{ "meta": { "version": "v0", "buildDate": "2026-06-23", "scope": "A reference map of national data-protection / personal-privacy laws: which countries have a comprehensive personal-data-protection statute, its name, year of adoption, and the supervisory authority (DPA). Public-domain legislative facts from official legal sources. Contains ZERO personal data. Records the LAW, not any data subject. Not a ranking — no proprietary scores. The companion to Right to Information: the right to PROTECT personal data, alongside the right to ACCESS government data.", "countryCount": 61, "byStatus": { "comprehensive": 60, "sectoral-only": 1 }, "earliestLaw": 1981, "latestLaw": 2025 }, "countries": [ { "country": "Argentina", "iso2": "AR", "hasLaw": "comprehensive", "lawName": "Ley de Protección de los Datos Personales (Law No. 25.326)", "yearAdopted": "2000", "authority": "Agencia de Acceso a la Información Pública (AAIP)", "scopeNote": "Comprehensive data-protection statute enacted in 2000, covering personal data in public- and private-sector databases and providing the habeas data action. The enforcement authority is the Agencia de Acceso a la Información Pública (AAIP), created in 2016. Several modernization bills aligning the regime with the GDPR were before Congress as of 2025-2026 but had not yet been enacted.", "sourceUrl": "https://servicios.infoleg.gob.ar/infolegInternet/anexos/60000-64999/64790/texact.htm", "sourceTitle": "Ley 25.326 - Protección de los Datos Personales (InfoLEG)", "confidence": "high" }, { "country": "Australia", "iso2": "AU", "hasLaw": "comprehensive", "lawName": "Privacy Act 1988 (Cth)", "yearAdopted": "1988", "authority": "Office of the Australian Information Commissioner (OAIC)", "scopeNote": "Australia's comprehensive federal privacy statute, in force since 1988 and built around the Australian Privacy Principles. The Privacy and Other Legislation Amendment Act 2024 introduced significant reforms (new civil penalties, a statutory tort for serious invasions of privacy) but did not replace the 1988 Act. The OAIC regulates and enforces it.", "sourceUrl": "https://www.oaic.gov.au/privacy/privacy-legislation/the-privacy-act/history-of-the-privacy-act", "sourceTitle": "History of the Privacy Act - OAIC", "confidence": "high" }, { "country": "Bahrain", "iso2": "BH", "hasLaw": "comprehensive", "lawName": "Personal Data Protection Law No. 30 of 2018 (PDPL)", "yearAdopted": "2018", "authority": "Personal Data Protection Authority (PDPA)", "scopeNote": "Bahrain enacted Law No. 30 of 2018 on Personal Data Protection on 12 July 2018, in force from 1 August 2019. It establishes the Personal Data Protection Authority (currently operating under the Ministry of Justice, Islamic Affairs and Awqaf) as an independent supervisory body with powers to issue guidelines, grant authorizations, audit, investigate, and impose sanctions.", "sourceUrl": "https://www.pdp.gov.bh/en/about-PDPA.html", "sourceTitle": "About Personal Data Protection Authority - Kingdom of Bahrain (PDPA official site)", "confidence": "high" }, { "country": "Brazil", "iso2": "BR", "hasLaw": "comprehensive", "lawName": "LGPD (Lei Geral de Proteção de Dados Pessoais, Law No. 13.709/2018)", "yearAdopted": "2018", "authority": "Autoridade Nacional de Proteção de Dados (ANPD)", "scopeNote": "Comprehensive privacy statute enacted August 14, 2018, in force from September 18, 2020 (administrative-penalty provisions from August 2021). Covers processing of personal data across public and private sectors, with extraterritorial reach over processing aimed at individuals in Brazil. Enforced by the ANPD, an autonomous authority confirmed by Law No. 13.853/2019.", "sourceUrl": "https://www.planalto.gov.br/ccivil_03/_ato2015-2018/2018/lei/l13709.htm", "sourceTitle": "Lei No. 13.709 de 14 de agosto de 2018 (Planalto)", "confidence": "high" }, { "country": "Bulgaria", "iso2": "BG", "hasLaw": "comprehensive", "lawName": "Personal Data Protection Act (Zakon za zashtita na lichnite danni), as amended in 2019 to implement GDPR", "yearAdopted": "2002", "authority": "Commission for Personal Data Protection (Komisia za zashtita na lichnite danni, CPDP)", "scopeNote": "As an EU member state, Bulgaria applies the GDPR directly; the Personal Data Protection Act, originally promulgated in State Gazette No. 1 of 2002, was substantially amended (in force 1 March 2019) to align with the GDPR and transpose the Law Enforcement Directive. The Commission for Personal Data Protection is the supervisory authority.", "sourceUrl": "https://cpdp.bg/en/legislation/personal-data-protection-act/", "sourceTitle": "Commission for Personal Data Protection - Personal Data Protection Act", "confidence": "high" }, { "country": "Canada", "iso2": "CA", "hasLaw": "comprehensive", "lawName": "PIPEDA (Personal Information Protection and Electronic Documents Act)", "yearAdopted": "2000", "authority": "Office of the Privacy Commissioner of Canada (OPC)", "scopeNote": "Federal statute (Royal Assent April 13, 2000) governing how private-sector organizations collect, use, and disclose personal information in commercial activity, phased in 2001-2004. Provinces with substantially similar laws (e.g. Quebec, BC, Alberta) are exempt for intra-provincial activity. The OPC oversees compliance under an ombudsman model.", "sourceUrl": "https://laws-lois.justice.gc.ca/eng/acts/p-8.6/", "sourceTitle": "Personal Information Protection and Electronic Documents Act (Justice Laws Canada)", "confidence": "high" }, { "country": "Chile", "iso2": "CL", "hasLaw": "comprehensive", "lawName": "Ley 21.719 (que regula la protección y el tratamiento de los datos personales)", "yearAdopted": "2024", "authority": "Agencia de Protección de Datos Personales (APDP)", "scopeNote": "Comprehensive GDPR-aligned statute published December 13, 2024, which overhauls the prior Law 19.628 (1999) and creates the new Agencia de Protección de Datos Personales. The law has a 24-month transition and enters into full force on December 1, 2026, with the APDP empowered to investigate, fine, and order suspension of