Data Protection

Comprehensive data-protection statute enacted in 2000, covering personal data in public- and private-sector databases and providing the habeas data action. The enforcement authority is the Agencia de Acceso a la Información Pública (AAIP), created in 2016. Several modernization bills aligning the regime with the GDPR were before Congress as of 2025-2026 but had not yet been enacted.

Authority: Agencia de Acceso a la Información Pública (AAIP)

Ley 25.326 - Protección de los Datos Personales (InfoLEG)

Australia's comprehensive federal privacy statute, in force since 1988 and built around the Australian Privacy Principles. The Privacy and Other Legislation Amendment Act 2024 introduced significant reforms (new civil penalties, a statutory tort for serious invasions of privacy) but did not replace the 1988 Act. The OAIC regulates and enforces it.

Authority: Office of the Australian Information Commissioner (OAIC)

History of the Privacy Act - OAIC

Bahrain enacted Law No. 30 of 2018 on Personal Data Protection on 12 July 2018, in force from 1 August 2019. It establishes the Personal Data Protection Authority (currently operating under the Ministry of Justice, Islamic Affairs and Awqaf) as an independent supervisory body with powers to issue guidelines, grant authorizations, audit, investigate, and impose sanctions.

Authority: Personal Data Protection Authority (PDPA)

About Personal Data Protection Authority - Kingdom of Bahrain (PDPA official site)

Comprehensive privacy statute enacted August 14, 2018, in force from September 18, 2020 (administrative-penalty provisions from August 2021). Covers processing of personal data across public and private sectors, with extraterritorial reach over processing aimed at individuals in Brazil. Enforced by the ANPD, an autonomous authority confirmed by Law No. 13.853/2019.

Authority: Autoridade Nacional de Proteção de Dados (ANPD)

Lei No. 13.709 de 14 de agosto de 2018 (Planalto)

As an EU member state, Bulgaria applies the GDPR directly; the Personal Data Protection Act, originally promulgated in State Gazette No. 1 of 2002, was substantially amended (in force 1 March 2019) to align with the GDPR and transpose the Law Enforcement Directive. The Commission for Personal Data Protection is the supervisory authority.

Authority: Commission for Personal Data Protection (Komisia za zashtita na lichnite danni, CPDP)

Commission for Personal Data Protection - Personal Data Protection Act

Federal statute (Royal Assent April 13, 2000) governing how private-sector organizations collect, use, and disclose personal information in commercial activity, phased in 2001-2004. Provinces with substantially similar laws (e.g. Quebec, BC, Alberta) are exempt for intra-provincial activity. The OPC oversees compliance under an ombudsman model.

Authority: Office of the Privacy Commissioner of Canada (OPC)

Personal Information Protection and Electronic Documents Act (Justice Laws Canada)

Comprehensive GDPR-aligned statute published December 13, 2024, which overhauls the prior Law 19.628 (1999) and creates the new Agencia de Protección de Datos Personales. The law has a 24-month transition and enters into full force on December 1, 2026, with the APDP empowered to investigate, fine, and order suspension of processing.

Authority: Agencia de Protección de Datos Personales (APDP)

Ley 21.719 (Biblioteca del Congreso Nacional de Chile)

China's first comprehensive national personal-information-protection law, adopted 20 August 2021 and effective 1 November 2021. It works alongside the Cybersecurity Law and Data Security Law; the Cyberspace Administration of China is the primary coordinating regulator, with sectoral departments sharing enforcement.

Authority: Cyberspace Administration of China (CAC)

Data protection laws in China - DLA Piper Data Protection Laws of the World

Comprehensive statutory law (October 17, 2012) developing the constitutional right to know, update, and rectify personal data, applicable to data in public- and private-sector databases. Supervised by the SIC through its Data Protection Deputy Office, which also runs the National Database Registry. A modernization bill was before Congress as of 2025-2026.

Authority: Superintendencia de Industria y Comercio (SIC) - Delegatura para la Protección de Datos Personales

Ley 1581 de 2012 (Funcion Publica - Gestor Normativo)

As an EU member state, Czechia applies the GDPR directly; Act No. 110/2019 Coll., in force from 24 April 2019, is the GDPR-implementing act and replaced the earlier Act No. 101/2000 Coll. The Office for Personal Data Protection (UOOU) is the supervisory authority.

