

              • There is currently no data protection legislation in force in Tuvalu.
               

              U

              Uganda

              Moderate

              • Uganda passed the Data Protection and Privacy Act, 2019 (‘the Act’) in 2019, followed by the passing of the Data Protection and Privacy Regulations, 2021 (‘the Regulations’) in May 2021.
              • It is anticipated that the Regulations will implement the Act, which is not yet in effect. The Act and Regulations are intended to support privacy protections that are already guaranteed to Ugandans under the Constitution and to complement sectoral laws for regulated activities that had previously incorporated data protection provisions.
                Ukraine

                Moderate

                • The Law of Ukraine No. 2297 VI ‘On Personal Data Protection’ as of June 1, 2010 (‘the Data Protection Law’) is the main legislative act regulating personal data protection in Ukraine.
                • On December 20, 2012, the Data Protection Law was substantially amended by the Law of Ukraine ‘On introducing amendments to the Law of Ukraine “On Personal Data Protection”’ dated November 20, 2012, No. 5491-VI.
                • The Data Protection Law essentially complies with EU Data Protection Directive 95/46/EC.
                United Arab Emirates

                Limited

                • There is currently no federally applicable data protection law in the United Arab Emirates (‘UAE’), and there is no single national data protection regulator.
                • That being said, the Constitution of the UAE (only available in Arabic here) (‘the Constitution’) gives citizens a general right to privacy, and provisions of the Federal Law No. 5 of 1985: The Civil Code as amended by Federal Law No. 1 of 1987 (only available in Arabic here) (‘the Civil Code’) and the Federal Law No. 3 of 1987: The Penal Code (‘the Penal Code’) are also relevant when considering privacy related issues. Elsewhere, sector specific regulation (such as the telecommunications, consumer protection, and cybercrime laws) provides some limited data protection rights in certain circumstances.
                • Whilst there has been no formal confirmation or release, a draft federal data protection law is understood to be under consideration by the UAE Government.
                United Kingdom

                Heavy

                • Following the UK’s exit from the European Union, the UK Government has transposed the General Data Protection Regulation (Regulation (EU) 2016/679) into UK national law (thereby creating the “UK GDPR”). In so doing, the UK has made a number of technical changes to the GDPR in order to account for its status as a national law of the United Kingdom (e.g. to change references to “Member State” to “the United Kingdom”). These changes were made under the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019. At this time, all material obligations on controllers and processors essentially remain the same under the UK GDPR as under the ‘EU GDPR’.
                • The Data Protection Act 2018 (“DPA”) remains in place as a national data protection law, and supplements the UK GDPR regime. It deals with matters that were previously permitted derogations and exemptions from the EU GDPR (for example, substantial public interest bases for the processing of special category data, and context-specific exemptions from parts of the GDPR such as data subject rights).
                United States of America

                Heavy

                • The US has several sector-specific and medium-specific national privacy or data security laws, including laws and regulations that apply to financial institutions, telecommunications companies, personal health information, credit report information, children’s information, telemarketing and direct marketing.
                • The US also has hundreds of privacy and data security laws among its 50 states and territories, such as requirements for safeguarding data, disposal of data, privacy policies, appropriate use of Social Security numbers and data breach notification. California alone has more than 25 state privacy and data security laws,
                • In addition, the US Federal Trade Commission (FTC) has jurisdiction over a wide range of commercial entities under its authority to prevent and protect consumers against unfair or deceptive trade practices, including materially unfair privacy and data security practices.
                Uruguay

                Limited

                Uzbekistan

                Moderate

                • The legislative history of data protection in Uzbekistan can be divided into two periods. The first period started with Law of Uzbekistan of 24 April 1994 No 400-I on Guarantees and Freedom of Access to Information (only available in Uzbek and Russian here) (‘the Law on Information’), and lasted for 16 years, until the enactment of Law of Uzbekistan of 2 July 2019 No. ЗРУ-547 on Personal Data (only available in Uzbek and Russian here) (‘the Law on Personal Data’), which initiated the second period.
                   

                  V

                  Vanuatu

                  Limited

                  • Vanuatu has not yet enacted legislation relating to data privacy.
                  Vatican City

                  Limited

                  • In the Vatican City State, no specific laws have been adopted either by the Supreme Pontiff, the Pontifical Commission, or other legitimate Vatican City State authorities in relation to the fundamental right to privacy of natural and legal persons.
                  • Canon 220 of the Code of Canon Law refers to the protection of a good reputation and of intimitas, but does not provide for specific or self-contained rules related to personal data protection; it contains only general principles that can (and should) be articulated in more specific regulations.
                  Venezuela

                  Limited

                  • In Venezuela, there are no express regulations regarding data privacy.
                  • Nevertheless, the main laws and regulations on data privacy and data protection are set forth in the Constitution of the Bolivarian Republic of Venezuela (published in the Special Official Gazette No. 5.908 of February 19, 2009) (‘the Constitution’) and the Decision issued by the Constitutional Chamber of the Supreme Court of Justice on March 14, 2001 (‘the 2001 Decision’).
                  • According to the 2001 Decision, privileged information is constitutionally protected if such information, contained in one or more combined registries, could create a complete or partial profile of the individual whose data is included in such registries.
                  Vietnam

                  Moderate

                  • In Vietnam, the right to privacy and personal secrets is a constitutional right.
                  • However, Vietnam does not have a consolidated piece of legislation on the protection of personal data. Instead, rules and regulations on personal data protection can be found in several laws, including general laws such as the Civil Code and the Law on Cyberinformation Security and sectoral laws such as the Law on Electronic Transactions and the Law on Telecommunications.
                   

                  Y

                  Yemen

                  Limited

                  • There is currently no general data protection legislation.
                  • There is currently no general data protection authority.
                   

                  Z

                  Zambia

                  Limited

                  Zimbabwe

                  Limited

                  • In Zimbabwe, the starting point in recognising the right to privacy and protection of data privacy is Section 57 of the Constitution of Zimbabwe Amendment 20 of 2013 (‘the Constitution’), which affords every person the right to privacy.
                  • The Freedom of Information Act (No. 1 of 2020) (‘the Freedom of Information Act’) was enacted into the laws of Zimbabwe on 1 July 2020 to provide for rights of expression, freedom of media, and the right of access to information held by entities in the interest of public accountability or for the exercise or protection of a right. It is a recently welcomed development which effectively repeals the Access to Information and Protection of Privacy Act of 2001 (‘the AIPP’).
                  • Whilst the Freedom of Information Act does not focus on data protection rights, certain provisions stated therein regulate the handling of personal information which directly affects data rights. More relevant to the present overview is the Cybersecurity and Data Protection Bill of 2019 (‘the Bill’) which was gazetted on 15 May 2020. The Bill is a transformative measure in Zimbabwean law with the primary purpose of protecting the privacy and data rights of those susceptible to infringement.
                  • It is difficult to predict at this point whether or not the Bill will be passed given the contentious issues raised at public hearings.
                  Further information

                  For more information on data protection, visit the below sites:

                  1. https://ico.org.uk/for-organisations/guide-to-data-protection/

                  2. https://www.dataguidance.com/

                   