processing.", "sourceUrl": "https://www.bcn.cl/leychile/navegar?idNorma=1209272", "sourceTitle": "Ley 21.719 (Biblioteca del Congreso Nacional de Chile)", "confidence": "high" }, { "country": "China", "iso2": "CN", "hasLaw": "comprehensive", "lawName": "Personal Information Protection Law (PIPL)", "yearAdopted": "2021", "authority": "Cyberspace Administration of China (CAC)", "scopeNote": "China's first comprehensive national personal-information-protection law, adopted 20 August 2021 and effective 1 November 2021. It works alongside the Cybersecurity Law and Data Security Law; the Cyberspace Administration of China is the primary coordinating regulator, with sectoral departments sharing enforcement.", "sourceUrl": "https://www.dlapiperdataprotection.com/index.html?c=CN", "sourceTitle": "Data protection laws in China - DLA Piper Data Protection Laws of the World", "confidence": "high" }, { "country": "Colombia", "iso2": "CO", "hasLaw": "comprehensive", "lawName": "Ley Estatutaria 1581 de 2012", "yearAdopted": "2012", "authority": "Superintendencia de Industria y Comercio (SIC) - Delegatura para la Protección de Datos Personales", "scopeNote": "Comprehensive statutory law (October 17, 2012) developing the constitutional right to know, update, and rectify personal data, applicable to data in public- and private-sector databases. Supervised by the SIC through its Data Protection Deputy Office, which also runs the National Database Registry. A modernization bill was before Congress as of 2025-2026.", "sourceUrl": "https://www.funcionpublica.gov.co/eva/gestornormativo/norma.php?i=49981", "sourceTitle": "Ley 1581 de 2012 (Funcion Publica - Gestor Normativo)", "confidence": "high" }, { "country": "Czechia", "iso2": "CZ", "hasLaw": "comprehensive", "lawName": "Act No. 110/2019 Coll. on Personal Data Processing, implementing GDPR", "yearAdopted": "2019", "authority": "Office for Personal Data Protection (Urad pro ochranu osobnich udaju, UOOU)", "scopeNote": "As an EU member state, Czechia applies the GDPR directly; Act No. 110/2019 Coll., in force from 24 April 2019, is the GDPR-implementing act and replaced the earlier Act No. 101/2000 Coll. The Office for Personal Data Protection (UOOU) is the supervisory authority.", "sourceUrl": "https://uoou.gov.cz/media/act-no-110-2019-coll.pdf", "sourceTitle": "UOOU - Act No. 110/2019 Coll. (unofficial English translation)", "confidence": "high" }, { "country": "Egypt", "iso2": "EG", "hasLaw": "comprehensive", "lawName": "Personal Data Protection Law No. 151 of 2020", "yearAdopted": "2020", "authority": "Personal Data Protection Center (PDPC)", "scopeNote": "Law No. 151 of 2020 is Egypt's first comprehensive personal-data-protection statute, enacted 13 July 2020 and in force from 14 October 2020. It establishes the Personal Data Protection Center (PDPC) under the Ministry of Communications and Information Technology; Executive Regulations issued in 2025 operationalized the PDPC, with active enforcement following a transitional grace period.", "sourceUrl": "https://mcit.gov.eg/Upcont/Documents/Reports%20and%20Documents_1232021000_Law_No_151_2020_Personal_Data_Protection.pdf", "sourceTitle": "Egypt's Personal Data Protection Law No. 151 of 2020 - Ministry of Communications and Information Technology", "confidence": "high" }, { "country": "Estonia", "iso2": "EE", "hasLaw": "comprehensive", "lawName": "Personal Data Protection Act (Isikuandmete kaitse seadus), implementing GDPR", "yearAdopted": "2018", "authority": "Data Protection Inspectorate (Andmekaitse Inspektsioon, AKI)", "scopeNote": "As an EU member state, Estonia applies the GDPR directly; the Personal Data Protection Act, adopted by the Riigikogu on 12 December 2018 and in force from 15 January 2019, supplements the Regulation in areas of national discretion. The Data Protection Inspectorate is the supervisory authority.", "sourceUrl": "https://www.riigiteataja.ee/en/eli/523012019001/consolide", "sourceTitle": "Riigi Teataja - Personal Data Protection Act (consolidated, English)", "confidence": "high" }, { "country": "Finland", "iso2": "FI", "hasLaw": "comprehensive", "lawName": "GDPR (Regulation (EU) 2016/679) as implemented by the Data Protection Act (Tietosuojalaki 1050/2018)", "yearAdopted": "2018", "authority": "Office of the Data Protection Ombudsman (Tietosuojavaltuutetun toimisto)", "scopeNote": "The EU GDPR applies directly and is supplemented by the national Data Protection Act (1050/2018), which entered into force on 1 January 2019 and repealed the former Personal Data Act (523/1999). The Data Protection Ombudsman's Office is the national supervisory authority.", "sourceUrl": "https://www.finlex.fi/en/legislation/2018/1050", "sourceTitle": "Tietosuojalaki 1050/2018 (Finlex)", "confidence": "high" }, { "country": "France", "iso2": "FR", "hasLaw": "comprehensive", "lawName": "GDPR (Regulation (EU) 2016/679) as implemented by the Loi Informatique et Libertés (Law No. 2018-493)", "yearAdopted": "2018", "authority": "Commission Nationale de l'Informatique et des Libertés (CNIL)", "scopeNote": "The EU GDPR applies directly and is adapted into French law by Law No. 2018-493 of 20 June 2018, which amended the 1978 Loi Informatique et Libertés (later recodified by an ordinance in December 2018). The CNIL is the national supervisory authority.", "sourceUrl": "https://www.legifrance.gouv.fr/jorf/id/JORFTEXT000037085952", "sourceTitle": "LOI n° 2018-493 du 20 juin 2018 relative à la protection des données personnelles (Légifrance)", "confidence": "high" }, { "country": "Georgia", "iso2": "GE", "hasLaw": "comprehensive", "lawName": "Law of Georgia on Personal Data Protection (No. 3144-RS of 14 June 2023)", "yearAdopted": "2023", "authority": "State Audit Office of Georgia (assumed supervisory functions on 2 March 2026, replacing the Personal Data Protection Service / PDPS)", "scopeNote": "Georgia (a non-EU state, EU candidate) adopted a comprehensive, GDPR-aligned Law on Personal Data Protection on 14 June 2023, in force from 1 March 2024, replacing the 2011 law. Supervision was carried out by the Personal Data Protection Service (PDPS) until