The IAPP Research and Insights team has updated its Global Privacy Law and DPA Directory. This latest version includes both new and amended comprehensive data privacy laws and reflects recently established data protection authoritative bodies. First launched in 2017, it is intended to be a one-stop-shop for information on data protection authorities to keep privacy professionals up to date with global laws, authorities and trends.
The second half of 2024 welcomed new data privacy laws from Cameroon, Ethiopia, Malawi, the Republic of Moldova and the Vatican City. Other countries, such as Botswana, Chile, Malaysia, Monaco, Turkey, Peru and Vietnam, made notable amendments, replacements or implementing provisions to their data privacy laws. Many of these brought the countries' data privacy frameworks into alignment with other international standards, such as the EU General Data Protection Regulation.
The most populous countries without a comprehensive national privacy law include the U.S., Pakistan, Bangladesh, Iran and Iraq, with Pakistan and Bangladesh having draft legislation. While the U.S. came as close as ever to passing a comprehensive data privacy law in 2024, the effort ultimately did not succeed. As such, the U.S. continues to be governed by sectoral laws and a patchwork of state privacy laws.
Examples of amended laws include Malaysia's amended Personal Data Protection Act, which established a 72-hour timeline for mandatory data breach notifications, revised cross-border data transfer obligations and adopted requirements to appoint a data protection officer, aligning with the GDPR's corresponding provisions. Peru's amended law places even stricter mandatory data breach notifications, requiring notifications within 48 hours, along with enhanced security obligations for covered entities that process personal data. It also requires public entities, organizations processing large volumes of personal data and entities whose main business activity is processing sensitive personal data to appoint DPOs.
Today, 144 countries have enacted national data privacy laws, bringing approximately 6.64 billion people or 82% of the world's population under the protection of some form of national data privacy legislation. This is an increase from the 79% reported in the previous update.
Regionally, Europe still has the most data privacy laws of any continent, with all of the continent covered by some form of comprehensive data privacy legislation — an ongoing legacy of the GDPR and the "Brussels effect." However, African and Asian countries have been accelerating their lawmaking on data privacy in recent years. Approximately 39, or 72% of, countries in Africa are covered by a comprehensive data privacy law, closely followed by Asia with approximately 35 countries, or 73%.
North America and the Caribbean have approximately 16 countries, or 70%, with national data privacy laws, while there are nine countries, or 75%, in South America with national data privacy laws. Lastly, Australia and New Zealand both have their own data privacy laws.
Although the number of new countries passing comprehensive data privacy laws has slowed, many countries are still establishing fully operational DPAs created by their respective laws. Since the beginning of 2024, countries such as Jordan, Madagascar, Sri Lanka, Togo and Zambia have appointed DPAs to begin enforcement of their national data privacy laws.
This increase in new and amended laws over the past eight years — from 120 in 2017 to 144 by the end of 2024 — highlights the ongoing need for privacy pros who can help individuals, governments and businesses navigate the ever-evolving global legal landscape.
Aly Apacible-Bernardo, CIPM, is a legal research associate at the IAPP.
Kayla Bushey is a Westin Research fellow at the IAPP.
