Upgrade to a premium account to save this to your customizable Workspace
Create an account
Join our community for free to access exclusive whitepapers, reports, and regulatory information.
Global Privacy Laws
Jurisdictions
Click on a country below to dive into any privacy laws
Legend:
Privacy law
Draft privacy law
No privacy law
Comparing privacy laws
Comparing Privacy Laws
Comply with laws around the world
The Global Privacy Laws portal is the latest feature to be added to the OneTrust DataGuidance Research platform and provides the most comprehensive way of comparing privacy laws around the world. New jurisdictions are being added to the portal every week.
To research a jurisdiction not currently included, you can utilise the Laws Around The World Map to visit that country's dashboard and resources.
The US presents a plethora of laws and privacy bills posing relevant compliance challenges for privacy professionals. OneTrust DataGuidance has therefore built the USA State Law Tracker, a dedicated hub for US state law developments where organisations are able to access and understand how potential laws might affect their daily operations.
- There is a requirement in place.
- Click to view information for additional detail.
- There is no requirement in place.
Definitions
- title
- Data Controller
- Data Processor
- Personal Data
- Sensitive Data
- Health Data
- Biometric Data
- Pseudonymisation
- Albania
- Algeria
- Angola
- Argentina
- Armenia
- Australia
- Austria
- Azerbaijan
- Bahamas
- Bahrain
- Bangladesh
- Barbados
- Belarus
- Belgium
- Bermuda
- Bolivia
- Bosnia & Herzegovina
- Botswana
- Brazil
- British Columbia
- British Virgin Islands
- Bulgaria
- California
- Cambodia
- Cameroon
- Canada Federal
- Cape Verde
- Chad
- Chile
- China
- Colombia
- Colorado
- Connecticut
- Costa Rica
- Croatia
- Cyprus
- Czechia
- Delaware
- Denmark
- Dominican Republic
- Ecuador
- Egypt
- El Salvador
- Estonia
- Ethiopia
- Finland
- Florida
- France
- GDPR
- Georgia
- Germany
- Ghana
- Greece
- Guatemala
- Guernsey
- Honduras
- Hong Kong
- Hungary
- India
- Indiana
- Indonesia
- Iowa
- Iraq
- Ireland
- Isle of Man
- Italy
- Jamaica
- Japan
- Jersey
- Jordan
- Kazakhstan
- Kentucky
- Kenya
- Kuwait
- Kyrgyzstan
- Lao PDR
- Latvia
- Lebanon
- Liechtenstein
- Lithuania
- Luxembourg
- Macau
- Madagascar
- Malaysia
- Mali
- Malta
- Maryland
- Mauritius
- Mexico
- Minnesota
- Moldova
- Mongolia
- Montana
- Montenegro
- Morocco
- Myanmar
- Namibia
- Nebraska
- Nepal
- Netherlands
- New Hampshire
- New Jersey
- New Zealand
- Niger
- Nigeria
- North Macedonia
- Norway
- Oman
- Ontario
- Oregon
- Pakistan
- Panama
- Paraguay
- Peru
- Philippines
- Poland
- Portugal
- Qatar
- Quebec
- Rhode Island
- Romania
- Russia
- Rwanda
- Saudi Arabia
- Serbia
- Seychelles
- Singapore
- Slovakia
- Slovenia
- South Africa
- South Korea
- Spain
- Sri Lanka
- Sweden
- Switzerland
- Taiwan
- Tajikistan
- Tanzania
- Tennessee
- Texas
- Thailand
- The Gambia
- Timor-Leste
- Tunisia
- Turkey
- Turkmenistan
- UAE - ADGM
- UAE - DIFC
- UAE - Federal
- Uganda
- UK
- Ukraine
- Uruguay
- Utah
- Uzbekistan
- Vietnam
- Virginia
- Zambia
Legal Bases
- title
- Consent
- Data Subject Contract
- Legal Obligation
- Data Subject Interest
- Public Interest
- Legitimate Interest
- Other
- Albania
- Algeria
- Angola
- Argentina
- Armenia
- Australia
- Austria
- Azerbaijan
- Bahamas
- Bahrain
- Bangladesh
- Barbados
- Belarus
- Belgium
- Bermuda
- Bolivia
- Bosnia & Herzegovina
- Botswana
- Brazil
- British Columbia
- British Virgin Islands
- Bulgaria
- California
- Cambodia
- Cameroon
- Canada Federal
- Cape Verde
- Chad
- Chile
- China
- Colombia
- Colorado
- Connecticut
- Costa Rica
- Croatia
- Cyprus
- Czechia
- Delaware
- Denmark
- Dominican Republic
- Ecuador
- Egypt
- El Salvador
- Estonia
- Ethiopia
- Finland
- Florida
- France
- GDPR
- Georgia
- Germany
- Ghana
- Greece
- Guatemala
- Guernsey
- Honduras
- Hong Kong
- Hungary
- India
- Indiana
- Indonesia
- Iowa
- Iraq
- Ireland
- Isle of Man
