Coming into force on May 25th, 2018, the General Data Protection Regulation (GDPR) was a landmark for data protection. Trading blocs, governments, and privacy organizations took note, and over the last three years, GDPR has inspired new data privacy legislation worldwide. In my view, there are two very commercial reasons why a country might adopt a version of the GDPR (aside from data protection for its citizens):

1. Extra-territoriality: The GDPR applies to the processing of European residents’ data (technically, all residents of the EU plus residents of the other European countries that have adopted the GDPR), no matter where in the world the data processing takes place. If you want to sell to European residents, you need to be compliant with the GDPR, and what better way to be compliant than to adopt it.
2. Data export: The GDPR export rule is simple: data on European residents can only be exported to places with similar data protection rules (technically, the European Commission (EC) determines if your rules are adequate). If you want the commercial benefits of processing European residents’ data then you need to adopt the GDPR or something like it.

Let’s take a trip around the world and see where things stand three years after the GDPR came into force. To keep things short, I’ll only discuss 16 countries that have enacted national GDPR-like legislation.

The Middle East & Africa

The picture in the Middle East is patchy, with some countries adopting data privacy laws and others not. Here are some of the countries with GDPR-like legislation.

Country	Law	Year	Comment
Bahrain	Personal Data Protection Law	2019	The law includes a possible jail term of up to a year for unlawfully transferring personal data outside of Bahrain.
Israel	Data Security Regulations	2017	The regulations have some of the same ideas as the GDPR but contain features not in the GDPR (for example, rules on passwords and penetration testing). However, the EC has decided that Israel’s data protection rules are adequate for data export under the GDPR, meaning Israeli companies can process European residents’ data – a significant boost for Israeli data companies.
Qatar	Law No. 13	2016	The first data protection law in the Middle East.
Turkey	Law on Protection of Personal Data No. 6698	2016	The Turkish law was based on the prior (pre-2018) version of the GDPR

Other Middle Eastern countries have no formal legislation or ‘just’ have constitutional rights to privacy (e.g. the United Arab Emirates).

In 2014, the African Union adopted the Convention on Cyber Security and Personal Data Protection which was modeled on the GDPR. The intention was for African countries to adopt the convention into their national laws but progress has been inconsistent. Here are five African countries that have adopted GDPR-like laws.

Country	Law	Year	Comment
Kenya	Data Protection Act	2019	The Kenyan constitution has a right to privacy provision – article 31.
Mauritius	Data Protection Act	2017
Nigeria	Data Protection Regulation	2019	The Nigerian constitution contains a privacy section
South Africa	Protection of Personal Information (POPI) Act (2020)	2020	See below.
Uganda	Data Protection and Privacy Act, 2019	2019

The South African Protection of Personal Information (POPI) Act is similar to a number of other African data privacy laws in terms of its differences from the GDPR. The GDPR is extra-territorial, but POPI only applies to South African companies and when data is processed in South Africa. Similar to the GDPR, POPI defines categories of special personal information that require extra protection (e.g. religious beliefs, politics, health, sex, biometrics, etc.), but unlike the GDPR the consent rules for more general data are more relaxed.

Asia

Although only a handful of Asian nations have adopted GDPR-like laws, it’s notable that two of them have secured data adequacy agreements with the EC.

Country	Law	Year	Comment
Japan	Act on the Protection of Personal Information (APPI)	2020	The EC considers the Japan APPI adequate for export of European data and vice versa. It’s the first such agreement.
New Zealand	Privacy Act	2020	The EC considers the New Zealand Privacy Act adequate for export of European data
South Korea	Personal Information Protection Act (PIPA) 2011	2011, revised in 2020	Pre-dates the GDPR, but as modified in 2020, is similar in many ways. Considered to be one of the strictest privacy rules in the world. Adequacy talks with the EC were concluded on March 30th, 2021 and it’s likely an agreement on data export adequacy will be reached.

Thailand’s Personal Data Protection Act is due to come into force on May 31, 2021 and contains similar provisions to the GDPR, including extra-territoriality.

South America

In 2019, the European Union (EU) and the South American trading bloc MERCOSUR negotiated a blockbuster trade deal that included data processing export arrangements, but data export was conditional on MERCOSUR nations passing GDPR-like legislation. At the time of writing, three have.

Country	Law	Year	Comment
Argentina	Personal Data Protection Act No 25,326, constitutional protections	2001	EC considers the legal regime in Argentina adequate for data export. Bills to update the existing law are in Congress.
Brazil	General Data Protection Law LGPD	2020	Very similar to the GDPR, including extra-territoriality provisions.
Uruguay	Act on the Protection of Personal Data and Habeas Data Action	2008, but subsequently modified	EC considers the law adequate for data export.

The other MERCOSUR nation, Paraguay, has legislation in the works.

North America

The only country that’s adopted anything like the GDPR is Canada. In the United States, there’s no federal-level statute like the GDPR, but states have adopted their own legislation, most notably the CCPA in California.

Country	Law	Year	Comment
Canada	Personal Information Protection and Electronic Documents Act (PIPEDA)	2000	The EC has considered the PIPEDA as adequate for EU data export.

Who’s missing

You’ll note that I haven’t discussed China, Russia, or the United States. In the United States, there are some privacy laws at the federal level (for example, HIPPA), and most states have some form of data protection or breach notification laws, giving a complex picture. Russia’s privacy laws contain terms requiring at least initial data processing to take place in Russia and have provisions to block offending websites. Similar to the Russian rules, the draft Chinese Personal Information Protection Law would require data processors to at least maintain copies of data in China and allows for countermeasures against nations under some conditions. These are complex topics and deserve a separate blog post.

Where to next?

The picture on GDPR adoption is patchy, but the trend is clear. Smaller countries are adopting it as a trading measure with the EU. My guess is that we’ll see more adoption of the GDPR motivated by money: if companies and countries want a slice of the EU data processing market or want to sell to European residents, they’ll have to follow the EC laws, which in this case means following the GDPR.