Global Privacy Laws
Jurisdictions
Click on a country below to dive into any privacy laws
Legend:
Privacy law
Draft privacy law
No privacy law
Comparing privacy laws
Comparing Privacy Laws
Comply with laws around the world
The Global Privacy Laws portal is the latest feature to be added to the OneTrust DataGuidance Research platform and provides the most comprehensive way of comparing privacy laws around the world. New jurisdictions are being added to the portal every week.
To research a jurisdiction not currently included, you can utilise the Laws Around The World Map to visit that country's dashboard and resources.
The US presents a plethora of laws and privacy bills posing relevant compliance challenges for privacy professionals. OneTrust DataGuidance has therefore built the USA State Law Tracker, a dedicated hub for US state law developments where organisations are able to access and understand how potential laws might affect their daily operations.
OneTrust DataGuidance's GDPR Portal also provides a central resource for more detailed research into the GDPR, its implementation in each Member State, and how such laws vary.
- There is a requirement in place.
- Click to view information for additional detail.
- There is no requirement in place.
Definitions
- title
- Data Controller
- Data Processor
- Personal Data
- Sensitive Data
- Health Data
- Biometric Data
- Pseudonymisation
- Albania
- Algeria
- Angola
- Argentina
- Armenia
- Australia
- Austria
- Azerbaijan
- Bahamas
- Bahrain
- Bangladesh
- Barbados
- Belarus
- Belgium
- Bermuda
- Bolivia
- Bosnia & Herzegovina
- Botswana
- Brazil
- British Columbia
- British Virgin Islands
- Bulgaria
- California
- Cambodia
- Cameroon
- Canada Federal
- Cape Verde
- Chad
- Chile
- China
- Colombia
- Colorado
- Connecticut
- Costa Rica
- Croatia
- Cyprus
- Czechia
- Delaware
- Denmark
- Dominican Republic
- Ecuador
- Egypt
- El Salvador
- Estonia
- Ethiopia
- Finland
- Florida
- France
- GDPR
- Georgia
- Germany
- Ghana
- Greece
- Guatemala
- Guernsey
- Honduras
- Hong Kong
- Hungary
- India
- Indiana
- Indonesia
- Iowa
- Iraq
- Ireland
- Isle of Man
- Italy
- Jamaica
- Japan
- Jersey
- Jordan
- Kazakhstan
- Kenya
- Kuwait
- Kyrgyzstan
- Lao PDR
- Latvia
- Lebanon
- Liechtenstein
- Lithuania
- Luxembourg
- Macau
- Madagascar
- Malaysia
- Mali
- Malta
- Mauritius
- Mexico
- Moldova
- Mongolia
- Montana
- Montenegro
- Morocco
- Myanmar
- Namibia
- Nepal
- Netherlands
- New Hampshire
- New Jersey
- New Zealand
- Niger
- Nigeria
- North Macedonia
- Norway
- Oman
- Ontario
- Oregon
- Pakistan
- Panama
- Paraguay
- Peru
- Philippines
- Poland
- Portugal
- Qatar
- Quebec
- Romania
- Russia
- Rwanda
- Saudi Arabia
- Serbia
- Seychelles
- Singapore
- Slovakia
- Slovenia
- South Africa
- South Korea
- Spain
- Sri Lanka
- Sweden
- Switzerland
- Taiwan
- Tajikistan
- Tanzania
- Tennessee
- Texas
- Thailand
- The Gambia
- Timor-Leste
- Tunisia
- Turkey
- Turkmenistan
- UAE - ADGM
- UAE - DIFC
- UAE - Federal
- Uganda
- UK
- Ukraine
- Uruguay
- Utah
- Uzbekistan
- Vietnam
- Virginia
- Zambia
Legal Bases
- title
- Consent
- Data Subject Contract
- Legal Obligation
- Data Subject Interest
- Public Interest
- Legitimate Interest
- Other
- Albania
- Algeria
- Angola
- Argentina
- Armenia
- Australia
- Austria
- Azerbaijan
- Bahamas
- Bahrain
- Bangladesh
- Barbados
- Belarus
- Belgium
- Bermuda
- Bolivia
- Bosnia & Herzegovina
- Botswana
- Brazil
- British Columbia
- British Virgin Islands
- Bulgaria
- California
- Cambodia
- Cameroon
- Canada Federal
- Cape Verde
- Chad
- Chile
- China
- Colombia
- Colorado
- Connecticut
- Costa Rica
- Croatia
- Cyprus
- Czechia
- Delaware
- Denmark
- Dominican Republic
- Ecuador
- Egypt
- El Salvador
- Estonia
- Ethiopia
- Finland
- Florida
- France
- GDPR
- Georgia
- Germany
- Ghana
- Greece
- Guatemala
- Guernsey
- Honduras
- Hong Kong
- Hungary
- India
- Indiana
- Indonesia
- Iowa
- Iraq
- Ireland
- Isle of Man
- Italy
- Jamaica
- Japan
- Jersey
- Jordan
- Kazakhstan
- Kenya
- Kuwait
- Kyrgyzstan
- Lao PDR
- Latvia
- Lebanon
- Liechtenstein
- Lithuania
- Luxembourg
- Macau
- Madagascar
- Malaysia
- Mali
- Malta
- Mauritius
- Mexico
- Moldova
- Mongolia
- Montana
- Montenegro
- Morocco
- Myanmar
- Namibia
- Nepal
- Netherlands
- New Hampshire
- New Jersey
- New Zealand
- Niger
- Nigeria
- North Macedonia
- Norway
- Oman
- Ontario
- Oregon
- Pakistan
- Panama
- Paraguay
- Peru
- Philippines
- Poland
- Portugal
- Qatar
- Quebec
- Romania
- Russia
- Rwanda
- Saudi Arabia
- Serbia
- Seychelles
- Singapore
- Slovakia
- Slovenia
- South Africa
- South Korea
- Spain
- Sri Lanka
- Sweden
- Switzerland
- Taiwan
- Tajikistan
- Tanzania
- Tennessee
- Texas
- Thailand
- The Gambia
- Timor-Leste
- Tunisia
- Turkey
- Turkmenistan
- UAE - ADGM
- UAE - DIFC
- UAE - Federal
- Uganda
- UK
- Ukraine
- Uruguay
- Utah
- Uzbekistan
- Vietnam
- Virginia
- Zambia
Controller and Processor Obligations
- title
- Data Processing Registration
- Data Transfers
- Data Processing Records
- DPIAs
- DPOs
- Breach Notification
- Data Retention
- Children's Data
- Special Categories
- Vendor Contracts
- Albania
- Algeria
- Angola
- Argentina
- Armenia
- Australia
- Austria
- Azerbaijan
- Bahamas
- Bahrain
- Bangladesh
- Barbados
- Belarus
- Belgium
- Bermuda
