Global Privacy Laws
Jurisdictions
Click on a country below to dive into any privacy laws
Legend:
Privacy law
Draft privacy law
No privacy law
Comparing privacy laws
Comparing Privacy Laws
Comply with laws around the world
The Global Privacy Laws portal is the latest feature to be added to the OneTrust DataGuidance Research platform and provides the most comprehensive way of comparing privacy laws around the world. New jurisdictions are being added to the portal every week.
To research a jurisdiction not currently included, you can utilise the Laws Around The World Map to visit that country's dashboard and resources.
The US presents a plethora of laws and privacy bills posing relevant compliance challenges for privacy professionals. OneTrust DataGuidance has therefore built the USA State Law Tracker, a dedicated hub for US state law developments where organisations are able to access and understand how potential laws might affect their daily operations.
OneTrust DataGuidance's GDPR Portal also provides a central resource for more detailed research into the GDPR, its implementation in each Member State, and how such laws vary.
- There is a requirement in place.
- Click to view information for additional detail.
- There is no requirement in place.
Definitions
- title
- Data Controller
- Data Processor
- Personal Data
- Sensitive Data
- Health Data
- Biometric Data
- Pseudonymisation
- Albania
- Algeria
- Angola
- Argentina
- Armenia
- Australia
- Austria
- Azerbaijan
- Bahamas
- Bahrain
- Bangladesh
- Barbados
- Belarus
- Belgium
- Bermuda
- Bolivia
- Bosnia & Herzegovina
- Botswana
- Brazil
- British Columbia
- British Virgin Islands
- Bulgaria
- California
- Cambodia
- Cameroon
- Canada Federal
- Cape Verde
- Chad
- Chile
- China
- Colombia
- Colorado
- Connecticut
- Costa Rica
- Croatia
- Cyprus
- Czechia
- Delaware
- Denmark
- Dominican Republic
- Ecuador
- Egypt
- El Salvador
- Estonia
- Ethiopia
- Finland
- Florida
- France
- GDPR
- Georgia
- Germany
- Ghana
- Greece
- Guatemala
- Guernsey
- Honduras
- Hong Kong
- Hungary
- India
- Indiana
- Indonesia
- Iowa
- Iraq
- Ireland
- Isle of Man
- Italy
- Jamaica
- Japan
- Jersey
- Jordan
- Kazakhstan
- Kentucky
- Kenya
- Kuwait
- Kyrgyzstan
- Lao PDR
- Latvia
- Lebanon
- Liechtenstein
- Lithuania
- Luxembourg
- Macau
- Madagascar
- Malaysia
- Mali
- Malta
- Maryland
- Mauritius
- Mexico
- Minnesota
- Moldova
- Mongolia
- Montana
- Montenegro
- Morocco
- Myanmar
- Namibia
- Nebraska
- Nepal
- Netherlands
- New Hampshire
- New Jersey
- New Zealand
- Niger
- Nigeria
- North Macedonia
- Norway
- Oman
- Ontario
- Oregon
- Pakistan
- Panama
- Paraguay
- Peru
- Philippines
- Poland
- Portugal
- Qatar
- Quebec
- Rhode Island
- Romania
- Russia
- Rwanda
- Saudi Arabia
- Serbia
- Seychelles
- Singapore
- Slovakia
- Slovenia
- South Africa
- South Korea
- Spain
- Sri Lanka
- Sweden
- Switzerland
- Taiwan
- Tajikistan
- Tanzania
- Tennessee
- Texas
- Thailand
- The Gambia
- Timor-Leste
- Tunisia
- Turkey
- Turkmenistan
- UAE - ADGM
- UAE - DIFC
- UAE - Federal
- Uganda
- UK
- Ukraine
- Uruguay
- Utah
- Uzbekistan
- Vietnam
- Virginia
- Zambia
Legal Bases
- title
- Consent
- Data Subject Contract
- Legal Obligation
- Data Subject Interest
- Public Interest
- Legitimate Interest
- Other
- Albania
- Algeria
- Angola
- Argentina
- Armenia
- Australia
- Austria
- Azerbaijan
- Bahamas
- Bahrain
- Bangladesh
- Barbados
- Belarus
- Belgium
- Bermuda
- Bolivia
- Bosnia & Herzegovina
- Botswana
- Brazil
- British Columbia
- British Virgin Islands
- Bulgaria
- California
- Cambodia
- Cameroon
- Canada Federal
- Cape Verde
- Chad
- Chile
- China
- Colombia
- Colorado
- Connecticut
- Costa Rica
- Croatia
- Cyprus
- Czechia
- Delaware
- Denmark
- Dominican Republic
- Ecuador
- Egypt
- El Salvador
- Estonia
- Ethiopia
- Finland
- Florida
- France
- GDPR
- Georgia
- Germany
- Ghana
- Greece
- Guatemala
- Guernsey
- Honduras
- Hong Kong
- Hungary
- India
- Indiana
- Indonesia
- Iowa
- Iraq
- Ireland
- Isle of Man
- Italy
- Jamaica
- Japan
- Jersey
- Jordan
- Kazakhstan
- Kentucky
- Kenya
- Kuwait
- Kyrgyzstan
- Lao PDR
- Latvia
- Lebanon
- Liechtenstein
- Lithuania
- Luxembourg
- Macau
- Madagascar
- Malaysia
- Mali
- Malta
- Maryland
- Mauritius
- Mexico
- Minnesota
- Moldova
- Mongolia
- Montana
- Montenegro
- Morocco
- Myanmar
- Namibia
- Nebraska
- Nepal
- Netherlands
- New Hampshire
- New Jersey
- New Zealand
- Niger
- Nigeria
- North Macedonia
- Norway
- Oman
- Ontario
- Oregon
- Pakistan
- Panama
- Paraguay
- Peru
- Philippines
- Poland
- Portugal
- Qatar
- Quebec
- Rhode Island
- Romania
- Russia
- Rwanda
- Saudi Arabia
- Serbia
- Seychelles
- Singapore
- Slovakia
- Slovenia
- South Africa
- South Korea
- Spain
- Sri Lanka
- Sweden
- Switzerland
- Taiwan
- Tajikistan
- Tanzania
- Tennessee
- Texas
- Thailand
- The Gambia
- Timor-Leste
- Tunisia
- Turkey
- Turkmenistan
- UAE - ADGM
- UAE - DIFC
- UAE - Federal
- Uganda
- UK
- Ukraine
- Uruguay
- Utah
- Uzbekistan
- Vietnam
- Virginia
- Zambia
Controller and Processor Obligations
- title
- Data Processing Registration
- Data Transfers
- Data Processing Records
- DPIAs
- DPOs
- Breach Notification
- Data Retention
- Children's Data
- Special Categories
- Vendor Contracts
- Albania
- Algeria
- Angola
- Argentina
- Armenia
- Australia
- Austria
- Azerbaijan
- Bahamas
- Bahrain
- Bangladesh
- Barbados
- Belarus
- Belgium
- Bermuda
- Bolivia