Authority: Office for Personal Data Protection (Urad pro ochranu osobnich udaju, UOOU)

UOOU - Act No. 110/2019 Coll. (unofficial English translation)

Law No. 151 of 2020 is Egypt's first comprehensive personal-data-protection statute, enacted 13 July 2020 and in force from 14 October 2020. It establishes the Personal Data Protection Center (PDPC) under the Ministry of Communications and Information Technology; Executive Regulations issued in 2025 operationalized the PDPC, with active enforcement following a transitional grace period.

Authority: Personal Data Protection Center (PDPC)

Egypt's Personal Data Protection Law No. 151 of 2020 - Ministry of Communications and Information Technology

As an EU member state, Estonia applies the GDPR directly; the Personal Data Protection Act, adopted by the Riigikogu on 12 December 2018 and in force from 15 January 2019, supplements the Regulation in areas of national discretion. The Data Protection Inspectorate is the supervisory authority.

Authority: Data Protection Inspectorate (Andmekaitse Inspektsioon, AKI)

Riigi Teataja - Personal Data Protection Act (consolidated, English)

The EU GDPR applies directly and is supplemented by the national Data Protection Act (1050/2018), which entered into force on 1 January 2019 and repealed the former Personal Data Act (523/1999). The Data Protection Ombudsman's Office is the national supervisory authority.

Authority: Office of the Data Protection Ombudsman (Tietosuojavaltuutetun toimisto)

Tietosuojalaki 1050/2018 (Finlex)

The EU GDPR applies directly and is adapted into French law by Law No. 2018-493 of 20 June 2018, which amended the 1978 Loi Informatique et Libertés (later recodified by an ordinance in December 2018). The CNIL is the national supervisory authority.

Authority: Commission Nationale de l'Informatique et des Libertés (CNIL)

LOI n° 2018-493 du 20 juin 2018 relative à la protection des données personnelles (Légifrance)

Georgia (a non-EU state, EU candidate) adopted a comprehensive, GDPR-aligned Law on Personal Data Protection on 14 June 2023, in force from 1 March 2024, replacing the 2011 law. Supervision was carried out by the Personal Data Protection Service (PDPS) until Law No. 1054 of 12 November 2025 abolished the PDPS and transferred all data-protection functions to the constitutional State Audit Office of Georgia, effective 2 March 2026.

Authority: State Audit Office of Georgia (assumed supervisory functions on 2 March 2026, replacing the Personal Data Protection Service / PDPS)

DLA Piper Data Protection Laws of the World - Georgia

The EU GDPR applies directly and is supplemented by the Federal Data Protection Act (BDSG), in force since 25 May 2018, which legislates in the areas the GDPR leaves to member states. Supervision is split: the BfDI oversees federal bodies and telecoms, while each of the 16 states has its own authority for the private sector and state bodies.

Authority: Federal Commissioner for Data Protection and Freedom of Information (BfDI), alongside 16 Länder supervisory authorities

Federal Data Protection Act (BDSG) (gesetze-im-internet.de)

The Data Protection Act, 2012 (Act 843) is Ghana's comprehensive data-protection statute regulating the processing of personal data by data controllers and processors, who must register with the regulator. It establishes the Data Protection Commission (DPC) as an independent statutory supervisory body.

Authority: Data Protection Commission (DPC)

Data Protection Commission, Ghana - official site

As an EU member state, Hungary applies the GDPR directly; the Info Act (Act CXII of 2011) was amended in July 2018 to align with the GDPR and to transpose the Law Enforcement Directive, and it supplements the Regulation with procedural and freedom-of-information rules. The NAIH is the autonomous supervisory authority.

Authority: National Authority for Data Protection and Freedom of Information (Nemzeti Adatvedelmi es Informacioszabadsag Hatosag, NAIH)

NAIH - About the Authority

India's first comprehensive personal-data-protection statute, enacted August 2023, governs the processing of digital personal data by data fiduciaries and grants rights to data principals. The Data Protection Board of India was established in November 2025; substantive obligations are being brought into force in phases through 2027.

Authority: Data Protection Board of India

Digital Personal Data Protection Act, 2023 - Wikipedia

Indonesia's comprehensive personal-data-protection law, in effect since October 2022 with a two-year compliance transition that ended October 2024. As of 2026 a dedicated independent supervisory authority (PDP Agency) had not yet become operational; enforcement is exercised by the Ministry of Communication and Digital Affairs (Komdigi).

Authority: Ministry of Communication and Digital Affairs (Komdigi); dedicated PDP Agency pending establishment

Data protection laws in Indonesia - DLA Piper Data Protection Laws of the World

The EU GDPR applies directly and is given further effect in Irish law by the Data Protection Act 2018 (enacted 24 May 2018). The Data Protection Commission is the national supervisory authority and frequently acts as lead supervisory authority for many multinationals headquartered in Ireland.