- Italy
- Jamaica
- Japan
- Jersey
- Jordan
- Kazakhstan
- Kentucky
- Kenya
- Kuwait
- Kyrgyzstan
- Lao PDR
- Latvia
- Lebanon
- Liechtenstein
- Lithuania
- Luxembourg
- Macau
- Madagascar
- Malaysia
- Mali
- Malta
- Maryland
- Mauritius
- Mexico
- Minnesota
- Moldova
- Mongolia
- Montana
- Montenegro
- Morocco
- Myanmar
- Namibia
- Nebraska
- Nepal
- Netherlands
- New Hampshire
- New Jersey
- New Zealand
- Niger
- Nigeria
- North Macedonia
- Norway
- Oman
- Ontario
- Oregon
- Pakistan
- Panama
- Paraguay
- Peru
- Philippines
- Poland
- Portugal
- Qatar
- Quebec
- Rhode Island
- Romania
- Russia
- Rwanda
- Saudi Arabia
- Serbia
- Seychelles
- Singapore
- Slovakia
- Slovenia
- South Africa
- South Korea
- Spain
- Sri Lanka
- Sweden
- Switzerland
- Taiwan
- Tajikistan
- Tanzania
- Tennessee
- Texas
- Thailand
- The Gambia
- Timor-Leste
- Tunisia
- Turkey
- Turkmenistan
- UAE - ADGM
- UAE - DIFC
- UAE - Federal
- Uganda
- UK
- Ukraine
- Uruguay
- Utah
- Uzbekistan
- Vietnam
- Virginia
- Zambia
Controller and Processor Obligations
- title
- Data Processing Registration
- Data Transfers
- Data Processing Records
- DPIAs
- DPOs
- Breach Notification
- Data Retention
- Children's Data
- Special Categories
- Vendor Contracts
- Albania
- Algeria
- Angola
- Argentina
- Armenia
- Australia
- Austria
- Azerbaijan
- Bahamas
- Bahrain
- Bangladesh
- Barbados
- Belarus
- Belgium
- Bermuda
- Bolivia
- Bosnia & Herzegovina
- Botswana
- Brazil
- British Columbia
- British Virgin Islands
- Bulgaria
- California
- Cambodia
- Cameroon
- Canada Federal
- Cape Verde
- Chad
- Chile
- China
- Colombia
- Colorado
- Connecticut
- Costa Rica
- Croatia
- Cyprus
- Czechia
- Delaware
- Denmark
- Dominican Republic
- Ecuador
- Egypt
- El Salvador
- Estonia
- Ethiopia
- Finland
- Florida
- France
- GDPR
- Georgia
- Germany
- Ghana
- Greece
- Guatemala
- Guernsey
- Honduras
- Hong Kong
- Hungary
- India
- Indiana
- Indonesia
- Iowa
- Iraq
- Ireland
- Isle of Man
- Italy
- Jamaica
- Japan
- Jersey
- Jordan
- Kazakhstan
- Kentucky
- Kenya
- Kuwait
- Kyrgyzstan
- Lao PDR
- Latvia
- Lebanon
- Liechtenstein
- Lithuania
- Luxembourg
- Macau
- Madagascar
- Malaysia
- Mali
- Malta
- Maryland
- Mauritius
- Mexico
- Minnesota
- Moldova
- Mongolia
- Montana
- Montenegro
- Morocco
- Myanmar
- Namibia
- Nebraska
- Nepal
- Netherlands
- New Hampshire
- New Jersey
- New Zealand
- Niger
- Nigeria
- North Macedonia
- Norway
- Oman
- Ontario
- Oregon
- Pakistan
- Panama
- Paraguay
- Peru
- Philippines
- Poland
- Portugal
- Qatar
- Quebec
- Rhode Island
- Romania
- Russia
- Rwanda
- Saudi Arabia
- Serbia
- Seychelles
- Singapore
- Slovakia
- Slovenia
- South Africa
- South Korea
- Spain
- Sri Lanka
- Sweden
- Switzerland
- Taiwan
- Tajikistan
- Tanzania
- Tennessee
- Texas
- Thailand
- The Gambia
- Timor-Leste
- Tunisia
- Turkey
- Turkmenistan
- UAE - ADGM
- UAE - DIFC
- UAE - Federal
- Uganda
- UK
- Ukraine
- Uruguay
- Utah
- Uzbekistan
- Vietnam
- Virginia
- Zambia
Individuals' Rights
- title
- Informed
- Access
- Rectification
- Erasure
- Object
- Portability
- Automated Decision-Making
- Other
- Albania
- Algeria
- Angola
- Argentina
- Armenia
- Australia
- Austria
- Azerbaijan
- Bahamas
- Bahrain
- Bangladesh
- Barbados
- Belarus
- Belgium
- Bermuda
- Bolivia
- Bosnia & Herzegovina
- Botswana
- Brazil
- British Columbia
- British Virgin Islands
- Bulgaria
- California
- Cambodia
- Cameroon
- Canada Federal
- Cape Verde
- Chad
- Chile
- China
- Colombia
- Colorado
- Connecticut
- Costa Rica
- Croatia
- Cyprus
- Czechia
- Delaware
- Denmark
- Dominican Republic
- Ecuador
- Egypt
- El Salvador
- Estonia
- Ethiopia
- Finland
- Florida
- France
- GDPR
- Georgia
- Germany
- Ghana
- Greece
- Guatemala
- Guernsey
- Honduras
- Hong Kong
- Hungary
- India
- Indiana
- Indonesia
- Iowa
- Iraq
- Ireland
- Isle of Man
- Italy
- Jamaica
- Japan
- Jersey
- Jordan
- Kazakhstan
- Kentucky
- Kenya
- Kuwait
- Kyrgyzstan
- Lao PDR
- Latvia
- Lebanon
- Liechtenstein
- Lithuania
- Luxembourg
- Macau
- Madagascar
- Malaysia
