16 Countries with GDPR-like Data Privacy Laws

By Mike Woodward

Posted on Jul 8, 2021

Coming into force on May 25th, 2018, the General Data Protection Regulation (GDPR) was a landmark for data protection. Trading blocs, governments, and privacy organizations took note, and over the last three years, GDPR has inspired new data privacy legislation worldwide. In my view, there are two very commercial reasons why a country might adopt a version of the GDPR (aside from data protection for its citizens):

  1. Extra-territoriality: The GDPR applies to the processing of European residents’ data (technically, all residents of the EU plus residents of the other European countries that have adopted the GDPR), no matter where in the world the data processing takes place. If you want to sell to European residents, you need to be compliant with the GDPR, and what better way to be compliant than to adopt it.
  2. Data export: The GDPR export rule is simple: data on European residents can only be exported to places with similar data protection rules (technically, the European Commission (EC) determines if your rules are adequate). If you want the commercial benefits of processing European residents’ data then you need to adopt the GDPR or something like it.

(Countries with GDPR-like laws in blue - as of May 2021.)

Let’s take a trip around the world and see where things stand three years after the GDPR came into force. To keep things short, I’ll only discuss 16 countries that have enacted national GDPR-like legislation.

The Middle East & Africa

The picture in the Middle East is patchy, with some countries adopting data privacy laws and others not. Here are some of the countries with GDPR-like legislation.

Country

Law

Year

Comment

Bahrain

Personal Data Protection Law

2019

The law includes a possible jail term of up to a year for unlawfully transferring personal data outside of Bahrain.

Israel

Data Security Regulations

2017

The regulations have some of the same ideas as the GDPR but contain features not in the GDPR (for example, rules on passwords and penetration testing). However, the EC has decided that Israel’s data protection rules are adequate for data export under the GDPR, meaning Israeli companies can process European residents’ data – a significant boost for Israeli data companies.

Qatar

Law No. 13

2016

The first data protection law in the Middle East.

Turkey

Law on Protection of Personal Data No. 6698

2016

The Turkish law was based on the prior (pre-2018) version of the GDPR

Other Middle Eastern countries have no formal legislation or ‘just’ have constitutional rights to privacy (e.g. the United Arab Emirates).

In 2014, the African Union adopted the Convention on Cyber Security and Personal Data Protection which was modeled on the GDPR. The intention was for African countries to adopt the convention into their national laws but progress has been inconsistent. Here are five African countries that have adopted GDPR-like laws.

Country

Law

Year

Comment

Kenya

Data Protection Act

2019

The Kenyan constitution has a right to privacy provision - article 31.

Mauritius

Data Protection Act

2017

Nigeria

Data Protection Regulation

2019

The Nigerian constitution contains a privacy section

South Africa

Protection of Personal Information (POPI) Act (2020)

2020

See below.

Uganda

Data Protection and Privacy Act, 2019

2019

The South African Protection of Personal Information (POPI) Act is similar to a number of other African data privacy laws in terms of its differences from the GDPR. The GDPR is extra-territorial, but POPI only applies to South African companies and when data is processed in South Africa. Similar to the GDPR, POPI defines categories of special personal information that require extra protection (e.g. religious beliefs, politics, health, sex, biometrics, etc.), but unlike the GDPR the consent rules for more general data are more relaxed.

Asia

Although only a handful of Asian nations have adopted GDPR-like laws, it’s notable that two of them have secured data adequacy agreements with the EC.

Country

Law

Year

Comment

Japan

Act on the Protection of Personal Information (APPI)

2020

The EC considers the Japan APPI adequate for export of European data and vice versa. It’s the first such agreement.

New Zealand

Privacy Act

2020

The EC considers the New Zealand Privacy Act adequate for export of European data

South Korea

Personal Information Protection Act (PIPA) 2011

2011, revised in 2020

Pre-dates the GDPR, but as modified in 2020, is similar in many ways. Considered to be one of the strictest privacy rules in the world. Adequacy talks with the EC were concluded on March 30th, 2021 and it’s likely an agreement on data export adequacy will be reached.

Thailand’s Personal Data Protection Act is due to come into force on May 31, 2021 and contains similar provisions to the GDPR, including extra-territoriality.

South America

In 2019, the European Union (EU) and the South American trading bloc MERCOSUR negotiated a blockbuster trade deal that included data processing export arrangements, but data export was conditional on MERCOSUR nations passing GDPR-like legislation. At the time of writing, three have.

Country

Law

Year

Comment

Argentina

Personal Data Protection Act No 25,326, constitutional protections

2001

EC considers the legal regime in Argentina adequate for data export. Bills to update the existing law are in Congress.

Brazil

General Data Protection Law LGPD

2020

Very similar to the GDPR, including extra-territoriality provisions.

Uruguay

Act on the Protection of Personal Data and Habeas Data Action

2008, but subsequently modified

EC considers the law adequate for data export.

The other MERCOSUR nation, Paraguay, has legislation in the works.

North America

The only country that’s adopted anything like the GDPR is Canada. In the United States, there’s no federal-level statute like the GDPR, but states have adopted their own legislation, most notably the CCPA in California.

Country

Law

Year

Comment

Canada

Personal Information Protection and Electronic Documents Act (PIPEDA)

2000

The EC has considered the PIPEDA as adequate for EU data export.

Who’s missing

You’ll note that I haven’t discussed China, Russia, or the United States. In the United States, there are some privacy laws at the federal level (for example, HIPPA), and most states have some form of data protection or breach notification laws, giving a complex picture. Russia’s privacy laws contain terms requiring at least initial data processing to take place in Russia and have provisions to block offending websites. Similar to the Russian rules, the draft Chinese Personal Information Protection Law would require data processors to at least maintain copies of data in China and allows for countermeasures against nations under some conditions. These are complex topics and deserve a separate blog post.

Where to next?

The picture on GDPR adoption is patchy, but the trend is clear. Smaller countries are adopting it as a trading measure with the EU. My guess is that we’ll see more adoption of the GDPR motivated by money: if companies and countries want a slice of the EU data processing market or want to sell to European residents, they’ll have to follow the EC laws, which in this case means following the GDPR.

No waiting, 100% Free

Get your personalized scorecard today

Get your free scorecard and learn how you stack up across 10 risk categories. Answer a few simple questions and we'll instantly send your score to your business email.

Get Your Free Score

Get In Touch

Thank you for contacting us!