- Bolivia
- Bosnia & Herzegovina
- Botswana
- Brazil
- British Columbia
- British Virgin Islands
- Bulgaria
- California
- Cambodia
- Cameroon
- Canada Federal
- Cape Verde
- Chad
- Chile
- China
- Colombia
- Colorado
- Connecticut
- Costa Rica
- Croatia
- Cyprus
- Czechia
- Delaware
- Denmark
- Dominican Republic
- Ecuador
- Egypt
- El Salvador
- Estonia
- Ethiopia
- Finland
- Florida
- France
- GDPR
- Georgia
- Germany
- Ghana
- Greece
- Guatemala
- Guernsey
- Honduras
- Hong Kong
- Hungary
- India
- Indiana
- Indonesia
- Iowa
- Iraq
- Ireland
- Isle of Man
- Italy
- Jamaica
- Japan
- Jersey
- Jordan
- Kazakhstan
- Kenya
- Kuwait
- Kyrgyzstan
- Lao PDR
- Latvia
- Lebanon
- Liechtenstein
- Lithuania
- Luxembourg
- Macau
- Madagascar
- Malaysia
- Mali
- Malta
- Mauritius
- Mexico
- Moldova
- Mongolia
- Montana
- Montenegro
- Morocco
- Myanmar
- Namibia
- Nepal
- Netherlands
- New Hampshire
- New Jersey
- New Zealand
- Niger
- Nigeria
- North Macedonia
- Norway
- Oman
- Ontario
- Oregon
- Pakistan
- Panama
- Paraguay
- Peru
- Philippines
- Poland
- Portugal
- Qatar
- Quebec
- Romania
- Russia
- Rwanda
- Saudi Arabia
- Serbia
- Seychelles
- Singapore
- Slovakia
- Slovenia
- South Africa
- South Korea
- Spain
- Sri Lanka
- Sweden
- Switzerland
- Taiwan
- Tajikistan
- Tanzania
- Tennessee
- Texas
- Thailand
- The Gambia
- Timor-Leste
- Tunisia
- Turkey
- Turkmenistan
- UAE - ADGM
- UAE - DIFC
- UAE - Federal
- Uganda
- UK
- Ukraine
- Uruguay
- Utah
- Uzbekistan
- Vietnam
- Virginia
- Zambia
Individuals' Rights
- title
- Informed
- Access
- Rectification
- Erasure
- Object
- Portability
- Automated Decision-Making
- Other
- Albania
- Algeria
- Angola
- Argentina
- Armenia
- Australia
- Austria
- Azerbaijan
- Bahamas
- Bahrain
- Bangladesh
- Barbados
- Belarus
- Belgium
- Bermuda
- Bolivia
- Bosnia & Herzegovina
- Botswana
- Brazil
- British Columbia
- British Virgin Islands
- Bulgaria
- California
- Cambodia
- Cameroon
- Canada Federal
- Cape Verde
- Chad
- Chile
- China
- Colombia
- Colorado
- Connecticut
- Costa Rica
- Croatia
- Cyprus
- Czechia
- Delaware
- Denmark
- Dominican Republic
- Ecuador
- Egypt
- El Salvador
- Estonia
- Ethiopia
- Finland
- Florida
- France
- GDPR
- Georgia
- Germany
- Ghana
- Greece
- Guatemala
- Guernsey
- Honduras
- Hong Kong
- Hungary
- India
- Indiana
- Indonesia
- Iowa
- Iraq
- Ireland
- Isle of Man
- Italy
- Jamaica
- Japan
- Jersey
- Jordan
- Kazakhstan
- Kenya
- Kuwait
- Kyrgyzstan
- Lao PDR
- Latvia
- Lebanon
- Liechtenstein
- Lithuania
- Luxembourg
- Macau
- Madagascar
- Malaysia
- Mali
- Malta
- Mauritius
- Mexico
- Moldova
- Mongolia
- Montana
- Montenegro
- Morocco
- Myanmar
- Namibia
- Nepal
- Netherlands
- New Hampshire
- New Jersey
- New Zealand
- Niger
- Nigeria
- North Macedonia
- Norway
- Oman
- Ontario
- Oregon
- Pakistan
- Panama
- Paraguay
- Peru
- Philippines
- Poland
- Portugal
- Qatar
- Quebec
- Romania
- Russia
- Rwanda
- Saudi Arabia
- Serbia
- Seychelles
- Singapore
- Slovakia
- Slovenia
- South Africa
- South Korea
- Spain
- Sri Lanka
- Sweden
- Switzerland
- Taiwan
- Tajikistan
- Tanzania
- Tennessee
- Texas
- Thailand
- The Gambia
- Timor-Leste
- Tunisia
- Turkey
- Turkmenistan
- UAE - ADGM
- UAE - DIFC
- UAE - Federal
- Uganda
- UK
- Ukraine
- Uruguay
- Utah
- Uzbekistan
- Vietnam
- Virginia
- Zambia
Penalties and Enforcement
- title
- Penalties
- Enforcement
- Albania
- Algeria
- Angola
- Argentina
- Armenia
- Australia
- Austria
- Azerbaijan
- Bahamas
- Bahrain
- Bangladesh
- Barbados
- Belarus
- Belgium
- Bermuda
- Bolivia
- Bosnia & Herzegovina
- Botswana
- Brazil
- British Columbia
- British Virgin Islands
- Bulgaria
- California
- Cambodia
- Cameroon
- Canada Federal
- Cape Verde
- Chad
- Chile
- China
- Colombia
- Colorado
- Connecticut
- Costa Rica
- Croatia
- Cyprus
- Czechia
- Delaware
- Denmark
- Dominican Republic
- Ecuador
- Egypt
- El Salvador
- Estonia
- Ethiopia
- Finland
- Florida
- France
- GDPR
- Georgia
- Germany
- Ghana
- Greece
- Guatemala
- Guernsey
- Honduras
- Hong Kong
- Hungary
- India
- Indiana
- Indonesia
- Iowa
- Iraq
- Ireland
- Isle of Man
- Italy
- Jamaica
- Japan
- Jersey
- Jordan
- Kazakhstan
- Kenya
- Kuwait
- Kyrgyzstan
- Lao PDR
- Latvia
- Lebanon
- Liechtenstein
- Lithuania
- Luxembourg
- Macau
- Madagascar
- Malaysia
- Mali
- Malta
- Mauritius
- Mexico
- Moldova
- Mongolia
- Montana
- Montenegro
- Morocco
- Myanmar
- Namibia
- Nepal
- Netherlands
- New Hampshire
- New Jersey
- New Zealand
- Niger
- Nigeria
- North Macedonia
- Norway
- Oman
- Ontario
- Oregon
- Pakistan
- Panama
- Paraguay
- Peru
- Philippines
- Poland
- Portugal
- Qatar
- Quebec
- Romania
- Russia
- Rwanda
- Saudi Arabia
- Serbia
- Seychelles
- Singapore
- Slovakia
- Slovenia
- South Africa
- South Korea
- Spain
- Sri Lanka
- Sweden
- Switzerland
- Taiwan
- Tajikistan
- Tanzania
- Tennessee
- Texas
- Thailand
- The Gambia
- Timor-Leste
- Tunisia
- Turkey
- Turkmenistan
- UAE - ADGM
- UAE - DIFC
- UAE - Federal
- Uganda
- UK
- Ukraine
- Uruguay
- Utah
- Uzbekistan
- Vietnam
- Virginia
- Zambia
On April 17, 2024, the Colorado Governor signed House Bill 24-1058 on Protect Privacy of Biological Data into law. The Act now amends the Colorado Privacy Act (CPA) by expanding the definition of 'sensitive data' to include biological data.
