Global Privacy Laws

Angola

• Data Protection Law No. 22/11
• Electronic Communication and Information Society Services Law No. 23/11
• Protection of Information Systems and Network Law No. 7/11

Back to top

Argentina

• Argentine Personal Data Protection Law No. 25,326
• Argentine Personal Data Protection Regulatory Decree No. 1558/2001
• Argentine International Personal Data Transfer Disposition No. E-60/2016
• Argentine Data Protection Agency Resolution No. 47/2018: Recommended security measures for the processing and retention of personal data in computerized and non-computerized media

Recently, Bill No. MEN-2018-147-APN-PTE has been placed aiming to replace the Act in lines with the GDPR

Back to top

Australia

Privacy (Commonwealth):

• Privacy Act 1988 (Cth) (“Privacy Act”) (this contains the Australian Privacy Principles(“APPs”))
• [Spam Act 2003 (Cth) (“Spam Act”) (regulates sending of commercial electronic messages)
• Do Not Call Register Act 2006 (Cth) (“DNCR Act”) (regulates telemarketing activities)]
• Online Safety Bill

Privacy (State and Territory — public sector only):

• Information Privacy Act 2014 (ACT)
• Privacy and Personal Information Protection Act 1998 (NSW)
• Information Act 2002 (NT)
• Information Privacy Act 2009 (Qld)
• Personal Information and Protection Act 2004 (Tas)
• Privacy and Data Protection Act 2014 (Vic)
• South Australia (“SA”) and Western Australia (“WA”) have public sector privacy policies/guidelines (e.g., in SA, the PC012 Information Privacy Principles (IPPS). Instructions), although these do not have the force of law.

Health sector-specific (Commonwealth):

• Healthcare Identifiers Act 2010 (Cth)
• My Health Records Act 2012 (Cth) (MHR Act)

Health sector-specific (State / Territory):

• Health Records (Privacy and Access) Act 1997 (ACT)
• Health Records and Information Privacy Act 2002 (NSW)
• Health Records Act 2001 (Vic)

Telecommunications-specific:

• Telecommunications Act 1997 (Cth) (“Telecommunications Act”) (particularly, Part 14 — National Interest Matters and Part 15 – Industry Assistance)
• Telecommunications (Interception and Access) Act 1979 (Cth)

Surveillance (including workplace surveillance):

• Listening Devices Act 1992 (ACT)
• Workplace Privacy Act 2011 (ACT)
• Surveillance Devices Act 2007 (NSW)
• Workplace Surveillance Act 2005 (NSW)
• Surveillance Devices Act 2007 (NT)
• Invasion of Privacy Act 1971 (QLD)
• Surveillance Devices Act 2016 (SA)
• Listening Devices Act 1991 (Tas)
• Surveillance Devices Act 1999 (Vic)
• Surveillance Devices (Workplace Privacy) Act 2006 (Vic) (inserted Part 2A into main Surveillance Devices Act 1999)
• Surveillance Devices Act 1998 (WA)

Security:

• Security of Critical Infrastructure Act 2018 (Cth) (“SOCI Act”)
• Telecommunications and Other Legislation Amendment (Assistance and Access) Act 2018 (Cth) (amends certain of the telecommunications and surveillance laws listed above and other legislation)

Various other laws deal with aspects of national security in Australia, which may have implications for data security, including:

• Australian Security Intelligence Organisation Act 1979 (Cth)
• Crimes Act 1914 (Cth) (e.g., section 3, “terrorism offences”)
• Criminal Code Act 1995 (Cth) (e.g., Divisions 91 and 92, espionage and foreign interference)
• Foreign Influence Transparency Scheme Act 2018 (Cth)
• Intelligence Services Act 2001 (Cth)
• Office of National Intelligence Act 2018 (Cth)
• National Security Legislation Amendment (Espionage and Foreign Interference) Act 2018 (Cth)

Freedom of information (FOI) laws:

• Freedom of Information Act 1982 (Cth)
• Freedom of Information Act 2016 (ACT)
• Government Information (Public Access) Act 2009 (NSW)
• Information Act 2002 (NT)
• Right to Information Act 2009 (QLD)
• Freedom of Information Act 1991 (SA)
• Right to Information Act 2009 (Tas)
• Freedom of Information Act 1982 (Vic)
• Freedom of Information Act 1992 (WA)]

Other:

• Data-matching Program (Assistance and Tax) Act 1990 (Cth)
• Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (Cth)
• Anti-Money Laundering and Counter-Terrorism Financing Rules
• Protective Security Policy Framework (PSPF)

Bahrain

• Personal Data Protection Law (Data Protection Law) No. 30/18 *
• Constitution of Bahrain 2002 provides citizens with a right to privacy, including confidentiality relating to postal, telegraphic, telephone and electronic communications *
• Amiri Decree No. 15 of 1976 with respect to the Penal Code, protects individuals’ right to privacy with provisions allowing sanctions against those who disclose information without consent from the concerned person
• Legislative Decree No. 9 of 1984 with respect to Central Population Register, prohibits divulging demographic information and imposes sanctions against those who disclose information without the consent from the concerned person
• Legislative Decree No. 54 of 2018 with respect to Electronic Letters and Transactions, which will come into force on February 1, 2019, protects the confidentiality of electronic records
• Legislative Decree No. 48 of 2002 with respect to Telecommunications, prohibits divulging confidential information
• Decree No. 64 of 2006 with respect to the Central Bank of Bahrain and Financial Institutions Law, contains provisions relating to confidential information and disclosing such information
• Resolution No. 8 of 2009 with respect to Licensees to implement Lawful Access, protects the subscriber’s right to privacy in the telecommunications services domain
• Consumer Protection Guidelines Reference No. CCA/1112/451 (December 29, 2011), contains provisions on consumer privacy relating to personal information and calling patterns
• Law No. 35 of 2012 with respect to Consumer Protection, protects consumer privacy to maintain personal information and keep it from being exploited for other purposes
• Law No. 36 of 2012 with respect to Labour Law in the Private Sector, provides a right to privacy for employee data
• Decree No. 16 of 2014 with respect to the Protection of Information and National Documents, covers the importance of information relating to national security
• The Resolution No. 3 of 2015 with respect to Bulk Messaging protects recipients from unsolicited and solicited messages
• Law No. 60 of 2014 with respect to Information Technology Crimes, mentions the penalties of unlawful taping, capturing or intercepting, by technical means, any non-public transmission of information devices data to, from or within an information technology system.

Belarus

• Draft of ‘Personal Data Protection Law’ as on 14 May 2021.
• Law on Information Protection No. 455-Z (Information Protection Law)
• Law on Population Register No. 418-Z (Population Register Law).
• Law on Advertising of May 10, 2007 No. 225-Z (the “Advertising Law”)
• Law on Mass Media of July 17, 2008 No. 427 Z (Mass Media Law).

Bermuda

• Personal Information Protection Act 2016 (PIPA).
• Electronic Transactions Act 1999

Bolivia

• Bolivian Political Constitution, 7 February 2009
• the Supreme Decree No. 1793, 13 November 2013
• Telecommunications Law No 164, 8 August 2011
• Bolivian Criminal Code, 3 November 1834
• Supreme Decree 28168, 18 May 2005
• Code for Children and Adolescents, 27 October 1999 Law 018, 16 June 2010
• Draft law No.185/2019-2020- the Citizen Law of Privacy and Data Protection in Bolivia currently pending consideration in the Legislative Assembly

Bosnia And Herzegovina

• The Law on Protection of Personal Data (‘Official Gazette of BIH’) nos. 49/06

Brazil

• Brazilian Federal Constitution
• Brazilian Civil Code – Law No. 10,406/02
• Brazilian Consumer Protection Code (“CDC”) – Law No. 8,078/90
• Internet Legal Framework – Law No. 12,965/14
• Brazilian Criminal Code – as amended by Law No. 12,737/12
• Interception of Telephone Communication Law – Federal Law 9,296/96
• Complementary Law No. 105/01
• Brazilian Information Access Law– Federal Law No 12,527/11
• Good Payer’s Registry Law – Federal Law No 12,414/11, amended by Complimentary Law No. 166/2019
• General Data Protection Law (LGPD)

British Virgin Islands

• The British Virgin Islands (BVI) has not enacted formal legislation to regulate data protection. However, it is expected that BVI will promulgate data protection legislation in the near future to adapt internationally recognized standards. *
• The British Virgin Islands has enacted new personal data protection legislation in the form of the Data Protection Act, 2021 (the DPA). While the law has been enacted, it is yet to come into force.
• BVI Proceeds of Criminal Conduct Act, 1997
• Anti-Money Laundering Regulations, 2008.
• Computer Misuse and Cyber crime Act, 2014
• The Telecommunications Act (No 10 2006) regulates the BVI telecommunications industry and provides sanctions to protect the confidentiality of personal data.

Burundi

• Burundi does not have a law that specifically regulates personal data protection.
• Law no 1/012 of May 30, 2018 governs the Code of Health Care and Health Services Provision in Burundi, healthcare institutions
• Law No. 1/17 of August 22, 2017 governs banking activities
• Legislative Decree No. 100/153 of June 17, 2013 governs the Regulation of the Control and Taxation System for International Telephone Communications entering Burundi
• Decree-Law No. 100/112 of April 5, 2012 governs the Reorganization and Operation of the Telecommunications Regulatory
• Control Agency ‘ARCT’; Ministerial Ordinance No. 730/1056 of November 7, 2007 governs the interconnection of telecommunications networks and services opened to the public.

Canada

• Federal — Personal Information Protection and Electronic Documents Act, SC 2000, c 5 (“PIPEDA”)
• Alberta — Personal Information Protection Act, SA 2003, c P-6.5 (“Alberta PIPA”)
• British Columbia — Personal Information Protection Act, SBC 2003, c 63 (“BC PIPA”)
• Quebec — Act respecting the protection of personal information in the private sector, CQLR c P-39.1 (“Quebec Act”)
• Digital Charter Implementation Act, 2020 (C-11  Bill)

Cape Verde

• Data Protection Law (Law 133/V/2001)
• Amendment to Law 133/V/2001 by the introduction of Law 121/IX/ 2021 on 17 March, 2021.
• Law 42/VIII/2013 of 17 September for the formulation of National Commission of Data Protection (‘CNPD’).
• Video surveillance law of 2015

Cayman Islands

• Data Protection Act (2021 Revision)
• 2017 Data Protection Law (Law)
• 2016 Confidential Information Disclosure Law

Chile

• Act on the Protection of Personal Data, 1998
• Law 19,628/1999– ‘On the protection of private life’, commonly referred to as ‘Personal Data Protection Law’ (hereinafter, the ‘PDPL’)

China

• The Cybersecurity Law
• Civil Code of People’s republic of china effective as of January 1st 2021
• The Criminal Code, last amended on November 4, 2017
• The Law on Protection of Rights and Interests of Consumers, last amended on March 15, 2014
• The Interpretations of the Supreme People’s Court and the Supreme Procuratorate on Several Issues Concerning Handling of Cases Involving Infringement Upon Personal Information of Citizens
• PRC Encryption Law, 2020
• ‘Draft Data Security Law’ of people’s republic of china which was open for public comment
• ‘the Draft Personal Information Law’
• Second draft of the Personal Information PerAct.

Colombia

• Regulatory Decree 1377/ 2013
• Law No. 1581 of 2012
• External Circular No. 002 of 2015
• External Circular No. 007 of 2018

Costa Rica

• Law No. 7975, the Undisclosed Information Law
• Law No. 8968, Protection in the Handling of the Personal Data of Individuals *

Dominican Rebublic

• Section 44 of the Dominican Constitution recognizes citizens’ right to access their personal data stored in public or private databases, as well as their right to information concerning the purpose and use of the same.
• Protection of Personal Data Law No. 172-13
• Sending of Commercial Unsolicited Messages (SPAM)Law No. 310-14

Egypt

• 151 of 2020- the Data Protection Law

Ethiopia

• 1995 Constitution of the Federal Democratic Republic of Ethiopia
• 2005 Criminal Code of the Federal Democratic Republic of Ethiopia
• 1960 Civil Code Computer
• Crime Proclamation No. 958/2016
• Freedom of the Mass Media and Access to Information Proclamation No. 590/2008.

Ghana

• Data Protection Act, 2012 (Act 843) (‘Act’).

Gibraltar

• EU data Protection directive 95/46 EC in 2006
• The Data Protection Act 2004 (‘Act’)

Guernsey

• Data Protection (Bailiwick of Guernsey) Law 2017 (DPL 2017)
• Data Protection (Commencement, Amendment and Transitional) (Bailiwick of Guernsey) Ordinance, 2018 (DP Ordinance)

Honduras

• Article 182 of the National Commission
• Article 109, Decree 62-2004 of Law of the Civil Registry
• Article 3.5, Decree 170-2006 of Law for Transparency and for Access to Public Information
• Article 42, Accord 001-2008 of Rulings on the Law for Transparency and for Access to Public Information.

Hong Kong

• Personal Data (Privacy) Ordinance (Chapter 486 of Laws of Hong Kong) (“PDPO”)

Iceland

• The Data Protection Act of 2000
• Act 90/2018 on Data Protection and Processing of Personal Data (“Data Protection Act”) implementing the GDPR into Icelandic law (only available in Icelandic)

India

• The Information Technology Act, 2000 (“IT Act”)
• The Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011 (“Privacy Rules”)
• Information Technology (The Indian Computer Emergency Response Team and Manner of Performing Functions and Duties) Rules, 2013 (“CERT-In Rules”)
• In lines with GDPR, India is soon to adopt The Personal Data Protection Bill, 2019.

Iran

• Sharia law principles
• Personal Data Protection and Safeguarding Draft Act, July 2019
• The Constitution of the Islamic Republic of Iran
• Draft of the Bill on Protection of Data and Privacy in the Cyber Space 2018
• Charter of Citizen’s Rights 2016
• Cyber Crime law 2009
• The Law Concerning Protection of Consumers Rights 2010
• The Law on Publishing and Access to Data 2009
• Stock Market Law 2006
• Electronic Commerce Law (ECL 2004)
• The Law on Facilitation of Competition and Prevention of Monopoly 2004
• The Law on respect for Legitimate Rights and Citizen Rights 2004
• The Law on Establishment of the Ministry of Justice Official Experts 2003
• Press Law 2002
• Criminal Code 1997
• Bylaw Concerning Official Translators 1996
• Criminal Procedures Code 1994
• Direct Taxation Act as amended 1988
• The Law on Statistic Centre of Iran1976
• Civil Liability Code 1960
• The Law on Establishment of Notary Public Offices 1937
• Iranian Bar Association Law 1936

Indonesia

• Law No. 11 of 2008 as amended by Law No. 19 of 2016 on Electronic Information and Transactions (“EIT Law”)
• Government Regulation No. 82 of 2012 on the Implementation of Electronic Systems and Transactions (“GR 82”)
• Minister of Communication and Informatics (“MOCI”) Regulation No. 20 of 2016 on Personal Data Protection in Electronic Systems (“MOCI Regulation 20”) (together, “Data Protection Regulations”)
• Law No. 23 of 2006, as amended by Law No. 24 of 2013 on Demographic Administration

Israel

• The Protection of Privacy Law, 1981 (the “Privacy Law”)
• The Protection of Privacy Regulations (Data Security), 2017 (the “Data Security Regulations”)
• The Protection of Privacy Regulations (Transfer of Information to Databases outside the State’s Boundaries), 2001 (the “Transfer Regulations”)
• Israeli Protection of Privacy Authority (the “PPA”)

Japan

• The Act on Protection of Personal Information, (APPI)
• Amended Act on the Protection of Personal Information
• Basic Policy for protecting Personal Information
• Enforcement Regulation of APPI
• Enforcement Order of APPI
• Guidelines on the Act on Protection of Personal Information
• Supplementary Rules under the Act on the Protection of Personal Information for the Handling of Personal Data Transferred from the EU based on an Adequacy Decision
• Act on the Use of Numbers to Identify a Specific Individual in the Administrative Procedure (Act No. 27 of 2013, as amended)

Jersey

• Data Protection (Jersey) Law, 2018
• Data Protection Authority (Jersey) Law, 2018

Kazakhstan

• ‘On Personal Data and Its Protection’ (the ‘Law’).

Kenya

• Constitution of Kenya 2010
• Access to Information Act 2016
• Health Act 2017
• Computer Misuse and Cybercrimes Act 2018
• Kenya’s Consumer Protection Act 2012
• Data Protection (Civil Registration) Regulations, 2020.
• Data Protection Act 2019

Kuwait

• Law No. 20 of 2014 (the E-Commerce Law)*

Kyrgyzstan

• The Law on Personal Data No.58

Lesotho

• Constitution of the Kingdom of Lesotho.
• Data Protection Act 2011 (the DP Act).

Macau

• Macau personal data protection Law no. 8/2005

Madagascar

• The Data Protection Law No. 2014-038
• Law No. 2/2012 which establishes the legal framework for video surveillance in public spaces

Malaysia

• Personal Data Protection Act 2010
• Personal Data Protection Regulations 2013
• Personal Data Protection Standard 2015
• Personal Data Protection (Compounding of Offences) Regulations 2016
• Personal Data Protection (Class of Data Users) (Amendment) Order 2016

Mauritius

• Data Protection Act (DPA) 2017
• Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data (1981) as amended on 4 September 2020

Mexico

• The Federal Law for the Protection of Personal Data
• The Constitution of the United Mexican States
• The Federal Law on the Protection of Personal Data held by Private Parties (“FDPL”) and its Implementing Regulations
• The Privacy Notice Guidelines
• Minimum Guidelines for contracting cloud services
• Guidelines for Processing Biometric Personal Data
• Data Incidents’ (breaches) recommendations
• Binding Corporate Rules Guidelines
• Federal Consumer Protection Law

Monaco

• Data Protection Law no 1.165
• Law no 1.353 of December 4, 2008
• Law no 1.462 of June 28, 2018

Montenegro

• Official Journal of Montenegro No 79/2008
• Official Journal of Montenegro No 70/2009
• Official Journal of Montenegro No 44/2012
• Official Journal of Montenegro No 22/2017

Morocco

• Data Protection Act 

Mozambique

• The Civil Code (Decree-Law no. 47344)
• The Penal Code (Law no 35/2014)
• The Labour Law (Law no 23/2007)
• The Advertisement Code (Decree no 38/2016)
• The Electronic Transactions Law (Law no 3/2017)

Namibia

• Article 13 of the Namibian Constitution recognizes right to privacy as a fundamental human right.

New Zealand

• Privacy Act of 2020

Nigeria

• Constitution of the Federal Republic of Nigeria 1999
• Child Rights Act 2003
• Consumer Code of Practice Regulations 2007
• Consumer Protection Framework 2016
• Credit Reporting Act 2017
• Cybercrimes (Prohibition, Prevention Etc) Act 2015
• Freedom of Information Act, 2011 (FOI Act)
• National Identity Management Commission (NIMC) Act 2007
• National Health Act 2014 (NHA)
• Nigerian Communications Commission (registration of telephone subscribers) Regulation 2011
• Nigeria Data Protection Regulation established under the NITDA Act, 2007
• Federal Competition and Consumer Protection Act, 2018
• Nigeria Data Protection Regulation, 2019
• National Cyber Security Policy and Strategy, 2021

North Macedonia

• Law on Personal Data Protection (Official Gazette of the Republic of Macedonia) effective February 2005, amended March 2014.
• Law on Personal Data Protection 2020 is implemented for the Macedonia’s obligation to align its national legislation with the EU regulatory framework derives from its status as an EU candidate country, whereby the implementation of the EU legislation is mandatory

Norway 

• Norwegian Personal Data Act (in Norwegian only)
• EU General Data Protection Regulation Although not being a member of the EU, Norway is a member of the European Economic Area (EEA). The GDPR was incorporated into the EEA agreement and became applicable in Norway. Norway is thus bound by the GDPR in the same manner as EU Member States.

Pakistan

• The Prevention of Electronic Crimes Act, 2016 criminalizes unauthorized: access to information systems or data, copying or transmission of data and use of identity information.
• Personal Data Protection Bill 2020 (‘the bill’)

Panama

• Law 51 of July 22, 2008, as amended by Law 82 of November 9, 2012 (“Law 51”)
• Executive Decree No. 40 of May 19, 2009 (“Decree 40”)
• Executive Decree No. 684 of October 18, 2013 (“Decree 684”)
• Law 81 of March 26th 2019

Paraguay

• National Constitution
• Law No. 6534 Personal Credit Data Protection Law
• Law No. 5543 of 2015 (‘the Private Information Law’) – 2nd Amendment of the Data Privacy Law

Peru

• Law 29733 – Data Protection Law
• Supreme Decree 003-2013-JUS, which approves Regulation of Law 29733
• Directive on the Security of Information Managed by Personal Data Banks
• Legislative Decree 1353, which creates the National Authority for Transparency and Access to Public Information, and amends Data Protection Law
• Supreme Decree 019-2017-JUS, which amends the Regulation of the Data Protection Law
• Emergency Decree No. 007-2020 which approves the Digital Trust Framework
• Directorial Resolution No. 02-2020-JUS/DGTAIPD the Directive for the Processing of Personal Data by Video Surveillance Systems was published, in order to establish obligations regarding the collection, processing, and storage of personal data obtained through video surveillance systems, as well as security measures related to the implementation of user identification and authentication procedures.

Philippines

• Under the Republic Act No. 10173; The Data Privacy Act of 2012
• Implementing Rules and Regulations of the Data Privacy Act
• National Privacy Commission Circulars
• National Privacy Commission Advisories

Qatar

• Law No. (13) of 2016 Concerning Personal Data Protection (“the Data Protection Law”).
• QFC Regulation No. 6 of 2005 on QFC Data Protection Regulations (DPL).
• Data Protection Rules 2005 (DPR).

Russia

• Federal Law of 27 July 2006 N 152-FZ On Personal Data
• Federal Law No. 149-FZ of 27 July 2006, on Information, Information Technology and Data Protection
• Federal Law of 24 April 2020 No. 123-FZ
• Code of Administrative Offences
• Federal Law of 30 December 2020 No 519-FZ on Personal Data as amended on 1 March 2021.
• Code of Administrative Offenses Amended on 24 February 2021- Federal Law of 24 February 2021 No. 19-FZ.

Saudi Arabia

• Islamic Law (Shari’ah )
• Law of Civil Affairs
• Banking Control Law
• Banking Consumer Protection Principles
• Regulations for Consumer Credit
• Insurance Market Code of Conduct Regulation
• Insurance Intermediaries Regulation
• Telecommunications Law and Regulations
• Cloud Computing Regulatory Framework
• Anti-Cyber Crime Law

Serbia

• The Personal Data Protection Law (Enacted on 21st August 2019)

Seychelles

• The Data Protection Act (the ‘Act’) was enacted in 2003 (not yet in force)

Singapore

• The Personal Data Protection Act 2012 (No. 26 of 2012) (“PDPA”)

South Africa

• Electronic Communications and Transactions Act 
• The Protection of Personal Information Act, 2013 (POPIA)
• Proclamation No. R21 of 2020 on the Commencement of Certain Sections of the Protection of Personal Information Act, 2013 (Act No. 4 of 2013)
• Cyber Crimes Act 19 of 2020.

South Korea

• The Act on Promotion of Information and Communications Network Utilization and Data Protection
• The Framework Act on Telecommunications 
• Personal Information Protection Act 2011 (as amended in 2020)
• Amendments of 2020 to the PIPA 2011.

Switzerland

• Federal Act on Data Protection (“FADP”) of 19 June 1992
• Ordinance to the Federal Act on Data Protection of 14 June 1993
• The revised FDPA

Taiwan

• The Computer-Processed Personal Data Protection Law
• Enforcement Rules of the Personal Data Protection Act 2016

Tajikistan

• Personal Data Protection Law, No.1537 of 3 August 2018
• Protection Data Law, No.631 of 15 May 2002
• Informatization Law, No. 40 of 6 August 2001
• Information Law, No.609 of 10 May, 2002
• Regulation on Certification of Information Security Facilities, Attestation of Information Objects and the Procedure for
• Their State Registration, No.404 of 1 October 2004
• The List of Information Security Facilities Subject to State Certification, No.424 of 24 February 2008

Thailand

• The Personal Data Protection Act B.E. (2020)
• Personal Data Protection Act 2019
• The Notification of the National Telecommunications Commission Re: Measures to Protect Telecommunications Users, Data Privacy, Privacy Rights and Freedom of Communications
• The Official Information Act B.E. 2540 (1997)
• The Credit Information Business Act B.E. 2545 (2002)
• The Child Protection Act B.E. 2546 (2003)
• The National Health Act B.E. 2550 (2007)
• The Payment System Act B.E. 2560 (2017)

Trinidad and Tobago

• The Data Protection Act, 2011 partially enacted on January 6, 2012.

Tunisia

• Protection of Personal Data (Law No 2004-63)
• Articles 56, 61 and 75 of the Organic Law no 2015-26
• The Electronic Exchanges and Electronic Commerce Law No 2000-83

Turkey

• Law No. 6698 on the Protection of Personal Data (the “Data Protection Law”)
• The Regulation on data controllers registry
• The Regulation on Deletion, Destruction or Anonymization of Personal Data

Turkmenistan

• The Law of Turkmenistan No.519-V ‘On Information about Private Life and its Protection’ (the ‘Data Protection Law’)

UAE- Abu dhabi

• Data Protection (Amendment) Regulation 2018.
• Data Protection Regulation 2021

UAE- Dubai

• DIFC Law No 5 of 2012 Data protection Law (THE ENACTMENT NOTICE)
• Data Protection Regulations
• DIFC Law no.5 of 2020

UAE- Dubai Health Care City Free Zone

• Health Data Protection Regulation. No 7 of 2008

UAE- General

• UAE in general has sector-specific data protection provisions in certain laws.
• Article 379 of the UAE Penal Code– This law prohbits a person who by reason of profession or craft is entrusted with a “secret,” from using or disclosing that “secret,” without the consent of the person to whom the secret pertains
• Regulatory Framework for stored values and electronic payment systems (Digital Payment Regulation)- data stored with Payment Service Providors (PSP) can only be made available to the corresponding User, the Central Bank, to other regulatory authorities following prior approval of the Central Bank, or by UAE court order.
• The Constitution(Federal Law 1 of 1971)
• Penal Code (Federal Law 3 of 1987 as amended)
• Cyber Crime Law (Federal Law 5 of 2012 regarding Information Technology Crime Control) (as amended by Federal Law No. 12 of 2016 and Federal Decree Law No. 2 of 2018)
• Regulating Telecommunications (UAE Federal Law by Decree No. 3 of 2003), which includes several implementing regulations/policies enacted by the Telecoms Regulatory Authority (‘TRA’) in respect of data protection of telecoms consumers in the UAE.
• The Cyber Crime Law criminalizes obtaining, possessing, modifying, destroying or disclosing (without authorization) electronic documents or electronic information relating to medical records. The Federal Law No. (2) of 2006 on The Prevention of Information Technology Crimes
• Article 13.5 of TRA Consumer Protection Regulations.

Uganda

• Data protection act 2019
• Article 27 of the Constitution of the Republic of Uganda.
• The Access to Information Act, 2005
• The Regulation of Interception of Communications Act, 2010
• Computer Misuse Act, 2010
• Registration of persons act , 2015

Ukraine

• Law of Ukraine No. 2297 VI ‘On Personal Data Protection
• Law of Ukraine ‘On Amendments to Certain Laws of Ukraine regarding Improvement of Personal Data Protection System’ No. 383-VII
• The Constitution of Ukraine
• The Civil Code of Ukraine No 435 IV
• Law of Ukraine ‘On Information’ No 2657 XII
• Law of Ukraine ‘On Protection of Information in the Information and Telecommunication Systems’ No. 80/94 VR
• Law of Ukraine ‘On Electronic Commerce’ No 675-VIII

United Kingdom

• UK Data Protection Act 2018 (“DPA 2018”)

United States

• The FTC (Federal Trade Commission) regulates business privacy laws.
• US Privacy Act of 1974 which deals with data in government agencies
• Health Insurance Portability and Accountability Act of 1996 (HIPPA), which deals with health-related information
• Children’s Online Privacy Protection Rule (COPPA), which applies to websites that collect data from children under the age of 13.
• GLBA (The Gramm-Leach-Bliley Act) deals with financial institutions to document what information is shared and how it is protected.
• The various states in the US have also formulated their own laws for data protection.
• California Online Privacy Protection Act (CalOPPA), which is the first law in the United States that specifically requires websites to post a Privacy Policy
• California Consumer Privacy Act (CCPA)
• Washington Privacy Act (WPA).
• California Privacy Rights Act (CPRA)
• The Internet of Things (IoT) Cybersecurity Improvement Act of 2020
• Colorado Privacy Act

Uruguay

• Law No 18,331 (Law on the Protection of Personal Data and Habeas Data Action and its decree Decreto No 414/009
• Law No 19,670 (Accountability Act and Balancing of Budget Execution of the Exercise 2017)
• Decree 64/2020

Uzbekistan

• The Law on Personal Data No. ЗРУ-547 (The Law) (enacted on 2nd July, 2019) and further amended on 16 April 2021.
• Constitution of Uzbekistan
• Law No. 439-II ‘On Principles and Guarantees of Freedom of Information’
• Law No. 560-II ‘On Informatization’
• Law No. 530-II ‘On Bank Secrecy’ under which a bank is prohibited to disclose bank secrecy, and should guarantee its protection
• Law No. 822-I ‘On Telecommunications’ under which all operators and service providers are obliged to ensure the secrecy of communications
• Law No. 265-I ‘On Protection of Citizens’ Health’ under which the medical secrecy is protected
• Law No. 358-II ‘On Insurance Activities’ under which insurance companies should guarantee the confidentiality of information which became available in course of provision of insurance services.
• Law No. ZRU-385 of the Republic of Uzbekistan ‘On E-Commerce’ (new version)

Venezuela

• August 4, 2011, the Constitutional Chamber of the Supreme Court issued Decision N° 1318 May 8, 2012, the Constitutional Chamber of the Supreme Court issued decision No 568
• Decision No. 1318 of the Constitutional Chamber of the Supreme Court issued on August 4, 2011.
• Decision No. 568 of the Constitutional Chamber of the Supreme Court issued on May 8, 2012.
• The Constitution of the Bolivarian Republic of Venezuela published in the Extraordinary Official Gazette No 5.908 dated February 19, 2009
• Law of Informatic Crimes published in the Official Gazette No 37.313 dated October 30, 2001
• Law Protecting the Privacy of Communications published in Official Gazette N° 34.863 dated December 16, 1991
• Law on Data Messages and Electronic Signatures published in the Official Gazette No 37.148 dated February 28, 2001
• Law of Credit, Debit, Prepaid and any other Financial Card or Electronic Payment published in the Official Gazette No 39.021 dated September 22, 2008
• Law for the Protection of Children and Adolescents, published in the Official Gazette No 5.859 dated December 10, 2007
• Law on Banking Sector Institutions published in the Official Gazette No 40.557 dated December 8, 2014
• The InfoLaw, published in the Official Gazette No 40.274 dated October 17, 2013
• The Organic Labor Law published in the Extraordinary Official Gazette No 6.076 dated May 12,2012
• Regulation for the Protection of the Rights of Users in the Provision of Telecommunications Services published in the Official Gazette No 41.533 dated November 27, 2018

Vietnam

• Law No. 91/2015/QH13, adopted by the National Assembly on 24 November 2015 (“Civil Code”)
• Law No. 67/2006/QH11, adopted by the National Assembly on 29 June 2006 (“ITLaw”)
• Law on Cyber Information Security No. 86/2015/QH13, adopted by the NationalAssembly on 19 November 2015 (“LOCIS”)
• Law No. 24/2018/QH14, adopted by the National Assembly on 12 June 2018 (“Law on Cybersecurity”)
• Law No. 59/2010/QH12, adopted by the National Assembly on 17 November 2010 (“Law on Consumer Protection”)
• Law No. 10/2016/QH13 dated 5 April 2016, effective from 1 June 2017 (“Law on Children”).
• Decree No. 72/2013/ND-CP, dated 15 July 2013, on the management, provision and use of internet services and online information, as amended and supplemented by Decree No. 27/2018/ND-CP (“Decree No. 72”)
• Decree No. 52/2013/ND-CP dated May 16, 2013 of the Government on e-commerce
• Draft Decree on Personal Data Protection
• Decree No. 174/2013/ND-CP, dated 13 November 2013, providing penalties for administrative violations pertaining to postal, telecommunication, information technology and radio frequency areas (“Decree No. 174”)
• Draft Decree on Personal Data Protection 2021.

Zambia

• Electronic Communications and Transactions Act No. 4 of 2021 (‘the ECT Act’)
• The Data Protection Act No 3 of 2021 (‘the data protection act’)
• The Cyber Securities and Cyber crimes Act No 2 of 2021 (‘the CSSC Act’)
• Information and Communications Technologies Act No. 15 of 2009

Zimbabwe

• Freedom of Information Act (1/2020)
• Cybersecurity and Data Protection Bill, H.B. 18, 2019
• The Access to Information and Protection of Privacy Act (Chapter 10:247) contains the most provisions on data protection.
• The Courts and Adjudicating Authorities (Publicity Restrictions) Act (Chapter 07:04)
• Census And Statistics Act [Chapter 10:29]
• Banking Act (Chapter 24:20)
• National Registration Act (Chapter 10:17)
• The Interception of Communications Act (Chapter 11:20).
• Revised National Policy for Information Communication Technology (“ICT Policy”).