- Mali
- Malta
- Maryland
- Mauritius
- Mexico
- Minnesota
- Moldova
- Mongolia
- Montana
- Montenegro
- Morocco
- Myanmar
- Namibia
- Nebraska
- Nepal
- Netherlands
- New Hampshire
- New Jersey
- New Zealand
- Niger
- Nigeria
- North Macedonia
- Norway
- Oman
- Ontario
- Oregon
- Pakistan
- Panama
- Paraguay
- Peru
- Philippines
- Poland
- Portugal
- Qatar
- Quebec
- Rhode Island
- Romania
- Russia
- Rwanda
- Saudi Arabia
- Serbia
- Seychelles
- Singapore
- Slovakia
- Slovenia
- South Africa
- South Korea
- Spain
- Sri Lanka
- Sweden
- Switzerland
- Taiwan
- Tajikistan
- Tanzania
- Tennessee
- Texas
- Thailand
- The Gambia
- Timor-Leste
- Tunisia
- Turkey
- Turkmenistan
- UAE - ADGM
- UAE - DIFC
- UAE - Federal
- Uganda
- UK
- Ukraine
- Uruguay
- Utah
- Uzbekistan
- Vietnam
- Virginia
- Zambia
Penalties and Enforcement
- title
- Penalties
- Enforcement
- Albania
- Algeria
- Angola
- Argentina
- Armenia
- Australia
- Austria
- Azerbaijan
- Bahamas
- Bahrain
- Bangladesh
- Barbados
- Belarus
- Belgium
- Bermuda
- Bolivia
- Bosnia & Herzegovina
- Botswana
- Brazil
- British Columbia
- British Virgin Islands
- Bulgaria
- California
- Cambodia
- Cameroon
- Canada Federal
- Cape Verde
- Chad
- Chile
- China
- Colombia
- Colorado
- Connecticut
- Costa Rica
- Croatia
- Cyprus
- Czechia
- Delaware
- Denmark
- Dominican Republic
- Ecuador
- Egypt
- El Salvador
- Estonia
- Ethiopia
- Finland
- Florida
- France
- GDPR
- Georgia
- Germany
- Ghana
- Greece
- Guatemala
- Guernsey
- Honduras
- Hong Kong
- Hungary
- India
- Indiana
- Indonesia
- Iowa
- Iraq
- Ireland
- Isle of Man
- Italy
- Jamaica
- Japan
- Jersey
- Jordan
- Kazakhstan
- Kentucky
- Kenya
- Kuwait
- Kyrgyzstan
- Lao PDR
- Latvia
- Lebanon
- Liechtenstein
- Lithuania
- Luxembourg
- Macau
- Madagascar
- Malaysia
- Mali
- Malta
- Maryland
- Mauritius
- Mexico
- Minnesota
- Moldova
- Mongolia
- Montana
- Montenegro
- Morocco
- Myanmar
- Namibia
- Nebraska
- Nepal
- Netherlands
- New Hampshire
- New Jersey
- New Zealand
- Niger
- Nigeria
- North Macedonia
- Norway
- Oman
- Ontario
- Oregon
- Pakistan
- Panama
- Paraguay
- Peru
- Philippines
- Poland
- Portugal
- Qatar
- Quebec
- Rhode Island
- Romania
- Russia
- Rwanda
- Saudi Arabia
- Serbia
- Seychelles
- Singapore
- Slovakia
- Slovenia
- South Africa
- South Korea
- Spain
- Sri Lanka
- Sweden
- Switzerland
- Taiwan
- Tajikistan
- Tanzania
- Tennessee
- Texas
- Thailand
- The Gambia
- Timor-Leste
- Tunisia
- Turkey
- Turkmenistan
- UAE - ADGM
- UAE - DIFC
- UAE - Federal
- Uganda
- UK
- Ukraine
- Uruguay
- Utah
- Uzbekistan
- Vietnam
- Virginia
- Zambia
On December 23, 2024, House Bill 1709 for the Texas Responsible Artificial Intelligence Governance Act was filed in the House of Representatives. The bill aims to regulate the use of artificial intelligence (AI) systems by business entities and state agencies and protect consumers against algorithmic discrimination.
On December 23, 2024, the Luxembourg Parliament introduced Bill No. 8476, implementing certain provisions of the EU Artificial Intelligence Act (the AI Act).
On December 10, 2024, the Decree Proposing the Amendment of Various Articles of the Political Constitution of the United Mexican States was adopted. This includes changes related to the governance of the data protection authority.
On December 19, 2024, the Brazilian Senate published the revised text for Bill No. 2338/2023 on the use of artificial intelligence, following the Senate's approval of the bill on December 10, 2024.
On September 13, 2024, the Cyber and Data Protection (Licensing of Data Controllers and Appointment of Data Protection Officers) Regulations 2024 were published. Among other things, the Regulations establish requirements for licensing data controllers, appointing data protection officers (DPOs), and implementing data security measures.
On December 18, 2024, the Dutch data protection authority (AP) requested public comments on prohibited social scoring artificial intelligence (AI) systems under the EU AI Act.