On April 17, 2024, Senate Bill 896 for the Artificial Intelligence Accountability Act was recommended for passage and re-referred to the Committee on Appropriations.
On April 17, 2024, Senate Bill 1223 for Consumer privacy: sensitive personal information: neural data was recommended for passage and re-referred to the Committee on Appropriations.
On April 17, 2024, Legislative Document 1977 for An Act to Create the Data Privacy and Protection Act died in the Maine State Senate.
On April 17, 2024, Legislative Document 1973 for An Act to Enact the Maine Consumer Privacy Act died in the House of Representatives.
On April 17, 2024, Assembly Bill 3080 relating to age verification: obscene and indecent material was amended, recommended for passage as amended, and re-referred to the Assembly Committee on Judiciary by the Committee on Privacy and Consumer Protection.
On April 17, 2024, Senate Bill 892 for Public contracts: automated decision systems: AI risk management standards was re-referred to the California State Senate Committee on Appropriations.
On April 17, 2024, the Energy and Commerce Committee announced that the Innovation, Data, and Commerce Subcommittee held a hearing titled 'Legislative Solutions to Protect Kids Online and Ensure Americans' Data Privacy Rights.'
On April 17, 2024, the House of Representatives rejected the Governor of Virginia's recommendations on House Bill 707 to amend the Virginia Consumer Data Protection Act
On April 17, 2024, the Virginia State Senate rejected the Governor of Virginia's recommendations on Senate Bill 361 for protections for children.
On April 16, 2024, the White House Office of Management and Budget (OMB) published a statement of administration policy for House Resolution 4639 for the Fourth Amendment Is Not For Sale Act (HR 4639).
On April 11, 2024, the White House Office of Management and Budget (OMB) published a statement of administration policy for the House Resolution Reforming Intelligence and Securing America Act (HR 7888).
On April 16, 2024, California Senator Josh Becker announced that the Senate Committee on Judiciary approved Senate Bill 942 on the California Artificial Intelligence Transparency Act.
On April 16, 2024, California Senator Josh Becker announced that the Senate Committee on Judiciary approved Senate Bill 1223 for Consumer privacy: sensitive personal information: neural data.
On April 16, 2024, House Bill 1891 on the Protecting Children from Social Media Act was enrolled and sent for signature to the Speaker of the House of Representatives.
On April 16, 2024, the European Parliament published a corrigendum on its position on the Proposal for a Regulation of the European Parliament and of the Council Laying Down Harmonised Rules on Artificial Intelligence (the AI Act). In particular, the corrigendum corrects er
On March 13, 2024, the European Parliament adopted the European Union's (EU) Regulation laying down harmonized rules on artificial intelligence (AI), commonly known as the Artificial Intelligence Act (the AI Act) (see the
Part one of this comparison outlined the differences in the scope, definitions, and legal bases for processing between the Jordanian Personal Data Protection Act 2023 (JPDPA) and the General Data Protection Regulation (GDPR).
The Utah Consumer Privacy Act (UCPA), which entered into force on December 31, 2023, functions as comprehensive privacy legislation in Utah. However, the Utah State legislature has been active in both amending state privacy legislation and providing for new additions.
In its current legislative session, Maryland's General Assembly is considering the Maryland Online Data Privacy Act of 2024 (MODPA).
On September 17, 2023, the Jordanian Personal Data Protection Act 2023 (JPDPA), which regulates privacy in Jordan, was issued and entered into force on March 17, 2024.
The Data Protection and Digital Information (No. 2) Bill was first introduced to Parliament by the UK Government on March 8, 2023.
The Parliament of Malawi introduced the Data Protection Bill on December 7, 2023, which provides a comprehensive legal framework for data protection in compliance with internationally accepted principles of da
New Jersey became the 13th state to enact comprehensive privacy legislation when Governor Murphy signed S332 into law on January 16, 2024.
In this Insight article, Kwang Bae Park, Sunghee Chae, and Matt Younghoon Mok, from Lee & Ko, explore South Korea's Digital Bill of Rights, emphasizing its international cooperation principles and the government's preference for self-regulation in the artificial intelligence (AI) industry.
On January 11, 2024, the European Commission issued a press release marking the entry into force of the Regulation on Harmonised Rules on Fair Access to and Use of Data (the Data Act) on the same date, as part of the European Union's (EU) digital strategy.
In this Insight article, Crosbby Buleje, Associate at Baker & McKenzie LLP, discusses Peru's Draft Regulation of Law No. 29.733 on the Protection of Personal Data 2011, as proposed in 2023, including extraterritorial application and enhanced consent requirements.
This Insight article delves into the recent adoption of the Act on the Protection of Whistleblowers (the Act) in Czechia, highlighting changes for employers. It covers key rules, the role of designated competent persons, and control mechanisms, offering practical recommendations for companies adjusting to the new whistleblowing regulations.
