
Keeping up to Date With Global Privacy Updates
Keeping up to Date With Global Privacy Updates
As the privacy landscape continues to develop at speed, the OneTrust DataGuidance Global Privacy Updates page is the go-to resource for tracking all upcoming global privacy updates. This page outlines privacy laws from across the world that you should be aware of, their legislative status, and key dates you should know. Use the table of contents below for a quick overview of privacy updates on the horizon or click on each update to navigate directly to further information, legal texts, and further resources.
Page last updated: 9 June 2022
The following laws have been added or updated in the latest release:
Africa
- Eswatini: The Data Protection Act No.5 of 2022
- Kenya: The Data Protection Regulations, 2021
Asia-Pacific
- Japan: The Act on the Protection of Personal Information (Act No. 57 of 2003 as amended in 2020)
- Thailand: The Personal Data Protection Act 2019
CIS
- Russian Federation: Amendments to Federal Law of 27 July 2006 No. 152-FZ on Personal Data
- Uzbekistan: Law on Cybersecurity (No. RK-764)
Europe
- Andorra: Law 29/2021, of 28 October, of Personal Data Protection
- EU: The Data Governance Act
Table of Contents
Africa
- Botswana: Data Protection Act (Act No. 32 of 2018
- Eswatini: The Data Protection Act No.5 of 2022
- Kenya: The Data Protection Regulations, 2021
- South Africa: Protection of Personal Information Act, 2013 (Act 4 of 2013)
- Rwanda: Law relating to Personal Data Protection and Privacy
- Uganda: Data Protection and Privacy Regulations
- Zambia: Data Protection Act No. 3 of 2021
- Zambia: The Cyber Security and Cyber Crimes Act No. 2 of 2021
- Zimbabwe: Data Protection Act [Chapter 11:12]
Asia-Pacific
- Australia: Review of Privacy Act 1988 (No. 119, 1988) (as amended)
- Australia: Privacy Legislation Amendment (Enhancing Online Privacy and Other Measures) Bill 2021
- Brunei Darussalam: Draft Personal Data Protection Order
- China: Personal Information Protection Law
- China: Data Security Law
- Hong Kong: Personal Data (Privacy) (Amendment) Bill 2021
- India: Personal Data Protection Bill, 2019
- Indonesia: Draft Personal Data Protection Act
- Japan: Act on the Protection of Personal Information (Act No. 57 of 2003 as amended in 2015)
- Myanmar: Amendments to the Law Protecting the Privacy and Security of Citizens (2017) and the Electronic Transactions Law (2004)
- Mongolia: Draft Law on Protection of Personal Information
- Pakistan: Personal Data Protection Bill 2021 (August 2021)
- Philippines: Substitute Bill to amend the Data Privacy Act of 2012 (Republic Act No. 10173)
- Shanghai: Data Regulations
- Shenzhen: Shenzhen Special Economic Zone Data Regulation
- South Korea: Amendments to Personal Information Protection Act 2011 (as amended in 2020
- Sri Lanka: Draft Bill for an Act to Provide for the Regulation of Processing of Personal Data (July 2021)
- Thailand: Personal Data Protection Act 2019
- Vietnam: Decree No. 70/2021/ND-CP Amending & Supplementing Several Articles of Decree No. 181/2013/ND-CP dated 14 November 2013 implementing the Law on Advertising
- Vietnam: Draft Decree on Personal Data Protection
Canada
- Canada - Federal: Bill C-11 for the Digital Charter Implementation Act, 2020
Caribbean
- British Virgin Islands: Data Protection Act, 2021
- Jamaica: Protection Act no. 7 of 2020
CIS
- Belarus: Law on Personal Data
- Kazakhstan: Amendments to Law of the Republic of Kazakhstan of 21 May 2013 No. 94-V on Personal Data and its Protection
- Russia:
- Ukraine: Draft Data Protection Law
- Uzbekistan:
Europe
- Andorra: Law 29/2021, of 28 October, of Personal Data Protection
- EU: The Data Governance Act
- EU: The ePrivacy Regulation
- EU: Directive (EU) 2019/1937 of 23 October 2019 on the protection of persons who report breaches of Union law
- EU: Revised Directive on Security of Network and Information Systems
- EU: Regulation on a framework for Digital Green Certificates to facilitate free movement during the COVID-19 pandemic
- EU: Proposed AI Regulation
- EU: Proposal for a Regulation on Harmonised Rules on Fair Access to and Use of Data (Data Act)
- Germany: Law on data protection and the protection of privacy in telecommunications and telemedia
- Italy: National Cybersecurity Agency by Law No. 109 of 4 August 2021
- Monaco: Data Protection Act No. 3 of 2021
- Switzerland: Revised Federal Act on Data Protection 1992
Latin America
- Brazil: Law No. 13.709 of 14 August 2018, General Personal Data Protection Law (as amended by Law No. 13.853 of 8 July 2019)
- Ecuador: Law for the Protection of Personal Data
- El Salvador: Law on Protection of Personal Data and Habeas Data
- Mexico: Bill to reform the Federal Law on Protection of Personal Data Held by Private Parties