On December 17, 2024, the bill for the Basic Law on the Development of Artificial Intelligence and Creation of Trust Base received the approval of the Judiciary Committee of the South Korean National Assembly.
On December 16, 2024, the Office of Communications (Ofcom) announced the publication of Guidance and Codes of Practice pursuant to the Online Safety Act.
On November 20, 2024, Senate Bill 9953 for an Act to amend the general business law, in relation to establishing the New York children's online safety act was introduced and referred to the Senate's Committee on Rules.
On December 12, 2024, Senate Bill No.
On December 13, 2024, Law No. 21.719 regulating the protection and processing of personal data and creating the personal data protection agency was published in the Official Gazette of the Republic of Chile.
On December 12, 2024, Bill D.R. 60/2024, the Data Sharing Bill, passed its second reading in the House of Representatives, following its first reading on December 10, 2024.
On December 12, 2024, Bill D.R. 59/2024, the Online Safety Bill, passed its second reading in the House of Representatives, following its first reading on December 10, 2024.
On December 10, 2024, the Online Safety Amendment (Social Media Minimum Age) Bill 2024 received Royal Assent.
On December 10, 2024, the Privacy and Other Legislation Amendment Bill 2024 received Royal Assent.
On December 10, 2024, the Brazilian Senate issued Opinion No. 207, of 2024, approving Bill No.
The Personal Data Protection Law No. 6698 (the Law) was amended in March 2024, with the new regime taking effect in June 2024. Melis Mert, Managing Associate at BTS & Partners, provides an overview of the updates.
The Personal Data Protection Law No. 6698 (the Law) is the main piece of legislation concerning the protection of personal data in Turkey, which covers the processing of personal data belonging to identified or identifiable individuals and governs the obligations imposed on individuals or legal entities processing such personal data.
The Network and Information Security Directive (EU) 2022/2555) (NIS 2 Directive) is a significant new law enacted to bolster cybersecurity across the European Union. It is an update of the original NIS Directive (Directive (EU) 2016/1148), which was adopted to address the increasing threats to network and information security.
The Data (Use and Access) Bill was introduced to the House of Lords of the UK Parliament on October 3, 2024. The Bill aims to amend the UK's data protection regime by including provisions on recognized legitimate interests for lawful processing, automated decision-making, international data transfers, and cookies.
The Israeli Parliament recently adopted a new amendment to the Israeli Privacy Protection Law, 5741-1981 (PPL), entering into force on August 14, 2025.
The UK Government plans to introduce new cybersecurity legislation across the UK in the form of the Cyber Security and Resilience Bill (the Bill). The Bill's objective is to improve the law around cybersecurity generally to make the UK's critical and cyber infrastructure more resilient in the face of frequent and damaging cyberattacks.
The Consent Management Ordinance pursuant to Section 26(2) of the Telecommunications Digital Services Data Protection Act (TDDDG)1 (the Ordinance) was adopted by the Federal Government on September 4, 2024.
The Saudi Arabia Personal Data Protection Law (as amended) (the PDPL) came into effect on September 14, 2023. However, Royal Decree No.
The Regulation on digital operational resilience for the financial sector (DORA) entered into force on January 16, 2023, and forms an integral part of the European Commission's digital finance package, a package of measures to further enable and support the potential of digital finance in terms of innovation and competition, while mitigating the
In the past few years, the digital market has witnessed an outpour of artificial intelligence (AI) systems, with the AI market expected to reach a valuation of nearly $2 trillion by 2030.
On July 31, 2024, Bill D.R. 21/2024, known as the Personal Data Protection (Amendment) Act 2024, amending the Personal Data Protection Act (PDPA) (the Bill), passed in the Senate on its second reading. The Bill introduces new requirements, such as the appointment of a data protection officer (DPO) and data breach notification obligations.
On July 1, 2024, the Quebec Commission on Access to Information (CAI) announced that the Act Respecting Health and Social Services Information (LRSSS) entered into effect on the same date.
Keeping up to Date With Global Privacy Updates
As the privacy landscape continues to develop at speed, the OneTrust DataGuidance Global Privacy Updates page is the go-to resource for tracking all upcoming global privacy updates. This page outlines privacy laws from across the world that you should be aware of, their legislative status, and key dates you should know. Use the table of contents below for a quick overview of privacy updates on the horizon or click on each update to navigate directly to further information, legal texts, and further resources. Please see the US Tracker for updates on US privacy legislation and our AI Dashboard for updates on AI laws and frameworks.
Page last updated: November 28, 2024
Table of Resources
- Botswana: Data Protection Act, Act No. 32 of 2018
Ethiopia: Personal Data Protection Act
- Namibia: Draft Data Protection Bill 2022
Somalia: Law No. 005 the Data Protection Act
- Zimbabwe: Draft for the Cyber and Data Protection Regulations, 2022
- Zimbabwe: Data Protection Act [Chapter 11:12]
Africa
Law: Data Protection Act 2024 No. 32 of 2018 (the Act)
Status: Adopted
On November 12, 2024, OneTrust DataGuidance Research confirmed with Senwelo Modise, Partner at Bookbinder Business Law, that, on October 29, 2024, the Act was published in the Official Gazette, after being assented on October 24, 2024. The Act will enter into force on a date appointed by the Minister in the Official Gazette.