Keeping up to Date With Global Privacy Updates
As the privacy landscape continues to develop at speed, the OneTrust DataGuidance Global Privacy Updates page is the go-to resource for tracking all upcoming global privacy updates. This page outlines privacy laws from across the world that you should be aware of, their legislative status, and key dates you should know. Use the table of contents below for a quick overview of privacy updates on the horizon or click on each update to navigate directly to further information, legal texts, and further resources. Please see the US Tracker within our US Privacy Law Portal for updates on US privacy legislation and our AI Portal for updates on AI laws and frameworks.
Page last updated: March 18, 2024
Table of Resources
- Botswana: Data Protection Act, Act No. 32 of 2018
- Eswatini: the Data Protection Act No.5 of 2022
- Kenya: the Data Protection Regulations, 2021
- Mozambique: Draft Cybersecurity Bill
- Namibia: Draft Data Protection Bill 2022
- Nigeria: Data Protection Bill, 2023
Seychelles: Data Protection Bill, 2023
Somalia: Law No. 005 the Data Protection Act
- Tanzania: Personal Data Protection Act 2022
- Zimbabwe: Draft for the Cyber and Data Protection Regulations, 2022
- Zimbabwe: Data Protection Act [Chapter 11:12]
Africa
Law: Data Protection Act, Act No. 32 of 2018 (the Act)
Status: Passed
OneTrust DataGuidance confirmed with Obakeng Lebotse, Partner at Bookbinder Business Law that the Ministry of State published an order extending the grace period for the Act to October 13, 2024.
Resources:
Eswatini
Law: The Data Protection Act No.5 of 2022 ('the Data Protection Act')
Status: In force
The Data Protection Act came into operation on 4 March 2022, on the date of publication in the Gazette.
Resources:
Kenya
Law: The Data Protection Regulations, 2021 ('the Data Protection Regulations')
Status: In force
The Data Protection Regulations were published in the Official Gazette on 14 January 2022 and enter into effect on 14 July 2022.
Resources:
Law: Bill No. 22 for the Data Protection Act, 2023
Status: In legislative process
On December 7, 2023, the Parliament of Malawi introduced Bill No. 22 for the Data Protection Act, 2023.
Resources:
Mozambique
Law: Draft Cybersecurity Bill ('the Bill')
Status: Proposal
The National Institute of Information and Communication Technologies published, on 22 November 2022, the Bill in line with its proposal for a cybersecurity law.
Resources:
- Legal Text (only available in swahili)
- OneTrust DataGuidance Jurisdiction Overview
Nigeria
Law: Data Protection Act, 2023 (the Act)
Status: In legislative process
On June 14, 2023, OneTrust DataGuidance Research confirmed with Tiwalola Osazuwa, Partner at ÆLEX, that the Act was signed by the President and became law.
Resources:
Namibia
Law: Draft Data Protection Bill 2022 ('the Bill')
Status: In legislative process
The Ministry of Information and Communication Technology released on Twitter on, 26 October 2022, its revised draft Data Protection Bill 2022.
Resources:
Law: Data Protection Bill, 2023 (the Bill)
Status: In legislative process
On June 22, 2023, the Cabinet of Seychelles approved the Bill, which was introduced on March 16, 2023, by the Department of Information Communications Technology.
Resources:
Law: Law No. 005 the Data Protection Act (the Law)
Status: Passed
On February 5, 2023, the Somalian Data Protection Authority informed, OneTrust DataGuidance that the Law was enacted in March 2023.
Resources:
Tanzania
Law: The Personal Data Protection Act 2022 (PDPA)
Status: In force
On May 24, 2023, OneTrust DataGuidance Research confirmed with Rachel Magege, Lawyer and Project Associate at Pollicy, that the PDPA entered into force on May 1, 2023, by means of Government Notice No. 326 of 2023, which was published on April 28, 2023.
Resources:
- Legal Text (only available in Swahili)
- OneTrust DataGuidance Jurisdiction Overview
Zimbabwe
Law: Draft for the Cyber and Data Protection Regulations, 2022 ('the Draft Law')
Status: In legislative process
The Postal and Telecommunications Regulatory Authority of Zimbabwe announced the introduction of the Draft Law on 16 November 2022.
Resources:
Zimbabwe
Law: Data Protection Act [Chapter 11:12] ('the Act')
Status: Enacted
OneTrust DataGuidance confirmed, on 5 December 2021, with Steve Munyaradzi Chikengezha, Associate at DLA Piper Africa Zimbabwe - Manokore Attorneys that the Act was enacted on 3 December 2021. The Media Institute of Southern Africa Zimbabwe clarified that the Act does not state a date for when it will take effect or a transition period.
Resources:
Table of Resources
- Australia: Review of Privacy Act 1988 (No. 119, 1988) (as amended)
- Australia: Privacy Legislation Amendment (Enforcement and Other Measures) 2022
Bangladesh: Draft Data Protection Act, 2023
- Brunei Darussalam: Draft Personal Data Protection Order
- China: Draft Decision Amending the Cybersecurity Law
- Hong Kong: Personal Data (Privacy) Ordinance (Cap. 486) (as amended)
- Indonesia: The Personal Data Protection Law
- Japan: Act on the Protection of Personal Information (Act No. 57 of 2003 as amended in 2020)
- Myanmar: Amendments to the Law Protecting the Privacy and Security of Citizens (2017) and the Electronic Transactions Law (2004)
- Mongolia: Law on Protection of Personal Information
Mongolia: Law of Mongolia on Cybersecurity
New Zealand: Bill 292-1 the Privacy Amendment Bill
- Pakistan: Personal Data Protection Bill 2021 (August 2021)
- Philippines: Substitute Bill to amend the Data Privacy Act of 2012 (Republic Act No. 10173)
- Shanghai: Data Regulations
- Shenzhen: Shenzhen Special Economic Zone Data Regulation
- South Korea: Amendments to Personal Information Protection Act 2011 (as amended)
- Sri Lanka: Personal Data Protection Act, No. 9 of 2022
- Taiwan: Personal Data Protection Act 2015
- Thailand: Personal Data Protection Act 2019
- Vietnam: Decree No. 13/2023/ND-CP on the Protection of Personal Data
Asia-Pacific
Australia
Law: Review of Privacy Act 1988 (No. 119, 1988) (as amended)
Status: In legislative process
Public consultation on the reviewed Privacy Act was launched on 10 January 2022. The consultation is aimed at a review of the Act to ensure that the privacy framework empowers consumers, protects their data, and serves the Australian economy. On 16 Febuary 2023, the Attorney General publicly released a Report on the Privacy Act Review. The Report outlines the 116 proposed reforms to the Privacy Act and was informed by feedback.