- Bosnia & Herzegovina
- Botswana
- Brazil
- British Columbia
- British Virgin Islands
- Bulgaria
- California
- Cambodia
- Cameroon
- Canada Federal
- Cape Verde
- Chad
- Chile
- China
- Colombia
- Colorado
- Connecticut
- Costa Rica
- Croatia
- Cyprus
- Czechia
- Delaware
- Denmark
- Dominican Republic
- Ecuador
- Egypt
- El Salvador
- Estonia
- Ethiopia
- Finland
- Florida
- France
- GDPR
- Georgia
- Germany
- Ghana
- Greece
- Guatemala
- Guernsey
- Honduras
- Hong Kong
- Hungary
- India
- Indiana
- Indonesia
- Iowa
- Iraq
- Ireland
- Isle of Man
- Italy
- Jamaica
- Japan
- Jersey
- Jordan
- Kazakhstan
- Kentucky
- Kenya
- Kuwait
- Kyrgyzstan
- Lao PDR
- Latvia
- Lebanon
- Liechtenstein
- Lithuania
- Luxembourg
- Macau
- Madagascar
- Malaysia
- Mali
- Malta
- Maryland
- Mauritius
- Mexico
- Minnesota
- Moldova
- Mongolia
- Montana
- Montenegro
- Morocco
- Myanmar
- Namibia
- Nebraska
- Nepal
- Netherlands
- New Hampshire
- New Jersey
- New Zealand
- Niger
- Nigeria
- North Macedonia
- Norway
- Oman
- Ontario
- Oregon
- Pakistan
- Panama
- Paraguay
- Peru
- Philippines
- Poland
- Portugal
- Qatar
- Quebec
- Rhode Island
- Romania
- Russia
- Rwanda
- Saudi Arabia
- Serbia
- Seychelles
- Singapore
- Slovakia
- Slovenia
- South Africa
- South Korea
- Spain
- Sri Lanka
- Sweden
- Switzerland
- Taiwan
- Tajikistan
- Tanzania
- Tennessee
- Texas
- Thailand
- The Gambia
- Timor-Leste
- Tunisia
- Turkey
- Turkmenistan
- UAE - ADGM
- UAE - DIFC
- UAE - Federal
- Uganda
- UK
- Ukraine
- Uruguay
- Utah
- Uzbekistan
- Vietnam
- Virginia
- Zambia
Individuals' Rights
- title
- Informed
- Access
- Rectification
- Erasure
- Object
- Portability
- Automated Decision-Making
- Other
- Albania
- Algeria
- Angola
- Argentina
- Armenia
- Australia
- Austria
- Azerbaijan
- Bahamas
- Bahrain
- Bangladesh
- Barbados
- Belarus
- Belgium
- Bermuda
- Bolivia
- Bosnia & Herzegovina
- Botswana
- Brazil
- British Columbia
- British Virgin Islands
- Bulgaria
- California
- Cambodia
- Cameroon
- Canada Federal
- Cape Verde
- Chad
- Chile
- China
- Colombia
- Colorado
- Connecticut
- Costa Rica
- Croatia
- Cyprus
- Czechia
- Delaware
- Denmark
- Dominican Republic
- Ecuador
- Egypt
- El Salvador
- Estonia
- Ethiopia
- Finland
- Florida
- France
- GDPR
- Georgia
- Germany
- Ghana
- Greece
- Guatemala
- Guernsey
- Honduras
- Hong Kong
- Hungary
- India
- Indiana
- Indonesia
- Iowa
- Iraq
- Ireland
- Isle of Man
- Italy
- Jamaica
- Japan
- Jersey
- Jordan
- Kazakhstan
- Kentucky
- Kenya
- Kuwait
- Kyrgyzstan
- Lao PDR
- Latvia
- Lebanon
- Liechtenstein
- Lithuania
- Luxembourg
- Macau
- Madagascar
- Malaysia
- Mali
- Malta
- Maryland
- Mauritius
- Mexico
- Minnesota
- Moldova
- Mongolia
- Montana
- Montenegro
- Morocco
- Myanmar
- Namibia
- Nebraska
- Nepal
- Netherlands
- New Hampshire
- New Jersey
- New Zealand
- Niger
- Nigeria
- North Macedonia
- Norway
- Oman
- Ontario
- Oregon
- Pakistan
- Panama
- Paraguay
- Peru
- Philippines
- Poland
- Portugal
- Qatar
- Quebec
- Rhode Island
- Romania
- Russia
- Rwanda
- Saudi Arabia
- Serbia
- Seychelles
- Singapore
- Slovakia
- Slovenia
- South Africa
- South Korea
- Spain
- Sri Lanka
- Sweden
- Switzerland
- Taiwan
- Tajikistan
- Tanzania
- Tennessee
- Texas
- Thailand
- The Gambia
- Timor-Leste
- Tunisia
- Turkey
- Turkmenistan
- UAE - ADGM
- UAE - DIFC
- UAE - Federal
- Uganda
- UK
- Ukraine
- Uruguay
- Utah
- Uzbekistan
- Vietnam
- Virginia
- Zambia
Penalties and Enforcement
- title
- Penalties
- Enforcement
- Albania
- Algeria
- Angola
- Argentina
- Armenia
- Australia
- Austria
- Azerbaijan
- Bahamas
- Bahrain
- Bangladesh
- Barbados
- Belarus
- Belgium
- Bermuda
- Bolivia
- Bosnia & Herzegovina
- Botswana
- Brazil
- British Columbia
- British Virgin Islands
- Bulgaria
- California
- Cambodia
- Cameroon
- Canada Federal
- Cape Verde
- Chad
- Chile
- China
- Colombia
- Colorado
- Connecticut
- Costa Rica
- Croatia
- Cyprus
- Czechia
- Delaware
- Denmark
- Dominican Republic
- Ecuador
- Egypt
- El Salvador
- Estonia
- Ethiopia
- Finland
- Florida
- France
- GDPR
- Georgia
- Germany
- Ghana
- Greece
- Guatemala
- Guernsey
- Honduras
- Hong Kong
- Hungary
- India
- Indiana
- Indonesia
- Iowa
- Iraq
- Ireland
- Isle of Man
- Italy
- Jamaica
- Japan
- Jersey
- Jordan
- Kazakhstan
- Kentucky
- Kenya
- Kuwait
- Kyrgyzstan
- Lao PDR
- Latvia
- Lebanon
- Liechtenstein
- Lithuania
- Luxembourg
- Macau
- Madagascar
- Malaysia
- Mali
- Malta
- Maryland
- Mauritius
- Mexico
- Minnesota
- Moldova
- Mongolia
- Montana
- Montenegro
- Morocco
- Myanmar
- Namibia
- Nebraska
- Nepal
- Netherlands
- New Hampshire
- New Jersey
- New Zealand
- Niger
- Nigeria
- North Macedonia
- Norway
- Oman
- Ontario
- Oregon
- Pakistan
- Panama
- Paraguay
- Peru
- Philippines
- Poland
- Portugal
- Qatar
- Quebec
- Rhode Island
- Romania
- Russia
- Rwanda
- Saudi Arabia
- Serbia
- Seychelles
- Singapore
- Slovakia
- Slovenia
- South Africa
- South Korea
- Spain
- Sri Lanka
- Sweden
- Switzerland
- Taiwan
- Tajikistan
- Tanzania
- Tennessee
- Texas
- Thailand
- The Gambia
- Timor-Leste
- Tunisia
- Turkey
- Turkmenistan
- UAE - ADGM
- UAE - DIFC
- UAE - Federal
- Uganda
- UK
- Ukraine
- Uruguay
- Utah
- Uzbekistan
- Vietnam
- Virginia
- Zambia
On July 25, 2024, the U.S. Senate voted in favor of Senate Bill 2073 for the Eliminate Useless Reports Act of 2024, which contained Senate Amendment 3021, the Kids Online Safety and Privacy Act (KOSPA).