Law No. 1054 of 12 November 2025 abolished the PDPS and transferred all data-protection functions to the constitutional State Audit Office of Georgia, effective 2 March 2026.", "sourceUrl": "https://www.dlapiperdataprotection.com/?t=law&c=GE", "sourceTitle": "DLA Piper Data Protection Laws of the World - Georgia", "confidence": "high" }, { "country": "Germany", "iso2": "DE", "hasLaw": "comprehensive", "lawName": "GDPR (Regulation (EU) 2016/679) as implemented by the Bundesdatenschutzgesetz (BDSG)", "yearAdopted": "2018", "authority": "Federal Commissioner for Data Protection and Freedom of Information (BfDI), alongside 16 Länder supervisory authorities", "scopeNote": "The EU GDPR applies directly and is supplemented by the Federal Data Protection Act (BDSG), in force since 25 May 2018, which legislates in the areas the GDPR leaves to member states. Supervision is split: the BfDI oversees federal bodies and telecoms, while each of the 16 states has its own authority for the private sector and state bodies.", "sourceUrl": "https://www.gesetze-im-internet.de/englisch_bdsg/", "sourceTitle": "Federal Data Protection Act (BDSG) (gesetze-im-internet.de)", "confidence": "high" }, { "country": "Ghana", "iso2": "GH", "hasLaw": "comprehensive", "lawName": "Data Protection Act, 2012 (Act 843)", "yearAdopted": "2012", "authority": "Data Protection Commission (DPC)", "scopeNote": "The Data Protection Act, 2012 (Act 843) is Ghana's comprehensive data-protection statute regulating the processing of personal data by data controllers and processors, who must register with the regulator. It establishes the Data Protection Commission (DPC) as an independent statutory supervisory body.", "sourceUrl": "https://dataprotection.org.gh/", "sourceTitle": "Data Protection Commission, Ghana - official site", "confidence": "high" }, { "country": "Hungary", "iso2": "HU", "hasLaw": "comprehensive", "lawName": "Act CXII of 2011 on the Right of Informational Self-Determination and on Freedom of Information (Info Act), as amended for GDPR", "yearAdopted": "2011", "authority": "National Authority for Data Protection and Freedom of Information (Nemzeti Adatvedelmi es Informacioszabadsag Hatosag, NAIH)", "scopeNote": "As an EU member state, Hungary applies the GDPR directly; the Info Act (Act CXII of 2011) was amended in July 2018 to align with the GDPR and to transpose the Law Enforcement Directive, and it supplements the Regulation with procedural and freedom-of-information rules. The NAIH is the autonomous supervisory authority.", "sourceUrl": "https://www.naih.hu/about-the-authority", "sourceTitle": "NAIH - About the Authority", "confidence": "high" }, { "country": "India", "iso2": "IN", "hasLaw": "comprehensive", "lawName": "Digital Personal Data Protection Act, 2023 (DPDP Act)", "yearAdopted": "2023", "authority": "Data Protection Board of India", "scopeNote": "India's first comprehensive personal-data-protection statute, enacted August 2023, governs the processing of digital personal data by data fiduciaries and grants rights to data principals. The Data Protection Board of India was established in November 2025; substantive obligations are being brought into force in phases through 2027.", "sourceUrl": "https://en.wikipedia.org/wiki/Digital_Personal_Data_Protection_Act,_2023", "sourceTitle": "Digital Personal Data Protection Act, 2023 - Wikipedia", "confidence": "high" }, { "country": "Indonesia", "iso2": "ID", "hasLaw": "comprehensive", "lawName": "Personal Data Protection Law (Law No. 27 of 2022, UU PDP)", "yearAdopted": "2022", "authority": "Ministry of Communication and Digital Affairs (Komdigi); dedicated PDP Agency pending establishment", "scopeNote": "Indonesia's comprehensive personal-data-protection law, in effect since October 2022 with a two-year compliance transition that ended October 2024. As of 2026 a dedicated independent supervisory authority (PDP Agency) had not yet become operational; enforcement is exercised by the Ministry of Communication and Digital Affairs (Komdigi).", "sourceUrl": "https://www.dlapiperdataprotection.com/?t=law&c=ID", "sourceTitle": "Data protection laws in Indonesia - DLA Piper Data Protection Laws of the World", "confidence": "high" }, { "country": "Ireland", "iso2": "IE", "hasLaw": "comprehensive", "lawName": "Data Protection Act 2018 (implementing GDPR, Regulation (EU) 2016/679)", "yearAdopted": "2018", "authority": "Data Protection Commission (DPC)", "scopeNote": "The EU GDPR applies directly and is given further effect in Irish law by the Data Protection Act 2018 (enacted 24 May 2018). The Data Protection Commission is the national supervisory authority and frequently acts as lead supervisory authority for many multinationals headquartered in Ireland.", "sourceUrl": "https://www.irishstatutebook.ie/eli/2018/act/7/enacted/en/html", "sourceTitle": "Data Protection Act 2018 (Irish Statute Book)", "confidence": "high" }, { "country": "Israel", "iso2": "IL", "hasLaw": "comprehensive", "lawName": "Protection of Privacy Law, 5741-1981 (as amended by Amendment No. 13)", "yearAdopted": "1981", "authority": "Privacy Protection Authority (PPA)", "scopeNote": "Israel's general data-protection statute is the Protection of Privacy Law of 1981, substantially modernized by Amendment No. 13 (enacted August 2024, in force August 2025), which expanded definitions, added governance obligations, and strengthened the Privacy Protection Authority's investigative and sanctioning powers. The PPA, within the Ministry of Justice, supervises and enforces the law.", "sourceUrl": "https://www.gov.il/en/departments/the_privacy_protection_authority/govil-landing-page", "sourceTitle": "Israel Privacy Protection Authority (Gov.il)", "confidence": "high" }, { "country": "Italy", "iso2": "IT", "hasLaw": "comprehensive", "lawName": "GDPR (Regulation (EU) 2016/679) as implemented by the Personal Data Protection Code (Legislative Decree 196/2003 as amended by Legislative Decree 101/2018)", "yearAdopted": "2018", "authority": "Italian Data Protection Authority (Garante per la protezione dei dati personali)", "scopeNote": "The