Resources:
Law: Personal Data Protection Proclamation No. 1321/2024 (the Act)
Status: In force
OneTrust DataGuidance Research confirmed with Liya Tamrat, Junior Associate at Dadimos & Partners LLP, that on July 24, 2024, the Act was officially published in the Federal Negarit Gazette and entered into force on the same date.
Resources:
Law: Bill No. 22 for the Data Protection Act, 2023
Status: Published
On February 2, 2024, the Parliament of Malawi published the Data Protection Act, 2024.
Resources:
Namibia
Law: Draft Data Protection Bill 2022 (the Bill)
Status: In legislative process
The Ministry of Information and Communication Technology released its revised draft of the Bill on Twitter on October 26, 2022.
Resources:
Law: Law No. 005 the Data Protection Act (the Law)
Status: Passed
On February 5, 2023, the Somalian Data Protection Authority informed OneTrust DataGuidance that the Law was enacted in March 2023.
Resources:
Zimbabwe
Law: Draft for the Cyber and Data Protection Regulations, 2022 (the Draft Law)
Status: In legislative process
The Postal and Telecommunications Regulatory Authority of Zimbabwe announced the introduction of the Draft Law on November 16, 2022.
Resources:
Zimbabwe
Law: Data Protection Act [Chapter 11:12] (the Act)
Status: Enacted
OneTrust DataGuidance confirmed, on December 5, 2021, with Steve Munyaradzi Chikengezha, Associate at DLA Piper Africa Zimbabwe - Manokore Attorneys that the Act was enacted on December 3, 2021. The Media Institute of Southern Africa Zimbabwe clarified that the Act does not state a date for when it will take effect or a transition period.
Resources:
Table of Resources
- Australia: Privacy and Other Legislation Amendment Bill 2024
Bangladesh: Draft Data Protection Act, 2023
- Brunei Darussalam: Draft Personal Data Protection Order
- Hong Kong: Personal Data (Privacy) Ordinance (Cap. 486) (as amended)
- Malaysia: Act to amend the Personal Data Protection Act
- Myanmar: Amendments to the Law Protecting the Privacy and Security of Citizens (2017) and the Electronic Transactions Law (2004)
New Zealand: Bill 292-1 the Privacy Amendment Bill
- Pakistan: Personal Data Protection Bill 2023
- Philippines: Substitute Bill to amend the Data Privacy Act of 2012 (Republic Act No. 10173)
- Sri Lanka: Personal Data Protection Act, No. 9 of 2022
Asia-Pacific
Australia
Law: Privacy and Other Legislation Amendment Bill 2024 (the Bill)
Status: In legislative process
On November 18, 2024, the Bill was introduced and read for the first time in the Senate after passing the third reading in the House of Representatives on November 6, 2024.
Resources:
Bangladesh
Law: Draft Data Protection Act, 2023 (the Draft Act)
Status: In legislative process
On November 29, 2023, OneTrust DataGuidance Research confirmed with Nasir Doulah, Partner at Doulah & Doulah, that the Bill was passed by the Cabinet of Bangladesh.
Resources:
- Legal Text (only available in Bangla)
- OneTrust DataGuidance Jurisdiction Overview
Brunei Darussalam
Law: Draft Personal Data Protection Order (PDPO)
Status: In legislative process
On December 3, 2021, the Authority for Info-communications Technology Industry of Brunei Darussalam (AITI) published a response feedback paper on the public consultation it had initiated on May 20, 2021, establishing comprehensive insights on the expected operation of the PDPO.
Resources:
Hong Kong
Law: Personal Data (Privacy) Ordinance (Cap. 486) (as amended) (PDPO)
Status: Proposal
The Office of the Privacy Commissioner for Personal Data published, on February 20, 2023, a report in which it highlighted it is working closely with the Government of Hong Kong to comprehensively review the PDPO and formulate concrete proposals for legislative amendments.
Resources:
India
Law: The Digital Personal Data Protection Act, 2023 (Act)
Status: Adopted
On August 11, 2023, the Digital Personal Data Protection Bill, 2023, received the assent of the President of India and was published in the Official Gazette, thus enacting the Act. The entry into force of the Act is to be announced by the Indian Government via notification in the Official Gazette.
Resources:
Malaysia
Law: Bill D.R. 21/2024 for an Act to amend the Personal Data Protection Act (the Bill)
Status: In legislative process
On July 31, 2024, the Bill passed in the Senate on its second reading after being read for the first time on July 22, 2024. The Bill was previously passed in the House of Representatives on July 16, 2024.
Resources:
- Legal Text (only available in Malaysian)
- OneTrust DataGuidance Jurisdiction Overview
Myanmar
Law: Amendments to the Law Protecting the Privacy and Security of Citizens (2017) and the Electronic Transactions Law (2004)
Status: Unknown
OneTrust DataGuidance confirmed, on May 18, 2021, with Dr. Ross Taylor, Counsel and Head of Financial Services at Tilleke & Gibbins, that the State Administration Council had adopted, in February 2021, amendments to the Law Protecting the Privacy and Security of Citizens (2017) and the Electronic Transactions Law (2004).
Resources:
Law: Bill 292-1 the Privacy Amendment Bill (the Bill)
Status: In legislative process
On May 3, 2024, the New Zealand Parliament opened a public consultation on the Privacy Amendment Bill after it was introduced on September 5, 2023.