Resources:
Australia
Law: Privacy Legislation Amendment (Enforcement and Other Measures) 2022 ('the Amendment Act')
Status: In force
The Amendment Act received royal assent on 12 December 2022 and entered into effect the day after, on 13 December 2022.
Resources:
Bangladesh
Law: Draft Data Protection Act, 2023 ('the Draft Act')
Status: In legislative process
On November 29, 2023, OneTrust DataGuidance Research confirmed with Nasir Doulah, Partner at Doulah & Doulah, that the Bill was passed by the Cabinet of Bangladesh.
Resources:
- Legal Text (only available in Bangla)
- OneTrust DataGuidance Jurisdiction Overview
Brunei Darussalam
Law: Draft Personal Data Protection Order ('PDPO')
Status: In legislative process
On 20 May 2021, the Authority for Info-communications Technology Industry of Brunei Darussalam ('AITI') initiated public consultation on its draft PDPO. Subsequently, on 3 December 2021, a response feedback paper on the public consultation was published, establishing comprehensive insights on the expected operation of the PDPO.
Resources:
China
Law: Draft Decision Amending the Cybersecurity Law ('the Draft Law')
Status: In legislative process
The Cyberspace Administration of China released, on 14 September 2022, the Draft Law. Public comments were open until 29 September 2022.
Resources:
Hong Kong
Law: Personal Data (Privacy) Ordinance (Cap. 486) (as amended) ('PDPO')
Status: Proposal
The Office of the Privacy Commissioner for Personal Data published, on 20 February 2023, a report in which it highlighted it is working closely with the Government of Hong Kong to comprehensively review the PDPO and formulate concrete proposals for legislative amendments.
Resources:
India
Law: The Digital Personal Data Protection Act, 2023 (Act)
Status: Adopted
On August 11, 2023, the Digital Personal Data Protection Bill, 2023, received the assent of the President of India and was published in the Official Gazette, thus enacting the Act. The entry into force of the Act is to be announced by the Indian Government via notification in the Official Gazette.
Resources:
Indonesia
Law: The Personal Data Protection Law ('PDPL')
Status: In force
The PDPL was signed by the President and entered into force, on 17 October 2022. Controllers, processors, and any other parties related to the processing of personal data will have two years from the date of promulgation to comply with the PDPL.
Resources:
- Legal Text (only available in Indonesian)
- OneTrust DataGuidance Jurisdiction Overview
Japan
Law: The Act on the Protection of Personal Information (Act No. 57 of 2003 as amended in 2020) ('APPI')
Status: In force
The APPI entered into effect on 1 April 2022. Further amendments to the APPI in regard to academic research institutes and local administrative agencies will enter into effect on 1 April 2023.
Resources:
Myanmar
Law: Amendments to the Law Protecting the Privacy and Security of Citizens (2017) and the Electronic Transactions Law (2004)
Status: Unknown
OneTrust DataGuidance confirmed, on 18 May 2021, with Dr Ross Taylor, Counsel and Head of Financial Services at Tilleke & Gibbins, that the State Administration Council had adopted, in February 2021, amendments to the Law Protecting the Privacy and Security of Citizens (2017) and the Electronic Transactions Law (2004).
Resources:
Mongolia
Law: Law on the Protection of Personal Information (the Law)
Status: In force
On May 1, 2022, the Law entered into effect.
Resources:
- Legal Text (only available in Mongolian)
- OneTrust DataGuidance Jurisdiction Overview
Law: Law of Mongolia on Cybersecurity (the Cybersecurity Law)
Status: In force
On May 1, 2022, the Cybersecurity Law entered into effect.
Resources:
- Legal Text (only available in Mongolian)
- OneTrust DataGuidance Jurisdiction Overview
Law: Bill 292-1 the Privacy Amendment Bill (the Bill)
Status: In legislative process
On September 5, 2023, Bill 292-1 the Privacy Amendment Bill was introduced to the New Zealand Parliament.
Resources:
Pakistan
Law: Personal Data Protection Bill 2021
Status: Published for public consultation
OneTrust DataGuidance confirmed, on 28 February 2022, with Saeed Hasan Khan, Partner at S.U. Khan Associates Corporate & Legal Consultants, that the Federal Cabinet of Pakistan approved, on 16 February 2022, the draft of the Personal Data Protection Bill 2021.
Resources:
Philippines
Law: Substitute Bill to amend the Data Privacy Act of 2012 (Republic Act No. 10173)
Status: Proposed
The National Privacy Commission ('NPC') issued, on 25 June 2021, a statement addressing recent efforts to strengthen the current privacy law in the Philippines, following the 55th Asia Pacific Privacy Authorities Forum. In particular, the NPC highlighted that a substitute bill to amend the Data Privacy Act of 2012 (Republic Act No. 10173) had been approved by the Committee on Information and Communications Technology of the House of Representatives.
Resources:
Shanghai
Law: Shanghai Data Regulations
Status: In force
The Shanghai Data Regulations entered into effect on 1 January 2022.
Resources:
- Legal Text (only available in Chinese)
- OneTrust DataGuidance Jurisdiction Overview
Shenzhen
Law: Shenzhen Special Economic Zone Data Regulation
Status: In force
The Shenzhen Special Economic Zone Data Regulation entered into effect on 1 January 2022.
Resources:
- Legal Text (only available in Chinese)
- OneTrust DataGuidance Jurisdiction Overview
South Korea
Law: Amendments to Personal Information Protection Act 2011 (as amended) ('PIPA')
Status: In force
The South Korean National Assembly passed, on 27 February 2023, a proposal amending the PIPA. The amendments will enter into effect six months after promulgation.
Resources:
- Legal Text (only available in Korean)
- OneTrust DataGuidance Jurisdiction Overview
Sri Lanka
Law: Personal Data Protection Act, No. 9 of 2022
Status: Partially in force
Parts VI, VIII, IX, and X of the PDPA entered into force on December 1, 2023, while Parts I, II, III, and VII of the PDPA will enter into force on March 18, 2025.
Resources:
Taiwan
Law: Personal Data Protection Act 2015 ('PDPA')
Status: In force
On June 2, 2023, the amendments to the PDPA officially came into effect following the President's approval and the announcement by the National Development Council (NDC) on May 31, 2023.
Resources:
- Legal Text (only available in Chinese)
- OneTrust DataGuidance Jurisdiction Overview
Thailand
Law: The Personal Data Protection Act 2019 ('PDPA')
Status: In force
The PDPA entered into effect on 1 June 2022.
Resources:
Vietnam
Law: Decree No. 13/2023/ND-CP on the Protection of Personal Data
Status: In force
The PDPD entered into effect on 1 July 2023.
