At present, nearly 110 countries have data protection and privacy laws in place. An extensive list and links to Data Protection and Privacy laws of various countries around the globe is provided below*
European Union
GDPR is applicable to Austria, Belgium, Bulgaria, Croatia, Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, Netherlands, Poland, Portugal, Romania, Slovakia, Slovenia, Spain and Sweden.
Apart from GDPR each member states have specific law applicable the list of which is enumerated below:
Austria
Belgium
- The ‘Data Protection Act’ of July 30, 2018
- Act of 3 December 2017 on the creation of the Belgian Data Protection Authority
- Act of 8 August 1983 organizing a National Registry for natural persons as amended by The Belgian law of 25 November 2018
- Belgian Economic Law Code of 28 February 2013
- Belgian Act of 3 August 2012 laying down various provisions as regards the processing of personal data carried out by the Federal Public Service Finance within the framework of its missions (as amended by the Act of 5 September 2018)
- Belgian Act of 21 March 2007 regarding the installation of surveillance camera, as amended by the Act of 21 March 2018
- Act of 5 September 2018 establishing the information security committee and amending various acts regarding the implementation of Regulation (EU) 2016/679
- Act of 13 June 2005 on Electronic Communications
- Act of 13 December 2006 containing various health provisions, as amended by the Act of 5 September 2018
Bulgaria
Croatia
- The act for the Implementation of GDPR came into force on 27 April 2018 repelling the Act on Personal Data Protection
- Act on Healthcare Data and Information came into force on 15 February 2019.
Cyprus
Czech Republic
Denmark
Estonia
- The Personal Data Protection Act of 2003
- Personal Data Protection Act, passed on 12.12.2018
- Public Information Act
- Electronic Communications Act
- Cybersecurity Act
Finland
- Finnish Data Protection Act (1050/2018) (currently available only in Finnish)
- Finnish Act on Electronic Communications Services (917/2014)
- The Finnish Act on the Protection of Privacy in Working Life (759/2004)
France
- Privacy and Electronic Communications 2002/58/EC Regulations of 12 July 2002 (“ePrivacyDirective“)
- Data Protection Act n° 78-17 of 6 January 1978 as modified 12 December 2018 (“Data Protection Act“).
- Decree n° 2005-1309 of 20 October 2005 as modified 1 August 2018
- Law on Confidence in the Digital Economy, 21 June 2004 (“LCEN“)
- Decree no. 2011-219 of 25 February 2011 on the conservation and communication of data identifying any person who has contributed to the creation of online content
- Digital Republic Act no 2016-1321 of 7 October 2016
Germany
- German Federal Data Protection Act of 2018
- Federal Data Protection Act (BDSG)
- Second Data Protection Adaptation and Implementation Act EU
- Draft law on Data Protection in Telecommunications and Tele-media
Greece
- The Processing of Personal Data laws. *
- Law 4624/ 2019 Protection of Personal Data and measures for the implementation of the GDPR
Hungary
- Act LXIII of 1992 on the Protection of Personal Data and the Publicity of Data of Public Interests
- Act No. CXII of 2011 on the Right of Informational Self-Determination and on Freedom of Information
- Act XLVII of 1997 on Processing and Protection of Medical and Other Related Personal Data
- Act C of 2003 on Electronic Communications
Ireland
- Data Protection Act 1988, including a 2003 amendment.
- ePrivacy Regulations 2011 (S.I. 336 of 2011).
- Irish Data Protection Act (DPA) 2018
Italy
- Data Protection Code : Legislative Decree of 30 June 2003
- Legislative Decree 101/2018, 19 September 2018 amending the Decree of 2003
Latvia
Lithuania
- Law on Legal Protection of Personal Data
- Draft law amending Law No I-1374 on legal protection of personal data
Luxembourg
- Law of 2 August 2002 on the Protection of Persons with Regard to the Processing of Personal Data as modified by Law of 27 July,2007
- Luxembourg Data Protection Law of 1 August 2018
Netherlands
- The Dutch Personal Data Protection Act.
- The Dutch GDPR Implementation Act which serves to supplement the GDPR (“UAVG”) of 16 May 2018
- Dutch Telecommunications Act (“Telecommunicatiewet”) of 19 October 1998, implementing the ePrivacy Directive.
Malta
- The right to privacy is considered a fundamental human right, and is protected in part by the Data Protection Act of 2001
- Chapter 586- Data Protection Act
- ACT No. XII of 2021(Amendments to the Data Protection Act)
- Subsidiary Legislation 586.07 (Processing of Personal Data (Education Sector) Regulations
- Subsidiary Legislation 586.10 (‘Processing Of Data Concerning Health for Insurance Purposes Regulations’)
Poland
- Act of the Protection of Personal Data, passed in 1997.
- Act of 10 May 2018 on Personal Data Protection.
- Act of 14 December 2018 on the Protection of Personal Data Processed in Connection with the Prevention and Combating of Crime
Portugal
- Personal Data Protection and Telecommunication Privacy Act
- Portuguese Data Protection Act (Law no. 67/98) which transposed the Data Protection Directive 95/46/EC into law (incoming Portuguese law that will implement the GDPR and replace the Portuguese Data Protection Act)
- Regulation no. 798/2018 that foresees a list of personal data processing activities that must be subject to a Data Protection Impact Assessment (“DPIA”)
- The Portuguese Law No. 58/2019
- The Portuguese Law no 59/2019
Romania
Slovakia
Slovenia
- Personal Data Protection Act (ZVOP-1)
- Personal Information Protection Act (ZVOP-2)
- Law on the protection of personal data in the field of criminal investigation (ZVOPOKD)
Spain
- Organic Law 3/2018, of 5 December, Protection of Personal Data and guarantee of digital rights
- Royal Decree 1720/2007, of 21 December, by which the Regulation of development of the Organic Law 15/1999, of 13 December, of protection of personal data is approved
- Royal Decree-Law 12/2018, of 7 September, on security of networks and information systems
- Law 9/2014, of 9 May, General of Telecommunications
Sweden
Other than European Union
Argentina
- Argentine Personal Data Protection Law No. 25,326
- Argentine Personal Data Protection Regulatory Decree No. 1558/2001
- Argentine International Personal Data Transfer Disposition No. E-60/2016
- Argentine Data Protection Agency Resolution No. 47/2018: Recommended security measures for the processing and retention of personal data in computerized and non-computerized media
Recently, Bill No. MEN-2018-147-APN-PTE has been placed aiming to replace the Act in lines with the GDPR
Australia
Privacy (Commonwealth):
- Privacy Act 1988 (Cth) (“Privacy Act”) (this contains the Australian Privacy Principles(“APPs”))
- [Spam Act 2003 (Cth) (“Spam Act”) (regulates sending of commercial electronic messages)
- Do Not Call Register Act 2006 (Cth) (“DNCR Act”) (regulates telemarketing activities)]
- Online Safety Bill
Privacy (State and Territory — public sector only):
- Information Privacy Act 2014 (ACT)
- Privacy and Personal Information Protection Act 1998 (NSW)
- Information Act 2002 (NT)
- Information Privacy Act 2009 (Qld)
- Personal Information and Protection Act 2004 (Tas)
- Privacy and Data Protection Act 2014 (Vic)
- South Australia (“SA”) and Western Australia (“WA”) have public sector privacy policies/guidelines (e.g., in SA, the PC012 Information Privacy Principles (IPPS). Instructions), although these do not have the force of law.
Health sector-specific (Commonwealth):
Health sector-specific (State / Territory):
- Health Records (Privacy and Access) Act 1997 (ACT)
- Health Records and Information Privacy Act 2002 (NSW)
- Health Records Act 2001 (Vic)
Telecommunications-specific:
- Telecommunications Act 1997 (Cth) (“Telecommunications Act”) (particularly, Part 14 — National Interest Matters and Part 15 – Industry Assistance)
- Telecommunications (Interception and Access) Act 1979 (Cth)
Surveillance (including workplace surveillance):
- Listening Devices Act 1992 (ACT)
- Workplace Privacy Act 2011 (ACT)
- Surveillance Devices Act 2007 (NSW)
- Workplace Surveillance Act 2005 (NSW)
- Surveillance Devices Act 2007 (NT)
- Invasion of Privacy Act 1971 (QLD)
- Surveillance Devices Act 2016 (SA)
- Listening Devices Act 1991 (Tas)
- Surveillance Devices Act 1999 (Vic)
- Surveillance Devices (Workplace Privacy) Act 2006 (Vic) (inserted Part 2A into main Surveillance Devices Act 1999)
- Surveillance Devices Act 1998 (WA)
Security:
- Security of Critical Infrastructure Act 2018 (Cth) (“SOCI Act”)
- Telecommunications and Other Legislation Amendment (Assistance and Access) Act 2018 (Cth) (amends certain of the telecommunications and surveillance laws listed above and other legislation)
Various other laws deal with aspects of national security in Australia, which may have implications for data security, including:
- Australian Security Intelligence Organisation Act 1979 (Cth)
- Crimes Act 1914 (Cth) (e.g., section 3, “terrorism offences”)
- Criminal Code Act 1995 (Cth) (e.g., Divisions 91 and 92, espionage and foreign interference)
- Foreign Influence Transparency Scheme Act 2018 (Cth)
- Intelligence Services Act 2001 (Cth)
- Office of National Intelligence Act 2018 (Cth)
- National Security Legislation Amendment (Espionage and Foreign Interference) Act 2018 (Cth)
Freedom of information (FOI) laws:
- Freedom of Information Act 1982 (Cth)
- Freedom of Information Act 2016 (ACT)
- Government Information (Public Access) Act 2009 (NSW)
- Information Act 2002 (NT)
- Right to Information Act 2009 (QLD)
- Freedom of Information Act 1991 (SA)
- Right to Information Act 2009 (Tas)
- Freedom of Information Act 1982 (Vic)
- Freedom of Information Act 1992 (WA)]
Other:
Bahrain
- Personal Data Protection Law (Data Protection Law) No. 30/18
- Constitution of Bahrain 2002 provides citizens with a right to privacy, including confidentiality relating to postal, telegraphic, telephone and electronic communications *
- Amiri Decree No. 15 of 1976 with respect to the Penal Code, protects individuals’ right to privacy with provisions allowing sanctions against those who disclose information without consent from the concerned person
- Legislative Decree No. 9 of 1984 with respect to Central Population Register, prohibits divulging demographic information and imposes sanctions against those who disclose information without the consent from the concerned person
- Legislative Decree No. 54 of 2018 with respect to Electronic Letters and Transactions, which will come into force on February 1, 2019, protects the confidentiality of electronic records
- Legislative Decree No. 48 of 2002 with respect to Telecommunications, prohibits divulging confidential information
- Decree No. 64 of 2006 with respect to the Central Bank of Bahrain and Financial Institutions Law, contains provisions relating to confidential information and disclosing such information
- Resolution No. 8 of 2009 with respect to Licensees to implement Lawful Access, protects the subscriber’s right to privacy in the telecommunications services domain
- Consumer Protection Guidelines Reference No. CCA/1112/451 (December 29, 2011), contains provisions on consumer privacy relating to personal information and calling patterns
- Law No. 35 of 2012 with respect to Consumer Protection, protects consumer privacy to maintain personal information and keep it from being exploited for other purposes
- Law No. 36 of 2012 with respect to Labour Law in the Private Sector, provides a right to privacy for employee data
- Decree No. 16 of 2014 with respect to the Protection of Information and National Documents, covers the importance of information relating to national security
- The Resolution No. 3 of 2015 with respect to Bulk Messaging protects recipients from unsolicited and solicited messages
- Law No. 60 of 2014 with respect to Information Technology Crimes, mentions the penalties of unlawful taping, capturing or intercepting, by technical means, any non-public transmission of information devices data to, from or within an information technology system.
Belarus
- Law on Protection of Personal Data of May 7, 2021
- Draft of ‘Personal Data Protection Law’ as on 14 May 2021.
- Law on Information Protection No. 455-Z (Information Protection Law)
- Law on Population Register No. 418-Z (Population Register Law).
- Law on Advertising of May 10, 2007 No. 225-Z (the “Advertising Law”)
- Law on Mass Media of July 17, 2008 No. 427 Z (Mass Media Law).
Bolivia
- Bolivian Political Constitution, 7 February 2009
- the Supreme Decree No. 1793, 13 November 2013
- Telecommunications Law No 164, 8 August 2011
- Bolivian Criminal Code, 3 November 1834
- Supreme Decree 28168, 18 May 2005
- Code for Children and Adolescents, 27 October 1999 Law 018, 16 June 2010
- Draft law No.185/2019-2020- the Citizen Law of Privacy and Data Protection in Bolivia currently pending consideration in the Legislative Assembly
Bosnia And Herzegovina
Brazil
- Brazilian Federal Constitution
- Brazilian Civil Code – Law No. 10,406/02
- Brazilian Consumer Protection Code (“CDC”) – Law No. 8,078/90
- Internet Legal Framework – Law No. 12,965/14
- Brazilian Criminal Code – as amended by Law No. 12,737/12
- Interception of Telephone Communication Law – Federal Law 9,296/96
- Complementary Law No. 105/01
- Brazilian Information Access Law– Federal Law No 12,527/11
- Good Payer’s Registry Law – Federal Law No 12,414/11, amended by Complimentary Law No. 166/2019
- General Data Protection Law (LGPD)
British Virgin Islands
- The British Virgin Islands (BVI) has not enacted formal legislation to regulate data protection. However, it is expected that BVI will promulgate data protection legislation in the near future to adapt internationally recognized standards. *
- The British Virgin Islands has enacted new personal data protection legislation in the form of the Data Protection Act, 2021 (the DPA). While the law has been enacted, it is yet to come into force.
- BVI Proceeds of Criminal Conduct Act, 1997
- Anti-Money Laundering Regulations, 2008.
- Computer Misuse and Cyber crime Act, 2014
- The Telecommunications Act (No 10 2006) regulates the BVI telecommunications industry and provides sanctions to protect the confidentiality of personal data.
Burundi
- Burundi does not have a law that specifically regulates personal data protection.
- Law no 1/012 of May 30, 2018 governs the Code of Health Care and Health Services Provision in Burundi, healthcare institutions
- Law No. 1/17 of August 22, 2017 governs banking activities
- Legislative Decree No. 100/153 of June 17, 2013 governs the Regulation of the Control and Taxation System for International Telephone Communications entering Burundi
- Decree-Law No. 100/112 of April 5, 2012 governs the Reorganization and Operation of the Telecommunications Regulatory
- Control Agency ‘ARCT’; Ministerial Ordinance No. 730/1056 of November 7, 2007 governs the interconnection of telecommunications networks and services opened to the public.
Canada
- Federal — Personal Information Protection and Electronic Documents Act, SC 2000, c 5 (“PIPEDA”)
- Alberta — Personal Information Protection Act, SA 2003, c P-6.5 (“Alberta PIPA”)
- British Columbia — Personal Information Protection Act, SBC 2003, c 63 (“BC PIPA”)
- Quebec — Act respecting the protection of personal information in the private sector, CQLR c P-39.1 (“Quebec Act”)
- Digital Charter Implementation Act, 2020 (C-11 Bill)
Cape Verde
- Data Protection Law (Law 133/V/2001)
- Amendment to Law 133/V/2001 by the introduction of Law 121/IX/ 2021 on 17 March, 2021.
- Law 42/VIII/2013 of 17 September for the formulation of National Commission of Data Protection (‘CNPD’).
- Video surveillance law of 2015
Chile
- Act on the Protection of Personal Data, 1998
- Law 19,628/1999– ‘On the protection of private life’, commonly referred to as ‘Personal Data Protection Law’ (hereinafter, the ‘PDPL’)
China
- Personal Information Protection Law of the People’s Republic of China on August 20, 2021
- The Cybersecurity Law
- Civil Code of People’s Republic of China effective as of January 1st 2021
- The Criminal Code, last amended on November 4, 2017
- The Law on Protection of Rights and Interests of Consumers, last amended on March 15, 2014
- The Interpretations of the Supreme People’s Court and the Supreme Procuratorate on Several Issues Concerning Handling of Cases Involving Infringement Upon Personal Information of Citizens
- PRC Encryption Law, 2020
- Second draft of the Personal Information Per Act.
- The Law of the people’s republic of china on the protection of personal information.
- Data Security Law.
Dominican Rebublic
- Section 44 of the Dominican Constitution recognizes citizens’ right to access their personal data stored in public or private databases, as well as their right to information concerning the purpose and use of the same.
- Protection of Personal Data Law No. 172-13
- Sending of Commercial Unsolicited Messages (SPAM)Law No. 310-14
Ethiopia
- 1995 Constitution of the Federal Democratic Republic of Ethiopia
- 2005 Criminal Code of the Federal Democratic Republic of Ethiopia
- 1960 Civil Code Computer
- Crime Proclamation No. 958/2016
- Freedom of the Mass Media and Access to Information Proclamation No. 590/2008
- Mass Media and Access to Information Proclamation No. 590/2008 (as amended by the Media Proclamation No. 1238/2021)
Honduras
- Article 182 of the National Commission
- Article 109, Decree 62-2004 of Law of the Civil Registry
- Article 3.5, Decree 170-2006 of Law for Transparency and for Access to Public Information
- Article 42, Accord 001-2008 of Rulings on the Law for Transparency and for Access to Public Information.
Iceland
- The Data Protection Act of 2000
- Act 90/2018 on Data Protection and Processing of Personal Data (“Data Protection Act”) implementing the GDPR into Icelandic law (only available in Icelandic)
India
- Data Protection Bill, 2021
- The Information Technology Act, 2000 (“IT Act”)
- The Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011 (“Privacy Rules”)
- Information Technology (The Indian Computer Emergency Response Team and Manner of Performing Functions and Duties) Rules, 2013 (“CERT-In Rules”).
Iran
- Sharia law principles
- Personal Data Protection and Safeguarding Draft Act, July 2019
- The Constitution of the Islamic Republic of Iran
- Draft of the Bill on Protection of Data and Privacy in the Cyber Space 2018
- Charter of Citizen’s Rights 2016
- Cyber Crime law 2009
- The Law Concerning Protection of Consumers Rights 2010
- The Law on Publishing and Access to Data 2009
- Stock Market Law 2006
- Electronic Commerce Law (ECL 2004)
- The Law on Facilitation of Competition and Prevention of Monopoly 2004
- The Law on respect for Legitimate Rights and Citizen Rights 2004
- The Law on Establishment of the Ministry of Justice Official Experts 2003
- Press Law 2002
- Criminal Code 1997
- Bylaw Concerning Official Translators 1996
- Criminal Procedures Code 1994
- Direct Taxation Act as amended 1988
- The Law on Statistic Centre of Iran1976
- Civil Liability Code 1960
- The Law on Establishment of Notary Public Offices 1937
- Iranian Bar Association Law 1936
Indonesia
- Law No. 11 of 2008 as amended by Law No. 19 of 2016 on Electronic Information and Transactions (“EIT Law”)
- Government Regulation No. 82 of 2012 on the Implementation of Electronic Systems and Transactions (“GR 82”)
- Minister of Communication and Informatics (“MOCI”) Regulation No. 20 of 2016 on Personal Data Protection in Electronic Systems (“MOCI Regulation 20”) (together, “Data Protection Regulations”)
- Law No. 23 of 2006, as amended by Law No. 24 of 2013 on Demographic Administration
Israel
- The Protection of Privacy Law, 1981 (the “Privacy Law”)
- The Protection of Privacy Regulations (Data Security), 2017 (the “Data Security Regulations”)
- The Protection of Privacy Regulations (Transfer of Information to Databases outside the State’s Boundaries), 2001 (the “Transfer Regulations”)
- Israeli Protection of Privacy Authority (the “PPA”)
Japan
- The Act on Protection of Personal Information, (APPI)
- Amended Act on the Protection of Personal Information
- Basic Policy for protecting Personal Information
- Enforcement Regulation of APPI
- Enforcement Order of APPI
- Guidelines on the Act on Protection of Personal Information
- Supplementary Rules under the Act on the Protection of Personal Information for the Handling of Personal Data Transferred from the EU based on an Adequacy Decision
- Act on the Use of Numbers to Identify a Specific Individual in the Administrative Procedure (Act No. 27 of 2013, as amended)
Kenya
- Constitution of Kenya 2010
- Access to Information Act 2016
- Health Act 2017
- Computer Misuse and Cybercrimes Act 2018
- Kenya’s Consumer Protection Act 2012
- Data Protection Act 2019
- Data Protection (Civil Registration) Regulations, 2020
- Data Protection (Compliance and Enforcement) Regulations, 2021
- Data Protection (Registration of Data Controllers & Data Processors) Regulations, 2021
- Data Protection (General) Regulations, 2021
Kyrgyzstan
Madagascar
- The Data Protection Law No. 2014-038
- Law No. 2/2012 which establishes the legal framework for video surveillance in public spaces
Mauritius
Mexico
- The Federal Law for the Protection of Personal Data
- The Constitution of the United Mexican States
- The Federal Law on the Protection of Personal Data held by Private Parties (“FDPL”) and its Implementing Regulations
- The Privacy Notice Guidelines
- Minimum Guidelines for contracting cloud services
- Guidelines for Processing Biometric Personal Data
- Data Incidents’ (breaches) recommendations
- Binding Corporate Rules Guidelines
- Federal Consumer Protection Law
Morocco
Mozambique
- The Civil Code (Decree-Law no. 47344)
- The Penal Code (Law no 35/2014)
- The Labour Law (Law no 23/2007)
- The Advertisement Code (Decree no 38/2016)
- The Electronic Transactions Law (Law no 3/2017)
Namibia
- Article 13 of the Namibian Constitution recognizes right to privacy as a fundamental human right.
New Zealand
Nigeria
- Constitution of the Federal Republic of Nigeria 1999
- Child Rights Act 2003
- Consumer Code of Practice Regulations 2007
- Consumer Protection Framework 2016
- Credit Reporting Act 2017
- Cybercrimes (Prohibition, Prevention Etc) Act 2015
- Freedom of Information Act, 2011 (FOI Act)
- National Identity Management Commission (NIMC) Act 2007
- National Health Act 2014 (NHA)
- Nigerian Communications Commission (registration of telephone subscribers) Regulation 2011
- Nigeria Data Protection Regulation established under the NITDA Act, 2007
- Federal Competition and Consumer Protection Act, 2018
- Nigeria Data Protection Regulation, 2019
- National Cyber Security Policy and Strategy, 2021
North Macedonia
- Law on Personal Data Protection (Official Gazette of the Republic of Macedonia) effective February 2005, amended March 2014.
- Law on Personal Data Protection 2020 is implemented for the Macedonia’s obligation to align its national legislation with the EU regulatory framework derives from its status as an EU candidate country, whereby the implementation of the EU legislation is mandatory
Norway
- Norwegian Personal Data Act (in Norwegian only)
- EU General Data Protection Regulation Although not being a member of the EU, Norway is a member of the European Economic Area (EEA). The GDPR was incorporated into the EEA agreement and became applicable in Norway. Norway is thus bound by the GDPR in the same manner as EU Member States.
Pakistan
- The Prevention of Electronic Crimes Act, 2016 criminalizes unauthorized: access to information systems or data, copying or transmission of data and use of identity information.
- Personal Data Protection Bill 2020 (‘the bill’)
Panama
- Law 51 of July 22, 2008, as amended by Law 82 of November 9, 2012 (“Law 51”)
- Executive Decree No. 40 of May 19, 2009 (“Decree 40”)
- Executive Decree No. 684 of October 18, 2013 (“Decree 684”)
- Law 81 of March 26th 2019
- Executive Decree No. 285 of May 28th, 2021
Paraguay
- National Constitution
- Law No. 6534 Personal Credit Data Protection Law
- Law No. 5543 of 2015 (‘the Private Information Law’) – 2nd Amendment of the Data Privacy Law
Peru
- Law 29733 – Data Protection Law
- Supreme Decree 003-2013-JUS, which approves Regulation of Law 29733
- Directive on the Security of Information Managed by Personal Data Banks
- Legislative Decree 1353, which creates the National Authority for Transparency and Access to Public Information, and amends Data Protection Law
- Supreme Decree 019-2017-JUS, which amends the Regulation of the Data Protection Law
- Emergency Decree No. 007-2020 which approves the Digital Trust Framework
- Directorial Resolution No. 02-2020-JUS/DGTAIPD the Directive for the Processing of Personal Data by Video Surveillance Systems was published, in order to establish obligations regarding the collection, processing, and storage of personal data obtained through video surveillance systems, as well as security measures related to the implementation of user identification and authentication procedures.
Russia
- Federal Law of 27 July 2006 N 152-FZ On Personal Data
- Federal Law No. 149-FZ of 27 July 2006, on Information, Information Technology and Data Protection
- Federal Law of 24 April 2020 No. 123-FZ
- Code of Administrative Offences
- Federal Law of 30 December 2020 No 519-FZ on Personal Data as amended on 1 March 2021.
- Code of Administrative Offenses Amended on 24 February 2021- Federal Law of 24 February 2021 No. 19-FZ.
Saudi Arabia
- Islamic Law (Shari’ah )
- Law of Civil Affairs
- Banking Control Law
- Banking Consumer Protection Principles
- Regulations for Consumer Credit
- Insurance Market Code of Conduct Regulation
- Insurance Intermediaries Regulation
- Telecommunications Law and Regulations
- Cloud Computing Regulatory Framework
- Anti-Cyber Crime Law
- Personal Data Protection Law
Seychelles
- The Data Protection Act (the ‘Act’) was enacted in 2003 (not yet in force)
Tajikistan
- Personal Data Protection Law, No.1537 of 3 August 2018
- Protection Data Law, No.631 of 15 May 2002
- Informatization Law, No. 40 of 6 August 2001
- Information Law, No.609 of 10 May, 2002
- Regulation on Certification of Information Security Facilities, Attestation of Information Objects and the Procedure for
- Their State Registration, No.404 of 1 October 2004
- The List of Information Security Facilities Subject to State Certification, No.424 of 24 February 2008
Thailand
- The Personal Data Protection Act B.E. (2020)
- Personal Data Protection Act 2019
- The Notification of the National Telecommunications Commission Re: Measures to Protect Telecommunications Users, Data Privacy, Privacy Rights and Freedom of Communications
- The Official Information Act B.E. 2540 (1997)
- The Credit Information Business Act B.E. 2545 (2002)
- The Child Protection Act B.E. 2546 (2003)
- The National Health Act B.E. 2550 (2007)
- The Payment System Act B.E. 2560 (2017)
Trinidad and Tobago
Tunisia
UAE- Abu dhabi
UAE- Dubai
- DIFC Law No 5 of 2012 Data protection Law (THE ENACTMENT NOTICE)
- Data Protection Regulations
- DIFC Law no.5 of 2020
UAE- Dubai Health Care City Free Zone
- Health Data Protection Regulation. No 7 of 2008
UAE- General
- UAE in general has sector-specific data protection provisions in certain laws.
- Article 379 of the UAE Penal Code– This law prohbits a person who by reason of profession or craft is entrusted with a “secret,” from using or disclosing that “secret,” without the consent of the person to whom the secret pertains
- Regulatory Framework for stored values and electronic payment systems (Digital Payment Regulation)- data stored with Payment Service Providors (PSP) can only be made available to the corresponding User, the Central Bank, to other regulatory authorities following prior approval of the Central Bank, or by UAE court order.
- The Constitution(Federal Law 1 of 1971)
- Penal Code (Federal Law 3 of 1987 as amended)
- Cyber Crime Law (Federal Law 5 of 2012 regarding Information Technology Crime Control) (as amended by Federal Law No. 12 of 2016 and Federal Decree Law No. 2 of 2018)
- Regulating Telecommunications (UAE Federal Law by Decree No. 3 of 2003), which includes several implementing regulations/policies enacted by the Telecoms Regulatory Authority (‘TRA’) in respect of data protection of telecoms consumers in the UAE.
- The Cyber Crime Law criminalizes obtaining, possessing, modifying, destroying or disclosing (without authorization) electronic documents or electronic information relating to medical records. The Federal Law No. (2) of 2006 on The Prevention of Information Technology Crimes
- Article 13.5 of TRA Consumer Protection Regulations.
- Federal Decree-Law No. 45 of 2021 regarding the Protection of Personal Data
Ukraine
- Law of Ukraine No. 2297 VI ‘On Personal Data Protection
- Law of Ukraine ‘On Amendments to Certain Laws of Ukraine regarding Improvement of Personal Data Protection System’ No. 383-VII
- The Constitution of Ukraine
- The Civil Code of Ukraine No 435 IV
- Law of Ukraine ‘On Information’ No 2657 XII
- Law of Ukraine ‘On Protection of Information in the Information and Telecommunication Systems’ No. 80/94 VR
- Law of Ukraine ‘On Electronic Commerce’ No 675-VIII
United Kingdom
United States
- The FTC (Federal Trade Commission) regulates business privacy laws.
- US Privacy Act of 1974 which deals with data in government agencies
- Health Insurance Portability and Accountability Act of 1996 (HIPPA), which deals with health-related information
- Children’s Online Privacy Protection Rule (COPPA), which applies to websites that collect data from children under the age of 13.
- GLBA (The Gramm-Leach-Bliley Act) deals with financial institutions to document what information is shared and how it is protected.
- The various states in the US have also formulated their own laws for data protection.
- California Online Privacy Protection Act (CalOPPA), which is the first law in the United States that specifically requires websites to post a Privacy Policy
- California Consumer Privacy Act (CCPA)
- Washington Privacy Act (WPA).
- California Privacy Rights Act (CPRA)
- The Internet of Things (IoT) Cybersecurity Improvement Act of 2020
- Colorado Privacy Act
- Code of Virginia – Chapter 53. Consumer Data Protection Act
- Oklahoma Computer Data Privacy Act of 2022
- Utah Consumer Privacy Act
Uzbekistan
- The Law on Personal Data No. ЗРУ-547 (The Law) (enacted on 2nd July, 2019) and further amended on 16 April 2021.
- Constitution of Uzbekistan
- Law No. 439-II ‘On Principles and Guarantees of Freedom of Information’
- Law No. 560-II ‘On Informatization’
- Law No. 530-II ‘On Bank Secrecy’ under which a bank is prohibited to disclose bank secrecy, and should guarantee its protection
- Law No. 822-I ‘On Telecommunications’ under which all operators and service providers are obliged to ensure the secrecy of communications
- Law No. 265-I ‘On Protection of Citizens’ Health’ under which the medical secrecy is protected
- Law No. 358-II ‘On Insurance Activities’ under which insurance companies should guarantee the confidentiality of information which became available in course of provision of insurance services.
- Law No. ZRU-385 of the Republic of Uzbekistan ‘On E-Commerce’ (new version)
Venezuela
- August 4, 2011, the Constitutional Chamber of the Supreme Court issued Decision N° 1318 May 8, 2012, the Constitutional Chamber of the Supreme Court issued decision No 568
- Decision No. 1318 of the Constitutional Chamber of the Supreme Court issued on August 4, 2011.
- Decision No. 568 of the Constitutional Chamber of the Supreme Court issued on May 8, 2012.
- The Constitution of the Bolivarian Republic of Venezuela published in the Extraordinary Official Gazette No 5.908 dated February 19, 2009
- Law of Informatic Crimes published in the Official Gazette No 37.313 dated October 30, 2001
- Law Protecting the Privacy of Communications published in Official Gazette N° 34.863 dated December 16, 1991
- Law on Data Messages and Electronic Signatures published in the Official Gazette No 37.148 dated February 28, 2001
- Law of Credit, Debit, Prepaid and any other Financial Card or Electronic Payment published in the Official Gazette No 39.021 dated September 22, 2008
- Law for the Protection of Children and Adolescents, published in the Official Gazette No 5.859 dated December 10, 2007
- Law on Banking Sector Institutions published in the Official Gazette No 40.557 dated December 8, 2014
- The InfoLaw, published in the Official Gazette No 40.274 dated October 17, 2013
- The Organic Labor Law published in the Extraordinary Official Gazette No 6.076 dated May 12,2012
- Regulation for the Protection of the Rights of Users in the Provision of Telecommunications Services published in the Official Gazette No 41.533 dated November 27, 2018
Vietnam
- Law No. 91/2015/QH13, adopted by the National Assembly on 24 November 2015 (“Civil Code”)
- Law No. 67/2006/QH11, adopted by the National Assembly on 29 June 2006 (“ITLaw”)
- Law on Cyber Information Security No. 86/2015/QH13, adopted by the NationalAssembly on 19 November 2015 (“LOCIS”)
- Law No. 24/2018/QH14, adopted by the National Assembly on 12 June 2018 (“Law on Cybersecurity”)
- Law No. 59/2010/QH12, adopted by the National Assembly on 17 November 2010 (“Law on Consumer Protection”)
- Law No. 10/2016/QH13 dated 5 April 2016, effective from 1 June 2017 (“Law on Children”).
- Decree No. 72/2013/ND-CP, dated 15 July 2013, on the management, provision and use of internet services and online information, as amended and supplemented by Decree No. 27/2018/ND-CP (“Decree No. 72”)
- Decree No. 52/2013/ND-CP dated May 16, 2013 of the Government on e-commerce
- Draft Decree on Personal Data Protection
- Decree No. 174/2013/ND-CP, dated 13 November 2013, providing penalties for administrative violations pertaining to postal, telecommunication, information technology and radio frequency areas (“Decree No. 174”)
- Draft Decree on Personal Data Protection 2021.
Zimbabwe
- Freedom of Information Act (1/2020)
- Cybersecurity and Data Protection Bill, H.B. 18, 2019
- The Access to Information and Protection of Privacy Act (Chapter 10:247) contains the most provisions on data protection.
- The Courts and Adjudicating Authorities (Publicity Restrictions) Act (Chapter 07:04)
- Census And Statistics Act [Chapter 10:29]
- Banking Act (Chapter 24:20)
- National Registration Act (Chapter 10:17)
- The Interception of Communications Act (Chapter 11:20)
- Revised National Policy for Information Communication Technology (“ICT Policy”)
- Data Protection Act (Chapter 11:12)
*Disclaimer: This general information is provided for reference purpose only. It is informed that laws are subject to frequent updation and each jurisdiction may have additional civil laws and policies in place. Also link to laws provided for certain countries are of unofficial english translation therefore readers are advised to cross-check/ validate the information provided from official sources.