Resources:
Pakistan
Law: Personal Data Protection Bill 2023
Status: In legislative process
On August 15, 2024, the Information Technology and Telecommunication Committee of the Senate announced that the Committee deliberated on the bill. Previously Federal Cabinet of Pakistan approved the bill, together with the E-Safety Bill 2023, as confirmed by Mustafa Munir Ahmed, Partner at Legal Oracles by OneTrust DataGuidance Research on August 3, 2023.
Resources:
Philippines
Law: Substitute Bill to amend the Data Privacy Act of 2012 (Republic Act No. 10173)
Status: Proposed
The National Privacy Commission (NPC) issued, on June 25, 2021, a statement addressing recent efforts to strengthen the current privacy law in the Philippines, following the 55th Asia Pacific Privacy Authorities Forum. In particular, the NPC highlighted that a substitute bill to amend the Data Privacy Act of 2012 (Republic Act No. 10173) had been approved by the Committee on Information and Communications Technology of the House of Representatives.
Resources:
Sri Lanka
Law: Personal Data Protection Act, No. 9 of 2022
Status: Partially in force
Parts VI, VIII, IX, and X of the PDPA entered into force on December 1, 2023, while Parts I, II, III, and VII of the PDPA will enter into force on March 18, 2025.
Resources:
Table of Resources
- Canada - Federal: Bill C-27 for the Digital Charter Implementation Act 2022
Canada
Canada - Federal
Law: Bill C-27 for the Digital Charter Implementation Act 2022
Status: In legislative process
On June 28, 2024, the Office of the Privacy Commissioner of Canada (OPC) announced that it provided 15 key recommendations to the Standing Committee on Industry and Technology in the House of Commons to further improve the Bill. On April 24, 2023, Bill C-27 passed a second reading before the House of Commons. The Bill was introduced before the House of Commons on June 16, 2022.
Resources:
Quebec
Law: An Act to modernize legislative provisions as regards the protection of personal information, 2021, Chapter 25 (the Amendment Act) (formerly known as Bill 64).
Status: Partially in force
The Amendment Act will enter into force over a three year period with provisions entering into force in September 2022, September 2023, September 2024.
Resources:
Table of Resources
- Belize: Data Protection Act, 2021
- Bermuda: Personal Information Protection Act 2016
- Bermuda: Personal Information Protection Amendment Act 2023
- Grenada: The Grenada Data Protection Act, No. 1 of 2023
- Jamaica: Data Protection Act No. 7 of 2020
- Suriname: Bill for the Privacy Protection Act and Personal Data
Caribbean
Law: Data Protection Act, 2021 (the Act)
Status: Adopted
In 2021, the National Assembly in Belize adopted the Act which will enter into force on a day to be appointed by the Minister by Order published in the Gazette.
Resources:
Law: Personal Information Protection Act 2016 (the Act)
Status: Adopted
On November 7, 2024, the Minister responsible for information and communication technologies policy and innovation published a notice in the Official Gazette on the commencement days for certain sections of the Act. Specifically, the notice provides that Sections 3-25, 30-34, and 37-50 of the Act shall come into operation on January 1, 2025.
Resources:
Law: Personal Information Protection Amendment Act 2023 (the Act)
Status: Adopted
On November 7, 2024, the Minister responsible for information and communication technologies policy and innovation published a notice in the Official Gazette on the commencement date for the Act. Specifically, the notice provides that the Act shall come into operation on January 1, 2025.
Resources:
Grenada
Law: The Grenada Data Protection Act, No. 1 of 2023 (the GDPA)
Status: Adopted
The GDPA was published on May 10, 2023, in the Official Gazette, following their assent by the Deputy to the Grenada Governor-General.
Resources:
Guyana
Law: Data Protection Act No.18 of 2023 (the Act)
Status: Adopted
On August 16, 2023, the Act was published in the Official Gazette of Guyana and, on the same date, received Presidential assent. The Act will come into effect on the day the Minister responsible for data protection may, by order, appoint, and different days may be appointed for different provisions of the Act.
Resources:
Jamaica
Law: Data Protection Act No. 7 of 2020
Status: In force
The Protection Act No. 7 of 2020 entered into force on December 1, 2023, and the entities had a six-month grace period following the entry to register with the Office of the Information Commissioner (OIC).
Resources:
Law: Bill for the Privacy Protection Act and Personal Data (the Bill)
Status: In legislative process
The Bill was presented to the Suriname National Assembly in 2018 and considered by the Committee of Rapporteurs on January 21, 2021.
Resources:
- Legal Text (only available in Dutch)
- OneTrust DataGuidance Jurisdictional Overview
Table of Resources
CIS
Moldova
Law: Law No. 195/2024 on the Protection of Personal Data (Law No. 195/2024)
Status: Adopted
On August 23, 2024, the Law No. 195/2024 was published in the Official Gazette of the Republic of Moldova. Law No. 195/2024, detailed in issues 367-369, Article 574 of the Gazette. The National Center for the Protection of Personal Data clarified that Law No. 195/2024 will come into effect two years after its publication and that in the meantime, Law No. 133/2011 on the protection of personal data remains in force until then.
