Learning Center July 8, 2021

16 Countries with GDPR-like Data Privacy Laws

by Mike Woodward
by Mike Woodward

Coming into force on May 25th, 2018, the General Data Protection Regulation (GDPR) was a landmark for data protection. Trading blocs, governments, and privacy organizations took note, and over the last three years, GDPR has inspired new data privacy legislation worldwide. In my view, there are two very commercial reasons why a country might adopt a version of the GDPR (aside from data protection for its citizens):

  1. Extra-territoriality: The GDPR applies to the processing of European residents’ data (technically, all residents of the EU plus residents of the other European countries that have adopted the GDPR), no matter where in the world the data processing takes place. If you want to sell to European residents, you need to be compliant with the GDPR, and what better way to be compliant than to adopt it.
  2. Data export: The GDPR export rule is simple: data on European residents can only be exported to places with similar data protection rules (technically, the European Commission (EC) determines if your rules are adequate). If you want the commercial benefits of processing European residents’ data then you need to adopt the GDPR or something like it.
world map
(Countries with GDPR-like laws in blue – as of May 2021.)

Let’s take a trip around the world and see where things stand three years after the GDPR came into force. To keep things short, I’ll only discuss 16 countries that have enacted national GDPR-like legislation.

Discover how your organization's cybersecurity stacks up against competitors. Get your free report.

The Middle East & Africa

The picture in the Middle East is patchy, with some countries adopting data privacy laws and others not. Here are some of the countries with GDPR-like legislation.

Country Law Year Comment
Bahrain Personal Data Protection Law 2019 The law includes a possible jail term of up to a year for unlawfully transferring personal data outside of Bahrain.
Israel Data Security Regulations 2017 The regulations have some of the same ideas as the GDPR but contain features not in the GDPR (for example, rules on passwords and penetration testing). However, the EC has decided that Israel’s data protection rules are adequate for data export under the GDPR, meaning Israeli companies can process European residents’ data – a significant boost for Israeli data companies.
Qatar Law No. 13 2016 The first data protection law in the Middle East.
Turkey Law on Protection of Personal Data No. 6698 2016 The Turkish law was based on the prior (pre-2018) version of the GDPR

Other Middle Eastern countries have no formal legislation or ‘just’ have constitutional rights to privacy (e.g. the United Arab Emirates).

In 2014, the African Union adopted the Convention on Cyber Security and Personal Data Protection which was modeled on the GDPR. The intention was for African countries to adopt the convention into their national laws but progress has been inconsistent. Here are five African countries that have adopted GDPR-like laws.

Country Law Year Comment
Kenya Data Protection Act 2019 The Kenyan constitution has a right to privacy provision – article 31.
Mauritius Data Protection Act 2017
Nigeria Data Protection Regulation 2019 The Nigerian constitution contains a privacy section
South Africa Protection of Personal Information (POPI) Act (2020) 2020 See below.
Uganda Data Protection and Privacy Act, 2019 2019

The South African Protection of Personal Information (POPI) Act is similar to a number of other African data privacy laws in terms of its differences from the GDPR. The GDPR is extra-territorial, but POPI only applies to South African companies and when data is processed in South Africa. Similar to the GDPR, POPI defines categories of special personal information that require extra protection (e.g. religious beliefs, politics, health, sex, biometrics, etc.), but unlike the GDPR the consent rules for more general data are more relaxed.


Although only a handful of Asian nations have adopted GDPR-like laws, it’s notable that two of them have secured data adequacy agreements with the EC.

Country Law Year Comment
Japan Act on the Protection of Personal Information (APPI) 2020 The EC considers the Japan APPI adequate for export of European data and vice versa. It’s the first such agreement.
New Zealand Privacy Act 2020 The EC considers the New Zealand Privacy Act adequate for export of European data
South Korea Personal Information Protection Act (PIPA) 2011 2011, revised in 2020 Pre-dates the GDPR, but as modified in 2020, is similar in many ways. Considered to be one of the strictest privacy rules in the world. Adequacy talks with the EC were concluded on March 30th, 2021 and it’s likely an agreement on data export adequacy will be reached.

Thailand’s Personal Data Protection Act is due to come into force on May 31, 2021 and contains similar provisions to the GDPR, including extra-territoriality.

South America

In 2019, the European Union (EU) and the South American trading bloc MERCOSUR negotiated a blockbuster trade deal that included data processing export arrangements, but data export was conditional on MERCOSUR nations passing GDPR-like legislation. At the time of writing, three have.

Country Law Year Comment
Argentina Personal Data Protection Act No 25,326, constitutional protections 2001 EC considers the legal regime in Argentina adequate for data export. Bills to update the existing law are in Congress.
Brazil General Data Protection Law LGPD 2020 Very similar to the GDPR, including extra-territoriality provisions.
Uruguay Act on the Protection of Personal Data and Habeas Data Action 2008, but subsequently modified EC considers the law adequate for data export.

The other MERCOSUR nation, Paraguay, has legislation in the works.

North America

The only country that’s adopted anything like the GDPR is Canada. In the United States, there’s no federal-level statute like the GDPR, but states have adopted their own legislation, most notably the CCPA in California.

Country Law Year Comment
Canada Personal Information Protection and Electronic Documents Act (PIPEDA) 2000 The EC has considered the PIPEDA as adequate for EU data export.

Who’s missing

You’ll note that I haven’t discussed China, Russia, or the United States. In the United States, there are some privacy laws at the federal level (for example, HIPPA), and most states have some form of data protection or breach notification laws, giving a complex picture. Russia’s privacy laws contain terms requiring at least initial data processing to take place in Russia and have provisions to block offending websites. Similar to the Russian rules, the draft Chinese Personal Information Protection Law would require data processors to at least maintain copies of data in China and allows for countermeasures against nations under some conditions. These are complex topics and deserve a separate blog post.

Where to next?

The picture on GDPR adoption is patchy, but the trend is clear. Smaller countries are adopting it as a trading measure with the EU. My guess is that we’ll see more adoption of the GDPR motivated by money: if companies and countries want a slice of the EU data processing market or want to sell to European residents, they’ll have to follow the EC laws, which in this case means following the GDPR.

Sign up for a free account