Global Comprehensive Privacy Law Mapping Chart


Comprehensive data protection laws exist across the globe. While each law is different, there are many commonalities in terms of the rights, obligations and enforcement provisions. The Westin Research Center has created this chart mapping several comprehensive data protection laws, including the laws in the U.S., to assist our members in understanding how data protection is being approached around the world.

Our intent is to add to this chart and update it as laws are amended and other laws come into force. As always, we appreciate input from our members. If you have comments about the mapping or believe additional information should be included, please share it with Cathy Cosgrove at [email protected].

Special thanks to Anna Johnston, Selin Ozbek Cittone, Dr. Julien C. Hounkpe, Kezia Talbot, Daimhin Warner, IAPP Legal Externs Seth Azubuike and Eduardo Monteverde, and former IAPP legal externs, including Brynne Duvall, Sean Kellogg and Cheryl Saniuk-Heinig, for their contributions.

Last updated: November 2021

Note: This tool is for informational purposes and is not legal advice. Whether a law includes a particular provision should always be verified via official sources.

Argentina, Australia, Benin Republic, Brazil

| Provision | Argentina | Australia | Benin Republic | Brazil |
|---|---|---|---|---|
| Law(s) mapped | Personal Data Protection Act* | Privacy Act 1988; Australian Privacy Principles (APPs, included in the Privacy Act); Australian Privacy Principles Guidelines | Digital Code | General Data Protection Law |
| INDIVIDUAL RIGHTS | | | | |
| Right to access | Articles 4(6) and 14 | APP 12 | Article 437 | Articles 6(IV) and 18(II) |
| Right to correct | Article 16 | APP 13; APP Guidelines, APP 13 | Article 441 | Article 18(III) |
| Right to delete | Articles 4(5) and 16 | (related to correcting inaccuracy) | Articles 441, 443 and 444 | Article 18(VI) |
| Right to portability | | | Article 438 | Article 18(V) |
| Right to opt out of all or specific processing | | APP 7 | Articles 390 and 440 | |
| Right to opt in for sensitive data processing | Articles 2 and 7* | APP 3 | Article 394 | Article 11 |
| Age-based opt-in right | | | Article 446 | Article 14 |
| Right not to be subject to fully automated decisions | | | Articles 401, 415 and 439 | Article 20 |
| BUSINESS OBLIGATIONS | | | | |
| Notice/transparency requirements | Articles 6 and 13 | APPs 1 and 5 | Articles 384, 403, 415, 416 and 418 | Article 10, Section 2 |
| Legal basis for processing | | | Articles 383 and 389 | Article 7 |
| Purpose limitation | Article 4(3) | APP 6 | Articles 383(3) and 424 | Article 6(I) |
| Data minimization | Article 4(1), (7) | APP 3.1–3.2 | Articles 383(4) and 424 | Article 6(III) |
| Security requirements | Article 9 | APP 11 | Articles 383 and 426 | Articles 6(VII) and 46–49 |
| Privacy by design | | APP Guidelines, APP 1, 1.3 | Article 424 | |
| Processor/service provider requirements | Article 9 (security) | | Article 386 | Articles 37, 39 and 40 |
| Prohibition on discrimination | | | Articles 393 and 401 | Article 6(IX) |
| Record keeping | Chapter IV (Articles 21–28) (for data files, registers, banks, etc.) | APP Guidelines, APP 1, 1.5 | Article 435 | Article 37 |
| Risk/impact assessments | | Privacy Act 1988, 33D; APP Guidelines, APP 1, 1.7; Australian Government Agencies Privacy Code* | Article 428 | Article 38 |
| Data breach notification* | | Privacy Act 1988, Part IIIC | Article 427 | Article 48 |
| Registration with authorities | Chapter IV (Articles 21–28) (for data files, registers, banks, etc.) | | Articles 405 and 406 (reporting obligation) | |
| Data protection officer | | Australian Government Agencies Privacy Code* | Articles 430–432 | Article 41 |
| International data transfer restrictions | Article 12 | APP 8 | Articles 391 and 392 | Article 33 |
| SCOPE | | | | |
| Exemption for employee data | | Privacy Act 1988, 7B(3) | | |
| Nonprofits covered | Articles 1 and 2 | Privacy Act 1988, 6C–6E; OAIC guidance | Article 380 | Article 3 |
| Sectoral law carveouts | | | | |
| State-level preemption | | | | |
| ENFORCEMENT | | | | |
| Independent enforcement authority | Agencia de Acceso a la Información Pública; Chapter V (Articles 29 and 30) | Office of the Australian Information Commissioner; Privacy Act 1988, Part IV | Autorité de Protection des Données à caractère Personnel; Articles 462–490 | National Data Protection Authority; Articles 55-A–55-L |
| Rulemaking authority | Chapter V (Articles 29 and 30) | Privacy Act 1988, 100 | Article 483 | Article 55-J |
| Fining authority | Article 31 | Privacy Act 1988, Part III, 13G; Part IIIA; Part V, 46, 65–66, etc. | Articles 452–455, 459 and 483 | Articles 52–54 |
| Criminal penalties | Articles 31 and 32 | Privacy Act 1988, Part V, 46, 65 and 66; Part VIA, 80Q, etc. | Articles 460 and 461 | |
| Personal liability | Articles 31 and 32 | Privacy Act 1988, 99A | Article 460 | |
| Private right of action | Articles 33–39 | | Articles 449–451 | Articles 42–45 |

*Data breach notification: Many countries and all 50 U.S. states have separate data breach notification laws. The term in this chart refers to a provision included in
a comprehensive data protection law.
*Argentina: Morrison Foerster’s privacy library has an English version of the Personal Data Protection Act. The law provides no person can be compelled to provide
sensitive data, subject to certain exceptions.
*Australia: The Australian Government Agencies Privacy Code requires Australian government agencies subject to the Privacy Act to conduct written privacy impact
assessments for “high privacy risk” projects and requires the appointment of a privacy officer(s) and privacy champion.
*Canada: PIPEDA applies to employee information in organizations engaged in federal works, undertakings or businesses.



Canada, China, Colombia, European Union

| Provision | Canada | China | Colombia | European Union |
|---|---|---|---|---|
| Law(s) mapped | Personal Information Protection and Electronic Documents Act | Personal Information Protection Law | Law 1581/2012*; Law 1266/2008 | General Data Protection Regulation |
| INDIVIDUAL RIGHTS | | | | |
| Right to access | Schedule 1, Principle 9 | Articles 44 and 45 | Articles 8 and 18, Law 1581; Article 7, Law 1266; Article 21, Decree 1377 | Article 15 |
| Right to correct | Schedule 1, Principle 9 | Article 46 | Articles 8 and 18, Law 1581; Article 7, Law 1266; Article 22, Decree 1377 | Article 16 |
| Right to delete | Schedule 1, Principle 9 (related to correcting inaccuracy) | Article 47 | Articles 8 and 18, Law 1581; Article 7, Law 1266; Article 22, Decree 1377 | Article 17 |
| Right to portability | | Article 45 | | Article 20 |
| Right to opt out of all or specific processing | Schedule 1, Principle 3 (4.3.8) | Articles 15 and 44 | Article 8(e), Law 1581 | Articles 7 and 21 |
| Right to opt in for sensitive data processing | See OPC Guidance, Principle 3 | Article 29 | Articles 5 and 6, Law 1581; Article 6, Decree 1377 | Article 9 |
| Age-based opt-in right | | Article 31 | Article 7, Law 1581*; Article 12, Decree 1377 | Article 8 |
| Right not to be subject to fully automated decisions | | Articles 24 and 55 | | Article 22 |
| BUSINESS OBLIGATIONS | | | | |
| Notice/transparency requirements | Schedule 1, Principles 2, 3 and 8 | Articles 7, 17, 23 and 30 | Articles 4(e) and 12, Law 1581; Articles 14–18, Decree 1377 | Article 12 |
| Legal basis for processing | Schedule 1, Principle 4.3 (consent required) | Article 13 | Article 9, Law 1581; Article 5, Decree 1377 (consent based) | Article 6 |
| Purpose limitation | Schedule 1, Principle 4 | Article 6 | Article 4(b), Law 1581 | Article 5(1)(b) |
| Data minimization | Schedule 1, Principle 4 | Articles 6 and 19 | Articles 4 and 11, Decree 1377 | Article 5(1)(c) |
| Security requirements | Schedule 1, Principle 7 | Articles 9, 51 and 59 | Articles 4(g), 17 and 18, Law 1581; Article 19, Decree 1377 | Article 32 |
| Privacy by design | | | | Article 25 |
| Processor/service provider requirements | | Article 21 | Articles 8, 12, 17 and 18, Law 1581 | Article 28 |
| Prohibition on discrimination | | Article 16 | | Recital 71 |
| Record keeping | Part 1, Division 1.1, Section 10.3 | Articles 54–56 | Articles 8, 17 and 18, Law 1581; Articles 8 and 26, Decree 1377 | Article 30 |
| Risk/impact assessments | | Articles 55 and 56 | Articles 17, 18 and 25, Law 1581 | Article 35 |
| Data breach notification* | Part 1, Division 1.1, Sections 10.1–10.3 | Article 57 | Articles 17 and 18, Law 1581 | Articles 33 and 34 |
| Registration with authorities | | Articles 52 and 53 | Article 25, Law 1581 (databases) | Article 37(7) |
| Data protection officer | Schedule 1, Principle 1 | Article 52 | Article 23, Decree 1377 (person or area designated to assume the function of personal data protection) | Article 37 |
| International data transfer restrictions | | Articles 38–43 | Article 26, Law 1581; Articles 24 and 25, Decree 1377 | Articles 44–50 |
| SCOPE | | | | |
| Exemption for employee data | Part 1, Section 4(1)(b)* | | | |
| Nonprofits covered | Part 1, Section 4 | Article 3 | Article 2, Law 1581 | Article 2 |
| Sectoral law carveouts | | | | Article 6(2) |
| State-level preemption | See OPC Guidance | | | Recital 10 |
| ENFORCEMENT | | | | |
| Independent enforcement authority | Office of the Privacy Commissioner; Part 1, Division 2 | | Superintendency of Industry and Commerce; Articles 19–24, Law 1581 | EU national data protection authorities; Articles 51–59 |
| Rulemaking authority | Part 1, Division 4, Sections 26 and 92 | Article 62 | Article 21, Law 1581 | Articles 64, 65(1)(c) |
| Fining authority | Part 1, Division 4, Section 28 | Article 66 | Articles 23 and 24, Law 1581; Title VII, Law 1266 | Article 83 |
| Criminal penalties | | Article 71 | | |
| Personal liability | | Article 66 | Articles 23 and 24, Law 1581; Articles 18 and 19, Law 1266 | |
| Private right of action | Part 1, Division 2, Sections 14–17 | Articles 50, 69 and 70 | Article 16, Law 1266; Decree 2591 | Article 79 |