Authority: Data Protection Commission (DPC)

Data Protection Act 2018 (Irish Statute Book)

Israel's general data-protection statute is the Protection of Privacy Law of 1981, substantially modernized by Amendment No. 13 (enacted August 2024, in force August 2025), which expanded definitions, added governance obligations, and strengthened the Privacy Protection Authority's investigative and sanctioning powers. The PPA, within the Ministry of Justice, supervises and enforces the law.

Authority: Privacy Protection Authority (PPA)

Israel Privacy Protection Authority (Gov.il)

The EU GDPR applies directly and is harmonised into Italian law by Legislative Decree 101/2018 (in force 19 September 2018), which amended the existing Personal Data Protection Code (Legislative Decree 196/2003). The Garante per la protezione dei dati personali is the national supervisory authority.

Authority: Italian Data Protection Authority (Garante per la protezione dei dati personali)

Italian Data Protection Authority (Garante per la protezione dei dati personali)

Comprehensive data-protection statute passed in 2020 and brought into full force by ministerial proclamation on December 1, 2023, following a transition period, with a six-month registration grace period for data controllers. Establishes eight data-protection standards and is regulated by the Office of the Information Commissioner.

Authority: Office of the Information Commissioner (OIC)

The Data Protection Act, 2020 (Parliament of Jamaica)

Japan's comprehensive data-protection statute, enacted in 2003 and substantially amended (notably 2015, 2017 and 2020). The Personal Information Protection Commission, an independent body, is the central supervisory and enforcement authority.

Authority: Personal Information Protection Commission (PPC)

Act on the Protection of Personal Information - Japanese Law Translation

Jordan's first comprehensive data-protection statute, Law No. 24 of 2023, was published in the Official Gazette on 17 September 2023 and entered into force on 17 March 2024. It establishes a Personal Data Protection Council as policy and supervisory body, with a Data Protection Unit handling licensing and complaints; institutional build-out was still in progress as of 2026.

Authority: Personal Data Protection Council (Ministry of Digital Economy and Entrepreneurship)

Personal Data Protection Law No. (24) of 2023 (MoDEE official PDF)

The Data Protection Act, No. 24 of 2019, is Kenya's comprehensive data-protection statute, modelled on the EU GDPR; it came into force in November 2019. It regulates the processing of personal data by controllers and processors and establishes the Office of the Data Protection Commissioner (ODPC) as the supervisory authority.

Authority: Office of the Data Protection Commissioner (ODPC)

Office of the Data Protection Commissioner (ODPC), Kenya - official site

Malaysia's comprehensive data-protection law, passed in 2010 and brought into force in 2013, regulating the processing of personal data in commercial transactions. The Personal Data Protection Commissioner, heading the Department of Personal Data Protection (JPDP) under the digital ministry, administers it; a 2024 amendment strengthened obligations.

Authority: Personal Data Protection Commissioner / Department of Personal Data Protection (JPDP)

Data protection laws in Malaysia - DLA Piper Data Protection Laws of the World

A new LFPDPPP was published in the Official Gazette on March 20, 2025 and entered into force March 21, 2025, abrogating the prior 2010 law. It preserves the ARCO rights framework, expressly covers data processors, and adds AI/automated-decision provisions. Following the constitutional dissolution of INAI, enforcement was transferred to the Secretariat of Anti-Corruption and Good Governance.

Authority: Secretaría Anticorrupción y Buen Gobierno (Secretariat of Anti-Corruption and Good Governance)

Mexico enacts new data protection regime (White & Case LLP)

Law No. 09-08 (promulgated 18 February 2009) is Morocco's comprehensive data-protection statute, applying to wholly or partly automated and certain manual processing of personal data. It establishes the Commission Nationale de controle de la protection des Donnees a caractere Personnel (CNDP) as the supervisory authority; controllers must notify the CNDP before processing.

Authority: Commission Nationale de controle de la protection des Donnees a caractere Personnel (CNDP)

Law No. 09-08 on the protection of personal data - DGSSI (Morocco)

The EU GDPR applies directly and is implemented in Dutch law by the GDPR Implementation Act (Uitvoeringswet AVG), which has applied since 25 May 2018 and sets out national derogations and the powers of the supervisory authority. The Autoriteit Persoonsgegevens is the national supervisory authority.