Resources:
- Legal Text (only available in Romanian)
- OneTrustDataGuidance Jurisdiction Overview
Ukraine
Law: Draft Data protection Law (the Draft Law)
Status: In legislative process
The Parliament of Ukraine announced on October 25, 2022, that it had received the Draft Law following the rejection of the previous data protection bill.
Resources:
- Legal Text (only available in Ukranian)
- OneTrustDataGuidance Jurisdiction Overview
Table of Resources
- EU: the ePrivacy Regulation
- EU: Revised Directive on Security of Network and Information Systems
- EU: Regulation on Harmonised Rules on Fair Access to and Use of Data
- EU: Proposal for a Regulation of the European Parliament and of the Council Laying Down Harmonised Rules on Artificial Intelligence
- Monaco: Data Protection Act No. 3 of 2021
- Netherlands: Collective Data Protection Act
- Switzerland: Revised Federal Act on Data Protection 1992
- Turkey: Personal Data Protection Law
- UK: Data Protection and Digital Information Bill
Europe
EU
Law: Proposal for a Regulation Concerning the Respect for Private Life and the Protection of Personal Data in Electronic Communications and Repealing Directive 2002/58/EC (Regulation on Privacy and Electronic Communications) (the Draft ePrivacy Regulation)
Status: The Council and the Parliament will start negotiations on the text.
The Council of the European Union has agreed on a negotiating mandate with the European Parliament. If passed, the ePrivacy Regulation will replace the Directive on Privacy and Electronic Communications (2002/58/EC) (as amended) (the ePrivacy Directive).
Resources:
EU
Law: Revised Directive on Security of Network and Information Systems (NIS 2 Directive)
Status: In force
The NIS 2 Directive became fully applicable on October 18, 2024, repealing the NIS Directive on the same day.
Resources:
EU
Law: Regulation on Harmonised Rules on Fair Access to and Use of Data (Data Act)
Status: In force
The Data Act will become applicable in 20 months i.e., September 12, 2025.
Resources:
EU
Law: Proposal for a Regulation of the European Parliament and of the Council Laying Down Harmonised Rules on Artificial Intelligence (the EU AI Act)
Status: In force
The EU AI Act entered into force on August 1, 2024, following its publication in the Official Journal of the European Union on July 12, 2024.
Resources:
Monaco
Law: Data Protection Act No. 3 of 2021
Status: In legislative process
The Monegasque data protection authority issued, on January 28, 2022, a statement, in commemoration of Data Protection Day, highlighting the bill relating to the protection of personal data recently submitted to the Office of the National Council.
Resources:
- Legal Text (only in French)
- OneTrust DataGuidance Jurisdiction Overview
Law: Collective Data Protection Act
Status: In legislative process
On December 2, 2022, the bill was introduced to the House of Representatives.
Resources:
- Legal Text (only available to download in Dutch)
- OneTrust DataGuidance Jurisdiction Overview
Switzerland
Law: Revised Federal Act on Data Protection 1992 ('FADP')
Status: In force
The revised FADP entered into force on September 1, 2023.
Resources:
- Legal Text (only available in French)
- OneTrust DataGuidance Jurisdiction Overview
Law: Personal Data Protection Law (the Law)
Status: In force
On June 1, 2024, the Personal Data Protection Authority (KVKK) announced via LinkedIn that the amendments to the Law on Protection of Personal Data (the Law) approved on March 12, 2024, came into force on June 1, 2024.
Resources:
- Legal Text (only in Turkish)
- OneTrust DataGuidance Jurisdiction Overview
UK
Law: Data Protection and Digital Information Bill (the Bill)
Status: Died in the committee stage
On May 30, 2024, the Data Protection and Digital Information Bill died in the committee stage in the House of Lords as the bill failed to pass when the Parliament dissolved on the same date. The bill passed its first and second reading in the House of Lords on December 6 and December 19, 2023, respectively.
Resources:
Table of Resources
- Argentina: Personal Data Protection Bill
Bolivia: Legislative Assembly of bill No. 349/2020-2021 for the protection of personal data
Colombia: General Regime for the Protection of Personal Data
- Chile: Bill No. 11144-07 Regulating the Processing and Protection of Personal Data and Creating the Personal Data Protection Authority
- Chile: Bill No. 11092-07 on the protection of personal data
Costa Rica: Bill No. 23097 for the Data Protection Law
El Salvador: The Data Protection Law
- Guatemala: Bill No. 6105 of 23 June 2022 for the approval of the Data Protection Law
- Paraguay: Bill on the Protection of Personal Data of the Republic of Paraguay
Latin America
Argentina
Law: Personal Data Protection Bill (the Bill)
Status: In legislative process
On August 2, 2023, the Argentinian data protection authority (AAIP) announced the presentation of the updated Personal Data Protection Law project before the Deputies' Chamber. This follows the announcement by AAIP on June 30, 2023, that the National Executive Power had sent the Bill to the National Congress of Argentina.
Resources:
- Legal Text (only available in Spanish)
- OneTrust DataGuidance Jurisdictional Overview
Law: Draft Law on Protection of Personal Data (the Draft Law)
Status: In legislative process
OneTrust DataGuidance Research confirmed, on April 25, 2023, with Ana Valeria Escobar, Partner at PPO Abogados, that the Agency of Electronic Government and Information and Communication Technologies had presented on March 31, 2023, to the Bolivian Senate the Draft Law.
