Controls the export and re-export of dual-use items -- commercial goods with potential military applications -- including encryption technology and certain software. Administered by the Bureau of Industry and Security, it requires export licenses for controlled items. Applies to any company exporting technology, software, or technical data outside the United States.
Australia's federal privacy law establishing the Australian Privacy Principles, which govern the collection, use, disclosure, storage, and cross-border transfer of personal information. It was significantly reformed in 2022 with increased penalties. Applies to Australian government agencies and private organizations with annual turnover over A$3 million.
Brazil's comprehensive data protection law, heavily influenced by the GDPR. It establishes ten legal bases for processing, data subject rights, and a national data protection authority (ANPD) with enforcement powers. Applies to any organization processing personal data of individuals in Brazil, regardless of where the organization is based.
Brazil's "Internet Bill of Rights" establishing principles of net neutrality, privacy, and freedom of expression online. Imposes data retention, user notification, and due process requirements on internet service providers.
Personal Information Protection and Electronic Documents Act
PIPEDA — S.C. 2000, c. 5
Canada's federal private-sector privacy law, built on ten fair information principles. It requires meaningful consent for data collection, use, and disclosure, and gives individuals the right to access and challenge the accuracy of their personal data. Applies to private-sector organizations collecting personal information in the course of commercial activity across Canada.
Quebec Law 25 (Act to modernize legislative provisions as regards the protection of personal information)
Quebec Law 25 — S.Q. 2021, c. 25
Quebec's modernized privacy law introducing mandatory privacy impact assessments, breach notification, enhanced consent requirements, and the right to data portability. It is notably stricter than the federal PIPEDA. Applies to all private organizations collecting personal information in Quebec.
A voluntary, accountability-based framework enabling cross-border data transfers among APEC member economies. Companies certify compliance through a government-approved accountability agent rather than through regulation. Relevant for businesses transferring personal data across the Asia-Pacific region.
Pre-approved contractual terms adopted by the European Commission for transferring personal data from the EU to countries without an adequacy decision. They are the most widely used mechanism for lawful cross-border data transfers from the EU. Any company receiving personal data from the EU without an adequacy finding must implement the appropriate SCC module.
The current mechanism allowing certified US companies to receive personal data from the EU without additional safeguards like Standard Contractual Clauses. US companies self-certify through the Department of Commerce. It replaces the invalidated Privacy Shield, and its long-term durability remains uncertain.
The UK's mechanism for lawful personal data transfers to countries without a UK adequacy decision, replacing the EU SCCs for UK data flows after Brexit. They are required whenever UK personal data is transferred to a non-adequate country. Any company receiving UK personal data must implement the appropriate transfer agreement.
Targets large online platforms designated as "gatekeepers" -- such as Apple, Google, Amazon, Meta, and Microsoft -- imposing obligations around interoperability, data portability, fair ranking, and prohibitions on self-preferencing. It aims to ensure contestable and fair digital markets. Applies to platforms meeting specific user and revenue thresholds in the EU.
Comprehensive EU regulation governing online intermediaries and platforms. Imposes content moderation, transparency, and risk-mitigation obligations — with tiered requirements based on platform size. Very Large Online Platforms face the strictest rules.
The EU AI Act establishes a comprehensive risk-based regulatory framework for artificial intelligence systems, including obligations for high-risk systems, transparency requirements, and governance rules for general-purpose AI models. It applies extraterritorially to many companies offering AI systems or AI-generated outputs to users in the European Union, even if the company is based in the United States.
The EU's landmark data protection regulation and the global benchmark for privacy law. It establishes comprehensive rules for collecting, processing, and transferring personal data, with fines up to 4% of global annual revenue. Applies to any organization processing personal data of individuals in the EU, regardless of where the organization is located.
French law establishing principles of openness, fairness, and loyalty for digital platforms. Includes provisions on data portability, platform transparency, and algorithmic accountability.
France's foundational data protection law, originally enacted in 1978 and updated to align with the GDPR. It is enforced by the CNIL, one of Europe's most active and influential data protection authorities. Applies to all organizations processing personal data of individuals in France.
Germany's federal data protection law supplementing the GDPR with specific requirements for employment data processing, video surveillance, and the appointment of data protection officers. It is one of the strictest national implementations in the EU. Applies to all organizations processing personal data in Germany.
India's comprehensive data protection law, enacted in 2023 with implementing rules still being finalized. It establishes consent-based processing, data principal rights, and significant penalties up to 250 crore rupees. Applies to processing of digital personal data within India or of Indian residents' data abroad.
Implementation rules not yet fully in effect as of 2025 — monitor for updates
Ireland's national implementation of the GDPR, particularly significant because Ireland's Data Protection Commission supervises many major US tech companies -- including Apple, Google, Meta, and Microsoft -- whose European headquarters are based there. Applies to all organizations processing personal data of individuals in Ireland.
Irish Data Protection Commission is lead EU regulator for many US tech companies
Israel's primary privacy legislation, regulating database registration, data collection and processing, and data security requirements. Israel holds an EU adequacy decision, making it a significant hub for cross-border data transfers. Applies to all entities managing databases containing personal data in Israel.
Codice in materia di protezione dei dati personali
Codice Privacy — D.Lgs. 196/2003
Italy's data protection code, amended to align with the GDPR, including Italian-specific provisions for processing related to archiving, scientific research, and statistical purposes. It works alongside the GDPR as the national implementing law. Applies to all organizations processing personal data of individuals in Italy.
Japan's comprehensive data protection law, substantially amended in 2022 to strengthen cross-border transfer rules and expand data subject rights. It regulates the collection, use, and transfer of personal information with breach notification requirements. Applies to all businesses handling personal information of individuals in Japan.
Ley Federal de Protección de Datos Personales en Posesión de los Particulares
LFPDPPP — DOF 05-07-2010
Mexico's federal data privacy law governing private-sector data processing. It requires privacy notices, consent, and provides data subjects with access, rectification, cancellation, and opposition (ARCO) rights. Applies to all private entities processing personal data in Mexico.
The Dutch implementation act supplementing the GDPR with specific provisions on processing national identification numbers, health and genetic data, criminal conviction data, and exemptions for journalistic and academic purposes. It tailors the GDPR to the Dutch legal system. Applies to all organizations processing personal data in the Netherlands.
New Zealand's updated privacy law, replacing the 1993 Act. It introduces mandatory data breach notification, strengthens cross-border data transfer controls, and enhances the Privacy Commissioner's enforcement powers. Applies to any agency, public or private, collecting or holding personal information in New Zealand.
Poland's national implementation of the GDPR, supplementing EU requirements with Polish-specific provisions on penalties and the powers of the national data protection authority (UODO). It fills gaps left by the GDPR with local administrative and procedural rules. Applies to all organizations processing personal data of individuals in Poland.
Singapore's comprehensive data protection law governing the collection, use, and disclosure of personal data by private organizations. It includes consent requirements, mandatory data breach notification, and maintains a national Do Not Call Registry. Applies to all private organizations processing personal data in Singapore.
South Korea's comprehensive data protection law, one of the strictest in Asia. It requires explicit consent for most data processing, mandates data breach notification, and imposes criminal penalties for violations. Applies to all public and private entities processing personal information in South Korea.
Ley Orgánica de Protección de Datos y Garantía de los Derechos Digitales
LOPDGDD — Ley Orgánica 3/2018
Spain's national data protection law supplementing the GDPR with innovative digital rights provisions, including the right to digital disconnection in the workplace and rights related to digital wills. It extends data protection into broader digital rights territory. Applies to all organizations processing personal data in Spain.
Sweden's national data protection act supplementing the GDPR with provisions on processing personal identity numbers and the powers of the Swedish Data Protection Authority (IMY). It adapts the GDPR to the Swedish legal context. Applies to all organizations processing personal data in Sweden.
Data protection rules for entities operating within the Abu Dhabi Global Market financial free zone, closely modeled on the GDPR. It establishes data subject rights, breach notification duties, and cross-border transfer controls for the ADGM jurisdiction. Applies to companies registered in or processing data through the ADGM.
Applies within the Abu Dhabi Global Market free zone
Data protection law for the Dubai International Financial Centre free zone, closely modeled on the GDPR. It establishes data subject rights, breach notification obligations, and cross-border transfer controls specific to the DIFC jurisdiction. Applies to entities registered in or processing data through the DIFC.
Applies within the Dubai International Financial Centre free zone
Federal Decree-Law No. 45 of 2021 on Personal Data Protection
UAE PDPL — Federal Decree-Law No. 45/2021
The UAE's first comprehensive federal data protection law, establishing consent requirements, data subject rights, cross-border transfer restrictions, and breach notification obligations. It brings the UAE closer to international data protection standards. Applies to all processing of personal data within the UAE, excluding the ADGM and DIFC free zones which have their own laws.
The UK's primary data protection legislation, working alongside the UK GDPR after Brexit. It covers law enforcement processing, intelligence services processing, and supplements the UK GDPR with UK-specific derogations. Applies to all organizations processing personal data of individuals in the United Kingdom.
The retained EU GDPR as incorporated into UK law after Brexit, substantively similar to the EU version but enforced by the UK Information Commissioner's Office (ICO). Companies serving both EU and UK markets must comply with both versions independently. Applies to all organizations processing personal data of individuals in the United Kingdom.