Resources:
- Legal Text (only available to download in Vietnamese)
- OneTrust DataGuidance Jurisdiction Overview
Table of Resources
- Canada - Federal: Bill C-27 for the Digital Charter Implementation Act 2022
Canada – Federal: Government Bill C-26 for an Act respecting cybersecurity, amending the Telecommunications Act and making consequential amendments to other Acts
Canada
Canada - Federal
Law: Bill C-27 for the Digital Charter Implementation Act 2022
Status: In legislative process
On 16 June 2022, Bill C-27 for the Digital Charter Implementation Act 2022 was introduced to the House of Commons. Bill C-27 passed second reading on 24 April 2023 and was thereafter referred to the Standing Committee on Industry and Technology.
Resources:
Canada - Federal
Law: Government Bill C-26 for an Act respecting cybersecurity, amending the Telecommunications Act and making consequential amendments to other Acts ('Bill C-26')
Status: In legislative process
Bill C-26 passed, on 27 March 2023, its second reading in the House of Commons of Canada, and was thereafter referred, on the same date, to the Standing Committee on Public Safety and National Security.
Resources:
Quebec
Law: An Act to modernize legislative provisions as regards the protection of personal information, 2021, Chapter 25 ('the Amendment Act') (formerly known as Bill 64).
Status: Partially in force
The Amendment Act will enter into force over a three year period with provisions entering into force in September 2022, September 2023, September 2024.
Resources:
Table of Resources
- Belize: Data Protection Act, 2021
- Bermuda: Personal Information Protection Act 2016
- Cuba: Law 149/2022 on Personal Data Protection
- Grenada: The Grenada Data Protection Act, No. 1 of 2023
- Jamaica: Protection Act No. 7 of 2020
- Suriname: Bill for the Privacy Protection Act and Personal Data
Caribbean
Law: Data Protection Act, 2021 ('the Act')
Status: Adopted
In 2021, the National Assembly in Belize adopted the Act which will enter into force on a day to be appointed by the Minister by Order published in the Gazette.
Resources:
Law: Personal Information Protection Act 2016 (PIPA)
Status: Adopted
On June 16, 2023, the Bermuda Office of the Privacy Commissioner (PrivCom) announced, in a joint press release with the Bermuda Government, that the PIPA will be implemented on January 1, 2025.
Resources:
Law: Law 149/2022 on Personal Data Protection ('the Law')
Status: In force
The Law was published, on 25 August 2022, in the Official Gazette of the Republic of Cuba. Having been published in the Official Gazette, the Law entered into force 180 days from that date i.e. 21 February 2023.
Resources:
- Legal Text (only available in Spanish)
- OneTrust DataGuidance Jurisdictional Overview
Grenada
Law: The Grenada Data Protection Act, No. 1 of 2023 (the GDPA)
Status: Adopted
The GDPA was published, on May 10, 2023, in the Official Gazette, following their assent by the Deputy to the Grenada Governor-General
Resources:
Guyana
Law: Data Protection Act No.18 of 2023 (the Act)
Status: Adopted
On August 16, 2023, the Act was published in the Official Gazette of Guyana and, on the same date, received Presidential assent. The Act will come into effect on the day the Minister responsible for data protection may, by order, appoint, and different days may be appointed for different provisions of the Act.
Resources:
Jamaica
Law: Protection Act No. 7 of 2020
Status: Partially in force
OneTrust DataGuidance confirmed, on 21 January 2021, with the Kellye-Rae Fisher Campbell, Attorney-at-Law, that, on 30 November 2021, Sections 2,4, 56, 57, 60, 66, 74, 77, and the First Schedule of the Data Protection Act no. 7 of 2020 had become operational following the publication of Supplement No. 160 of Volume CXLIV of 30 November 2021in the Jamaica Gazette Supplement.
Resources:
Law: Bill for the Privacy Protection Act and Personal Data ('the Bill')
Status: In legislative process
The Bill was presented to the Suriname National Assembly in 2018 and considered by the Committee of Rapporteurs on 21 January 2021.
Resources:
- Legal Text (only available in Dutch)
- OneTrust DataGuidance Jurisdictional Overview
Table of Resources
- Russia: Draft amendments to Federal Law of 27 July 2006 No. 152-FZ on Personal Data
- Ukraine: Draft Data Protection Law
- Uzbekistan:
CIS
Russian Federation
Law: Federal Law of 14 July 2022 No. 266-FZ on Amending the Federal Law on Personal Data ('the Amendment Law').
Status: In force
The Federal Service for the Supervision of Communications, Information Technology, and Mass Media announced, on 1 September 2022, the entry into effect of the Amendment Law. Importantly, notification requirements for the cross-border transfer of personal data entered into effect on 1 March 2023.
Resources:
- Legal Text (only available in Russian)
- OneTrustDataGuidance Jurisdiction Overview
Ukraine
Law: Draft Data protection Law ('the Draft Law')
Status: In legislative process
The Parliament of Ukraine announced, on 25 October 2022, that it had received the Draft Law, following the rejection of the previous data protection bill.
Resources:
- Legal Text (only available in Ukranian)
- OneTrustDataGuidance Jurisdiction Overview
Uzbekistan
Law: Resolution of the Cabinet of Ministers of the Republic of Uzbekistan of 5 October 2022 No. 570 on Approval of Certain Normative Legal Documents in the Field of Processing of Personal Data ('the Resolution')
Status: In force
The Resolution was adopted on 5 October 2022, and entered into force on 7 January 2023.
Resources:
- Legal Text (only available in Uzbek)
- OneTrustDataGuidance Jurisdiction Overview
Uzbekistan
Law: Law on Cybersecurity (No. RK-764) ('the Cybersecurity Law')
Status: Passed
The Cybersecurity Law entered into force on 17 July 2022, following its adoption on 15 April 2022.
Resources:
- Legal Text (only available in Uzbek)
- OneTrust DataGuidance Jurisdiction Overview
Table of Resources
- Andorra: Law 29/2021, of 28 October, of Personal Data Protection
- Czech Republic: Draft Law on Cybersecurity and Other Related Regulations
- Estonia: Cyber Security and Other Laws Amendment Act 531 SE
- EU: Cyber Resilience Act
- EU: the Data Governance Act
- EU: the ePrivacy Regulation
- EU: Revised Directive on Security of Network and Information Systems
- EU: Regulation on Harmonised Rules on Fair Access to and Use of Data
- Georgia: Draft law on personal data protection
- Monaco: Data Protection Act No. 3 of 2021
- Netherlands: Collective Data Protection Act
- Slovenia: Personal Data Protection Act
- Switzerland: Revised Federal Act on Data Protection 1992
- Turkey: Personal Data Protection Law
- UK: Data Protection and Digital Information Bill
Europe
Andorra
Law: Law 29/2021, of 28 October, of Personal Data Protection ('the Law')
Status: In force
The Andorran data protection authority announced, on 17 May 2022, the Law entered into force.