On July 23, 2024, the Parliament (Knesset) announced the publication of the Law on Access to Digital Content after a Person's Death in the law book. The law will enter into force on July 23, 2025.
On July 24, 2024, the Government adopted the draft law implementing the requirements of the directive on measures for a high common level of cybersecurity in the Union (the NIS 2 Directive
On July 24, 2024, the National Office for Cyber and Information Security (NÚKIB) announced that on July 23, 2024, the draft law on cyber security in the version app
On July 23, 2024, the Press Information Bureau (PIB) announced that the Minister of Finance and Corporate Affairs presented the Union Budget for 2024-2025 in which it allocated the Ministry of Electronics and Information Technology (MeitY) INR 20 million (approx.
On July 22, 2024, the Polish data protection authority (UODO) provided comments on the broad powers of the justice system and suggested amending the Telecommunications Law in terms of the rules for access by authorized entities to data covered by telecommunications secrecy.
On July 22, 2024, OneTrust DataGuidance Research confirmed with Dalit Ben Israel, Partner at Naschitz Brandes Amir, that the Constitution, Law, and Justice Committee approved, by a vote, the Privacy Protection Bill (Amendment 14), which will amend the Protection o
On July 22, 2024, the Interactive Advertising Bureau (IAB) Europe announced that it released a comprehensive paper outlining significant concerns regarding the European Parliament and European Council positions on the General Data Protection Regulation (GDPR) procedural regulation.
On June 18, 2024, the Cybersecurity Bill 2024 received Royal Assent and was subsequently published in the Official Gazette on June 26, 2024, after passing the House of Representatives on March 27, 2024, and the Senate on April 3, 2024.
On May 2, 2024, the Ministry of Justice published the draft Decree on Cybersecurity Administrative Sanctions (the Decree). The Decree regulates administrative violations, forms of sanctions, levels of sanctions, remedial measures for each administrative sanction, and specific fines for each violation under the Law on Cybersecurity No.
On July 18, 2024, the National Office for Cyber and Information Security (NÚKIB) announced that on July 17, 2024, the Government discussed and approved the new draft law on cybersecurity with an amendment.
On July 16, 2024, Bill D.R. 21/2024 for an Act to amend the Personal Data Protection Act (PDPA) passed in the House of Representatives on its second reading after being read for the first time on July 10, 2024.
The bill's provisions include:
On July 18, 2024, OneTrust DataGuidance Research confirmed with Dalit Ben Israel, Partner at Naschitz Brandes Amir, that the Constitution, Law, and Justice Committee discussion on the regulatory changes in the Privacy Protection Bill (Amendment 14), which will ame
On July 17, 2024, House Bill 333 to amend the Delaware code relating to artificial intelligence commission was signed by the Governor of Delaware into law and became effective on the same date.
On July 17, 2024, the National Office for Cyber and Information Security (NÚKIB) announced that on July 10, 2024, the Government approved its report on the state of cybersecurity for 2023.
On July 17, 2024, the Parliament of Austria announced that the Federal Act amending the Information Regulation Act, the Data Protection Act, the Civil Service Act, and the Administrative Court Act entered into effect on July 15, 2024.
On April 7, 2024, a bipartisan, bicameral Act was introduced. It aims to establish a federal-level comprehensive privacy law and eliminate the growing patchwork of US state-level comprehensive privacy laws. The initial draft of the Act has evolved since its introduction and was recently introduced as House Bill 8818 (House Bill).
On May 24, 2024, Minnesota adopted the Minnesota Consumer Data Privacy Act (MCDPA), becoming the 19th state to adopt a comprehensive state privacy law.
In this Insight article, Aztrid Camarillo, a Privacy Expert, discusses the importance of Privacy by Design and Default in algorithms, considering elements such as ethical and responsible use of data and the current regulatory landscape in various jurisdictions.
Kentucky has joined the growing count of states to enact a comprehensive data privacy law. The law, passed as House Bill 15 and titled the Kentucky Consumer Data Protection Act (KCDPA), was passed by the Kentucky legislature on March 27, 2024, and signed by Governor Andy Beshear on April 4, 2024.
Every year on January 28, data protection is commemorated across the world. This day marks the anniversary of the Council of Europe's Convention 108 on the protection of personal data. It is considered to be the first legally binding international law in the field of data protection.
The Data Protection Act, 2023 (the Act) was introduced by the Department of Information Communications Technology on March 16, 2023, and approved by the Cabinet of Seychelles on June 22, 2023.
The American Privacy Rights Act 2024 (APRA) was released on April 7, 2024, by U.S. Representative Cathy Rodgers and U.S. Senator Maria Cantwell. Thereafter, on May 23, 2024, the U.S.
If passed into law, Bill C-26, An Act respecting cyber security, amending the Telecommunications Act and making consequential amendments to other Acts (Bill C-26), would enact the Critical Cyber Systems Protection Act (CCSPA), amend the Telecommunications Act, and make consequential amendments to several other laws.
The digital landscape continuously evolves, demanding strong and robust frameworks to safeguard personal data. Many countries have put in place laws to protect the privacy and security of individuals and organizations.
On May 24, 2024, Omnibus Senate Bill 4757, containing the Minnesota Consumer Data Privacy Act (MCDPA), was approved by the Governor of Minnesota after its passage in the Legislature on May 19, 2024, and will enter into effect on July 31, 2025.