Resources:
- Legal Text (only available in Spanish)
- OneTrust DataGuidance Jurisdictional Overview
Law: Legislative Assembly of bill No. 349/2020-2021 for the protection of personal data (the Bill)
Status: In legislative process
A motion for the reintroduction in the Bill was filed, on March 3, 2023, by National Deputy Renan Cabezas Veizan, following its initial presentation on October 19, 2021.
Resources:
- Legal Text (only available in Spanish)
- OneTrust DataGuidance Jurisdictional Overview
Law: General Regime for the Protection of Personal Data (the Bill)
Status: In legislative process
On August 31, 2023, OneTrust DataGuidance Research confirmed with Jorge Pinilla, Associate at Pinilla & Pinilla, that the Chamber of Representatives of Colombia introduced the Bill.
Resources:
- Legal Text (only available for download in Spanish)
- OneTrust DataGuidance Jurisdictional Overview
Costa Rica
Law: Bill No. 23097 for the Data Protection Law (the Bill)
Status: In legislative process
Bill No. 23097 for the Data Protection Law was added to the Legislative Assembly's agenda on March 10, 2023, following its introduction in 2022.
Resources:
- Legal Text (only available to download in Spanish)
- OneTrust DataGuidance Jurisdictional Overview
Law: Bill No. 11144-07 Regulating the Processing and Protection of Personal Data and Creating the Personal Data Protection Authority (the Bill)
Status: Adopted
On November 14, 2024, the Constitutional Court of Chile reviewed the constitutionality of the Bill following its passage by the Senate on August 28, 2024, and its approval by the President on September 3, 2024. The Bill is now waiting to be published by Decree of the President.
Resources:
- Legal Text (only available in Spanish)
- OneTrust DataGuidance Jurisdictional Overview
Law: Bill No. 11092-07 on the protection of personal data (the Bill)
Status: Adopted
On November 14, 2024, the Constitutional Court of Chile reviewed the constitutionality of the Bill following its passage by the Senate on August 28, 2024, and its approval by the President on September 3, 2024. The Bill is now waiting to be published by Decree of the President.
Resources:
- Legal Text (only available in Spanish)
- OneTrust DataGuidance Jurisdictional Overview
Law: The Data Protection Law (the Law)
Status: Adopted
On November 13, 2024, the Legislative Assembly of El Salvador announced that it approved the Data Protection Law. The Law will enter into effect eight days after its publication in the Official Gazette.
Resources:
- Legal Text (only available in Spanish)
- OneTrust DataGuidance Jurisdictional Overview
Law: Bill No. 6105 of 23 June 2022 for the approval of the Data Protection Law (the Bill)
Status: In legislative process
On April 28, 2023, the President of the Transparency and Probity Commission issued a favorable opinion on the Bill.
Resources:
- Legal Text (only available in Spanish)
- OneTrust DataGuidance Jurisdictional Overview
Paraguay
Law: Bill on the Protection of Personal Data of the Republic of Paraguay (the Bill)
Status: In legislative process
On August 29, 2023, the Chamber of Deputies of Paraguay announced that the Commission of Industry, Commerce, Tourism, and Cooperativism issued a favorable opinion, with amendments, on the Bill.
Resources:
- Legal Text (only available in Spanish)
- OneTrust DataGuidance Jurisdictional Overview
Table of Resources
- Israel: Privacy Protection Bill (Amendment No. 13) (formerly Amendment No.14)
Israel: Privacy Protection Law (Amendment - Reinforcement of the Right to Privacy and its Protection), 2022
- Jordan: the Law No. 24 of 2023 Personal Data Protection Law
- Saudi Arabia: Personal Data Protection Law
Middle East
Israel
Law: Privacy Protection Bill (Amendment No. 13) (formerly known as Amendment 14) (the Bill)
Status: Adopted
On August 14, 2024, the Bill was officially published following the announcement on August 8, 2024, by the Privacy Protection Authority (PPA) that the Parliament (Knesset) passed the Bill. Amendment No. 13 will become effective one year from the date of its publication.
Resources:
- Legal Text (only available in Hebrew)
- OneTrust DataGuidance Jurisdiction Overview
Israel
Law: Privacy Protection Law (Amendment - Reinforcement of the Right to Privacy and its Protection), 2022
Status: In legislative process
OneTrust DataGuidance confirmed, on February 3, 2022, with Dalit Ben-Israel, Partner, Chair of IT and Privacy Practice at Naschitz, Brandes, Amir & Co., that the draft bill for Privacy Protection Law (Amendment - Reinforcement of the Right to Privacy and its Protection), 2022 had been submitted, on January 31, 2022, to the Parliament.
Resources:
- Legal Text (both only available in Hebrew)
- OneTrust DataGuidance Jurisdiction Overview
Jordan
Law: Law No. 24 of 2023 Personal Data Protection Law ('the Law')
Status: In force
On September 17, 2023, the Law was published in the Official Gazette and will enter into effect in six months, i.e. on March 17, 2024. However, the Directorate provided that all entities dealing with personal data are required, upon the law's enforcement, to align their conditions with the Law within a period not exceeding one year, ending on March 16, 2025.
Resources:
- Legal Text (only available in Arabic)
- OneTrust DataGuidance Jurisdiction Overview
Send us your Feedback!
Please let us know what you think of DataGuidance! It will only take 60 seconds and help us make the site better for you.