Resources:
- Legal Text (only available in Catalan)
- OneTrust DataGuidance Jurisdiction Overview
Estonia
Law: Cyber Security and Other Laws Amendment Act 531 SE ('the Cybersecurity Law')
Status: Passed
The Parliament of Estonia announced, on 19 July 2022, that it had adopted the Cybersecurity Law proposed by the Government in February 2022.
Resources:
- Legal Text (only available for download in Estonian)
- OneTrust DataGuidance Jurisdiction Overview
Czech Republic
Law: Draft Law on Cybersecurity and Other Related Regulations ('Draft Cybersecurity Law')
Status: In legislative process
The National Cyber and Information Security Agency stated that the Draft Cybersecurity Law was published for public consultation until 26 February 2023.
Resources:
- Legal Text (only available for download in Czech)
- OneTrust DataGuidance Jurisdiction Overview
EU
Law: The Cyber Resilience Act
Status: In legislative process
The European Commission ('the Commission') announced, on 15 September 2022, that it had presented a proposal for a new Cyber Resilience Act. The Commission explained that the proposed Cyber Resilience Act will now be passed to the European Parliament and the Council for examination, and that, once adopted, economic operators and Member States will have two years to adapt to most of the new requirements.
Resources:
EU
Law: The Data Governance Act ('DGA')
Status: In force
The DGA was published in the Official Journal of the European Union on 3 June 2022 and entered into force 20 days after publication i.e. on 23 June 2022. The DGA will apply from 24 September 2023.
Resources:
EU
Law: Proposal for a Regulation Concerning the Respect for Private Life and the Protection of Personal Data in Electronic Communications and Repealing Directive 2002/58/EC (Regulation on Privacy and Electronic Communications) ('the Draft ePrivacy Regulation')
Status: The Council and the Parliament will now start negotiations on the text.
The Council of the European Union has agreed on a negotiating mandate with the European Parliament. If passed, the ePrivacy Regulation will replace the Directive on Privacy and Electronic Communications (2002/58/EC) (as amended) ('the ePrivacy Directive').
Resources:
EU
Law: Revised Directive on Security of Network and Information Systems ('NIS 2 Directive')
Status: Adopted
The NIS 2 Directive was published in the Official Gazette of the European Union on 27 December 2022 and will repeal the NIS Directive as of 18 October 2024.
Resources:
EU
Law: Regulation on Harmonised Rules on Fair Access to and Use of Data (Data Act)
Status: Adopted
The Data Act will become applicable in 20 months i.e. September 12, 2025.
Resources:
Georgia
Law: Draft law on personal data protection
Status: In legislative process
The Parliament of Georgia announced, on June 14, 2023, that it had unanimously adopted the draft law on personal data protection at the third reading.
Resources:
- Legal Text (only in Georgian)
- OneTrust DataGuidance Jurisdiction Overview
Monaco
Law: Data Protection Act No. 3 of 2021
Status: In legislative process
The Monegasque data protection authority issued, on 28 January 2022, a statement, in commemoration of Data Protection Day, highlighting the bill relating to the protection of personal data recently submitted to the Office of the National Council.
Resources:
- Legal Text (only in French)
- OneTrust DataGuidance Jurisdiction Overview
Law: Collective Data Protection Act
Status: In legislative process
On December 2, 2022, the bill was introduced to the House of Representatives.
Resources:
- Legal Text (only available to download in Dutch)
- OneTrust DataGuidance Jurisdiction Overview
Slovenia
Law: Personal Data Protection Act ('ZVOP-2')
Status: In force
The ZVOP-2 implements the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR') into Slovenian law and entered into effect on 26 January 2023, replacing the existing Personal Data Protection Act 2004.
Resources:
- Legal Text (only available in Slovenian)
- OneTrust DataGuidance Jurisdiction Overview
Switzerland
Law: Revised Federal Act on Data Protection 1992 ('FADP')
Status: In force
The revised FADP entered into force on 1 September 2023.
Resources:
- Legal Text (only available in French)
- OneTrust DataGuidance Jurisdiction Overview
Law: Personal Data Protection Law (the Law)
Status: In legislative process
On March 12, 2024, the Personal Data Protection Authority announced amendments to the Law through the Law on Amendments to the Criminal Procedure Code and Certain Laws.
Resources:
- Legal Text (only in Turkish)
- OneTrust DataGuidance Jurisdiction Overview
UK
Law: Data Protection and Digital Information Bill (the Bill)
Status: In legislative process
On February 7, 2024, the House of Commons passed a carry-over motion on the Bill.
Resources:
Table of Resources
- Argentina: Personal Data Protection Bill
Bolivia: Legislative Assembly of bill No. 349/2020-2021 for the protection of personal data
Colombia: General Regime for the Protection of Personal Data
- Chile: Bill No. 11144-07 Regulating the Processing and Protection of Personal Data and Creating the Personal Data Protection Authority
Costa Rica: Bill No. 23097 for the Data Protection Law
- Guatemala: Bill No. 6105 of 23 June 2022 for the approval of the Data Protection Law
- Paraguay: Bill on the Protection of Personal Data of the Republic of Paraguay
- Uruguay: Law No. 20075 of 20 October 2022
Latin America
Argentina
Law: Personal Data Protection Bill (the Bill)
Status: In legislative process
On June 30, 2023, the Argentinian Data Protection Authority (AAIP) announced that the National Executive Power had sent the Personal Data Protection Bill to the National Congress of Argentina.
Resources:
- Legal Text (only available in Spanish)
- OneTrust DataGuidance Jurisdictional Overview
Law: Draft Law on Protection of Personal Data ('the Draft Law')
Status: In legislative process
OneTrust DataGuidance Research confirmed, on 25 April 2023, with Ana Valeria Escobar, Partner at PPO Abogados, that the Agency of Electronic Government and Information and Communication Technologies had presented, on 31 March 2023, to the Bolivian Senate, the Draft Law.
Resources:
- Legal Text (only available in Spanish)
- OneTrust DataGuidance Jurisdictional Overview
Law: Legislative Assembly of bill No. 349/2020-2021 for the protection of personal data ('the Bill')
Status: In legislative process
A motion for the reintroduction in the Bill was filed, on 3 March 2023, by National Deputy Renan Cabezas Veizan, following its initial presentation on 19 October 2021.