The rapid pace of development in artificial intelligence (AI) has seemingly only been paralleled by calls for its regulation. Since there is broad consensus regarding the possible impact of unregulated AI, governments globally have responded through policymaking to mitigate this risk.
Colorado became the first state to adopt a comprehensive AI framework when Governor Polis signed Senate Bill 205. The law, unlike the EU Artificial Intelligence Act (AI Act), does not ban certain uses of artificial intelligence (AI).
Keeping up to Date With Global Privacy Updates
As the privacy landscape continues to develop at speed, the OneTrust DataGuidance Global Privacy Updates page is the go-to resource for tracking all upcoming global privacy updates. This page outlines privacy laws from across the world that you should be aware of, their legislative status, and key dates you should know. Use the table of contents below for a quick overview of privacy updates on the horizon or click on each update to navigate directly to further information, legal texts, and further resources. Please see the US Tracker within our US Privacy Law Portal for updates on US privacy legislation and our AI Portal for updates on AI laws and frameworks.
Page last updated: July 3, 2024
Table of Resources
- Botswana: Data Protection Act, Act No. 32 of 2018
- Eswatini: the Data Protection Act No.5 of 2022
Ethiopia: Personal Data Protection Bill
- Kenya: the Data Protection Regulations, 2021
- Mozambique: Draft Cybersecurity Bill
- Namibia: Draft Data Protection Bill 2022
- Nigeria: Data Protection Bill, 2023
Seychelles: Data Protection Act, 2023
Somalia: Law No. 005 the Data Protection Act
- Tanzania: Personal Data Protection Act 2022
- Zimbabwe: Draft for the Cyber and Data Protection Regulations, 2022
- Zimbabwe: Data Protection Act [Chapter 11:12]
Africa
Law: Data Protection Act, Act No. 32 of 2018 (the Act)
Status: Passed
OneTrust DataGuidance confirmed with Obakeng Lebotse, Partner at Bookbinder Business Law that the Ministry of State published an order extending the grace period for the Act to October 13, 2024.
Resources:
Eswatini
Law: The Data Protection Act No.5 of 2022 (the Data Protection Act)
Status: In force
The Data Protection Act came into operation on March 4, 2022, on the date of publication in the Gazette.
Resources:
Law: Personal Data Protection Bill (the Bill)
Status: In legislative process
On April 4, 2024, the House of Peoples Representatives of Ethiopia announced the Parliament had approved the Bill.
Resources:
- Legal Text (only available in Amharic)
- OneTrust DataGuidance Jurisdiction Overview
Kenya
Law: The Data Protection Regulations, 2021 (the Data Protection Regulations)
Status: In force
The Data Protection Regulations were published in the Official Gazette on January 14, 2022, and entered into effect on July 14, 2022.
Resources:
Law: Bill No. 22 for the Data Protection Act, 2023
Status: In legislative process
On December 7, 2023, the Parliament of Malawi introduced Bill No. 22 for the Data Protection Act, 2023.
Resources:
Mozambique
Law: Draft Cybersecurity Bill (the Bill)
Status: Proposal
The National Institute of Information and Communication Technologies published, on November 22, 2022, the Bill in line with its proposal for a cybersecurity law.
Resources:
- Legal Text (only available in Swahili)
- OneTrust DataGuidance Jurisdiction Overview
Nigeria
Law: Data Protection Act, 2023 (the Act)
Status: In force
On June 14, 2023, OneTrust DataGuidance Research confirmed with Tiwalola Osazuwa, Partner at ÆLEX, that the Act was signed by the President and became law.
Resources:
Namibia
Law: Draft Data Protection Bill 2022 (the Bill)
Status: In legislative process
The Ministry of Information and Communication Technology released on Twitter on October 26, 2022, its revised draft Data Protection Bill 2022.
Resources:
Law: Data Protection Act, 2023 (the Act)
Status: In force
On December 22, 2023, the Official Gazette of the Republic of Seychelles published the Act which entered into force on the same day.
Resources:
Law: Law No. 005 the Data Protection Act (the Law)
Status: Passed
On February 5, 2023, the Somalian Data Protection Authority informed, OneTrust DataGuidance that the Law was enacted in March 2023.
Resources:
Tanzania
Law: The Personal Data Protection Act 2022 (PDPA)
Status: In force
On May 24, 2023, OneTrust DataGuidance Research confirmed with Rachel Magege, Lawyer and Project Associate at Pollicy, that the PDPA entered into force on May 1, 2023, by means of Government Notice No. 326 of 2023, which was published on April 28, 2023.
Resources:
- Legal Text (only available in Swahili)
- OneTrust DataGuidance Jurisdiction Overview
Zimbabwe
Law: Draft for the Cyber and Data Protection Regulations, 2022 (the Draft Law)
Status: In legislative process
The Postal and Telecommunications Regulatory Authority of Zimbabwe announced the introduction of the Draft Law on November 16, 2022.
Resources:
Zimbabwe
Law: Data Protection Act [Chapter 11:12] (the Act)
Status: Enacted
OneTrust DataGuidance confirmed, on December 5, 2021, with Steve Munyaradzi Chikengezha, Associate at DLA Piper Africa Zimbabwe - Manokore Attorneys that the Act was enacted on December 3, 2021. The Media Institute of Southern Africa Zimbabwe clarified that the Act does not state a date for when it will take effect or a transition period.
Resources:
Table of Resources
- Australia: Review of Privacy Act 1988 (No. 119, 1988) (as amended)
- Australia: Privacy Legislation Amendment (Enforcement and Other Measures) 2022
Bangladesh: Draft Data Protection Act, 2023
- Brunei Darussalam: Draft Personal Data Protection Order
- China: Draft Decision Amending the Cybersecurity Law
- Hong Kong: Personal Data (Privacy) Ordinance (Cap. 486) (as amended)
- Indonesia: The Personal Data Protection Law
- Myanmar: Amendments to the Law Protecting the Privacy and Security of Citizens (2017) and the Electronic Transactions Law (2004)
- Mongolia: Law on Protection of Personal Information
Mongolia: Law of Mongolia on Cybersecurity
New Zealand: Bill 292-1 the Privacy Amendment Bill
- Pakistan: Personal Data Protection Bill 2021 (August 2021)
- Philippines: Substitute Bill to amend the Data Privacy Act of 2012 (Republic Act No. 10173)
- Shanghai: Data Regulations
- Shenzhen: Shenzhen Special Economic Zone Data Regulation
- South Korea: Amendments to Personal Information Protection Act 2011 (as amended)
- Sri Lanka: Personal Data Protection Act, No. 9 of 2022
- Taiwan: Personal Data Protection Act 2015
- Thailand: Personal Data Protection Act 2019
- Vietnam: Decree No. 13/2023/ND-CP on the Protection of Personal Data
Asia-Pacific
Australia
Law: Review of Privacy Act 1988 (No. 119, 1988) (as amended)
Status: In legislative process
Public consultation on the reviewed Privacy Act was launched on 10 January 2022. The consultation is aimed at a review of the Act to ensure that the privacy framework empowers consumers, protects their data, and serves the Australian economy. On 16 Febuary 2023, the Attorney General publicly released a Report on the Privacy Act Review. The Report outlines the 116 proposed reforms to the Privacy Act and was informed by feedback.
