Data Protection
Laws of the World
An overview of key privacy and data protection laws across more than 160 jurisdictions.
Data protection heatmap
Select a country below to start browsing data protection legal content.
Heavy
Robust
Moderate
Limited
Compare data protection laws around the world
Welcome to the 2025 edition of DLA Piper's Data Protection Laws of the World Handbook. Since the launch of our first edition in 2012, this comprehensive guide has been a trusted resource for navigating the complex landscape of privacy and data protection laws worldwide. Now in its fourteenth edition, the Handbook has grown to provide an extensive overview of key privacy and data protection regulations across more than 160 jurisdictions. As we step into 2025, the global landscape of data protection and privacy law continues to evolve at an unprecedented pace. With new legislation emerging in jurisdictions around the world, businesses face a growing need to stay informed and agile in adapting to these changes. This year promises to bring new developments and challenges, making the Handbook an invaluable tool for staying ahead in this ever-changing field.
Privacy and Publication generally never go together. But this publication is a must for every privacy lover. Meticulous compilation of data privacy laws by the DLA Piper team.
Raghu Raman Lakshmanan, General Counsel
HCL America, Inc.
This compilation does what every brilliant lawyer should do: it makes it easy for clients to understand and apply technical and difficult regulations. Touché to DLA Piper Data Protection Team.
Dr Katarzyna Lasota Heller, Group Legal Compliance Officer
Naspers
DLA Piper has done a great work as the handbook is incredibly well structured and an extremely valuable for anyone handling data protection issues.
Desislava Avramova, Senior Legal Counsel EMEA
Newell Rubbermaid Inc.
DLA Piper's Data Protection Laws of the World Handbook is an extremely useful resource. It enables us to find an answer to complex multi-jurisdictional privacy law questions very quickly.
Lieven van Parys, European Privacy Counsel
Pfizer
I've never seen anything like it before in terms of law firm guidance/publications. Fantastic job and an excellent tool! I and my team will certainly use it and I know that it is already being circulated to others within the Volvo Group.
Alexia Henriksen, VP General Counsel
Volvo Financial Services (EMEA)
Looking ahead: Data protection in 2025
In the Middle East, another important economy – Saudi Arabia – passed its data protection law, closely modelled on a GDPR template. In this case, we know that the law will become effective in 2024 (14 September to be precise), and preparations are well underway for companies operating in the region.
A significant law which went into effect since our last edition was the new Federal Data Protection Act in Switzerland. Like in India, the law in Switzerland was subject to a number of delays and its arrival finally brought this important European jurisdiction into closer alignment with its EU neighbours. Further west in Europe, the United Kingdom threatens to move in the other direction – the Data Protection and Digital Information Bill continues to inch through the UK parliament and 2024 is the year in which it looks likely to pass. However, current indications are that it will be a gradual evolution of the current GDPR status quo, rather than a full-scale post-Brexit revolution.
In the United States, Utah’s state privacy law came into effect on December 31, 2023, while Oregon's Consumer Privacy Act, and Texas' Data Privacy and Security Act, as well as Florida's Digital Bill of Rights will take effect on July 2024. On October 1, 2024, Montana’s state privacy law will follow. Several states will follow suit in 2025, including Iowa, Delaware, Tennessee, and Indiana. As an outlier, Washington’s My Health My Data Act will come into effect on March 31, 2024 (with an extension for small businesses until June 30, 2024), which targets the collection, storage and transfer of health data (very broadly defined to include biometrics as well). In addition, several privacy regulators, including state Attorney Generals (“AGs”), Federal Trade Commission ("FTC"), Securities Exchange Commission (“SEC”), Consumer Financial Protection Bureau ("CFPB"), and the California Privacy Protection Agency ("CPPA") continue to issue rules, regulations and guidance including related to automated decision-making, data breach notification, and the accountable use of AI. Another significant development included the approval of the EU/UK/Swiss.-US Data Privacy Framework as an adequacy decision. For the upcoming year we expect more states to enact comprehensive state privacy laws.
In Asia, the Middle East and Africa, fears of growing strict data localisation have somewhat abated as the final new India, Saudi Arabia and Indonesia data laws were ultimately more permissive than earlier drafts when it comes to cross-border data transfers. However, the ever-evolving data laws China and Vietnam continue to raise cross-border data transfer compliance challenges for multi-national businesses. Further, the trend towards regulating broader data categories (beyond personal data) continues in these regions.
Broader trends in technology regulation continue to impact and overlap with the world of data protection and privacy. Perhaps most notably, 2023 was the year in which Artificial Intelligence (AI) went mainstream, and in the dying days of the year the EU passed the world’s first comprehensive AI law. In the midst of this, the privacy community found itself at the centre of an emerging debate about the concept of ‘AI governance’. This is not a surprising development – AI systems are creatures of data and the principle-based framework for the lawful use of personal data that sits at the heart of data protection law offers a strong starting point for considering how to approach the safe and ethical use of AI. Whilst privacy professionals cannot technical the AI challenge alone, expect them to continue to be on the front lines throughout 2024 and beyond.
The regulation of data in its broadest sense is also an emerging trend that touches on our world and raises questions about the scope of responsibility of DPOs and other privacy professionals. The EU is continuing with its grand ambition to create a ‘single market for data’, with the Data Act entering into force in January 2024 and becoming effective from 2025. Meanwhile, the first sector-specific data regulation – the Health Data Space – continues to move through the Brussels legislative process.
This handbook is not a substitute for legal advice. Nor does it cover all aspects of the legal regimes surveyed, such as specific sectorial requirements. Enforcement climates and legal requirements in this area continue to evolve. Most fundamentally, knowing high-level principles of law is just one of the components required to shape and to implement a successful global data protection compliance program.