EU GDPR applies directly and is harmonised into Italian law by Legislative Decree 101/2018 (in force 19 September 2018), which amended the existing Personal Data Protection Code (Legislative Decree 196/2003). The Garante per la protezione dei dati personali is the national supervisory authority.", "sourceUrl": "https://www.garanteprivacy.it/web/garante-privacy-en", "sourceTitle": "Italian Data Protection Authority (Garante per la protezione dei dati personali)", "confidence": "high" }, { "country": "Jamaica", "iso2": "JM", "hasLaw": "comprehensive", "lawName": "Data Protection Act, 2020", "yearAdopted": "2020", "authority": "Office of the Information Commissioner (OIC)", "scopeNote": "Comprehensive data-protection statute passed in 2020 and brought into full force by ministerial proclamation on December 1, 2023, following a transition period, with a six-month registration grace period for data controllers. Establishes eight data-protection standards and is regulated by the Office of the Information Commissioner.", "sourceUrl": "https://japarliament.gov.jm/attachments/article/339/The%20Data%20Protection%20Act,%202020.pdf", "sourceTitle": "The Data Protection Act, 2020 (Parliament of Jamaica)", "confidence": "high" }, { "country": "Japan", "iso2": "JP", "hasLaw": "comprehensive", "lawName": "Act on the Protection of Personal Information (APPI), Act No. 57 of 2003", "yearAdopted": "2003", "authority": "Personal Information Protection Commission (PPC)", "scopeNote": "Japan's comprehensive data-protection statute, enacted in 2003 and substantially amended (notably 2015, 2017 and 2020). The Personal Information Protection Commission, an independent body, is the central supervisory and enforcement authority.", "sourceUrl": "https://www.japaneselawtranslation.go.jp/en/laws/view/4241/en", "sourceTitle": "Act on the Protection of Personal Information - Japanese Law Translation", "confidence": "high" }, { "country": "Jordan", "iso2": "JO", "hasLaw": "comprehensive", "lawName": "Personal Data Protection Law No. 24 of 2023", "yearAdopted": "2023", "authority": "Personal Data Protection Council (Ministry of Digital Economy and Entrepreneurship)", "scopeNote": "Jordan's first comprehensive data-protection statute, Law No. 24 of 2023, was published in the Official Gazette on 17 September 2023 and entered into force on 17 March 2024. It establishes a Personal Data Protection Council as policy and supervisory body, with a Data Protection Unit handling licensing and complaints; institutional build-out was still in progress as of 2026.", "sourceUrl": "https://www.modee.gov.jo/ebv4.0/root_storage/en/eb_list_page/pdpl.pdf", "sourceTitle": "Personal Data Protection Law No. (24) of 2023 (MoDEE official PDF)", "confidence": "high" }, { "country": "Kenya", "iso2": "KE", "hasLaw": "comprehensive", "lawName": "Data Protection Act, 2019 (No. 24 of 2019)", "yearAdopted": "2019", "authority": "Office of the Data Protection Commissioner (ODPC)", "scopeNote": "The Data Protection Act, No. 24 of 2019, is Kenya's comprehensive data-protection statute, modelled on the EU GDPR; it came into force in November 2019. It regulates the processing of personal data by controllers and processors and establishes the Office of the Data Protection Commissioner (ODPC) as the supervisory authority.", "sourceUrl": "https://www.odpc.go.ke/", "sourceTitle": "Office of the Data Protection Commissioner (ODPC), Kenya - official site", "confidence": "high" }, { "country": "Malaysia", "iso2": "MY", "hasLaw": "comprehensive", "lawName": "Personal Data Protection Act 2010 (PDPA)", "yearAdopted": "2010", "authority": "Personal Data Protection Commissioner / Department of Personal Data Protection (JPDP)", "scopeNote": "Malaysia's comprehensive data-protection law, passed in 2010 and brought into force in 2013, regulating the processing of personal data in commercial transactions. The Personal Data Protection Commissioner, heading the Department of Personal Data Protection (JPDP) under the digital ministry, administers it; a 2024 amendment strengthened obligations.", "sourceUrl": "https://www.dlapiperdataprotection.com/?t=law&c=MY", "sourceTitle": "Data protection laws in Malaysia - DLA Piper Data Protection Laws of the World", "confidence": "high" }, { "country": "Mexico", "iso2": "MX", "hasLaw": "comprehensive", "lawName": "LFPDPPP (Ley Federal de Protección de Datos Personales en Posesión de los Particulares, 2025)", "yearAdopted": "2025", "authority": "Secretaría Anticorrupción y Buen Gobierno (Secretariat of Anti-Corruption and Good Governance)", "scopeNote": "A new LFPDPPP was published in the Official Gazette on March 20, 2025 and entered into force March 21, 2025, abrogating the prior 2010 law. It preserves the ARCO rights framework, expressly covers data processors, and adds AI/automated-decision provisions. Following the constitutional dissolution of INAI, enforcement was transferred to the Secretariat of Anti-Corruption and Good Governance.", "sourceUrl": "https://www.whitecase.com/insight-alert/mexico-enacts-new-data-protection-regime", "sourceTitle": "Mexico enacts new data protection regime (White & Case LLP)", "confidence": "high" }, { "country": "Morocco", "iso2": "MA", "hasLaw": "comprehensive", "lawName": "Law No. 09-08 on the Protection of Individuals with Regard to the Processing of Personal Data", "yearAdopted": "2009", "authority": "Commission Nationale de controle de la protection des Donnees a caractere Personnel (CNDP)", "scopeNote": "Law No. 09-08 (promulgated 18 February 2009) is Morocco's comprehensive data-protection statute, applying to wholly or partly automated and certain manual processing of personal data. It establishes the Commission Nationale de controle de la protection des Donnees a caractere Personnel (CNDP) as the supervisory authority; controllers must notify the CNDP before processing.", "sourceUrl": "https://www.dgssi.gov.ma/en/loi-09-08-relative-la-protection-des-personnes-physiques-legard-du-traitement-des", "sourceTitle": "Law No. 09-08 on the protection of personal data - DGSSI (Morocco)", "confidence": "high" }, { "country": "Netherlands", "iso2": "NL", "hasLaw": "comprehensive", "lawName": "GDPR (Regulation (EU) 2016/679) as implemented by the GDPR Implementation Act (Uitvoeringswet AVG, UAVG)", "yearAdopted": "2018", "authority": "Dutch Data Protection Authority (Autoriteit Persoonsgegevens, AP)", "scopeNote": "The EU GDPR applies directly and is implemented in Dutch law by the GDPR Implementation Act (Uitvoeringswet AVG), which has applied since 25 May 2018 and sets out national derogations and the powers of the supervisory authority. The Autoriteit Persoonsgegevens is the national supervisory authority.", "sourceUrl": "https://wetten.overheid.nl/BWBR0040940/", "sourceTitle": "Uitvoeringswet Algemene verordening gegevensbescherming (wetten.overheid.nl)", "confidence": "high" }, { "country": "New Zealand", "iso2": "NZ", "hasLaw": "comprehensive", "lawName": "Privacy Act 2020", "yearAdopted": "2020", "authority": "Office of the Privacy Commissioner", "scopeNote": "New Zealand's comprehensive data-protection statute, which received Royal Assent in June 2020 and came into force on 1 December 2020, repealing and replacing the Privacy Act 1993. It is built around the Information Privacy Principles and overseen by the Privacy Commissioner.", "sourceUrl": "https://www.legislation.govt.nz/act/public/2020/0031/latest/LMS23223.html", "sourceTitle": "Privacy Act 2020 - New Zealand Legislation", "confidence": "high" }, { "country": "Nigeria", "iso2": "NG", "hasLaw": "comprehensive", "lawName": "Nigeria Data Protection Act (NDPA), 2023", "yearAdopted": "2023", "authority": "Nigeria Data Protection Commission (NDPC)", "scopeNote": "The NDPA is Nigeria's first comprehensive federal data-protection statute, signed into law on 12 June 2023. It replaces the earlier 2019 Nigeria Data Protection Regulation (NDPR) and establishes the Nigeria Data Protection Commission (NDPC) as the supervisory authority overseeing compliance and enforcement.", "sourceUrl": "https://ndpc.gov.ng/about-us/", "sourceTitle": "Nigeria Data Protection Commission - About Us", "confidence": "high" }, { "country": "Norway", "iso2": "NO", "hasLaw": "comprehensive", "lawName": "GDPR (Regulation (EU) 2016/679) incorporated via the Personal Data Act (Personopplysningsloven, LOV-2018-06-15-38)", "yearAdopted": "2018", "authority": "Norwegian Data Protection Authority (Datatilsynet)", "scopeNote": "Norway is an EEA member; the GDPR was incorporated into the EEA Agreement and applied in Norway from 20 July 2018 through the Personal Data Act of 15 June 2018, which makes the regulation Norwegian law and adds national provisions. Datatilsynet is the supervisory authority.", "sourceUrl": "https://lovdata.no/dokument/NL/lov/2018-06-15-38", "sourceTitle": "Lov om behandling av personopplysninger (personopplysningsloven) (Lovdata)", "confidence": "high" }, { "country": "Peru", "iso2": "PE", "hasLaw": "comprehensive", "lawName": "Ley de Protección de Datos Personales (Ley No. 29733)", "yearAdopted": "2011", "authority": "Autoridad Nacional de Protección de Datos Personales (ANPDP), Ministerio de Justicia y Derechos Humanos", "scopeNote": "Comprehensive statute published July 3, 2011, guaranteeing the constitutional right to personal-data protection across data banks held by public or private entities, with implementing rules under Supreme Decree 003-2013-JUS and amendments via Legislative Decree 1353 (2017). Enforced by the National Authority for Personal Data Protection within the Ministry of Justice and Human Rights.", "sourceUrl": "https://www.leyes.congreso.gob.pe/documentos/leyes/29733.pdf", "sourceTitle": "Ley N. 29733 - Ley de Proteccion de Datos Personales (Congreso de la Republica del Peru)", "confidence": "high" }, { "country": "Philippines", "iso2": "PH", "hasLaw": "comprehensive", "lawName": "Data Privacy Act of 2012 (Republic Act No. 10173)", "yearAdopted": "2012", "authority": "National Privacy Commission (NPC)", "scopeNote": "The Philippines' comprehensive data-protection law, signed in August 2012 and effective September 2012, applying to public- and private-sector processing of personal information. The National Privacy Commission, an independent body attached to the Department of Information and Communications Technology, administers and enforces it.", "sourceUrl": "https://privacy.gov.ph/data-privacy-act/", "sourceTitle": "Republic Act 10173 - Data Privacy Act of 2012 - National Privacy Commission", "confidence": "high" }, { "country": "Poland", "iso2": "PL", "hasLaw": "comprehensive", "lawName": "Personal Data Protection Act (Act of 10 May 2018), implementing GDPR", "yearAdopted": "2018", "authority": "President of the Personal Data Protection Office (Urzad Ochrony Danych Osobowych, UODO)", "scopeNote": "As an EU member state, Poland applies the GDPR (Regulation (EU) 2016/679) directly; the national Act of 10 May 2018 supplements it where member states have discretion (e.g. digital-consent age of 16, caps on public-body fines) and establishes the UODO. The Act entered into force on 25 May 2018.", "sourceUrl": "https://www.dlapiperdataprotection.com/index.html?t=law&c=PL", "sourceTitle": "DLA Piper Data Protection Laws of the World - Poland", "confidence": "high" }, { "country": "Portugal", "iso2": "PT", "hasLaw": "comprehensive", "lawName": "GDPR (Regulation (EU) 2016/679) as implemented by Law 58/2019", "yearAdopted": "2019", "authority": "National Data Protection Commission (Comissão Nacional de Proteção de Dados, CNPD)", "scopeNote": "The EU GDPR applies directly and is implemented in Portuguese law by Law No. 58/2019 of 8 August (in force 9 August 2019), which adapts the GDPR and designates the supervisory authority. The Comissão Nacional de Proteção de Dados is the national supervisory authority.", "sourceUrl": "https://diariodarepublica.pt/dr/detalhe/lei/58-2019-123815982", "sourceTitle": "Lei n.º 58/2019 (Diário da República)", "confidence": "high" }, { "country": "Qatar", "iso2": "QA", "hasLaw": "comprehensive", "lawName": "Law No. 13 of 2016 Concerning Personal Data Privacy Protection (PDPPL)", "yearAdopted": "2016", "authority": "National Data Privacy Office (NDPO), National Cyber Security Agency (NCSA)", "scopeNote": "Qatar's PDPPL (Law No. 13 of 2016) was the first comprehensive data-privacy law in the GCC, promulgated in November 2016. It is enforced by the National Data Privacy Office, which sits within the National Cyber Security Agency and monitors compliance, investigates complaints, and issues enforcement rulings. The Qatar Financial Centre maintains a separate data-protection regime.", "sourceUrl": "https://assurance.ncsa.gov.qa/en/privacy/law", "sourceTitle": "Personal Data Privacy Protection Law (Qatar NCSA assurance portal)", "confidence": "high" }, { "country": "Romania", "iso2": "RO", "hasLaw": "comprehensive", "lawName": "Law No. 190/2018 on measures for the application of GDPR", "yearAdopted": "2018", "authority": "National Supervisory Authority for Personal Data Processing (ANSPDCP)", "scopeNote": "As an EU member state, Romania applies the GDPR directly; Law No. 190/2018, published in Official Gazette No. 651 of 26 July 2018, sets national implementing measures and derogations (e.g. for genetic/biometric data and public-body fines). The National Supervisory Authority for Personal Data Processing (ANSPDCP) is the supervisory authority.", "sourceUrl": "https://www.dataprotection.ro/index.jsp?page=Legea_nr_190_2018&lang=en", "sourceTitle": "ANSPDCP - Law No. 190/2018", "confidence": "high" }, { "country": "Rwanda", "iso2": "RW", "hasLaw": "comprehensive", "lawName": "Law No. 058/2021 relating to the Protection of Personal Data and Privacy", "yearAdopted": "2021", "authority": "National Cyber Security Authority (NCSA) - Data Protection and Privacy Office", "scopeNote": "Law No. 058/2021 is Rwanda's comprehensive data-protection statute, gazetted on 15 October 2021, with provisions closely mirroring the EU GDPR. The National Cyber Security Authority (NCSA) is designated the supervisory authority, operating through its Data Protection and Privacy Office, with powers to register controllers/processors and enforce compliance.", "sourceUrl": "https://rwandalii.org/akn/rw/act/law/2021/58/eng@2021-10-15", "sourceTitle": "Law relating to the Protection of Personal Data and Privacy - RwandaLII", "confidence": "high" }, { "country": "Saudi Arabia", "iso2": "SA", "hasLaw": "comprehensive", "lawName": "Personal Data Protection Law (PDPL), Royal Decree M/19 of 2021 (amended 2023)", "yearAdopted": "2021", "authority": "Saudi Data and Artificial Intelligence Authority (SDAIA)", "scopeNote": "Saudi Arabia's PDPL was issued by Royal Decree M/19 in September 2021, amended in March 2023, and entered into force on 14 September 2023 with a one-year transition period ending 14 September 2024. SDAIA is the competent supervisory authority; the law allows possible future transfer of oversight to the National Data Management Office (NDMO), but as of 2026 SDAIA remains the active regulator.", "sourceUrl": "https://sdaia.gov.sa/en/SDAIA/about/Pages/RegulationsAndPolicies.aspx", "sourceTitle": "SDAIA - Laws and Regulations (Personal Data Protection Law)", "confidence": "high" }, { "country": "Serbia", "iso2": "RS", "hasLaw": "comprehensive", "lawName": "Law on Personal Data Protection (Zakon o zastiti podataka o licnosti), Official Gazette No. 87/2018", "yearAdopted": "2018", "authority": "Commissioner for Information of Public Importance and Personal Data Protection (Poverenik)", "scopeNote": "Serbia (a non-EU EU-accession candidate) adopted a comprehensive GDPR-aligned data-protection law on 9 November 2018 (Official Gazette No. 87/2018), in force from 21 November 2018 with application from 21 August 2019. The independent Commissioner for Information of Public Importance and Personal Data Protection is the supervisory authority.", "sourceUrl": "https://www.poverenik.rs/images/stories/dokumentacija-nova/zakon-o-zastiti-podataka-o-licnosti_en.pdf", "sourceTitle": "Commissioner (Poverenik) - Law on Personal Data Protection (English)", "confidence": "high" }, { "country": "Singapore", "iso2": "SG", "hasLaw": "comprehensive", "lawName": "Personal Data Protection Act 2012 (PDPA)", "yearAdopted": "2012", "authority": "Personal Data Protection Commission (PDPC)", "scopeNote": "Singapore's comprehensive private-sector data-protection law, enacted October 2012 and phased into full effect by July 2014, with major amendments in 2020 adding mandatory data-breach notification. The Personal Data Protection Commission is the regulator.", "sourceUrl": "https://sso.agc.gov.sg/Act/PDPA2012", "sourceTitle": "Personal Data Protection Act 2012 - Singapore Statutes Online", "confidence": "high" }, { "country": "Slovenia", "iso2": "SI", "hasLaw": "comprehensive", "lawName": "Personal Data Protection Act (Zakon o varstvu osebnih podatkov, ZVOP-2), implementing GDPR", "yearAdopted": "2022", "authority": "Information Commissioner (Informacijski pooblascenec, IP)", "scopeNote": "As an EU member state, Slovenia applies the GDPR directly; ZVOP-2, adopted by the National Assembly in December 2022 and in force from 26 January 2023, is the GDPR-implementing act (Slovenia was the last EU member to adopt one). The Information Commissioner is the supervisory authority.", "sourceUrl": "https://www.ip-rs.si/en/legislation/personal-data-protection-act/", "sourceTitle": "Information Commissioner of Slovenia - Personal Data Protection Act (ZVOP-2)", "confidence": "high" }, { "country": "South Africa", "iso2": "ZA", "hasLaw": "comprehensive", "lawName": "Protection of Personal Information Act (POPIA), Act 4 of 2013", "yearAdopted": "2013", "authority": "Information Regulator (South Africa)", "scopeNote": "POPIA is a general personal-data-protection statute applying to public and private bodies that process personal information. Assented to in 2013; most operative provisions commenced 1 July 2020 with enforcement from 1 July 2021. Enforced by the Information Regulator, established under section 39 of the Act.", "sourceUrl": "https://inforegulator.org.za/", "sourceTitle": "Information Regulator (South Africa) - official site", "confidence": "high" }, { "country": "South Korea", "iso2": "KR", "hasLaw": "comprehensive", "lawName": "Personal Information Protection Act (PIPA)", "yearAdopted": "2011", "authority": "Personal Information Protection Commission (PIPC)", "scopeNote": "South Korea's comprehensive data-protection law, enacted September 2011, covering public and private sectors and regarded as among the strictest globally. The Personal Information Protection Commission became a fully independent regulator under a 2020 amendment.", "sourceUrl": "https://en.wikipedia.org/wiki/Personal_Information_Protection_Commission_(South_Korea)", "sourceTitle": "Personal Information Protection Commission (South Korea) - Wikipedia", "confidence": "high" }, { "country": "Spain", "iso2": "ES", "hasLaw": "comprehensive", "lawName": "GDPR (Regulation (EU) 2016/679) as implemented by Organic Law 3/2018 on Data Protection and Guarantee of Digital Rights (LOPDGDD)", "yearAdopted": "2018", "authority": "Spanish Data Protection Agency (Agencia Española de Protección de Datos, AEPD)", "scopeNote": "The EU GDPR applies directly and is supplemented by Organic Law 3/2018 of 5 December (LOPDGDD), in force from 7 December 2018, which adapts the GDPR and adds a catalogue of digital rights. The AEPD is the national supervisory authority (with regional authorities in Catalonia, the Basque Country and Andalusia for their public sectors).", "sourceUrl": "https://www.boe.es/buscar/act.php?id=BOE-A-2018-16673", "sourceTitle": "Ley Orgánica 3/2018 de Protección de Datos Personales y garantía de los derechos digitales (BOE)", "confidence": "high" }, { "country": "Sweden", "iso2": "SE", "hasLaw": "comprehensive", "lawName": "GDPR (Regulation (EU) 2016/679) as implemented by the Data Protection Act (Dataskyddslagen, SFS 2018:218)", "yearAdopted": "2018", "authority": "Swedish Authority for Privacy Protection (Integritetsskyddsmyndigheten, IMY)", "scopeNote": "The EU GDPR applies directly and is supplemented by the Act with supplementary provisions to the GDPR (SFS 2018:218), in force since 25 May 2018. The supervisory authority is IMY (Integritetsskyddsmyndigheten), formerly Datainspektionen until its 2021 renaming.", "sourceUrl": "https://www.government.se/government-policy/the-constitution-of-sweden-and-personal-privacy/act-containing-supplementary-provisions-to-the-eu-sfs-2018218-general-data-protection-regulation/", "sourceTitle": "Act containing supplementary provisions to the EU GDPR (SFS 2018:218) (Government.se)", "confidence": "high" }, { "country": "Switzerland", "iso2": "CH", "hasLaw": "comprehensive", "lawName": "Federal Act on Data Protection (revised FADP / nFADP / nDSG)", "yearAdopted": "2020", "authority": "Federal Data Protection and Information Commissioner (FDPIC)", "scopeNote": "Switzerland is not in the EU/EEA. Its totally revised Federal Act on Data Protection was adopted by Parliament on 25 September 2020 and entered into force on 1 September 2023, modernising the prior 1992 Act and broadly aligning with the GDPR. The Federal Data Protection and Information Commissioner is the supervisory authority.", "sourceUrl": "https://www.fedlex.admin.ch/eli/cc/2022/491/en", "sourceTitle": "Federal Act on Data Protection (FADP), SR 235.1 (Fedlex)", "confidence": "high" }, { "country": "Tanzania", "iso2": "TZ", "hasLaw": "comprehensive", "lawName": "Personal Data Protection Act, 2022 (Act No. 11 of 2022)", "yearAdopted": "2022", "authority": "Personal Data Protection Commission (PDPC)", "scopeNote": "The Personal Data Protection Act No. 11 of 2022 is Tanzania's comprehensive data-protection statute, passed on 1 November 2022 and in force from 1 May 2023 (GN No. 326 of 2023). It applies to Mainland Tanzania and Zanzibar (union matters) and establishes the Personal Data Protection Commission (PDPC) as the supervisory authority.", "sourceUrl": "https://www.pdpc.go.tz/", "sourceTitle": "Personal Data Protection Commission (PDPC), Tanzania - official site", "confidence": "high" }, { "country": "Thailand", "iso2": "TH", "hasLaw": "comprehensive", "lawName": "Personal Data Protection Act B.E. 2562 (2019) (PDPA)", "yearAdopted": "2019", "authority": "Office of the Personal Data Protection Committee (PDPC)", "scopeNote": "Thailand's first comprehensive data-protection statute, enacted in 2019, with its main operative provisions taking effect on 1 June 2022 after deferrals. The Personal Data Protection Committee and its Office, under the Ministry of Digital Economy and Society, supervise and enforce the law.", "sourceUrl": "https://www.nortonrosefulbright.com/en/knowledge/publications/e29d223d/overview-of-thailand-personal-data-protection-act-be2562-2019", "sourceTitle": "Overview of Thailand Personal Data Protection Act B.E. 2562 (2019) - Norton Rose Fulbright", "confidence": "high" }, { "country": "Tunisia", "iso2": "TN", "hasLaw": "comprehensive", "lawName": "Organic Law No. 2004-63 of 27 July 2004 on the Protection of Personal Data", "yearAdopted": "2004", "authority": "Instance Nationale de Protection des Donnees a Caractere Personnel (INPDP)", "scopeNote": "Organic Law No. 2004-63 of 27 July 2004 is Tunisia's comprehensive data-protection statute and the first such law in the Maghreb, applying to automated and manual processing by natural and legal persons. It establishes the Instance Nationale de Protection des Donnees a Caractere Personnel (INPDP) as the supervisory authority; controllers must declare or seek prior authorization for processing.", "sourceUrl": "https://www.inpdp.tn/", "sourceTitle": "Instance Nationale de Protection des Donnees a Caractere Personnel (INPDP) - official site", "confidence": "high" }, { "country": "Turkey", "iso2": "TR", "hasLaw": "comprehensive", "lawName": "Law No. 6698 on the Protection of Personal Data (KVKK)", "yearAdopted": "2016", "authority": "Personal Data Protection Authority (Kişisel Verileri Koruma Kurumu, KVKK)", "scopeNote": "Turkey's comprehensive data-protection statute, Law No. 6698 (KVKK), entered into force on 7 April 2016 and draws heavily on EU data-protection principles. It is administered by the Personal Data Protection Authority, an independent body whose