Resources:
Australia
Law: Privacy Legislation Amendment (Enforcement and Other Measures) 2022 ('the Amendment Act')
Status: In force
The Amendment Act received royal assent on 12 December 2022 and entered into effect the day after, on 13 December 2022.
Resources:
Bangladesh
Law: Draft Data Protection Act, 2023 ('the Draft Act')
Status: In legislative process
On November 29, 2023, OneTrust DataGuidance Research confirmed with Nasir Doulah, Partner at Doulah & Doulah, that the Bill was passed by the Cabinet of Bangladesh.
Resources:
- Legal Text (only available in Bangla)
- OneTrust DataGuidance Jurisdiction Overview
Brunei Darussalam
Law: Draft Personal Data Protection Order ('PDPO')
Status: In legislative process
On 20 May 2021, the Authority for Info-communications Technology Industry of Brunei Darussalam ('AITI') initiated public consultation on its draft PDPO. Subsequently, on 3 December 2021, a response feedback paper on the public consultation was published, establishing comprehensive insights on the expected operation of the PDPO.
Resources:
China
Law: Draft Decision Amending the Cybersecurity Law ('the Draft Law')
Status: In legislative process
The Cyberspace Administration of China released, on 14 September 2022, the Draft Law. Public comments were open until 29 September 2022.
Resources:
Hong Kong
Law: Personal Data (Privacy) Ordinance (Cap. 486) (as amended) ('PDPO')
Status: Proposal
The Office of the Privacy Commissioner for Personal Data published, on 20 February 2023, a report in which it highlighted it is working closely with the Government of Hong Kong to comprehensively review the PDPO and formulate concrete proposals for legislative amendments.
Resources:
India
Law: The Digital Personal Data Protection Act, 2023 (Act)
Status: Adopted
On August 11, 2023, the Digital Personal Data Protection Bill, 2023, received the assent of the President of India and was published in the Official Gazette, thus enacting the Act. The entry into force of the Act is to be announced by the Indian Government via notification in the Official Gazette.
Resources:
Indonesia
Law: The Personal Data Protection Law ('PDPL')
Status: In force
The PDPL was signed by the President and entered into force, on 17 October 2022. Controllers, processors, and any other parties related to the processing of personal data will have two years from the date of promulgation to comply with the PDPL.
Resources:
- Legal Text (only available in Indonesian)
- OneTrust DataGuidance Jurisdiction Overview
Myanmar
Law: Amendments to the Law Protecting the Privacy and Security of Citizens (2017) and the Electronic Transactions Law (2004)
Status: Unknown
OneTrust DataGuidance confirmed, on 18 May 2021, with Dr Ross Taylor, Counsel and Head of Financial Services at Tilleke & Gibbins, that the State Administration Council had adopted, in February 2021, amendments to the Law Protecting the Privacy and Security of Citizens (2017) and the Electronic Transactions Law (2004).
Resources:
Mongolia
Law: Law on the Protection of Personal Information (the Law)
Status: In force
On May 1, 2022, the Law entered into effect.
Resources:
- Legal Text (only available in Mongolian)
- OneTrust DataGuidance Jurisdiction Overview
Law: Law of Mongolia on Cybersecurity (the Cybersecurity Law)
Status: In force
On May 1, 2022, the Cybersecurity Law entered into effect.
Resources:
- Legal Text (only available in Mongolian)
- OneTrust DataGuidance Jurisdiction Overview
Law: Bill 292-1 the Privacy Amendment Bill (the Bill)
Status: In legislative process
On May 3, 2024, the New Zealand Parliament opened a public consultation on the Privacy Amendment Bill after it was introduced on September 5, 2023. Public consultation is open until June 14, 2024.
Resources:
Pakistan
Law: Personal Data Protection Bill 2021
Status: Published for public consultation
OneTrust DataGuidance confirmed, on 28 February 2022, with Saeed Hasan Khan, Partner at S.U. Khan Associates Corporate & Legal Consultants, that the Federal Cabinet of Pakistan approved, on 16 February 2022, the draft of the Personal Data Protection Bill 2021.
Resources:
Philippines
Law: Substitute Bill to amend the Data Privacy Act of 2012 (Republic Act No. 10173)
Status: Proposed
The National Privacy Commission ('NPC') issued, on 25 June 2021, a statement addressing recent efforts to strengthen the current privacy law in the Philippines, following the 55th Asia Pacific Privacy Authorities Forum. In particular, the NPC highlighted that a substitute bill to amend the Data Privacy Act of 2012 (Republic Act No. 10173) had been approved by the Committee on Information and Communications Technology of the House of Representatives.
Resources:
Shanghai
Law: Shanghai Data Regulations
Status: In force
The Shanghai Data Regulations entered into effect on 1 January 2022.
Resources:
- Legal Text (only available in Chinese)
- OneTrust DataGuidance Jurisdiction Overview
Shenzhen
Law: Shenzhen Special Economic Zone Data Regulation
Status: In force
The Shenzhen Special Economic Zone Data Regulation entered into effect on 1 January 2022.
Resources:
- Legal Text (only available in Chinese)
- OneTrust DataGuidance Jurisdiction Overview
South Korea
Law: Amendments to Personal Information Protection Act 2011 (as amended) ('PIPA')
Status: In force
The South Korean National Assembly passed, on 27 February 2023, a proposal amending the PIPA. The amendments will enter into effect six months after promulgation.
Resources:
- Legal Text (only available in Korean)
- OneTrust DataGuidance Jurisdiction Overview
Sri Lanka
Law: Personal Data Protection Act, No. 9 of 2022
Status: Partially in force
Parts VI, VIII, IX, and X of the PDPA entered into force on December 1, 2023, while Parts I, II, III, and VII of the PDPA will enter into force on March 18, 2025.
Resources:
Taiwan
Law: Personal Data Protection Act 2015 ('PDPA')
Status: In force
On June 2, 2023, the amendments to the PDPA officially came into effect following the President's approval and the announcement by the National Development Council (NDC) on May 31, 2023.
Resources:
- Legal Text (only available in Chinese)
- OneTrust DataGuidance Jurisdiction Overview
Thailand
Law: The Personal Data Protection Act 2019 ('PDPA')
Status: In force
The PDPA entered into effect on 1 June 2022.
Resources:
Vietnam
Law: Decree No. 13/2023/ND-CP on the Protection of Personal Data
Status: In force
The PDPD entered into effect on 1 July 2023.
