The IAPP Research and Insights team recently updated and revamped its Global Privacy Law and DPA Directory. First launched in 2017, this resource is a one-stop-shop for information on data protection authorities for privacy professionals navigating international data protection and privacy laws. Given the plethora of new legislation that has emerged globally in recent years, the directory has required some renovation.
The updated resource acts as an index of both the national privacy legislation and relevant DPAs in over 200 countries. The directory's map and list functions allow users to select an individual country and explore its existing national data privacy and protection legislation. If such legislation exists, the directory provides a link to its text, the title of the appointed DPA and a link to the DPA's website. In short, the directory curates helpful resources for organizations and privacy pros who must understand and interact with privacy authorities in different countries around the world.
The importance of the updated directory is amplified by the current state of the global privacy landscape. A few trends have emerged among countries that have been working through the process of updating long-standing privacy laws and crafting entirely new ones. The first informal phase emerged after the passage of the EU General Data Protection Regulation, when EU countries began applying its provisions within their national borders.
Following this wave, there was a period of global GDPR mirroring, courtesy of the "Brussels effect," in which non-EU countries framed and passed national privacy legislation that heavily paralleled the GDPR. For instance, in the 2020s a handful of countries, including Brazil, Thailand, China, Saudi Arabia and India, enacted their first comprehensive data privacy and protection laws.. While these countries already had laws that dealt with data privacy in one way or another, such as China's Data Security and Cybersecurity Laws, the newer laws represent first-of-their-kind comprehensive legislation specifically designed to regulate and protect personal information. Not surprisingly, a strong GDPR influence may be detected in each law, as the countries used it as a model and customized it according to their unique political, economic and cultural needs.
Currently, countries like Australia and the U.K. are taking inspiration from the lived experiences of GDPR as one factor amid their broader strategic objectives associated with privacy and data when designing national legislation. Because much has changed throughout the world since the GDPR went into effect in 2018, such as the COVID-19 pandemic, the proliferation of AI and various national security incidents, this current wave of legislation factors in the privacy implications of these events.
Meanwhile, another group of countries, including New Zealand, Singapore and Switzerland, amended their existing privacy laws to be more robust and reflective of technological advancements since their initial passage. Geographically, a boom in law and policy updates has occurred in the Asia-Pacific region. Additionally, a number of African nations, including Nigeria, Kenya and South Africa, passed comprehensive privacy legislation in the past several years. This could be the GDPR effect reaching different parts of the globe, or it could be reasonably attributed to the worldwide realization of the need to protect the personal information of individuals in an age of constant digital connection.
Data privacy and protection laws have proliferated dramatically over the past few years. By our count, 137 countries now have national data privacy laws. This means 70% of nations worldwide, 6.3 billion people or 79.3% of the world's population is covered by some form of national data privacy law. As such, this metric has surpassed Gartner's prediction that 75% of the population would be covered by 2024. This legislative boom is only set to continue as more nations develop comprehensive laws regulating privacy and AI.
In 2017, 120 countries maintained national privacy legislation. A 17-country increase in seven years is notable, but it does not reflect the vast number of nations that updated and revised preexisting laws to make them more comprehensive. We hope this directory serves as a helpful resource for our members and provides a better picture of today's truly global data protection and privacy legislative landscape.