Data Protection Laws, Acts or Regulations

Find the data protection laws, Acts and regulations in the various different countries around the globe. Almost every country has one and those that don’t are enacting them fast. The new data protection laws of 2018 are highlighted in the list so that you can find them quickly. It is important to know what data protection laws apply in different countries. We list the most important jurisdictions and provide a link to the data protection law in that jurisdiction.

We have not done an extensive report on the differences between all of these laws because we believe that the common 80% is much more important than the 20% differences. Our data protection programmes are based on the common overlap amongst these laws.

List of Data Protection Laws, Acts or Regulations around the Globe

European Union

• EU Data Act (New)
• ePrivacy Regulation on Privacy and Electronic Communications (PECR) (New)
• General Data Protection Regulation (GDPR) (replaced the EU Data Protection Directive 95/46/EC) Key Insights
• Irish Data Protection Act 2018 (which replaced the Data Protection Act 1988)
• Belgium’s Protection of Natural Persons with regard to the Processing of Personal Data Act, 2018 (‘the GDPR Implementing Law‘) (unofficial translation)
• In Germany, the GDPR mainly governs data protection. The law is supplemented by the Federal Data Protection Act of 30 June 2017 (implementing the GDPR) (‘BDSG‘)
• In France, the French Act No. 2018-493 of 20 June 2018 (‘the Amendment Law‘) (available in French only) incorporates the GDPR provisions in the existing Act on Information Technology, Data Files and Civil Liberties (‘the 1978 Act‘) (only available in French), which governs the protection of personal data.
• Italy implemented the GDPR by amending the Personal Data Protection Code, Containing Provisions to Adapt the National Legislation to General Data Protection Regulation (Regulation (EU) 2016/679) (‘the Code‘). The Code repealed sections that conflict with the GDPR.
• Spain implemented the GDPR with its Protection of Personal Data and Guarantee of Digital Rights (‘the LOPDGDD‘) (only available in Spanish)
• Malta Data Protection Act 2001

The United Kingdom

• The UK GDPR (New)
  • The General Data Protection Regulation (EU) 2016/679) (‘GDPR’) applied in the UK until 1 January 2021, when the UK adopted the EU GDPR as domestic law with some changes to work effectively in the UK context, now referred to as the ‘UK GDPR’.
  • UK GDPR (replaced the Data Protection Act 1998)
  • The UK GDPR is supplemented by the UK Data Protection Act 2018 and together these laws set out the data protection framework in the UK.

Americas

• United States
  • Sector-specific data protection laws
  • California Privacy Act, 2020 (CPRA) (New)
  • California Consumer Privacy Act (CCPA)
  • Virginia Consumer Data Protection Act (CDPA) (New) (The CDPA came into force on 1 January 2023)
  • Colorado Privacy Act (‘CPA‘) (New) (The CPA came into effect on 1 July 2023)
  • Connecticut Senate Bill 6 for an Act Concerning Personal Data Privacy and Online Monitoring (The Act was expected to come into force on 1 July 2023 but there has not been an official announcement yet) (New)
  • Utah Senate Bill 227 for the Consumer Privacy Act (will enter into effect on 1 December 2023) (New)
  • Florida Digital Bill of Rights (will enter into effect on 1 July 2024) (New)
  • Texas Data Privacy and Security Act (will enter into effect on 1 July 2024) (New)
  • Montana Consumer Data Privacy Act (will enter into effect on 1 October 2024) (New)
  • Iowa Act relating to consumer data protection (will enter into effect on 1 January 2025) (New)
  • Oregon Consumer Privacy Act (will enter into effect on 1 July 2025) (New)
  • Tennessee Information Protection Act (will enter into effect on 1 July 2025) (New)
  • Indiana Consumer Data Protection Act (will enter into effect on 1 January 2026) (New)
  • Senate Bill for the New York Privacy Act (New) (reintroduced in the State Senate in January 2022)
  • Assembly Bill for the New York Privacy Act (New) (reintroduced in the State Assembly in January 2022)
  • Draft Consumer Privacy Bill of Rights Act (CPBORA) (still not in force and probably won’t be signed into law)
  • The EU-US Privacy Shield
• Canada
  • Privacy Act and the Personal Information Protection and Electronic Documents Act (PIPEDA)
  • British Columbia: Personal Information Protection Act, SBC 2003 c 63 (‘BC PIPA’)
  • Alberta: Personal Information Protection Act, SA 2003 c P-6.5 (‘AB PIPA’)
  • Quebec: Act respecting the Protection of Personal Information in the Private Sector, CQLR c P-39.1 (‘Quebec Private Sector Act‘)
• South America
  • Argentinian Personal Data Protection Act
  • Brazilian General Data Protection Law (in Portuguese) (New)
  • Bermuda Personal Information Protection Act (PIPA)
  • Chile’s Law No. 19.628 on the Protection of Private Life 1999 (in Spanish)
  • Colombia Law 1581 of 2012 on the Protection of Personal Data (in Spanish)
  • Costa Rica Protection of Persons Regarding the Processing of their Personal Data 8968 of 2011 (in Spanish)
  • Uruguay’s Law No. 18.331 on the Protection of Personal Data and the Habeas Data Action 2008 (in Spanish)
  • Paraguay’s Law No. 1682 which Regulates Private Information 2001 (in Spanish)
  • Peru’s Law No. 29.733 on the Protection of Personal Data 2011 (in Spanish)
  • Ecuador’s Organic Law on the Protection of Personal Data (in Spanish)
  • Mexico Federal Law on Protection of Personal Data Held by Private Parties and Regulations

Africa

• Various Data Protection Laws of Africa
• South Africa Protection of Personal Information Act (POPI Act) Key Insights
• Mauritian Data Protection Act 2017, which replaces the Data Protection Act 2004

Australia and New Zealand

• Australian Privacy Act
• New Zealand Privacy Act (New)

Asia

• India’s Digital Personal Data Protection Bill (DPDP) 2023 (New)
• China’s Personal Information Protection Law (PIPL) (New)
• The APEC Privacy Framework and the OECD Privacy Framework
• Japan Act on the Protection of Personal Information (APPI)
  • Japan passed the Amended Act on the Protection of Personal Information (Act No. 57 of 2003 as amended in 2020). The 2020 Amendments will come into force on 1 April 2022. (New)
  • The Act on the Use of Numbers to Identify a Specific Individual in the Administrative Procedure (Act No. 27 of 2013 as amended) (‘the My Number Act‘) (New)
• Hong Kong Personal Data (Privacy) Ordinance.
• Singapore Personal Data Protection Act 2012 (PDPA)

Middle East

• Saudi Arabia Personal Data Protection Law 2021 (New)
• Bahrain’s Personal Data Protection Law (New)
• Isreali Protection of Privacy Law 2014
• UAE’s Federal Law on Protection of Personal Data (New) (Not in operation yet)

Other places to find a Data Protection Law, Act or Regulation

Data Guidance by OneTrust is an online research and global regulatory monitoring tool. We use Data Guidance to monitor global regulatory developments and updates. Contact us for more information about Data Guidance or if you want to subscribe to Data Guidance. Michalsons is a OneTrust partner so we might be able to negotiate a discount for you. You can also download a Global Table of Data Privacy Laws and Bills and DLA Piper has a world map. You can also find a list of data protection authorities, commissioners or regulators.