Blog, Learning Center July 8, 2021

16 Countries with GDPR-like Data Privacy Laws

Coming into force on May 25th, 2018, the General Data Protection Regulation (GDPR) was a landmark for data protection. Trading blocs, governments, and privacy organizations took note, and over the last three years, GDPR has inspired new data privacy legislation worldwide. In my view, there are two very commercial reasons why a country might adopt a version of the GDPR (aside from data protection for its citizens):

  1. Extra-territoriality: The GDPR applies to the processing of European residents’ data (technically, all residents of the EU plus residents of the other European countries that have adopted the GDPR), no matter where in the world the data processing takes place. If you want to sell to European residents, you need to be compliant with the GDPR, and what better way to be compliant than to adopt it.
  2. Data export: The GDPR export rule is simple: data on European residents can only be exported to places with similar data protection rules (technically, the European Commission (EC) determines if your rules are adequate). If you want the commercial benefits of processing European residents’ data then you need to adopt the GDPR or something like it.
world map
(Countries with GDPR-like laws in blue – as of May 2021.)

Let’s take a trip around the world and see where things stand three years after the GDPR came into force. To keep things short, I’ll only discuss 16 countries that have enacted national GDPR-like legislation.

Discover how your organization's cybersecurity stacks up against competitors. Get your free report.

The Middle East & Africa

The picture in the Middle East is patchy, with some countries adopting data privacy laws and others not. Here are some of the countries with GDPR-like legislation.

CountryLawYearComment
BahrainPersonal Data Protection Law2019The law includes a possible jail term of up to a year for unlawfully transferring personal data outside of Bahrain.
IsraelData Security Regulations2017The regulations have some of the same ideas as the GDPR but contain features not in the GDPR (for example, rules on passwords and penetration testing). However, the EC has decided that Israel’s data protection rules are adequate for data export under the GDPR, meaning Israeli companies can process European residents’ data – a significant boost for Israeli data companies.
QatarLaw No. 132016The first data protection law in the Middle East.
TurkeyLaw on Protection of Personal Data No. 66982016The Turkish law was based on the prior (pre-2018) version of the GDPR

Other Middle Eastern countries have no formal legislation or ‘just’ have constitutional rights to privacy (e.g. the United Arab Emirates).

In 2014, the African Union adopted the Convention on Cyber Security and Personal Data Protection which was modeled on the GDPR. The intention was for African countries to adopt the convention into their national laws but progress has been inconsistent. Here are five African countries that have adopted GDPR-like laws.

CountryLawYearComment
KenyaData Protection Act2019The Kenyan constitution has a right to privacy provision – article 31.
MauritiusData Protection Act2017
NigeriaData Protection Regulation2019The Nigerian constitution contains a privacy section
South AfricaProtection of Personal Information (POPI) Act (2020)2020See below.
UgandaData Protection and Privacy Act, 20192019

The South African Protection of Personal Information (POPI) Act is similar to a number of other African data privacy laws in terms of its differences from the GDPR. The GDPR is extra-territorial, but POPI only applies to South African companies and when data is processed in South Africa. Similar to the GDPR, POPI defines categories of special personal information that require extra protection (e.g. religious beliefs, politics, health, sex, biometrics, etc.), but unlike the GDPR the consent rules for more general data are more relaxed.

Asia

Although only a handful of Asian nations have adopted GDPR-like laws, it’s notable that two of them have secured data adequacy agreements with the EC.

CountryLawYearComment
JapanAct on the Protection of Personal Information (APPI)2020The EC considers the Japan APPI adequate for export of European data and vice versa. It’s the first such agreement.
New ZealandPrivacy Act2020The EC considers the New Zealand Privacy Act adequate for export of European data
South KoreaPersonal Information Protection Act (PIPA) 20112011, revised in 2020Pre-dates the GDPR, but as modified in 2020, is similar in many ways. Considered to be one of the strictest privacy rules in the world. Adequacy talks with the EC were concluded on March 30th, 2021 and it’s likely an agreement on data export adequacy will be reached.

Thailand’s Personal Data Protection Act is due to come into force on May 31, 2021 and contains similar provisions to the GDPR, including extra-territoriality.

South America

In 2019, the European Union (EU) and the South American trading bloc MERCOSUR negotiated a blockbuster trade deal that included data processing export arrangements, but data export was conditional on MERCOSUR nations passing GDPR-like legislation. At the time of writing, three have.

CountryLawYearComment
ArgentinaPersonal Data Protection Act No 25,326, constitutional protections2001EC considers the legal regime in Argentina adequate for data export. Bills to update the existing law are in Congress.
BrazilGeneral Data Protection Law LGPD2020Very similar to the GDPR, including extra-territoriality provisions.
UruguayAct on the Protection of Personal Data and Habeas Data Action2008, but subsequently modifiedEC considers the law adequate for data export.

The other MERCOSUR nation, Paraguay, has legislation in the works.

North America

The only country that’s adopted anything like the GDPR is Canada. In the United States, there’s no federal-level statute like the GDPR, but states have adopted their own legislation, most notably the CCPA in California.

CountryLawYearComment
CanadaPersonal Information Protection and Electronic Documents Act (PIPEDA)2000The EC has considered the PIPEDA as adequate for EU data export.

Who’s missing

You’ll note that I haven’t discussed China, Russia, or the United States. In the United States, there are some privacy laws at the federal level (for example, HIPPA), and most states have some form of data protection or breach notification laws, giving a complex picture. Russia’s privacy laws contain terms requiring at least initial data processing to take place in Russia and have provisions to block offending websites. Similar to the Russian rules, the draft Chinese Personal Information Protection Law would require data processors to at least maintain copies of data in China and allows for countermeasures against nations under some conditions. These are complex topics and deserve a separate blog post.

Where to next?

The picture on GDPR adoption is patchy, but the trend is clear. Smaller countries are adopting it as a trading measure with the EU. My guess is that we’ll see more adoption of the GDPR motivated by money: if companies and countries want a slice of the EU data processing market or want to sell to European residents, they’ll have to follow the EC laws, which in this case means following the GDPR.

Sign up for a free account