Resources:
- Legal Text (only available in Spanish)
- OneTrust DataGuidance Jurisdictional Overview
Law: General Regime for the Protection of Personal Data (the Bill)
Status: In legislative process
On August 31, 2023, OneTrust DataGuidance Research confirmed with Jorge Pinilla, Associate at Pinilla & Pinilla, that the Chamber of Representatives of Colombia the Bill.
Resources:
- Legal Text (only available for download in Spanish)
- OneTrust DataGuidance Jurisdictional Overview
Costa Rica
Law: Bill No. 23097 for the Data Protection Law ('the Bill')
Status: In legislative process
Bill No. 23097 for the Data Protection Law was added to the Legislative Assembly's agenda, on 10 March 2023, following its introduction in 2022.
Resources:
- Legal Text (only available to download in Spanish)
- OneTrust DataGuidance Jurisdictional Overview
Law: Bill No. 11144-07 Regulating the Processing and Protection of Personal Data and Creating the Personal Data Protection Authority ('the Bill')
Status: In legislative process
On January 3, 2024, the Chilean Senate approved the Bill.
Resources:
- Legal Text (only available in Spanish)
- OneTrust DataGuidance Jurisdictional Overview
Law: Bill No. 6105 of 23 June 2022 for the approval of the Data Protection Law ('the Bill')
Status: In legislative process
The Bill was sent to the Transparency and Probity Commission for an opinion on April 12, 2023. Subsequently, on April 28, 2023, the President of the Transparency and Probity Commission issued a favorable opinion on the Bill.
Resources:
- Legal Text (only available in Spanish)
- OneTrust DataGuidance Jurisdictional Overview
Paraguay
Law: Bill on the Protection of Personal Data of the Republic of Paraguay
Status: In legislative process
The Chamber of Deputies announced, on 30 April 2021, the official presentation of the bill on the Protection of Personal Data of the Republic of Paraguay. The bill will be submitted for consideration to the advisory commissions in the Chamber of Deputies.
Resources:
- Legal Text (only available in Spanish)
- OneTrust DataGuidance Jurisdictional Overview
Uruguay
Law: Law No. 20075 of 20 October 2022 ('the Law')
Status: In force
The Law was enacted on 20 October 2022 and entered into force on 1 January 2023.
Resources:
- Legal Text (only available in Spanish)
- OneTrust DataGuidance Jurisdictional Overview
Table of Resources
- DIFC: DIFC Law No. 2 of 2022
- Israel: Privacy Protection Bill (Amendment No. 14) 5722-2022
Israel: Privacy Protection Law (Amendment - Reinforcement of the Right to Privacy and its Protection), 2022
- Jordan: the Law No. 24 of 2023 Personal Data Protection Law
- Oman: Draft law on the protection of personal data of 2021
- Qatar: Data Protection Regulations 2021 and Data Protection Rules 2021
- Saudi Arabia: Personal Data Protection Law
- UAE - Federal: Federal Decree-Law No. 45 of 2021 regarding the Protection of Personal Data
Middle East
DIFC
Law: DIFC Data Protection Law No. 5 of 2020 ('the Data Protection Law')
Status: In legislative process
The Dubai International Financial Centre Director of Data Protection announced, on 18 April 2023, via LinkedIn, that the DIFC Authority had launched a public consultation on proposed amendments to the the Data Protection Law.
Resources:
Oman
Law: Royal Decree No. 6 of 2022 Promulgating the Law on the Protection of Personal Data ('the Data Protection Law')
Status: In force
The Data Protection Law entered into force on 13 February 2023, a year after its publication in the Official Gazette No. 1429, on 13 February 2022.
Resources:
- Legal Text (only available in Arabic)
- OneTrust DataGuidance Jurisdiction Overview
Israel
Law: Privacy Protection Bill (Amendment No. 14) 5722-2022 ('the Bill')
Status: In legislative process
The Privacy Protection Authority announced, via LinkedIn, on 3 April 2023, that the Ministerial Committee on Legislation has approved the application of the rule of continuity for the advancement of the Bill, after its progress had been stalled due to the dissolution of the Israeli Legislature.
Resources:
- Legal Text (only available in Hebrew)
- OneTrust DataGuidance Jurisdiction Overview
Israel
Law: Privacy Protection Law (Amendment - Reinforcement of the Right to Privacy and its Protection), 2022
Status: In legislative process
OneTrust DataGuidance confirmed, on 3 February 2022, with Dalit Ben-Israel, Partner, Chair of IT and Privacy Practice at Naschitz, Brandes, Amir & Co., that the draft bill for Privacy Protection Law (Amendment - Reinforcement of the Right to Privacy and its Protection), 2022 had been submitted, on 31 January 2022, to the Parliament.
Resources:
- Legal Text (both only available in Hebrew)
- OneTrust DataGuidance Jurisdiction Overview
Jordan
Law: Law No. 24 of 2023 Personal Data Protection Law ('the Law')
Status: Passed
On September 17, 2023, the Law was published in the Official Gazette and will enter into effect in six months, i.e. on March 17, 2024. However, the Directorate provided that all entities dealing with personal data are required, upon the law's enforcement, to align their conditions with the Law within a period not exceeding one year, ending on March 16, 2025.
Resources:
- Legal Text (only available in Arabic)
- OneTrust DataGuidance Jurisdiction Overview
Qatar - Qatar Financial Centre
Law: Data Protection Regulations 2021 and Data Protection Rules 2021
Status: In force
The Data Protection Regulations 2021 and the Data Protection Rules 2021 entered into effect on 21 May 2022, and has repealed the QFC Data Protection Regulations and Rules of 2005.
Resources:
Saudi Arabia
Law: Personal Data Protection Law ('PDPL')
Status: In force
On September 14, 2023, the PDPL entered into force. Pursuant to the PDPL's preamble, entities will have a one-year transition period from such date to bring their operations into compliance.
Resources:
- Legal Text (only available in Arabic)
- OneTrust DataGuidance Jurisdiction Overview
UAE Federal
Law: Federal Decree-Law No. 45 of 2021 regarding the Protection of Personal Data ('the Law')
Status: In force
The UAE Cabinet announced, on 28 November 2021, that Law had been enacted. However, the Law is yet to be published with Executive Regulations to be published within six months from that date and, following a 12-month transition period, it will be enforceable from 2 January 2023.
Resources: