World Data Privacy Laws: A Country-by-Country Guide
Data privacy regulation has gone global. Over 140 countries have enacted data protection legislation, with the EU's General Data Protection Regulation (GDPR) setting the standard since 2018. This guide covers data privacy and data protection laws across 70+ countries, from the GDPR to Brazil's LGPD, China's PIPL, India's DPDP Act, and dozens of national frameworks worldwide.
The Global Data Protection Landscape
Data protection frameworks fall along a spectrum. At one end, EU and EEA countries enforce the world's most comprehensive regime through GDPR. At the other, some nations lack any formal data protection legislation. Between these extremes lie countries with comprehensive national laws modeled on GDPR (Brazil, Japan, South Korea), sectoral approaches (the United States), and developing frameworks still building enforcement capacity.
The GDPR Standard
The General Data Protection Regulation (Regulation 2016/679) has become the de facto global benchmark for data protection. Effective since May 25, 2018, it applies directly in all 27 EU member states and extends to Iceland, Liechtenstein, and Norway through the EEA Agreement.
GDPR rests on seven principles: lawfulness, fairness, and transparency; purpose limitation; data minimization; accuracy; storage limitation; integrity and confidentiality; and accountability. It grants data subjects eight rights including access, rectification, erasure ("right to be forgotten"), data portability, and the right to object to automated decision-making.
Enforcement has been substantial. Total GDPR fines have exceeded EUR 7 billion since 2018, with Ireland's Data Protection Commission, France's CNIL, and Germany's state DPAs among the most active enforcers. The regulation's extraterritorial reach means any organization worldwide that processes EU residents' data must comply.
GDPR has directly influenced new data protection laws in Brazil, Japan, South Korea, India, Thailand, Indonesia, South Africa, and dozens of other countries. When legislators draft new privacy frameworks, GDPR is almost invariably the starting reference point.
Major Data Protection Frameworks by Region
Europe
All 30 EU/EEA countries enforce GDPR directly, though each has national implementing legislation that fills gaps the regulation leaves to member states (employee data, health research, media exemptions). Germany supplements GDPR with the BDSG and 16 state-level data protection authorities. France's CNIL has been particularly aggressive on cookie enforcement. Ireland's DPC serves as lead supervisory authority for Meta, Google, Apple, TikTok, and Microsoft due to their European headquarters locations.
Outside the EU, the United Kingdom maintains the UK GDPR post-Brexit with its own adequacy arrangement. Switzerland overhauled its law entirely with the nFADP effective September 2023, uniquely imposing criminal penalties on individuals rather than organizations. Turkey's KVKK has been in effect since 2016 but lacks EU adequacy.
Asia-Pacific
The Asia-Pacific region contains some of the world's most significant data protection laws. China's PIPL (2021) covers 1.4 billion people and imposes penalties up to 5% of annual revenue with strict data localization requirements. Japan's APPI has EU adequacy and was significantly amended in 2022. South Korea's PIPA is one of the world's strictest, with EU adequacy since 2021.
India's DPDP Act (2023) represents the largest population newly covered by a comprehensive data protection law, though implementing rules are still being finalized. Australia, Singapore, Thailand, and Indonesia all have comprehensive frameworks.
Americas
Brazil's LGPD (2018, effective 2020) is Latin America's most significant data protection law, closely modeled on GDPR and enforced by the ANPD. Brazil received EU adequacy in January 2026. Canada's PIPEDA has EU adequacy for commercial organizations, with Quebec's Law 25 adding the strongest provincial protections since 2023.
The United States remains the most significant outlier among major economies: it has no comprehensive federal privacy law, relying instead on sector-specific federal statutes and a growing patchwork of 20 state laws. Mexico, Argentina (EU adequacy), and Colombia round out the region's major frameworks.
Middle East & Africa
South Africa's POPIA (fully effective 2021) is Sub-Saharan Africa's most developed data protection law, with criminal penalties including imprisonment. Nigeria enacted the NDPA in 2023 and Kenya's DPA 2019 has been operational since its initial gazetting.
In the Middle East, the UAE operates a multi-layered framework with a federal PDPL plus separate regimes in the DIFC and ADGM free zones. Saudi Arabia's PDPL took full effect in 2023, and Israel maintains EU adequacy under its 1981 Privacy Protection Law.
Cross-Border Data Transfers
International data transfers are one of the most complex areas of global data privacy law. The GDPR restricts transfers of personal data to countries outside the EU/EEA unless the destination provides "adequate" data protection, or the transferring organization implements appropriate safeguards.
The primary transfer mechanisms include: adequacy decisions (17 countries approved), Standard Contractual Clauses (SCCs, the most widely used mechanism), Binding Corporate Rules (BCRs, for multinational companies), and the EU-US Data Privacy Framework (replacing the invalidated Privacy Shield). China's PIPL requires government security assessments for transfers involving sensitive data or large volumes. Russia and several other countries mandate that certain categories of personal data be stored on servers located within the country (data localization).
Enforcement Trends
Global enforcement of data privacy laws has intensified. GDPR fines exceeded EUR 1.2 billion in 2025 alone, with Ireland, France, and Germany leading enforcement. Outside Europe, Brazil's ANPD has begun issuing administrative sanctions, South Korea's PIPC fined Meta and Google for consent violations, and the Texas Attorney General secured the largest single-state privacy settlements in history ($1.375 billion from Google, $1.4 billion from Meta).
Key enforcement themes across jurisdictions include: children's data protection violations, insufficient consent mechanisms for online advertising, inadequate data breach notification, and non-compliant cross-border data transfers. Artificial intelligence and automated decision-making are emerging as the next major enforcement frontier, with the EU AI Act creating additional obligations that intersect with GDPR requirements.
Data Privacy Laws by Country
Select a country below for a detailed guide to its data protection law, enforcement authority, penalties, and compliance requirements. Countries are organized by region and color-coded by framework strength.
Europe (34 countries)
Austria
Belgium
Bulgaria
Croatia
Cyprus
Czech Republic
Denmark
Estonia
Finland
France
Germany
Greece
Hungary
Ireland
Italy
Latvia
Lithuania
Luxembourg
Malta
Netherlands
Poland
Portugal
Romania
Slovakia
Slovenia
Spain
Sweden
Norway
Iceland
United Kingdom
Switzerland
Turkey
Russia
Ukraine
Asia-Pacific (16 countries)
Japan
South Korea
China
India
Australia
New Zealand
Singapore
Thailand
Indonesia
Philippines
Malaysia
Vietnam
Taiwan
Pakistan
Bangladesh
Sri Lanka
North America (1 country)
Central & South America (7 countries)
Middle East & North Africa (6 countries)
For data privacy laws within the United States, see our Data Privacy Laws by State guide covering all 50 states, CCPA/CPRA, breach notification laws, and the federal privacy framework.
This information is general legal information, not legal advice. Data protection laws change frequently and vary by jurisdiction. Consult a qualified attorney for advice specific to your situation.
Frequently Asked Questions
What is the GDPR and which countries does it apply to?
The General Data Protection Regulation (GDPR) is the European Union's comprehensive data protection law, effective since May 25, 2018. It applies directly in all 27 EU member states plus Iceland, Liechtenstein, and Norway through the EEA Agreement (30 countries total). The UK adopted its own version (UK GDPR) after Brexit. GDPR also applies extraterritorially to any organization worldwide that offers goods or services to EU residents or monitors their behavior, regardless of where the organization is based.
Which countries have GDPR adequacy decisions?
As of 2026, the European Commission has granted adequacy decisions to: Andorra, Argentina, Canada (commercial organizations under PIPEDA), Faroe Islands, Guernsey, Isle of Man, Israel, Japan, Jersey, New Zealand, Republic of Korea, Switzerland, United Kingdom, United States (under the EU-US Data Privacy Framework), Uruguay, Brazil, and the European Patent Organisation. Adequacy means personal data can flow freely from the EU to these countries without additional safeguards like Standard Contractual Clauses.
How does China's PIPL compare to the GDPR?
China's Personal Information Protection Law (PIPL), effective November 2021, shares several features with GDPR: consent-based processing, data subject rights, breach notification, and substantial penalties (up to 5% of annual revenue, higher than GDPR's 4%). Key differences include stricter cross-border transfer requirements (security assessments, standard contracts, or certification required), data localization mandates for Critical Information Infrastructure Operators, and the Cyberspace Administration of China (CAC) serving as the primary regulator rather than an independent data protection authority.
What is a data protection authority (DPA)?
A data protection authority is an independent government body responsible for enforcing data privacy laws, investigating complaints, and issuing guidance. Most countries with comprehensive data protection laws have established a DPA. In the EU, each member state has its own DPA (for example, the CNIL in France, BfDI in Germany, ICO in the UK, AEPD in Spain). The European Data Protection Board (EDPB) coordinates between national DPAs. Globally, over 130 countries have a designated data protection authority.
What are Standard Contractual Clauses (SCCs)?
Standard Contractual Clauses are pre-approved legal contracts that organizations can use to transfer personal data from the EU to countries without an adequacy decision. The European Commission adopted updated SCCs in June 2021 with four modular sets covering controller-to-controller, controller-to-processor, processor-to-processor, and processor-to-controller transfers. Organizations must also conduct a Transfer Impact Assessment (TIA) to evaluate whether the recipient country's laws provide adequate data protection. SCCs are the most widely used mechanism for international data transfers from the EU.
Which countries have the strictest data privacy laws?
The strictest data privacy regimes include the EU/EEA (GDPR with fines up to 4% of global revenue and extensive data subject rights), China (PIPL with 5% revenue penalties, strict data localization, and government security assessments for transfers), South Korea (PIPA with criminal penalties and one of the world's highest enforcement rates per capita), and Brazil (LGPD with 2% revenue penalties modeled closely on GDPR). Germany and France are the most aggressive enforcers within the EU, while Ireland's DPC supervises most Big Tech companies due to their European headquarters being located there.
Does the United States have a federal data privacy law?
No. The United States does not have a comprehensive federal data privacy law equivalent to GDPR. Instead, it relies on sector-specific federal laws (HIPAA for health, GLBA for financial, COPPA for children) and a growing patchwork of state laws. Twenty states have enacted comprehensive consumer privacy laws as of 2026, led by California's CCPA/CPRA. See our US Data Privacy Laws guide for state-by-state coverage.
What are the largest data privacy fines ever issued?
The ten largest GDPR fines include: Meta/Facebook EUR 1.2 billion (Ireland DPC, 2023, EU-US data transfers), Amazon EUR 746 million (Luxembourg CNPD, 2021, targeted advertising), TikTok EUR 345 million (Ireland DPC, 2023, children's data), Meta/Instagram EUR 405 million (Ireland DPC, 2022, children's data), and Meta/WhatsApp EUR 225 million (Ireland DPC, 2021, transparency). Outside the EU, China fined Didi Global approximately RMB 8 billion (USD 1.2 billion) in 2022, and the Texas Attorney General secured settlements of $1.375 billion (Google) and $1.4 billion (Meta) in 2024.