- Paraguay: Bill on the Protection of Personal Data of the Republic of Paraguay
- Panama: Executive Decree No. 285 of 28 May 2021 that regulates the Law No. 81 on Personal Data Protection
- Peru: Bill creating the National Authority for Transparency, Access to Public Information and Protection of Personal Data
Middle East
- Israel: Privacy Protection Bill (Amendment No. 14) 5722-2022
Israel: Privacy Protection Law (Amendment - Reinforcement of the Right to Privacy and its Protection), 2022
- Jordan: Draft Law on Personal Data
- Oman: Draft law on the protection of personal data of 2021
- Qatar: Amendments to the QFC Data Protection Regulations and Rules 2005
- Saudi Arabia: Personal Data Protection Law
- UAE - ADGM: Data Protection Regulations 2021
- UAE - Federal: Federal Decree-Law No. 45 of 2021 regarding the Protection of Personal Data
- DIFC: DIFC Law No. 2 of 2022
USA
- California: California Consumer Privacy Act ('CCPA') - Amendment
- California: California Privacy Rights Act of 2020 ('CPRA')
- Colorado: Senate Bill ('SB') 21-190 for an Act concerning additional protection of data relating to personal privacy ('CPA')
- Ohio: HB 37
- Puerto Rico: House Bill ('HB') 655 for the Electronic Information Privacy Act
- Virginia: Consumer Data Protection Act ('CDPA')
- Wisconsin: 2021 Wisconsin Act 73
- Utah: Senate Bill ('SB') 227 for the Consumer Privacy Act ('UCPA')
Global Privacy Updates
Africa
Botswana
Law: Data Protection Act, 2018
Status: In force
OneTrust DataGuidance confirmed, on 20 October 2021, with Senwelo Monise, Associate Attorney at Botlhole Law Group, and Lesedi Dingake, Associate at Desai Law Group, that it was announced, on 15 October 2021, in the Botswana Government Gazette, that the Data Protection Act (Act No. 32 of 2018) ('the Act') came into effect, upon the issuance of the Data Protection Act (Commencement Date) Order 2021 by the Minister of Presidential Affairs, Governance and Public Administration.
Resources:
Eswatini
Law: The Data Protection Act No.5 of 2022 ('the Act')
Status: In force
The Eswatini Communications Commission published, on 4 March 2022, the Data Protection Act No.5 of 2022.
Resources:
Kenya
Law: The Data Protection Regulations, 2021
Status: In force
OneTrust DataGuidance confirmed the development with with Nzilani Mweu, Partner at Rilani Advocates, who noted that the 2021 Regulations are now in effect.
Resources:
South Africa
Law: Protection of Personal Information Act, 2013 (Act 4 of 2013)
Status: Partially into force
The President of South Africa announced, on 22 June 2020, the commencement of certain sections of the Protection of Personal Information Act, 2013 ('POPIA'). More specifically, Sections 2 to 38, 55 to 109, 111, and 114(1), (2), and (3) will commence on 1 July 2020. Furthermore, Sections 110 and 114(4) will commence on the later date of 30 June 2021.
The Regulator further issued, on 24 March 2021, a media statement marking 100 days till the deadline for public and private bodies to ensure compliance with POPIA. In particular, the Regulator outlined that it would be prioritising the following:
- consideration of applications for approval of codes of conducts;
- processing public comments on the draft guidelines for registration of information officers;
- consideration of applications for prior authorisation;
- finalising the guidance note on exclusions and exemptions from POPIA;
- finalising the template for notification of security compromises in terms of Section 22 of POPIA; and
- finalising the guidance note on processing of personal information across borders.
In addition, several Sections from POPIA and the Regulations, such as those regulating the processing of personal data and data subject rights, did not become operational until 1 July 2020. Furthermore, Regulation 4 entered into effect on 1 May 2021, while Regulation 5 became effective on 1 March 2021, and the residual Regulations entered into effect on 1 July 2021.
Resources:
Rwanda
Law: Law relating to Personal Data Protection and Privacy
Status: In force
Law No. 058/2021 of 13 October 2021 Relating to the Protection of Personal Data and Privacy was published, on 15 October 2021, in the Rwanda Official Gazette ('the Law'). The Law entered into effect upon its publication in the Official Gazette.
Resources:
Uganda
Law: Data Protection and Privacy Regulations
Status: In force
The Data Protection and Privacy Regulations, 2021 were approved and published in the Official Gazette on 12 March 2021.
Resources:
Zambia
Law: Data Protection Act No. 3 of 2021
Status: In force
OneTrust DataGuidance confirmed, on 20 January 2022, with Christine Mwambazi, Associate at Corpus Legal Practitioners, that the Data Protection Act No. 3 of 2021 and the Electronic Communications and Transactions Act No. 4 of 2021 entered into force on 31 March 2021.
Resources:
Zambia
Law: The Cyber Security and Cyber Crimes Act No. 2 of 2021
Status: In force
OneTrust DataGuidance confirmed, on 7 February 2022, with Christine Mwambazi, Associate at Corpus Legal Practitioners, that the Cyber Security and Cyber Crimes Act entered into force on 1 April 2021.
Resources:
Zimbabwe
Law: Data Protection Bill
Status: Enacted
OneTrust DataGuidance confirmed, on 5 December 2021, with Steve Munyaradzi Chikengezha, Associate at DLA Piper Africa Zimbabwe - Manokore Attorneys that the Data Protection Act [Chapter 11:12] ('the Act') was enacted on 3 December 2021
Resources:
Asia-Pacific
Australia
Law: Review of Privacy Act 1988 (No. 119, 1988) (as amended)
Status: In legislative process
The public consultation on the reviewed Privacy Act has been launched on 10 January 2022. The consultation is aimed at a review of the Act to ensure that the privacy framework empowers consumers, protects their data, and serves the Australian economy. The submissions and feedback they receive will inform the review's final report.
Resources:
Australia
Law: Privacy Legislation Amendment (Enhancing Online Privacy and Other Measures) Bill 2021
Status: In legislative process
The Australian Government is accepting submissions on the Privacy Legislation Amendment (Enhancing Online Privacy and Other Measures) Bill 2021 ('the Online Privacy Bill') until 6 December 2021.
Resources:
Brunei Darussalam
Law: Draft Personal Data Protection Order
Status: In legislative process
The Authority for Info-communications Technology Industry of Brunei Darussalam ('AITI') initiated, on 20 May 2021, a public consultation on its draft Personal Data Protection Order ('the PDPO'). In particular, the PDPO establishes comprehensive obligations to data controllers, intermediaries, and processors including the mandatory designation of a data protection officer, the receipt of consent prior to the use and processing of personal information, a limit on the use of data for the purposes communicated to data subjects, and providing notification to authorities of a data breach within three calendar days. In addition, the PDPO requires data controllers to facilitate the data subject rights under the PDPO which establishes the right to withdraw consent, the right to access information, the right to rectification, and data portability.
Resources:
China
Law: Personal Information Protection Law of the People's Republic of China
Status: In force
The PIPL entered into effect on 1 November 2021.
Resources:
China
Law: Data Security Law
Status: In force
The Data Security Law entered into effect on 1 September 2021.
Resources:
Hong Kong
Law: Personal Data (Privacy) (Amendment) Bill 2021
Status: In force
The Privacy Commissioner for Personal Data ('PCPD') announced, on 8 October 2021, that the Personal Data (Privacy) (Amendment) Bill 2021 ('PDPO Amendment Bill') was gazetted and entered into force on 8 October 2021.
Resources:
India
Law: Personal Data Protection Bill, 2019
Status: In legislative process
Lok Sabha, the lower House of Parliament, published, on 16 December 2021, the revised list of business for the same date, in which it confirmed that Shri P.P. Chaudhary and Shri Manish Tewari had presented the Joint Parliamentary Committee ('JPC') report on the Personal Data Protection Bill, 2019 ('the Bill').
Resources:
Indonesia
Law: Draft Personal Data Protection Act
Status: First Reading
The House of Representatives of the Republic of Indonesia confirmed, on 11 November 2021, it would continue its discussion on the draft of the Personal Data Protection Act, with time allowed for the discussion extended for the third time.
Resources:
- Legal Text (only available in Indonesian)
- OneTrust DataGuidance Jurisdiction Overview
Japan
Law: The Act on the Protection of Personal Information (Act No. 57 of 2003 as amended in 2020) ('APPI')
Status: In force
The APPI entered into effect on 1 April 2022.
Resources:
Myanmar
Law: Amendments to the Law Protecting the Privacy and Security of Citizens (2017) and the Electronic Transactions Law (2004)
Status: Unknown
OneTrust DataGuidance confirmed, on 18 May 2021, with Dr Ross Taylor, Counsel and Head of Financial Services at Tilleke & Gibbins, that the State Administration Council had adopted, in February 2021, amendments to the Law Protecting the Privacy and Security of Citizens (2017) and the Electronic Transactions Law (2004).
Resources:
Mongolia
Law: Draft Law on Protection of Personal Information
Status: Submitted for Discussion
OneTrust DataGuidance confirmed, on 4 July 2021, with Erdenedalai Odkhuu, Partner at Melville Erdenedalai LLP, that currently five draft laws on information and information security are being discussed by the Parliament of Mongolia, namely: Law on Protection of Personal Information; Law on Public Information; Law on Information Transparency and the Right for Information; Revised Law on Electronic Signature; and Law on Cybersecurity.
Resources:
Pakistan
Law: Personal Data Protection Bill 2021 (August 2021)
Status: Published for public consultation
OneTrust DataGuidance confirmed, on 28 February 2022, with Saeed Hasan Khan, Partner at S.U. Khan Associates Corporate & Legal Consultants, that the Federal Cabinet of Pakistan approved, on 16 February 2022, the draft of the Personal Data Protection Bill 2021.