Resources:
- Legal Text (only available to download in Vietnamese)
- OneTrust DataGuidance Jurisdiction Overview
Table of Resources
- Canada - Federal: Bill C-27 for the Digital Charter Implementation Act 2022
Canada – Federal: Government Bill C-26 for an Act respecting cybersecurity, amending the Telecommunications Act and making consequential amendments to other Acts
Canada
Canada - Federal
Law: Bill C-27 for the Digital Charter Implementation Act 2022
Status: In legislative process
On 16 June 2022, Bill C-27 for the Digital Charter Implementation Act 2022 was introduced to the House of Commons. Bill C-27 passed second reading on 24 April 2023 and was thereafter referred to the Standing Committee on Industry and Technology.
Resources:
Canada - Federal
Law: Government Bill C-26 for an Act respecting cybersecurity, amending the Telecommunications Act and making consequential amendments to other Acts ('Bill C-26')
Status: In legislative process
On April 19, 2024, Bill C-26 passed the Standing Committee on Public Safety and National Security consideration. The Committee presented its report with proposed amendments to the bill.
Resources:
Quebec
Law: An Act to modernize legislative provisions as regards the protection of personal information, 2021, Chapter 25 ('the Amendment Act') (formerly known as Bill 64).
Status: Partially in force
The Amendment Act will enter into force over a three year period with provisions entering into force in September 2022, September 2023, September 2024.
Resources:
Table of Resources
- Belize: Data Protection Act, 2021
- Bermuda: Personal Information Protection Act 2016
- Cuba: Law 149/2022 on Personal Data Protection
- Grenada: The Grenada Data Protection Act, No. 1 of 2023
- Jamaica: Protection Act No. 7 of 2020
- Suriname: Bill for the Privacy Protection Act and Personal Data
Caribbean
Law: Data Protection Act, 2021 ('the Act')
Status: Adopted
In 2021, the National Assembly in Belize adopted the Act which will enter into force on a day to be appointed by the Minister by Order published in the Gazette.
Resources:
Law: Personal Information Protection Act 2016 (PIPA)
Status: Adopted
On June 16, 2023, the Bermuda Office of the Privacy Commissioner (PrivCom) announced, in a joint press release with the Bermuda Government, that the PIPA will be implemented on January 1, 2025.
Resources:
Law: Law 149/2022 on Personal Data Protection ('the Law')
Status: In force
The Law was published, on 25 August 2022, in the Official Gazette of the Republic of Cuba. Having been published in the Official Gazette, the Law entered into force 180 days from that date i.e. 21 February 2023.
Resources:
- Legal Text (only available in Spanish)
- OneTrust DataGuidance Jurisdictional Overview
Grenada
Law: The Grenada Data Protection Act, No. 1 of 2023 (the GDPA)
Status: Adopted
The GDPA was published, on May 10, 2023, in the Official Gazette, following their assent by the Deputy to the Grenada Governor-General
Resources:
Guyana
Law: Data Protection Act No.18 of 2023 (the Act)
Status: Adopted
On August 16, 2023, the Act was published in the Official Gazette of Guyana and, on the same date, received Presidential assent. The Act will come into effect on the day the Minister responsible for data protection may, by order, appoint, and different days may be appointed for different provisions of the Act.
Resources:
Jamaica
Law: Protection Act No. 7 of 2020
Status: Partially in force
OneTrust DataGuidance confirmed, on 21 January 2021, with the Kellye-Rae Fisher Campbell, Attorney-at-Law, that, on 30 November 2021, Sections 2,4, 56, 57, 60, 66, 74, 77, and the First Schedule of the Data Protection Act no. 7 of 2020 had become operational following the publication of Supplement No. 160 of Volume CXLIV of 30 November 2021in the Jamaica Gazette Supplement.
Resources:
Law: Bill for the Privacy Protection Act and Personal Data ('the Bill')
Status: In legislative process
The Bill was presented to the Suriname National Assembly in 2018 and considered by the Committee of Rapporteurs on 21 January 2021.
Resources:
- Legal Text (only available in Dutch)
- OneTrust DataGuidance Jurisdictional Overview
Table of Resources
- Russia: Draft amendments to Federal Law of 27 July 2006 No. 152-FZ on Personal Data
- Ukraine: Draft Data Protection Law
- Uzbekistan:
CIS
Russian Federation
Law: Federal Law of 14 July 2022 No. 266-FZ on Amending the Federal Law on Personal Data ('the Amendment Law').
Status: In force
The Federal Service for the Supervision of Communications, Information Technology, and Mass Media announced, on 1 September 2022, the entry into effect of the Amendment Law. Importantly, notification requirements for the cross-border transfer of personal data entered into effect on 1 March 2023.
Resources:
- Legal Text (only available in Russian)
- OneTrustDataGuidance Jurisdiction Overview
Ukraine
Law: Draft Data protection Law ('the Draft Law')
Status: In legislative process
The Parliament of Ukraine announced, on 25 October 2022, that it had received the Draft Law, following the rejection of the previous data protection bill.
Resources:
- Legal Text (only available in Ukranian)
- OneTrustDataGuidance Jurisdiction Overview
Uzbekistan
Law: Resolution of the Cabinet of Ministers of the Republic of Uzbekistan of 5 October 2022 No. 570 on Approval of Certain Normative Legal Documents in the Field of Processing of Personal Data ('the Resolution')
Status: In force
The Resolution was adopted on 5 October 2022, and entered into force on 7 January 2023.
Resources:
- Legal Text (only available in Uzbek)
- OneTrustDataGuidance Jurisdiction Overview
Uzbekistan
Law: Law on Cybersecurity (No. RK-764) ('the Cybersecurity Law')
Status: Passed
The Cybersecurity Law entered into force on 17 July 2022, following its adoption on 15 April 2022.
Resources:
- Legal Text (only available in Uzbek)
- OneTrust DataGuidance Jurisdiction Overview
Table of Resources
- Andorra: Law 29/2021, of 28 October, of Personal Data Protection
- Czech Republic: Draft Law on Cybersecurity and Other Related Regulations
- Estonia: Cyber Security and Other Laws Amendment Act 531 SE
- EU: Cyber Resilience Act
- EU: the Data Governance Act
- EU: the ePrivacy Regulation
- EU: Revised Directive on Security of Network and Information Systems
- EU: Regulation on Harmonised Rules on Fair Access to and Use of Data
- EU: Proposal for a Regulation of the European Parliament and of the Council Laying Down Harmonised Rules on Artificial Intelligence
- Georgia: Draft law on personal data protection
- Monaco: Data Protection Act No. 3 of 2021
- Netherlands: Collective Data Protection Act
- Slovenia: Personal Data Protection Act
- Switzerland: Revised Federal Act on Data Protection 1992
- Turkey: Personal Data Protection Law
- UK: Data Protection and Digital Information Bill
Europe
Andorra
Law: Law 29/2021, of 28 October, of Personal Data Protection ('the Law')
Status: In force
The Andorran data protection authority announced, on 17 May 2022, the Law entered into force.
Resources:
- Legal Text (only available in Catalan)
- OneTrust DataGuidance Jurisdiction Overview
Estonia
Law: Cyber Security and Other Laws Amendment Act 531 SE ('the Cybersecurity Law')
Status: Passed
The Parliament of Estonia announced, on 19 July 2022, that it had adopted the Cybersecurity Law proposed by the Government in February 2022.
Resources:
- Legal Text (only available for download in Estonian)
- OneTrust DataGuidance Jurisdiction Overview
Czech Republic
Law: Draft Law on Cybersecurity and Other Related Regulations ('Draft Cybersecurity Law')
Status: In legislative process
The National Cyber and Information Security Agency stated that the Draft Cybersecurity Law was published for public consultation until 26 February 2023.
Resources:
- Legal Text (only available for download in Czech)
- OneTrust DataGuidance Jurisdiction Overview
EU
Law: The Cyber Resilience Act
Status: In legislative process
The European Commission ('the Commission') announced, on 15 September 2022, that it had presented a proposal for a new Cyber Resilience Act. The Commission explained that the proposed Cyber Resilience Act will now be passed to the European Parliament and the Council for examination, and that, once adopted, economic operators and Member States will have two years to adapt to most of the new requirements.
Resources:
EU
Law: The Data Governance Act ('DGA')
Status: In force
The DGA was published in the Official Journal of the European Union on 3 June 2022 and entered into force 20 days after publication i.e. on 23 June 2022. The DGA will apply from 24 September 2023.
Resources:
EU
Law: Proposal for a Regulation Concerning the Respect for Private Life and the Protection of Personal Data in Electronic Communications and Repealing Directive 2002/58/EC (Regulation on Privacy and Electronic Communications) ('the Draft ePrivacy Regulation')
Status: The Council and the Parliament will now start negotiations on the text.
The Council of the European Union has agreed on a negotiating mandate with the European Parliament. If passed, the ePrivacy Regulation will replace the Directive on Privacy and Electronic Communications (2002/58/EC) (as amended) ('the ePrivacy Directive').
Resources:
EU
Law: Revised Directive on Security of Network and Information Systems ('NIS 2 Directive')
Status: Adopted
The NIS 2 Directive was published in the Official Gazette of the European Union on 27 December 2022 and will repeal the NIS Directive as of 18 October 2024.
Resources:
EU
Law: Regulation on Harmonised Rules on Fair Access to and Use of Data (Data Act)
Status: Adopted
The Data Act will become applicable in 20 months i.e. September 12, 2025.
Resources:
EU
Law: Proposal for a Regulation of the European Parliament and of the Council Laying Down Harmonised Rules on Artificial Intelligence (the AI Act)
Status: In legislative process
On June 13, 2024, the President of the European Parliament and the President of the Council of the European Union signed the AI Act. The AI Act will be published in the EU's Official Journal after being signed by the Presidents of the Parliament and Council. The AI Act will enter into force 20 days after its publication and will apply two years after its entry into force, with some exceptions for specific provisions.
Resources:
Georgia
Law: Draft law on personal data protection
Status: In force
On June 1, 2024, the Personal Data Protection Service (PDPS) announced that the Law of Georgia on Personal Data Protection from June 14, 2023 (the Data Protection Act 2023) fully entered into force on the same day.
Resources:
- Legal Text (only in Georgian)
- OneTrust DataGuidance Jurisdiction Overview
Monaco
Law: Data Protection Act No. 3 of 2021
Status: In legislative process
The Monegasque data protection authority issued, on 28 January 2022, a statement, in commemoration of Data Protection Day, highlighting the bill relating to the protection of personal data recently submitted to the Office of the National Council.
Resources:
- Legal Text (only in French)
- OneTrust DataGuidance Jurisdiction Overview
Law: Collective Data Protection Act
Status: In legislative process
On December 2, 2022, the bill was introduced to the House of Representatives.
Resources:
- Legal Text (only available to download in Dutch)
- OneTrust DataGuidance Jurisdiction Overview
Slovenia
Law: Personal Data Protection Act ('ZVOP-2')
Status: In force
The ZVOP-2 implements the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR') into Slovenian law and entered into effect on 26 January 2023, replacing the existing Personal Data Protection Act 2004.
Resources:
- Legal Text (only available in Slovenian)
- OneTrust DataGuidance Jurisdiction Overview
Switzerland
Law: Revised Federal Act on Data Protection 1992 ('FADP')
Status: In force
The revised FADP entered into force on 1 September 2023.
Resources:
- Legal Text (only available in French)
- OneTrust DataGuidance Jurisdiction Overview
Law: Personal Data Protection Law (the Law)
Status: In force
On June 1, 2024, the Personal Data Protection Authority (KVKK) announced via LinkedIn that the amendments to the Law on Protection of Personal Data (the Law) approved on March 12, 2024, came into force on June 1, 2024.
Resources:
- Legal Text (only in Turkish)
- OneTrust DataGuidance Jurisdiction Overview
UK
Law: Data Protection and Digital Information Bill (the Bill)
Status: In legislative process
On April 24, 2024, the Bill underwent its final day of the committee stage. The next stage is the reporting stage. As of now, a schedule for this stage has not been determined.
Resources:
Table of Resources
- Argentina: Personal Data Protection Bill
Bolivia: Legislative Assembly of bill No. 349/2020-2021 for the protection of personal data
Colombia: General Regime for the Protection of Personal Data
- Chile: Bill No. 11144-07 Regulating the Processing and Protection of Personal Data and Creating the Personal Data Protection Authority
Costa Rica: Bill No. 23097 for the Data Protection Law
- Guatemala: Bill No. 6105 of 23 June 2022 for the approval of the Data Protection Law
- Paraguay: Bill on the Protection of Personal Data of the Republic of Paraguay
- Uruguay: Law No. 20075 of 20 October 2022
Latin America
Argentina
Law: Personal Data Protection Bill (the Bill)
Status: In legislative process
On June 30, 2023, the Argentinian Data Protection Authority (AAIP) announced that the National Executive Power had sent the Personal Data Protection Bill to the National Congress of Argentina.
Resources:
- Legal Text (only available in Spanish)
- OneTrust DataGuidance Jurisdictional Overview
Law: Draft Law on Protection of Personal Data ('the Draft Law')
Status: In legislative process
OneTrust DataGuidance Research confirmed, on 25 April 2023, with Ana Valeria Escobar, Partner at PPO Abogados, that the Agency of Electronic Government and Information and Communication Technologies had presented, on 31 March 2023, to the Bolivian Senate, the Draft Law.
Resources:
- Legal Text (only available in Spanish)
- OneTrust DataGuidance Jurisdictional Overview
Law: Legislative Assembly of bill No. 349/2020-2021 for the protection of personal data ('the Bill')
Status: In legislative process
A motion for the reintroduction in the Bill was filed, on 3 March 2023, by National Deputy Renan Cabezas Veizan, following its initial presentation on 19 October 2021.
Resources:
- Legal Text (only available in Spanish)
- OneTrust DataGuidance Jurisdictional Overview
Law: General Regime for the Protection of Personal Data (the Bill)
Status: In legislative process
On August 31, 2023, OneTrust DataGuidance Research confirmed with Jorge Pinilla, Associate at Pinilla & Pinilla, that the Chamber of Representatives of Colombia the Bill.
Resources:
- Legal Text (only available for download in Spanish)
- OneTrust DataGuidance Jurisdictional Overview
Costa Rica
Law: Bill No. 23097 for the Data Protection Law ('the Bill')
Status: In legislative process
Bill No. 23097 for the Data Protection Law was added to the Legislative Assembly's agenda, on 10 March 2023, following its introduction in 2022.
Resources:
- Legal Text (only available to download in Spanish)
- OneTrust DataGuidance Jurisdictional Overview
Law: Bill No. 11144-07 Regulating the Processing and Protection of Personal Data and Creating the Personal Data Protection Authority ('the Bill')
Status: In legislative process
On January 3, 2024, the Chilean Senate approved the Bill.
Resources:
- Legal Text (only available in Spanish)
- OneTrust DataGuidance Jurisdictional Overview
Law: Bill No. 6105 of 23 June 2022 for the approval of the Data Protection Law ('the Bill')
Status: In legislative process
The Bill was sent to the Transparency and Probity Commission for an opinion on April 12, 2023. Subsequently, on April 28, 2023, the President of the Transparency and Probity Commission issued a favorable opinion on the Bill.
Resources:
- Legal Text (only available in Spanish)
- OneTrust DataGuidance Jurisdictional Overview
Paraguay
Law: Bill on the Protection of Personal Data of the Republic of Paraguay
Status: In legislative process
The Chamber of Deputies announced, on 30 April 2021, the official presentation of the bill on the Protection of Personal Data of the Republic of Paraguay. The bill will be submitted for consideration to the advisory commissions in the Chamber of Deputies.
Resources:
- Legal Text (only available in Spanish)
- OneTrust DataGuidance Jurisdictional Overview
Uruguay
Law: Law No. 20075 of 20 October 2022 ('the Law')
Status: In force
The Law was enacted on 20 October 2022 and entered into force on 1 January 2023.
Resources:
- Legal Text (only available in Spanish)
- OneTrust DataGuidance Jurisdictional Overview
Table of Resources
- DIFC: DIFC Law No. 2 of 2022
- Israel: Privacy Protection Bill (Amendment No. 14) 5722-2022
Israel: Privacy Protection Law (Amendment - Reinforcement of the Right to Privacy and its Protection), 2022
- Jordan: the Law No. 24 of 2023 Personal Data Protection Law
- Oman: Draft law on the protection of personal data of 2021
- Qatar: Data Protection Regulations 2021 and Data Protection Rules 2021
- Saudi Arabia: Personal Data Protection Law
- UAE - Federal: Federal Decree-Law No. 45 of 2021 regarding the Protection of Personal Data
Middle East
DIFC
Law: DIFC Data Protection Law No. 5 of 2020 ('the Data Protection Law')
Status: In legislative process
The Dubai International Financial Centre Director of Data Protection announced, on 18 April 2023, via LinkedIn, that the DIFC Authority had launched a public consultation on proposed amendments to the the Data Protection Law.
Resources:
Oman
Law: Royal Decree No. 6 of 2022 Promulgating the Law on the Protection of Personal Data ('the Data Protection Law')
Status: In force
The Data Protection Law entered into force on 13 February 2023, a year after its publication in the Official Gazette No. 1429, on 13 February 2022.
Resources:
- Legal Text (only available in Arabic)
- OneTrust DataGuidance Jurisdiction Overview
Israel
Law: Privacy Protection Bill (Amendment No. 14) 5722-2022 ('the Bill')
Status: In legislative process
The Privacy Protection Authority announced, via LinkedIn, on 3 April 2023, that the Ministerial Committee on Legislation has approved the application of the rule of continuity for the advancement of the Bill, after its progress had been stalled due to the dissolution of the Israeli Legislature.
Resources:
- Legal Text (only available in Hebrew)
- OneTrust DataGuidance Jurisdiction Overview
Israel
Law: Privacy Protection Law (Amendment - Reinforcement of the Right to Privacy and its Protection), 2022
Status: In legislative process
OneTrust DataGuidance confirmed, on 3 February 2022, with Dalit Ben-Israel, Partner, Chair of IT and Privacy Practice at Naschitz, Brandes, Amir & Co., that the draft bill for Privacy Protection Law (Amendment - Reinforcement of the Right to Privacy and its Protection), 2022 had been submitted, on 31 January 2022, to the Parliament.
Resources:
- Legal Text (both only available in Hebrew)
- OneTrust DataGuidance Jurisdiction Overview
Jordan
Law: Law No. 24 of 2023 Personal Data Protection Law ('the Law')
Status: Passed
On September 17, 2023, the Law was published in the Official Gazette and will enter into effect in six months, i.e. on March 17, 2024. However, the Directorate provided that all entities dealing with personal data are required, upon the law's enforcement, to align their conditions with the Law within a period not exceeding one year, ending on March 16, 2025.
Resources:
- Legal Text (only available in Arabic)
- OneTrust DataGuidance Jurisdiction Overview
Qatar - Qatar Financial Centre
Law: Data Protection Regulations 2021 and Data Protection Rules 2021
Status: In force
The Data Protection Regulations 2021 and the Data Protection Rules 2021 entered into effect on 21 May 2022, and has repealed the QFC Data Protection Regulations and Rules of 2005.
Resources:
Saudi Arabia
Law: Personal Data Protection Law ('PDPL')
Status: In force
On September 14, 2023, the PDPL entered into force. Pursuant to the PDPL's preamble, entities will have a one-year transition period from such date to bring their operations into compliance.
Resources:
- Legal Text (only available in Arabic)
- OneTrust DataGuidance Jurisdiction Overview
UAE Federal
Law: Federal Decree-Law No. 45 of 2021 regarding the Protection of Personal Data ('the Law')
Status: In force
The UAE Cabinet announced, on 28 November 2021, that Law had been enacted. However, the Law is yet to be published with Executive Regulations to be published within six months from that date and, following a 12-month transition period, it will be enforceable from 2 January 2023.
Resources: