Data protection and privacy laws now in effect in 144 countries


Contributors:
Aly Apacible-Bernardo, CIPM, Privacy and Data Policy Associate, Meta
Kayla Bushey, CIPP/US, Former Westin Fellow, IAPP
The IAPP Research and Insights team has updated its Global Privacy Law and DPA Directory. This latest version includes both new and amended comprehensive data privacy laws and reflects recently established data protection authorities. First launched in 2017, it is intended to be a one-stop shop for information on data protection authorities to keep privacy professionals up to date with global laws, authorities and trends.
The second half of 2024 welcomed new data privacy laws from Cameroon, Ethiopia, Malawi, the Republic of Moldova and the Vatican City. Other countries, such as Botswana, Chile, Malaysia, Monaco, Turkey, Peru and Vietnam, made notable amendments, replacements or implementing provisions to their data privacy laws. Many of these brought the countries' data privacy frameworks into alignment with other international standards, such as the EU General Data Protection Regulation.
The most populous countries without a comprehensive national privacy law include the U.S., Pakistan, Bangladesh, Iran and Iraq, with Pakistan and Bangladesh having draft legislation. While the U.S. came as close as ever to passing a comprehensive data privacy law in 2024, the effort ultimately did not succeed. As such, the U.S. continues to be governed by sectoral laws and a patchwork of state privacy laws.
Examples of amended laws include Malaysia's amended Personal Data Protection Act, which established a 72-hour timeline for mandatory data breach notifications, revised cross-border data transfer obligations and adopted requirements to appoint a data protection officer, aligning with the GDPR's corresponding provisions. Peru's amended law imposes even stricter mandatory data breach notification requirements, requiring notifications within 48 hours, along with enhanced security obligations for covered entities that process personal data. It also requires public entities, organizations processing large volumes of personal data and entities whose main business activity is processing sensitive personal data to appoint DPOs.