The IAPP Research and Insights team updated its Global Privacy Law and DPA Directory. This latest version includes new, amended and draft comprehensive data privacy laws and reflects recent developments, including the establishment of new data protection authorities. First launched in 2017, the directory is intended to be a one-stop shop for current information on data protection to keep privacy professionals up-to-date with global laws, authorities and trends.
Data protection regimes continue to blossom and mature around the world. The European Commission has proposed significant reforms to its General Data Protection Regulation nearly 10 years after passage. In the last 12 months, India introduced new implementing rules to bring the Digital Personal Data Protection Act into force, Bangladesh and the Gambia adopted or are considering new comprehensive laws, and other countries, including Ecuador and Indonesia, introduced new agencies to interpret and enforce existing privacy statutes.
Global data protection statistics
According to the updated directory, 179 of the 240 analyzed jurisdictions have data protection frameworks in place while another eight are considering draft laws. This means approximately 3 out of every 4 countries are covered by data protection laws. Based on this count, over 6.6 billion people around the world are covered by some level of data protection law, accounting for approximately 80% of the world's total population.
Of course, this does not include those covered by state and local privacy laws, such as individuals in California and those covered by sectoral laws in the United States. It also does not account for nations considering draft data protection laws, like Bangladesh and Pakistan. As a result, the true reach of global privacy laws is likely even greater.
These figures are supported by other data sources as well. For example, the UN Conference on Trade and Development estimates 79% of countries worldwide have established data protection legislation. Moreover, UNCTAD contends that 98% of developed nations are covered by privacy laws.
Although the boundaries are somewhat subjective and the percentages are rough estimates, a breakdown of comprehensive data protection laws by region is also instructive. Europe leads the way with 98% of jurisdictions covered by comprehensive laws. Africa maintains coverage in 77% of its jurisdictions; North America is close behind at 75%. Asia is just behind North America at 72%. South America follows closely with 71% of jurisdictions covered, and in Oceania, 35% of jurisdictions are covered.
That said, the metrics shift somewhat when the number of people covered within those regions is taken into account. Europe still leads with 99% of people covered; South America follows with 90% of people covered. Asia and Africa are virtually tied, with 84% of people covered in Asia and 83% in Africa. Oceania comes next with 70% of people covered. North America lags well behind with only 39% of people covered by a comprehensive privacy law — the U.S. being the main outlier.
The largest countries by population that do not have comprehensive data protection laws are the Democratic Republic of Congo in Africa, the U.S. in North America, Bangladesh and Pakistan in Asia, Venezuela and Bolivia in South America and Papua New Guinea in Oceania.
EU digital rulebook simplification
By many accounts, the EU GDPR set the global standard for data protection, showcasing the "Brussels effect," the EU's capacity to shape international business environments outside its borders as multinational companies adopt those regulations as a baseline for compliance.
What's more, the Brussels effect led to the passage of comprehensive, rights-based data protection laws around the world. However, EU regulations were recently linked to flagging innovation and competitiveness within the Union. The Draghi report notes that Europe "claim(s) to favour innovation, but ... continue(s) to add regulatory burdens onto European companies, which are especially costly for SMEs and self-defeating for those in the digital sectors."
In response, the European Commission proposed the Digital Omnibus package in November 2025, which aims to amend the GDPR and other legislation to reduce compliance costs, preserve protection of fundamental rights and increase competitiveness and innovation within the EU.
For example, the Omnibus package would redefine the meaning of "personal data" to exclude information held by an entity that does not have the "means reasonably likely to be used" to identify the individual. It would also reduce the circumstances in which data controllers would need to disclose information to individuals about the processing of their personal data. Likewise, the Omnibus package would broaden the legitimate interest legal basis for processing personal data to include scientific research and artificial intelligence model development. This digital package will now proceed through the full legislative process, including trilogue negotiations with the European Parliament and the Council of the European Union.
It will take many months, if not longer, for the Omnibus proposal to filter through the EU legislative machine. Yet, no matter how the final amendments pan out, the mere fact that the innovator of data protection law is now considering amendments that would rein in its scope may trigger similar reconsiderations for other data protection laws around the world. Just as the Brussels effect spurred new laws, the question arises whether a simplification effort in Brussels will cause similar simplification efforts elsewhere or a hesitation to act on data protection altogether.
This potential development is echoed by experts, some of whom point to the U.K., where simplification may be welcomed by a pragmatic information commissioner. Still others argue that EU regulatory simplification may provide outsized benefits to legacy technology companies while only giving EU startups and small and medium-sized enterprises nominal gains. A countervailing force, the so-called "Washington Pull," is perhaps inducing a "more permissive approach to tech governance."
India's Digital Personal Data Protection Rules, 2025
On 13 Nov. 2025, India's Ministry of Electronics and Information Technology published the Digital Personal Data Protection Rules, which clarify certain provisions of the DPDPA and implement the law in a phased approach. Of note, the DPDP Rules establish clear protocols for personal data breach notifications, reinforce the rights of data principals, establish a fully digital data protection board and appellate tribunal, clarify the transparency obligations of data fiduciaries and define the registration process and duties of consent managers. Although the rules identify a compliance transition period over the next 18 months, the Minister of Electronics and Information Technology has suggested this timeline will be shortened.
The DPDPA, as notified, has many parallels with the GDPR, though some material differences are worth noting. For example, the DPDPA only applies to digital personal data rather than any information relating to an identifiable person. Furthermore, the act mandates that certain entities, depending on factors such as the volume and sensitivity of the personal data processed, be deemed significant data fiduciaries and therefore remain subject to heightened compliance obligations above and beyond normal data fiduciaries.
The DPDPA also creates the legal concept of a consent manager, which is an interoperable third-party platform through which data principals can manage consent preferences. In contrast to the GDPR, the DPDPA lacks contractual necessity and legitimate interests as legal bases for processing personal data. Moreover, the act requires that verifiable consent be obtained from a parent or lawful guardian to process the personal data of a child or a person with a disability. These and other provisions differentiate the DPDPA from related comprehensive laws like the GDPR.
New and draft data protection laws
In neighboring Bangladesh, the draft Personal Data Protection Ordinance, 2025 seeks to establish a legal framework to protect the confidentiality, integrity and security of personal data. The ordinance sets out legal bases for processing data, data subject rights, data fiduciary obligations and the functions of the National Data Governance and Interoperability Authority, which is yet to be established.
The Gambia passed the Personal Data Protection and Privacy Bill, 2025, which is structured to protect privacy rights, strengthen digital governance and enhance public trust in the nation's digital transformation. Likewise, Paraguay passed the Personal Data Protection Bill, which mandates fundamental principles and legal bases for personal data processing, grants rights to data subjects and governs cross-border data transfers, among other provisions.
Other nations that passed new data protection laws or introduced new draft laws include Brunei, Cambodia, El Salvador, Kiribati, Kuwait, Monaco, Pakistan and Vanuatu.
New data protection authorities
Since the Global Privacy Law and DPA Directory's last update, some new DPAs have come online. For example, Ecuador's Data Protection Superintendence is now active; the agency announced its first sanctions for a breach of the Personal Data Protection Act against the Professional Football League of Ecuador and the Ecuadorian Football Federation. Furthermore, Indonesia's Ministry of Communications and Digital Affairs was reorganized to take on the development of digital infrastructure, supervision of the digital space, protection of personal data, and management of public communication and media.
The challenge of global compliance
Global compliance with privacy and data protection laws is no small task. According to IAPP research, 52% of privacy professionals are only "somewhat confident" in their ability to stay informed about new global privacy laws. Nevertheless, there are clear paths to success. These include assessing the scale of compliance to decide whether a global or country-by-country approach is appropriate and practicing cultural humility to recognize that different legal cultures require different approaches to compliance.
The worldwide data protection landscape continues to shift as early movers, like the EU, reconsider their existing frameworks and new markets, like India, implement their own, bespoke data protection models. To stay up-to-date with this dynamic space, visit the IAPP Global Privacy Law and DPA Directory.
Will Simpson, AIGP, CIPP/US, is a Westin Fellow for the IAPP.