Resources:
Philippines
Law: Substitute Bill to amend the Data Privacy Act of 2012 (Republic Act No. 10173)
Status: Proposed
The National Privacy Commission ('NPC') issued, on 25 June 2021, a statement addressing recent efforts to strengthen the current privacy law in the Philippines, following the 55th Asia Pacific Privacy Authorities ('APPA') Forum. In particular, the NPC highlighted that a substitute bill to amend the Data Privacy Act of 2012 (Republic Act No. 10173) had been approved by the Committee on Information and Communications Technology of the House of Representatives.
Resources:
Shanghai
Law: Shanghai Data Regulations
Status: In force
The Shanghai Municipal People's Government announced on 29 November 2021, that the Standing Committee of the 15th Shanghai Municipal People's Congress adopted the Shanghai Data Regulations. The Regulations entered into effect on 1 January 2022.
Resources:
- Legal Text (only available in Chinese)
- OneTrust DataGuidance Jurisdiction Overview
Shenzhen
Law: Shenzhen Special Economic Zone Data Regulation
Status: In force
The Standing Committee of Shenzhen Municipal People's Congress announced, on 7 July 2021, that the Shenzhen Special Economic Zone Data Regulation had passed. The Regulations entered into effect on 1 January 2022.
Resources:
- Legal Text (only available in Chinese)
- OneTrust DataGuidance Jurisdiction Overview
South Korea
Law: Amendments to Personal Information Protection Act 2011 (as amended in 2020) ('PIPA')
Status: In legislative process
The Personal Information Protection Commission ('PIPC') published, on 17 May 2021, its public consultation on the amendments to the Personal Information Protection Act 2011 (as amended in 2020) ('PIPA').
Resources:
- Legal Text (only available in Korean)
- OneTrust DataGuidance Jurisdiction Overview
Sri Lanka
Law: Draft Bill for an Act to Provide for the Regulation of Processing of Personal Data (2021)
Status: Passed
The Parliament of Sri Lanka published, on 22 March 2022, the Personal Data Protection Act, No. 9 of 2022 ('PDPA'), following its passage on 9 March 2022 and subsequent certification on 19 March 2022.
Resources:
Thailand
Law: The Personal Data Protection Act 2019 ('PDPA')
Status: In force
The Personal Data Protection Act 2019 entered into effect on 1 June 2022.
Resources:
Vietnam
Law: Decree No. 70/2021/ND-CP Amending & Supplementing Several Articles of Decree No. 181/2013/ND-CP dated 14 November 2013 implementing the Law on Advertising
Status: In legislative process
The Ministry of Information and Communications ('MIC') announced, on 26 July 2021, that the Government had promulgated the Draft Decree No. 70/2021/ND-CP Amending & Supplementing Several Articles of Decree No. 181/2013/ND-CP dated 14 November 2013 implementing the Law on Advertising ('Decree 70').
Resources:
Vietnam
Law: Draft Decree on Personal Data Protection
Status: In legislative process
A consultation was launched on draft decree on 9 February 2021. If passed, the bill would be the first comprehensive data protection legislation in Vietnam, covering topics such as the introduction of definitions, including personal data, sensitive data, and data processing, data subject rights, and consent, as well as data principles such as purpose limitation, data retention, and cross-border data transfers.
Resources:
- Legal Text (only available to download in Vietnamese)
- OneTrust DataGuidance Jurisdiction Overview
Canada
Canada - Federal
Law: Bill C-11 for the Digital Charter Implementation Act, 2020
Status: In legislative process
Bill introduced to the House of Commons on 17 November 2020. If passed, the bill would enact the Consumer Privacy Protection Act ('CPPA'), which would protect the personal information of individuals while regulating organisations' collection, use, or disclosure of personal information in the course of commercial activities, and would repeal Part 1 of PIPEDA and amend PIPEDA's short title to the Electronic Documents Act.
The Office of the Privacy Commissioner of Canada ('OPC') submitted, on 11 May 2021, comments on Bill C-11, the Digital Charter Implementation Act, 2020 to the Standing Committee on Access to Information, Privacy and Ethics, outlining a number of enhancements the OPC believes are required to both aid in responsible innovation and protect the privacy rights of Canadians.
Resources:
Quebec
Law: Bill 64, An Act to modernize legislative provisions as regards the protection of personal information
Status: Passed
Bill 64 received royal assent, on 22 September 2021, in the National Assembly of Quebec.
Resources:
Caribbean
British Virgin Islands
Law: Data Protection Act, 2021
Status: The Act will enter into force on a date appointed by the Minister, by notice published in the Gazette, and different dates may be appointed for different provisions of the Act.
The Data Protection Act, 2021 was enacted, on 13 April 2021, in the Official Gazette. The Act represents a comprehensive data protection legislation, addressing, among other things, general privacy principles, data subjects' rights, and the establishment of the Office of the Information Commissioner.
Resources:
Jamaica
Law: Protection Act no. 7 of 2020
Status: Partially in force
OneTrust DataGuidance confirmed, on 21 January 2021, with the Kellye-Rae Fisher Campbell, Attorney-at-Law, that, on 30 November 2021, Sections 2,4, 56, 57, 60, 66, 74, 77, and the First Schedule of the Data Protection Act no. 7 of 2020 had become operational following the publication of Supplement No. 160 of Volume CXLIV of 30 November 2021in the Jamaica Gazette Supplement.
Resources:
CIS
Belarus
Law: Law on Personal Data
Status: In force
The Law on Personal Data entered in force on 15 November 2021.
Resources:
- Legal Text (only available in Russian)
- OneTrust DataGuidance Jurisdiction Overview
Kazakhstan
Law: Amendments to Law of the Republic of Kazakhstan of 21 May 2013 No. 94-V on Personal Data and its Protection
Status: The proposed amendments have been submitted for public consultation with no clear timeline of an enforcement date.
The Ministry of Digital Development, Innovations and Aerospace ('MDAI') published, on 13 April 2021, its draft amendments to Law of the Republic of Kazakhstan of 21 May 2013 No. 94-V on Personal Data and its Protection. The amendments would introduce, among other things, registrar and notification requirements for data processing operators, a prohibition on the use of publicly available personal data without consent, the introduction of the right to erasure, stricter requirements to informing data subjects of the use of their data, and new data security measures and obligations.
Resources:
- Legal Text (only available in Russian)
- OneTrust DataGuidance Jurisdiction Overview
Russian Federation
Law: Amendments to Federal Law of 27 July 2006 No. 152-FZ on Personal Data ('the Law')
Status: Passed
The State Parliament ('Duma') announced, on 24 May 2022, a bill amending the Law was adopted at first reading.
Resources:
Legal Text (only available in Russian)
OneTrustDataGuidance Jurisdiction Overview
Russian Federation
Law: Bill No. 1176731-7 on the activities of foreign persons in the information and telecommunications network 'Internet' on the territory of the Russian Federation
Status: Passed
The Duma announced, on 17 June 2021, that Bill No. 1176731-7 had been adopted with amendments following its third reading.
Resources:
- Legal Text (only available in Russian)
- OneTrustDataGuidance Jurisdiction Overview
Ukraine
Law: Draft Data protection Law
Status: In legislative process
The Parliament of Ukraine ('Verkhovna Rada') announced, on 7 June 2021, that it had received a draft data protection law addressing, among other things, grounds for the processing of personal and sensitive information, data subject rights, responsibilities for data controllers and operators including the adoption of Privacy by Design and requirements for the security of processing, and the carrying out of Data Protection Impact Assessments.
Resources:
- Legal Text (only available in Ukranian)
- OneTrustDataGuidance Jurisdiction Overview
Uzbekistan
Law: Bill to Improve the Legal Framework for Personal Data
Status: In legislative process
The Legislative Chamber of the Oliy Majlis of the Republic of Uzbekistan ('the Chamber') announced, on 25 May 2021, that it had adopted a bill to improve the legal framework for personal data at its first reading. In particular, the Chamber noted the rising number of violations committed as a result of the misuse of personal data, as well as the increasing use of personal data via the internet and other networks.
Resources:
Uzbekistan
Law: Draft law on Advertising
Status: In legislative process
The Legislative Chamber of the Oliy Majlis of the Republic of Uzbekistan submitted, on 21 May 2021, a draft law on advertising for public consultation. In particular, if enacted, the draft law would replace Law of the Republic of Uzbekistan of 25 December 1998 No. 723-I on Advertising to establish favourable conditions for the development of the advertising market in Uzbekistan.
Resources:
- Legal text (only available in Russian)
- OneTrustDataGuidance Jurisdiction Overview
Uzbekistan
Law: Law on Cybersecurity (No. RK-764) ('the Cybersecurity Law')
Status: Passed
The Legislative Chamber of the Oliy Majlis of the Republic of Uzbekistan adopted, on 15 April 2022, the Cybersecurity Law. The Cybersecurity Law will enter into force on 17 July 2022.
Resources:
- Legal Text (only available in Uzbek)
- OneTrust DataGuidance Jurisdiction Overview
Europe
Andorra
Law: Law 29/2021, of 28 October, of Personal Data Protection ('the Law')
Status: In force
The Andorran data protection authority ('APDA') announced, on 17 May 2022, the Law entered into force.
Resources:
- Legal Text (only available in Catalan)
- OneTrust DataGuidance Jurisdiction Overview
EU
Law: The Data Governance Act ('DGA')
Status: Passed
The Council of the European Union announced, on 16 May 2022, that the DGA had been adopted following the Council's approval of the European Parliament's position.
Resources:
EU
Law: Proposal for a Regulation Concerning the Respect for Private Life and the Protection of Personal Data in Electronic Communications and Repealing Directive 2002/58/EC (Regulation on Privacy and Electronic Communications) ('the Draft ePrivacy Regulation')
Status: The Council and the Parliament will now start negotiations on the text.