decision-making organ is the Personal Data Protection Board and which maintains the VERBIS controllers' registry.", "sourceUrl": "https://www.kvkk.gov.tr/Icerik/7456/Purpose-and-Scope-of-The-Personal-Data-Protection-Law-No-6698", "sourceTitle": "Purpose and Scope of the Personal Data Protection Law No. 6698 (KVKK official site)", "confidence": "high" }, { "country": "Uganda", "iso2": "UG", "hasLaw": "comprehensive", "lawName": "Data Protection and Privacy Act, 2019 (Act No. 9 of 2019)", "yearAdopted": "2019", "authority": "Personal Data Protection Office (PDPO), under the National Information Technology Authority - Uganda (NITA-U)", "scopeNote": "The Data Protection and Privacy Act, 2019 (Act No. 9 of 2019) is Uganda's comprehensive data-protection statute governing the collection and processing of personal data by public and private entities within and outside Uganda. The Personal Data Protection Office (PDPO), established under NITA-U, oversees implementation, maintains the data protection register, and enforces the Act.", "sourceUrl": "https://pdpo.go.ug/", "sourceTitle": "Personal Data Protection Office (PDPO), Uganda - official site", "confidence": "high" }, { "country": "Ukraine", "iso2": "UA", "hasLaw": "comprehensive", "lawName": "Law of Ukraine On Personal Data Protection (No. 2297-VI)", "yearAdopted": "2010", "authority": "Ukrainian Parliament Commissioner for Human Rights (Ombudsman of the Verkhovna Rada)", "scopeNote": "Ukraine (a non-EU state, EU candidate) has a general personal-data-protection statute, Law No. 2297-VI of 1 June 2010; the Ukrainian Parliament Commissioner for Human Rights (Ombudsman) has served as the supervisory authority since 1 January 2014. A GDPR-harmonization bill (Draft Law No. 8153) passed first reading in November 2024 but had not been enacted as of 2026, so the 2010 act remains the comprehensive law in force.", "sourceUrl": "https://zakon.rada.gov.ua/laws/show/2297-17?lang=en", "sourceTitle": "Verkhovna Rada Legislation Portal - Law No. 2297-VI On Protection of Personal Data", "confidence": "high" }, { "country": "United Arab Emirates", "iso2": "AE", "hasLaw": "comprehensive", "lawName": "Federal Decree-Law No. 45 of 2021 on the Protection of Personal Data (PDPL)", "yearAdopted": "2021", "authority": "UAE Data Office", "scopeNote": "The UAE's federal data-protection framework, Federal Decree-Law No. 45 of 2021, took effect on 2 January 2022 and applies with GDPR-style extraterritorial reach to controllers and processors handling UAE residents' data. The UAE Data Office is the designated national regulator. Note: the DIFC and ADGM financial free zones operate their own separate data-protection regimes.", "sourceUrl": "https://uaelegislation.gov.ae/en/legislations/1972", "sourceTitle": "Federal Decree-Law No. 45 of 2021 (UAE Official Legislation Portal)", "confidence": "high" }, { "country": "United Kingdom", "iso2": "GB", "hasLaw": "comprehensive", "lawName": "UK GDPR + Data Protection Act 2018 (amended by Data (Use and Access) Act 2025)", "yearAdopted": "2018", "authority": "Information Commissioner's Office (ICO), transitioning to the Information Commission under the DUAA 2025", "scopeNote": "Post-Brexit the UK retained the GDPR as the 'UK GDPR', applied alongside the Data Protection Act 2018; both were amended by the Data (Use and Access) Act 2025 (Royal Assent 19 June 2025), which is being commenced in stages through 2026. The supervisory authority is the ICO, being reconstituted as the Information Commission.", "sourceUrl": "https://www.legislation.gov.uk/ukpga/2018/12/contents", "sourceTitle": "Data Protection Act 2018 (legislation.gov.uk)", "confidence": "high" }, { "country": "United States", "iso2": "US", "hasLaw": "sectoral-only", "lawName": "", "yearAdopted": "", "authority": "none / sectoral regulators (FTC; sector-specific agencies; state attorneys general)", "scopeNote": "No single comprehensive federal data-protection statute. Privacy is governed by a patchwork of sectoral federal laws (HIPAA for health, GLBA for finance, FERPA for education records, COPPA for children) plus a growing set of comprehensive state consumer-privacy laws led by California's CCPA/CPRA, with roughly 20 states having comprehensive laws in effect by 2026.", "sourceUrl": "https://iclg.com/practice-areas/data-protection-laws-and-regulations/usa/", "sourceTitle": "Data Protection Laws and Regulations Report 2025-2026 USA (ICLG)", "confidence": "high" }, { "country": "Uruguay", "iso2": "UY", "hasLaw": "comprehensive", "lawName": "Ley de Protección de Datos Personales y Acción de Habeas Data (Ley No. 18.331)", "yearAdopted": "2008", "authority": "Unidad Reguladora y de Control de Datos Personales (URCDP)", "scopeNote": "Comprehensive statute published August 18, 2008, recognizing personal-data protection as a constitutional right (Art. 72) and providing the habeas data action; it applies to public- and private-sector data and requires registration of databases. Supervised by the URCDP. Uruguay is recognized by the EU as providing an adequate level of protection.", "sourceUrl": "https://www.gub.uy/ministerio-economia-finanzas/institucional/normativa/ley-n-18331-fecha-18082008-ley-proteccion-datos-personales", "sourceTitle": "Ley N. 18.331 de Proteccion de Datos Personales (gub.uy)", "confidence": "high" }, { "country": "Vietnam", "iso2": "VN", "hasLaw": "comprehensive", "lawName": "Law on Personal Data Protection (Law No. 91/2025/QH15, PDPL)", "yearAdopted": "2025", "authority": "Ministry of Public Security (lead authority for data protection)", "scopeNote": "Vietnam's first comprehensive personal-data-protection statute at the legislative level, passed by the National Assembly on 26 June 2025 and effective 1 January 2026, elevating earlier decree-level rules (notably Decree 13/2023) into a unified law. The Ministry of Public Security is the lead state authority overseeing personal-data protection.", "sourceUrl": "https://www.dlapiperdataprotection.com/?t=law&c=VN", "sourceTitle": "Data protection laws in Vietnam - DLA Piper Data Protection Laws of the World", "confidence": "high" } ] }