Authority: Dutch Data Protection Authority (Autoriteit Persoonsgegevens, AP)

Uitvoeringswet Algemene verordening gegevensbescherming (wetten.overheid.nl)

New Zealand's comprehensive data-protection statute, which received Royal Assent in June 2020 and came into force on 1 December 2020, repealing and replacing the Privacy Act 1993. It is built around the Information Privacy Principles and overseen by the Privacy Commissioner.

Authority: Office of the Privacy Commissioner

Privacy Act 2020 - New Zealand Legislation

The NDPA is Nigeria's first comprehensive federal data-protection statute, signed into law on 12 June 2023. It replaces the earlier 2019 Nigeria Data Protection Regulation (NDPR) and establishes the Nigeria Data Protection Commission (NDPC) as the supervisory authority overseeing compliance and enforcement.

Authority: Nigeria Data Protection Commission (NDPC)

Nigeria Data Protection Commission - About Us

Norway is an EEA member; the GDPR was incorporated into the EEA Agreement and applied in Norway from 20 July 2018 through the Personal Data Act of 15 June 2018, which makes the regulation Norwegian law and adds national provisions. Datatilsynet is the supervisory authority.

Authority: Norwegian Data Protection Authority (Datatilsynet)

Lov om behandling av personopplysninger (personopplysningsloven) (Lovdata)

Comprehensive statute published July 3, 2011, guaranteeing the constitutional right to personal-data protection across data banks held by public or private entities, with implementing rules under Supreme Decree 003-2013-JUS and amendments via Legislative Decree 1353 (2017). Enforced by the National Authority for Personal Data Protection within the Ministry of Justice and Human Rights.

Authority: Autoridad Nacional de Protección de Datos Personales (ANPDP), Ministerio de Justicia y Derechos Humanos

Ley N. 29733 - Ley de Proteccion de Datos Personales (Congreso de la Republica del Peru)

The Philippines' comprehensive data-protection law, signed in August 2012 and effective September 2012, applying to public- and private-sector processing of personal information. The National Privacy Commission, an independent body attached to the Department of Information and Communications Technology, administers and enforces it.

Authority: National Privacy Commission (NPC)

Republic Act 10173 - Data Privacy Act of 2012 - National Privacy Commission

As an EU member state, Poland applies the GDPR (Regulation (EU) 2016/679) directly; the national Act of 10 May 2018 supplements it where member states have discretion (e.g. digital-consent age of 16, caps on public-body fines) and establishes the UODO. The Act entered into force on 25 May 2018.

Authority: President of the Personal Data Protection Office (Urzad Ochrony Danych Osobowych, UODO)

DLA Piper Data Protection Laws of the World - Poland

The EU GDPR applies directly and is implemented in Portuguese law by Law No. 58/2019 of 8 August (in force 9 August 2019), which adapts the GDPR and designates the supervisory authority. The Comissão Nacional de Proteção de Dados is the national supervisory authority.

Authority: National Data Protection Commission (Comissão Nacional de Proteção de Dados, CNPD)

Lei n.º 58/2019 (Diário da República)

Qatar's PDPPL (Law No. 13 of 2016) was the first comprehensive data-privacy law in the GCC, promulgated in November 2016. It is enforced by the National Data Privacy Office, which sits within the National Cyber Security Agency and monitors compliance, investigates complaints, and issues enforcement rulings. The Qatar Financial Centre maintains a separate data-protection regime.

Authority: National Data Privacy Office (NDPO), National Cyber Security Agency (NCSA)

Personal Data Privacy Protection Law (Qatar NCSA assurance portal)

As an EU member state, Romania applies the GDPR directly; Law No. 190/2018, published in Official Gazette No. 651 of 26 July 2018, sets national implementing measures and derogations (e.g. for genetic/biometric data and public-body fines). The National Supervisory Authority for Personal Data Processing (ANSPDCP) is the supervisory authority.

Authority: National Supervisory Authority for Personal Data Processing (ANSPDCP)

ANSPDCP - Law No. 190/2018

Law No. 058/2021 is Rwanda's comprehensive data-protection statute, gazetted on 15 October 2021, with provisions closely mirroring the EU GDPR. The National Cyber Security Authority (NCSA) is designated the supervisory authority, operating through its Data Protection and Privacy Office, with powers to register controllers/processors and enforce compliance.

Authority: National Cyber Security Authority (NCSA) - Data Protection and Privacy Office

Law relating to the Protection of Personal Data and Privacy - RwandaLII

Saudi Arabia's PDPL was issued by Royal Decree M/19 in September 2021, amended in March 2023, and entered into force on 14 September 2023 with a one-year transition period ending 14 September 2024. SDAIA is the competent supervisory authority; the law allows possible future transfer of oversight to the National Data Management Office (NDMO), but as of 2026 SDAIA remains the active regulator.

Authority: Saudi Data and Artificial Intelligence Authority (SDAIA)

SDAIA - Laws and Regulations (Personal Data Protection Law)

Serbia (a non-EU EU-accession candidate) adopted a comprehensive GDPR-aligned data-protection law on 9 November 2018 (Official Gazette No. 87/2018), in force from 21 November 2018 with application from 21 August 2019. The independent Commissioner for Information of Public Importance and Personal Data Protection is the supervisory authority.

Authority: Commissioner for Information of Public Importance and Personal Data Protection (Poverenik)

Commissioner (Poverenik) - Law on Personal Data Protection (English)

Singapore's comprehensive private-sector data-protection law, enacted October 2012 and phased into full effect by July 2014, with major amendments in 2020 adding mandatory data-breach notification. The Personal Data Protection Commission is the regulator.

Authority: Personal Data Protection Commission (PDPC)

Personal Data Protection Act 2012 - Singapore Statutes Online

As an EU member state, Slovenia applies the GDPR directly; ZVOP-2, adopted by the National Assembly in December 2022 and in force from 26 January 2023, is the GDPR-implementing act (Slovenia was the last EU member to adopt one). The Information Commissioner is the supervisory authority.

Authority: Information Commissioner (Informacijski pooblascenec, IP)

Information Commissioner of Slovenia - Personal Data Protection Act (ZVOP-2)

POPIA is a general personal-data-protection statute applying to public and private bodies that process personal information. Assented to in 2013; most operative provisions commenced 1 July 2020 with enforcement from 1 July 2021. Enforced by the Information Regulator, established under section 39 of the Act.

Authority: Information Regulator (South Africa)

Information Regulator (South Africa) - official site

South Korea's comprehensive data-protection law, enacted September 2011, covering public and private sectors and regarded as among the strictest globally. The Personal Information Protection Commission became a fully independent regulator under a 2020 amendment.

Authority: Personal Information Protection Commission (PIPC)

Personal Information Protection Commission (South Korea) - Wikipedia

The EU GDPR applies directly and is supplemented by Organic Law 3/2018 of 5 December (LOPDGDD), in force from 7 December 2018, which adapts the GDPR and adds a catalogue of digital rights. The AEPD is the national supervisory authority (with regional authorities in Catalonia, the Basque Country and Andalusia for their public sectors).

Authority: Spanish Data Protection Agency (Agencia Española de Protección de Datos, AEPD)

Ley Orgánica 3/2018 de Protección de Datos Personales y garantía de los derechos digitales (BOE)

The EU GDPR applies directly and is supplemented by the Act with supplementary provisions to the GDPR (SFS 2018:218), in force since 25 May 2018. The supervisory authority is IMY (Integritetsskyddsmyndigheten), formerly Datainspektionen until its 2021 renaming.

Authority: Swedish Authority for Privacy Protection (Integritetsskyddsmyndigheten, IMY)

Act containing supplementary provisions to the EU GDPR (SFS 2018:218) (Government.se)

Switzerland is not in the EU/EEA. Its totally revised Federal Act on Data Protection was adopted by Parliament on 25 September 2020 and entered into force on 1 September 2023, modernising the prior 1992 Act and broadly aligning with the GDPR. The Federal Data Protection and Information Commissioner is the supervisory authority.

Authority: Federal Data Protection and Information Commissioner (FDPIC)

Federal Act on Data Protection (FADP), SR 235.1 (Fedlex)

The Personal Data Protection Act No. 11 of 2022 is Tanzania's comprehensive data-protection statute, passed on 1 November 2022 and in force from 1 May 2023 (GN No. 326 of 2023). It applies to Mainland Tanzania and Zanzibar (union matters) and establishes the Personal Data Protection Commission (PDPC) as the supervisory authority.

Authority: Personal Data Protection Commission (PDPC)

Personal Data Protection Commission (PDPC), Tanzania - official site

Thailand's first comprehensive data-protection statute, enacted in 2019, with its main operative provisions taking effect on 1 June 2022 after deferrals. The Personal Data Protection Committee and its Office, under the Ministry of Digital Economy and Society, supervise and enforce the law.

Authority: Office of the Personal Data Protection Committee (PDPC)

Overview of Thailand Personal Data Protection Act B.E. 2562 (2019) - Norton Rose Fulbright

Organic Law No. 2004-63 of 27 July 2004 is Tunisia's comprehensive data-protection statute and the first such law in the Maghreb, applying to automated and manual processing by natural and legal persons. It establishes the Instance Nationale de Protection des Donnees a Caractere Personnel (INPDP) as the supervisory authority; controllers must declare or seek prior authorization for processing.

Authority: Instance Nationale de Protection des Donnees a Caractere Personnel (INPDP)

Instance Nationale de Protection des Donnees a Caractere Personnel (INPDP) - official site

Turkey's comprehensive data-protection statute, Law No. 6698 (KVKK), entered into force on 7 April 2016 and draws heavily on EU data-protection principles. It is administered by the Personal Data Protection Authority, an independent body whose decision-making organ is the Personal Data Protection Board and which maintains the VERBIS controllers' registry.

Authority: Personal Data Protection Authority (Kişisel Verileri Koruma Kurumu, KVKK)

Purpose and Scope of the Personal Data Protection Law No. 6698 (KVKK official site)

The Data Protection and Privacy Act, 2019 (Act No. 9 of 2019) is Uganda's comprehensive data-protection statute governing the collection and processing of personal data by public and private entities within and outside Uganda. The Personal Data Protection Office (PDPO), established under NITA-U, oversees implementation, maintains the data protection register, and enforces the Act.

Authority: Personal Data Protection Office (PDPO), under the National Information Technology Authority - Uganda (NITA-U)

Personal Data Protection Office (PDPO), Uganda - official site

Ukraine (a non-EU state, EU candidate) has a general personal-data-protection statute, Law No. 2297-VI of 1 June 2010; the Ukrainian Parliament Commissioner for Human Rights (Ombudsman) has served as the supervisory authority since 1 January 2014. A GDPR-harmonization bill (Draft Law No. 8153) passed first reading in November 2024 but had not been enacted as of 2026, so the 2010 act remains the comprehensive law in force.

Authority: Ukrainian Parliament Commissioner for Human Rights (Ombudsman of the Verkhovna Rada)

Verkhovna Rada Legislation Portal - Law No. 2297-VI On Protection of Personal Data

The UAE's federal data-protection framework, Federal Decree-Law No. 45 of 2021, took effect on 2 January 2022 and applies with GDPR-style extraterritorial reach to controllers and processors handling UAE residents' data. The UAE Data Office is the designated national regulator. Note: the DIFC and ADGM financial free zones operate their own separate data-protection regimes.

Authority: UAE Data Office

Federal Decree-Law No. 45 of 2021 (UAE Official Legislation Portal)

Post-Brexit the UK retained the GDPR as the 'UK GDPR', applied alongside the Data Protection Act 2018; both were amended by the Data (Use and Access) Act 2025 (Royal Assent 19 June 2025), which is being commenced in stages through 2026. The supervisory authority is the ICO, being reconstituted as the Information Commission.

Authority: Information Commissioner's Office (ICO), transitioning to the Information Commission under the DUAA 2025

Data Protection Act 2018 (legislation.gov.uk)

Comprehensive statute published August 18, 2008, recognizing personal-data protection as a constitutional right (Art. 72) and providing the habeas data action; it applies to public- and private-sector data and requires registration of databases. Supervised by the URCDP. Uruguay is recognized by the EU as providing an adequate level of protection.

Authority: Unidad Reguladora y de Control de Datos Personales (URCDP)

Ley N. 18.331 de Proteccion de Datos Personales (gub.uy)

Vietnam's first comprehensive personal-data-protection statute at the legislative level, passed by the National Assembly on 26 June 2025 and effective 1 January 2026, elevating earlier decree-level rules (notably Decree 13/2023) into a unified law. The Ministry of Public Security is the lead state authority overseeing personal-data protection.

Authority: Ministry of Public Security (lead authority for data protection)

Data protection laws in Vietnam - DLA Piper Data Protection Laws of the World

No single comprehensive federal data-protection statute. Privacy is governed by a patchwork of sectoral federal laws (HIPAA for health, GLBA for finance, FERPA for education records, COPPA for children) plus a growing set of comprehensive state consumer-privacy laws led by California's CCPA/CPRA, with roughly 20 states having comprehensive laws in effect by 2026.

Authority: none / sectoral regulators (FTC; sector-specific agencies; state attorneys general)

Data Protection Laws and Regulations Report 2025-2026 USA (ICLG)