The Council of the European Union has agreed on a negotiating mandate with the European Parliament. If passed, the ePrivacy Regulation will replace the Directive on Privacy and Electronic Communications (2002/58/EC) (as amended) ('the ePrivacy Directive').
Resources:
EU
Law: Directive (EU) 2019/1937 of 23 October 2019 on the protection of persons who report breaches of Union law
Status: In force. Awaiting Member State implementation
The Directive was published in the EU Official Journal on 16 November 2019 and entered into force on the twentieth day after its publication. Member States must implement Directive into national law by 17 December 2021.
Resources:
EU
Law: Revised Directive on Security of Network and Information Systems ('NIS 2 Directive')
Status: In legislative process
The draft of the Revised NIS Directive was published on 16 December 2020. In particular, the NIS 2 Directive, among other things, adds new sectors based on their critical nature thereby expanding the scope of the current NIS Directive, as well as eliminates the distinction between digital service providers and operators of essential services.
Resources:
EU
Law: Regulation on a framework for Digital Green Certificates to facilitate free movement during the COVID-19 pandemic
Status: Passed
The European Commission announced, on 14 June 2021, that the Regulation on the EU Digital COVID Certificate had been signed into law.
The Regulation will apply for 12 months as of 1 July 2021.
Resources:
EU
Law: Proposal for a Regulation on laying down harmonised rules on artificial intelligence
Status: In legislative process
The European Commission released, on 21 April 2021, its proposal for a regulation on laying down harmonised rules on artificial intelligence ('the Proposed AI Regulation'), a regulation on machinery products ('the Proposed Machinery Products Regulation'), as well as a new Coordinated Plan on AI. In particular, the Commission highlighted that the proposals aim to turn Europe into a global hub for trustworthy AI and that the regulations would apply directly in the same way across all Member States based on a future-proof definition of AI.
Resources:
EU
Law: Proposal for a Regulation on Harmonised Rules on Fair Access to and Use of Data (Data Act)
Status: In legislative process
The European Commission published, on 23 February 2022, its proposal for a Regulation on Harmonised Rules on Fair Access to and Use of Data (Data Act) which includes an explanatory memorandum.
Resources:
Germany
Law: Law on data protection and the protection of privacy in telecommunications and telemedia
Status: Passed
The German Federal Parliament ('Bundestag') passed, on 20 May 2021, the draft law regulating data protection and the protection of privacy in telecommunications and telemedia ('TTDSG'). The TTDSG will enter into force on 1 December 2021.
Resources:
- Legal Text (only available in German)
- OneTrust DataGuidance Jurisdiction Overview
Italy
Law: National Cybersecurity Agency by Law No. 109 of 4 August 2021
Status: In force
Decree No. 82 of 14 June 2021 ('the Decree') was published, on 4 August 2021, in the Official Gazette. Specifically, the Decree contains urgent provisions on cybersecurity, a definition of national cybersecurity architecture, as well as the establishment of the National Cybersecurity Agency by Law No. 109 of 4 August 2021. The law came into effect on 5 August 2021, a day after its publication in the Official Gazette
Resources:
- Legal Text (only available in Italian)
- OneTrust DataGuidance Jurisdiction Overview
Monaco
Law: Data Protection Act No. 3 of 2021
Status: In legislative process
The Monegasque data protection authority ('CCIN') issued, on 28 January 2022, a statement, in commemoration of Data Protection Day, highlighting the bill relating to the protection of personal data recently submitted to the Office of the National Council.
Resources:
- Legal Text (only in French)
- OneTrust DataGuidance Jurisdiction Overview
Switzerland
Law: Revised Federal Act on Data Protection 1992 ('FADP')
Status: Passed and awaiting Council of State approval
The Revised FADP was published in the official gazette on 6 October 2020. The revised FADP broadly seeks alignment with the GDPR, introducing comprehensive provisions for data protection issues.
Resources:
- Legal Text (only available in French)
- OneTrust DataGuidance Jurisdiction Overview
Latin America
Brazil
Law: Law No. 13.709 of 14 August 2018, General Personal Data Protection Law (as amended by Law No. 13.853 of 8 July 2019) ('LGPD')
Status: In force
The LGPD entered into force on 18 September 2020. However, its enforcement provisions entered into force on 1 August 2021.
Resources:
Ecuador
Law: Law for the Protection of Personal Data
Status: Published in Official Registry
The Organic Law on the Protection of Personal Data was published, on 21 May 2021, in the Official Registry. Organisations have two years from the date of publication in the Official Registry to commence their processes of adaptation to the law.
Resources
- Legal text (only available in Spanish)
- OneTrust DataGuidance Jurisdiction Overview
El Salvador
Law: Law on Protection of Personal Data and Habeas Data
Status: Archived
OneTrust DataGuidance confirmed, on 8 June 2021, with Fernando Farrar, Associate at BLP Legal, that Legislative Decree No. 875 for the Law on the Protection of Personal Data and Habeas Data was vetoed, on 7 May 2021, by the President on the grounds of inconvenience. Farrar noted that the Commission of Economy of the Legislative Assembly permanently archived the Law on the Protection of Personal Data and Habeas Data on 20 May 2021.