*Colombia: In addition to the data protection laws, there are decrees and other documents with relevant data protection provisions, including Decree 1377/2013 and
Decree 2591/1991. Law 1581/2012 prohibits the processing of personal data of children and adolescents.



Hong Kong, New Zealand, Nigeria, Singapore

| Provision | Hong Kong | New Zealand | Nigeria | Singapore |
|---|---|---|---|---|
| Law(s) mapped | Personal Data (Privacy) Ordinance*; Data Protection Principles (DPPs, PDPO Schedule 1); Codes of practice | Privacy Act 2020; Information Privacy Principles (IPPs, Part 3, Subpart 1 of the Privacy Act) | Nigeria Data Protection Regulation (NDPR); Nigeria Data Protection Regulation Implementation Framework 2020 | Personal Data Protection Act |
| INDIVIDUAL RIGHTS | | | | |
| Right to access | Part 5, Division 1, Section 18; DPP 6 | IPP 6; Part 4, Subpart 1 | Paragraph 3.1(6) and (14) | Section 21 |
| Right to correct | Part 5, Division 2, Section 22 | IPP 7; Part 4, Subpart 2 | Paragraph 3.1(7)(h) | Section 22 |
| Right to delete | DPP 2 (related to correcting inaccuracy) | IPP 7; Section 7(1); Part 4, Subpart 2 (related to correcting inaccuracy) | Paragraph 3.1(9) | Section 25 (obligation limiting retention) |
| Right to portability | | | Paragraph 3.1(14) and (15) | Sections 26F–26J* |
| Right to opt out of all or specific processing | Part 6A, Division 2, Section 35G | | Paragraphs 2.3(c) and 3.1(11) | Section 16 |
| Right to opt in for sensitive data processing | | | NDPR Framework, Articles 5.3.2 and 5.4* | |
| Age-based opt-in right | | | NDPR Framework, Articles 5.3.1(d), 5.4 and 5.5* | |
| Right not to be subject to fully automated decisions | | | Paragraph 3.1(7)(L); NDPR Framework, Articles 3.2(xvi) and 5.3.1(f) | |
| BUSINESS OBLIGATIONS | | | | |
| Notice/transparency requirements | DPPs 5 and 6 | IPP 3 | Paragraphs 2.5, 3.1(1) and (7); NDPR Framework, Annex B (Privacy Policy Template) | Sections 12(d) and 20 |
| Legal basis for processing | DPP 1 | IPPs 10 and 11 (post-collection) | Paragraph 2.2 | Section 13 (consent required) |
| Purpose limitation | DPPs 1 and 3 | IPP 10 | Paragraphs 2.1(1)(a) and 3.1(7)(m); NDPR Framework, Article 4.1 | Sections 18 and 20 |
| Data minimization | DPP 1 | IPPs 1 and 9 (storage limitation) | NDPR Framework, Annex A (Audit Template), No. 4.6 | Section 14(2)(a) |
| Security requirements | DPP 4 | IPP 5 | Paragraphs 2.1(1)(d) and 2.6; NDPR Framework, Article 3.2(v) | Section 24 |
| Privacy by design | | | | |
| Processor/service provider requirements | DPPs 2(3) and 4(2) | IPP 5; Section 11 | Paragraph 2.7; NDPR Framework, Article 3.2 | Section 4(2) |
| Prohibition on discrimination | | | | |
| Record keeping | Part 5, Division 3, Section 27 | | NDPR Framework, Annex A (Audit Template), No. 3.1 | Section 22A |
| Risk/impact assessments | | | Paragraph 4.1(5)–(7) (audit requirement); NDPR Framework, Articles 3.2(viii) and 4.2 (data protection impact assessment) | * |
| Data breach notification* | | Part 6, Subpart 1 | NDPR Framework, Articles 3.2(ix) and 9 | Sections 26A–26E |
| Registration with authorities | Part 4, Section 15 | | | Section 11(5)* |
| Data protection officer | | Section 201 | Paragraph 4.1(2); NDPR Framework, Articles 3.4–3.7 | Section 11 |
| International data transfer restrictions | Part 6, Section 33 (not yet in operation) | IPP 12; Part 8 | Paragraphs 2.11–12 and 3.1(8); NDPR Framework, Articles 7 and 14 | Section 26 |
| SCOPE | | | | |
| Exemption for employee data | Part 8, Sections 53 and 54 | | | First Schedule, Part 3 (Legitimate Interests), Section 10 |
| Nonprofits covered | Part 1, Section 2 | Section 8 | Paragraph 1.2; NDPR Framework, Article 2.1 | Section 4 |
| Sectoral law carveouts | | Sections 24 and 28 | | Section 4(6)(b) |
| State-level preemption | | | | |
| ENFORCEMENT | | | | |
| Independent enforcement authority | Office of the Privacy Commissioner for Personal Data; Part 2, Section 5 | Office of the Privacy Commissioner; Part 2 | National Information Technology Development Agency*; Paragraph 4.2; NDPR Framework, Article 10 | Personal Data Protection Commission; Sections 5–10 |
| Rulemaking authority | Part 3, Section 12 | Part 3, Subpart 2 | Preamble to NDPR | Section 65 |
| Fining authority | Part 7, Sections 35C, 50A, 64, etc. | | Paragraph 2.10; NDPR Framework, Article 10.1.4 | Sections 48C–48F, 48J–48K, 51–52A and 56 |
| Criminal penalties | Numerous provisions | Sections 104, 118, 197 and 212 | Paragraph 2.10; NDPR Framework, Article 10.1.5 | Sections 48C–48F, 51–52A and 56 |
| Personal liability | Director convicted under PDPO | Sections 12, 27, 119, 120 and 211 | | Sections 48C–48F, 48J–48K, 51–52A, 56 and 60 |
| Private right of action | Part 9, Section 66 | Section 31 | | Section 48O |

*Hong Kong: The Personal Data (Privacy) (Amendment) Ordinance 2021 focused on combating doxxing acts took effect Oct. 8, 2021.
*Nigeria: Explicit consent is required for the processing of sensitive personal data. Consent is required for the processing of the personal data of a minor. A child is
defined as any person under 13. NITDA is the main regulator.
*Singapore: Amendments to the PDPA not yet in effect will create a right of portability and increase potential financial penalties. The PDPC has issued Advisory
Guidelines on various topics, including data activities related to minors and data protection impact assessments. There is no DPO registration requirement but the law
does require DPO contact details be made public.



South Africa, South Korea, Turkey

| Provision | South Africa | South Korea | Turkey |
|---|---|---|---|
| Law(s) mapped | Protection of Personal Information Act; Regulations Relating to the Protection of Personal Information | Personal Information Protection Act | Law on the Protection of Personal Data |
| INDIVIDUAL RIGHTS | | | |
| Right to access | Sections 5(b), 23 and 25* | Articles 4 and 35 | Chapter 3, Article 11 |
| Right to correct | Sections 5(c) and 24; Regulation 3 | Articles 4 and 36 | Chapter 3, Article 11 |
| Right to delete | Sections 5(c) and 24; Regulation 3 | Articles 4 and 36 | Chapter 2, Article 7; Chapter 3, Article 11 (limited) |
| Right to portability | | | |
| Right to opt out of all or specific processing | Sections 5(d)–(e) and 11(3)–(4) | Articles 4 and 37 | |
| Right to opt in for sensitive data processing | Sections 26–33 (“special personal information”) | Article 23 | Chapter 2, Article 6 |
| Age-based opt-in right | Sections 34 and 35 | Article 22(6) | |
| Right not to be subject to fully automated decisions | Sections 5(g) and 71 | | Chapter 3, Article 11(1)(g) |
| BUSINESS OBLIGATIONS | | | |
| Notice/transparency requirements | Sections 5(a) and 18 | Articles 3, 4 and 30 | Chapter 3, Article 10(1) |
| Legal basis for processing | Sections 4, 9 and 11 | Articles 3 and 15 | Chapter 2, Articles 4–6 |
| Purpose limitation | Sections 13 and 15 | Articles 3, 15, 18 and 19 | Chapter 2, Article 4(2)(c) |
| Data minimization | Sections 10, 14 and 16 | Article 16(1) | Chapter 2, Article 4(2)(ç) and (d) |
| Security requirements | Sections 19–21 | Article 29 | Chapter 3, Article 12 |
| Privacy by design | | | |
| Processor/service provider requirements | Sections 20 and 21 (security) | Articles 19 and 26 | Chapter 3, Article 12 |
| Prohibition on discrimination | | | |
| Record keeping | Sections 14 and 17 | Article 29 | Chapter 4, Article 16 |
| Risk/impact assessments | Regulation 4(b) | Article 33 | |
| Data breach notification* | Section 22 | Article 34 | Chapter 3, Article 12(5) |
| Registration with authorities | Sections 55 (for Information Officers) and 58 (certain processing); Guidance Note on Application for Prior Authorisation* | Article 32 | Chapter 4, Article 16 |
| Data protection officer | Sections 55 and 56; Regulation 4; Guidance Note on Information Officers and Deputy Information Officers* | Article 31 | |
| International data transfer restrictions | Sections 57(1)(d) and 72 | Articles 14(2), 17(3), 39-12 and 39-13 | Chapter 2, Article 9 |
| SCOPE | | | |
| Exemption for employee data | Section 32(1)(f) | | |
| Nonprofits covered | Section 3 | Article 58 | Chapter 1, Article 2 |
| Sectoral law carveouts | | Article 6 | Chapter 7, Article 28 |
| State-level preemption | | | Chapter 7, Article 28 |
| ENFORCEMENT | | | |
| Independent enforcement authority | The Information Regulator; Sections 39–54 | Personal Information Protection Commission; Article 7 | Personal Data Protection Authority; Chapter 6, Articles 19 and 20 |
| Rulemaking authority | Sections 40(1)(f), 60–68 and 112(2) | Articles 7-8 and 7-9 | Chapter 6, Article 22 |
| Fining authority | Section 109 | Articles 70–76 | Chapter 5, Article 18; Chapter 6, Article 22 |
| Criminal penalties | Section 107 | Articles 70–73 | Chapter 5, Article 17 |
| Personal liability | Section 93(b)(ii) (Information Officers); Guidance Note on Information Officers and Deputy Information Officers* | Articles 70–76 | Chapter 5, Article 18 |
| Private right of action | Section 99 | Articles 51–57 | Chapter 3, Article 11(1)(ğ) |

*South Africa: Access to personal information is further regulated by the Promotion of Access to Information Act No. 2 of 2000. Guidelines, guidance notes and notices from the Information Regulator are available on its website.



California, Colorado, Virginia

| Provision | California (CCPA) | California (CPRA) | Colorado | Virginia |
|---|---|---|---|---|
| Law(s) mapped | California Consumer Privacy Act; California Consumer Privacy Act Regulations | California Privacy Rights Act (most provisions operative Jan. 1, 2023) | Colorado Privacy Act* (effective July 1, 2023) | Consumer Data Protection Act (effective Jan. 1, 2023) |
| INDIVIDUAL RIGHTS | | | | |
| Right to access | Sections 1798.100, 1798.110 and 1798.115 | Sections 1798.100, 1798.110 and 1798.115 | Section 6-1-1306(1)(b) | Section 59.1-573(A)(1) |
| Right to correct | | Section 1798.106 | Section 6-1-1306(1)(c) | Section 59.1-573(A)(2) |
| Right to delete | Section 1798.105 | Section 1798.105 | Section 6-1-1306(1)(d) | Section 59.1-573(A)(3) |
| Right to portability | Sections 1798.100(d) and 1798.130(a)(2) | Section 1798.130(a)(3)(B)(iii) | Section 6-1-1306(1)(e) | Section 59.1-573(A)(4) |
| Right to opt out of all or specific processing | Section 1798.120 | Section 1798.120 | Section 6-1-1306(1)(a) | Section 59.1-573(A)(5) |
| Right to opt in for sensitive data processing | | Section 1798.121* | Section 6-1-1308(7) | Section 59.1-574(A)(5) |
| Age-based opt-in right | Section 1798.120(c) | Section 1798.120(c) | Section 6-1-1308(7) | |
| Right not to be subject to fully automated decisions | | Section 1798.185(a)(16)* | Section 6-1-1306(1)(a)(I)(C) | Section 59.1-574(A)(5) |
| BUSINESS OBLIGATIONS | | | | |
| Notice/transparency requirements | Sections 1798.100(b) and 1798.130 | Sections 1798.100(a), 1798.130(a) and 1798.135 | Section 6-1-1308(1) | Section 59.1-574 |
| Legal basis for processing | | | | |
| Purpose limitation | Section 1798.100(b) | Section 1798.100(c) | Section 6-1-1308(2), (4) | Section 59.1-574(A)(2) |
| Data minimization | | Sections 1798.100(c) and 1798.100(a)(d) | Section 6-1-1308(3) | Section 59.1-574(A)(1) |
| Security requirements | Section 1798.150(a) | Sections 1798.100(e) and 1798.150(a) | Section 6-1-1308(5) | Section 59.1-574(A)(3) |
| Privacy by design | | | | |
| Processor/service provider requirements | Section 1798.140(v) | Sections 1798.100(d) and 1798.140(ag)(1) | Section 6-1-1305 | Section 59.1-575 |
| Prohibition on discrimination | Section 1798.125 | Section 1798.125 | Section 6-1-1308(6) | Section 59.1-574(A)(4) |
| Record keeping | CCPA Regulations, Section 999.317 | | | |
| Risk/impact assessments | | Section 1798.185(a)(15) | Section 6-1-1309 | Section 59.1-576 |
| Data breach notification* | | | | |
| Registration with authorities | | | | |
| Data protection officer | | | | |
| International data transfer restrictions | | | | |
| SCOPE | | | | |
| Exemption for employee data | Section 1798.145(m) from CPRA, operative immediately until Jan. 1, 2023 | | Section 6-1-1303(6)(b) | Section 59.1-572(C)(14) |
| Nonprofits covered | | | Section 6-1-1304(1) | |
| Sectoral law carveouts | Sections 1798.145 and 1798.146 | Sections 1798.145 and 1798.146 | Section 6-1-1304(2) | Section 59.1-572 |
| State-level preemption | Section 1798.180 | Section 1798.180 | Section 6-1-1312 | |
| ENFORCEMENT | | | | |
| Independent enforcement authority | | California Privacy Protection Agency; Section 1798.199.10 et seq. | | |
| Rulemaking authority | Section 1798.185 | Section 1798.185 | Section 6-1-1313 | |
| Fining authority | Section 1798.155 | Sections 1798.155, 1798.199.55 and 1798.199.90 | Section 6-1-1311 | Section 59.1-580 |
| Criminal penalties | | | | |
| Personal liability | | | | |
| Private right of action | Section 1798.150 | Section 1798.150 | | |

*California: The California Privacy Rights Act categorizes sensitive data and allows consumers to limit its use and disclosure but does not require opt-in consent for use of sensitive data. There is no explicit right against automated decision-making, but the use of automated decision-making is within the scope of the regulations to be promulgated.
*Colorado: The Colorado Privacy Act is now codified in the Colorado Revised Statutes.