Resources:
Mexico
Law: Bill to reform the Federal Law on Protection of Personal Data Held by Private Parties
Status: In legislative process
Senator José Alberto Galarza Villaseñor of the Parliamentary Group of the Citizen Movement introduced, on 29 April 2021, a bill to reform and add various provisions to the Federal Law on Protection of Personal Data Held by Private Parties in relation to its territorial scope.
Resources:
- Legal Text (only available in Spanish)
- OneTrust DataGuidance Jurisdictional Overview
Panama
Law: Executive Decree No. 285 of 28 May 2021 that regulates the Law No. 81 on Personal Data Protection
Status: Approved
The National Authority of Transparency and Access to Information ('ANTAI') announced, on 28 May 2021, that the President of the Republic of Panama approved the Executive Decree No. 285 of 28 May 2021 that regulates the Law No. 81 on Personal Data Protection, which establishes principles, rights, obligations, and procedures to regulate the protection of personal data in Panama.
Resources:
- Legal Text (only available in Spanish)
- OneTrust DataGuidance Jurisdictional Overview
Paraguay
Law: Bill on the Protection of Personal Data of the Republic of Paraguay
Status: In legislative process
The Chamber of Deputies announced, on 30 April 2021, the official presentation of the bill on the Protection of Personal Data of the Republic of Paraguay. The bill will be submitted for consideration to the advisory commissions in the Chamber of Deputies.
Resources:
- Legal Text (only available in Spanish)
- OneTrust DataGuidance Jurisdictional Overview
Peru
Law: Bill creating the National Authority for Transparency, Access to Public Information and Protection of Personal Data
Status: In legislative process
The Council of Ministers approved, on 9 June 2021, a bill that creates the National Authority for Transparency, Access to Public Information and Protection of Personal Data.
Resources:
- Legal Text (only available in Spanish)
- OneTrust DataGuidance Jurisdictional Overview
Middle East
DIFC
Law: DIFC Law No. 2 of 2022
Status: In legislative process
The Dubai International Financial Centre ('DIFC') announced, on 8 March 2022, that it had enacted the DIFC Laws Amendment Law, DIFC Law No. 2 of 2022 to incorporate amendments to several DIFC laws, including the DIFC Data Protection Law No. 5 of 2020 ('the Data Protection Law').
Resources:
Oman
Law: Draft law on the protection of personal data of 2021
Status: Enacted
The Ministry of Information ('MoI') announced, on 9 February 2022, that Royal Decree No. 6 of 2022 Promulgating the Law on the Protection of Personal Data ('the Data Protection Law') had been issued by HRH Sultan Haytham, and published in the Official Gazette No. 1429 on 13 February 2022.
The Data Protection Law shall come into force a year from its date of issuance, i.e. 9 February 2023.
Resources:
- Legal Text (only available in Arabic)
- OneTrust DataGuidance Jurisdiction Overview
Israel
Law: Privacy Protection Bill (Amendment No. 14) 5722-2022
Status: In legislative process
On 5 January 2021, the Israeli Parliament laid the Privacy Protection Bill (Amendment No. 14), 5722-2022, amending the Protection of Privacy Law, 5741-1981 on the table for its first reading.
Resources:
- Legal Text (only available in Hebrew)
- OneTrust DataGuidance Jurisdiction Overview
Israel
Law: Privacy Protection Law (Amendment - Reinforcement of the Right to Privacy and its Protection), 2022
Status: In legislative process
OneTrust DataGuidance confirmed, on 3 February 2022, with Dalit Ben-Israel, Partner, Chair of IT and Privacy Practice at Naschitz, Brandes, Amir & Co., that the draft bill for Privacy Protection Law (Amendment - Reinforcement of the Right to Privacy and its Protection), 2022 ('the Bill') had been submitted, on 31 January 2022, to the Parliament.
Resources:
- Legal Text (both only available in Hebrew)
- OneTrust DataGuidance Jurisdiction Overview
Jordan
Law: Draft law on the protection of personal data of 2021
Status: In legislative process
The Prime Minister's Office announced, on 30 December 2021, that the Council of Ministers approved, on 29 December 2021, a draft law on the protection of personal data of 2021.
Resources:
- Legal Text (only available in Arabic)
- OneTrust DataGuidance Jurisdiction Overview
Qatar - Qatar Financial Centre
Law: Data Protection Regulations 2021 and Data Protection Rules 2021 (previously Data Protection Regulations 2005 and Data Protection Rules 2005)
Status: Approved (takes effect 21 May 2022)
The Qatar Financial Centre Authority ('QFCA') issued, on 21 December 2021, the Data Protection Regulations 2021 and the Data Protection Rules 2021, noting that the new regulations will take effect 6 months after their issue date (i.e. 21 May 2022), after which the QFC Data Protection Regulations and Rules of 2005 shall be repealed.
Resources:
Saudi Arabia
Law: Personal Data Protection Law
Status: Passed
The Saudi Authority for Data and Artificial Intelligence announced on Twitter, on 22 March 2022, it had decided to postpone the full enforcement of the Law from its original date, 23 March 2022, to 17 March 2023.
Resources:
- Legal Text (only available in Arabic)
- OneTrust DataGuidance Jurisdiction Overview
UAE - ADGM
Law: Data Protection Regulations 2021
Status: Partially in force
The Abu Dhabi Global Market's Data Protection Regulations 2021 have come into effect for establishments, after a 12-month transition period had begun on 14 February 2021.
Resources:
UAE Federal
Law: Federal Decree-Law No. 45 of 2021 regarding the Protection of Personal Data
Status: Passed
On 28 November 2021, the UAE Cabinet announced that it had enacted Federal Decree-Law No. 45 of 2021 regarding the Protection of Personal Data.
Resources:
USA
California
Law: Additional Regulations under the California Consumer Privacy Act of 2018 ('CCPA')
Status: Approved
The California Attorney General ('AG') announced, on 15 March 2021, the approval of additional regulations to the California Consumer Privacy Act of 2018 ('CCPA') by the Office of Administrative Law, affecting Sections 999.306, 999.315, 999.326, and 999.332 of the CCPA Regulations. In particular, the AG noted that the approved regulations ban 'dark patterns' that delay or obscure the process for opting out of the sale of personal information, and prohibit the burdening of consumers with confusing language or unnecessary steps, such as forcing them to click through multiple screens, or presenting reasons why they should not opt out.
Resources:
California
Law: California Privacy Rights Act of 2020 ('CPRA')
Status: Approved
CPRA was approved on 4 November 2020. In particular, the CPRA amends the California Consumer Privacy Act of 2018 ('CCPA') and require businesses to, among other things, not share a consumer's personal information upon the consumer's request, provide consumers with an opt-out option for having their sensitive personal information, as defined in law, used or disclosed for advertising or marketing, obtain permission before collecting data from consumers who are younger than 16, obtain permission from a parent or guardian before collecting data from consumers who are younger than 13, and correct a consumer's inaccurate personal information upon the consumer's request.
The CPRA will enter into force on 1 January 2023 and would apply only to personal information collected after 1 January 2022.
Resources:
Colorado
Law: Senate Bill ('SB') 21-190 for an Act concerning additional protection of data relating to personal privacy ('CPA')
Status: Waiting for Governor's signature
The Colorado Senate repassed, on 8 June 2021, Senate Bill ('SB') 21-190 for an Act concerning additional protection of data relating to personal privacy, following their consideration of amendments made to SB 21-190 by the Colorado House of Representatives. In particular, SB 21-190 now requires the signature of the Governor, or it can become law without the Governor's signature if not expressly vetoed.
Once enacted, SB 21-190 will go into effect on 1 July 2023.
Resources:
Ohio
Law: HB 376
Status: Introduced
House Bill ('HB') 376 to enact sections 1355.01, 1355.02, 1355.03, 1355.04, 1355.05, 1355.06, 1355.07, 1355.08, and 1355.09 of the Ohio Revised Code to enact the Ohio Personal Privacy Act was introduced to the Ohio House of Representatives, on 12 July 2021, by Representatives Rick Carfagna and Thomas Hall.
Resources:
Puerto Rico
Law: House Bill ('HB') 655 for the Electronic Information Privacy Act
Status: In legislative process
The House Bill ('HB') 655 for the Electronic Information Privacy Act was introduced, on 20 April 2021, to the Puerto Rico House of Representatives.
Resources:
- Legal Text (only available in Spanish)
- OneTrust DataGuidance Jurisdictional Overview
Virginia
Law: House Bill 2307 for the Consumer Data Protection Act ('CDPA')
Status: Passed
House Bill ('HB') 2307 to Amend the Code of Virginia by adding in Title 59.1 a Chapter Numbered 52, Consisting of Sections Numbered 59.1-571 - 59.1-581, relating to the Consumer Data Protection Act ('CDPA'), and its State Senate companion bill 1392 were both signed, on 2 March 2021, by the Virginia State Governor.
The CDPA will enter into effect on 1 January 2023.
Resources:
Wisconsin
Law: 2021 Wisconsin Act 73
Status: Enacted
The Office of the Commissioner of Insurance ('OCI') announced, on 15 July 2021, that Governor Tony Evers had signed Act 73, which creates Chapter 601, Subchapter IX of the Wisconsin Statutes on Insurance Data Security.
Resources:
Utah
Law: Senate Bill ('SB') 227 for the Consumer Privacy Act ('UCPA')
Status: Passed
The Utah State Governor signed, on 24 March 2022, Senate Bill ('SB') 227 for the Consumer Privacy Act ('UCPA'), thereby enacting the legislation.
Resources: