Privacy Act 1988
Privacy Act 1988
Australia's federal privacy law establishing the Australian Privacy Principles, which govern the collection, use, disclosure, storage, and cross-border transfer of personal information. It was significantly reformed in 2022 with increased penalties. Applies to Australian government agencies and private organizations with annual turnover over A$3 million.
selling-internationally
Lei Geral de Proteção de Dados Pessoais
LGPD
Brazil's comprehensive data protection law, heavily influenced by the GDPR. It establishes ten legal bases for processing, data subject rights, and a national data protection authority (ANPD) with enforcement powers. Applies to any organization processing personal data of individuals in Brazil, regardless of where the organization is based.
Official source is in Portuguese
selling-internationally
Marco Civil da Internet
Marco Civil
Brazil's "Internet Bill of Rights" establishing principles of net neutrality, privacy, and freedom of expression online. Imposes data retention, user notification, and due process requirements on internet service providers.
Official source is in Portuguese
selling-internationally
Digital Charter Implementation Act (Bill C-27)
Bill C-27
Canada's proposed overhaul of federal privacy law, currently before Parliament. It would replace PIPEDA with the Consumer Privacy Protection Act and create a new AI regulatory framework. Companies operating in Canada should monitor its progress, as it will substantially change Canadian privacy obligations.
Pending — includes Consumer Privacy Protection Act and AI and Data Act
selling-internationally
Personal Information Protection and Electronic Documents Act
PIPEDA
Canada's federal private-sector privacy law, built on ten fair information principles. It requires meaningful consent for data collection, use, and disclosure, and gives individuals the right to access and challenge the accuracy of their personal data. Applies to private-sector organizations collecting personal information in the course of commercial activity across Canada.
selling-internationally
Quebec Law 25 (Act to modernize legislative provisions as regards the protection of personal information)
Quebec Law 25
Quebec's modernized privacy law introducing mandatory privacy impact assessments, breach notification, enhanced consent requirements, and the right to data portability. It is notably stricter than the federal PIPEDA. Applies to all private organizations collecting personal information in Quebec.
Official source is in French
selling-internationally
APEC Cross-Border Privacy Rules Framework
APEC CBPR
A voluntary, accountability-based framework enabling cross-border data transfers among APEC member economies. Companies certify compliance through a government-approved accountability agent rather than through regulation. Relevant for businesses transferring personal data across the Asia-Pacific region.
selling-internationally
EU Standard Contractual Clauses
EU SCCs
Pre-approved contractual terms adopted by the European Commission for transferring personal data from the EU to countries without an adequacy decision. They are the most widely used mechanism for lawful cross-border data transfers from the EU. Any company receiving personal data from the EU without an adequacy finding must implement the appropriate SCC module.
selling-internationally
EU-US Data Privacy Framework
EU-US DPF
The current mechanism allowing certified US companies to receive personal data from the EU without additional safeguards like Standard Contractual Clauses. US companies self-certify through the Department of Commerce. It replaces the invalidated Privacy Shield, and its long-term durability remains uncertain.
selling-internationally
UK International Data Transfer Agreements
UK IDTAs
The UK's mechanism for lawful personal data transfers to countries without a UK adequacy decision, replacing the EU SCCs for UK data flows after Brexit. They are required whenever UK personal data is transferred to a non-adequate country. Any company receiving UK personal data must implement the appropriate transfer agreement.
selling-internationally
Digital Markets Act
DMA
Targets large online platforms designated as "gatekeepers" -- such as Apple, Google, Amazon, Meta, and Microsoft -- imposing obligations around interoperability, data portability, fair ranking, and prohibitions on self-preferencing. It aims to ensure contestable and fair digital markets. Applies to platforms meeting specific user and revenue thresholds in the EU.
selling-internationally
Digital Services Act
DSA
Comprehensive EU regulation governing online intermediaries and platforms. Imposes content moderation, transparency, and risk-mitigation obligations — with tiered requirements based on platform size. Very Large Online Platforms face the strictest rules.
selling-internationally
EU AI Act
EU AI Act
The world's first comprehensive AI regulation, classifying AI systems by risk level from prohibited (social scoring, manipulative AI) to high-risk (hiring, credit, law enforcement) requiring conformity assessments. Compliance deadlines are phased through 2027. Applies to any company deploying or developing AI systems used in the EU.
selling-internationally
General Data Protection Regulation
GDPR
The EU's landmark data protection regulation and the global benchmark for privacy law. It establishes comprehensive rules for collecting, processing, and transferring personal data, with fines of up to 4% of global annual revenue. Applies to any organization processing personal data of individuals in the EU, regardless of where the organization is located.
selling-internationally
Digital Republic Act
Loi République Numérique
French law establishing principles of openness, fairness, and loyalty for digital platforms. Includes provisions on data portability, platform transparency, and algorithmic accountability.
Official source is in French
selling-internationally
Loi Informatique et Libertés
LIL
France's foundational data protection law, originally enacted in 1978 and updated to align with the GDPR. It is enforced by the CNIL, one of Europe's most active and influential data protection authorities. Applies to all organizations processing personal data of individuals in France.
Official source is in French
selling-internationally
Bundesdatenschutzgesetz
BDSG
Germany's federal data protection law supplementing the GDPR with specific requirements for employment data processing, video surveillance, and the appointment of data protection officers. It is one of the strictest national implementations in the EU. Applies to all organizations processing personal data in Germany.
Official source is in German
selling-internationally
Digital Personal Data Protection Act 2023
DPDP Act
India's comprehensive data protection law, enacted in 2023 with implementing rules still being finalized. It establishes consent-based processing, data principal rights, and significant penalties of up to 250 crore rupees. Applies to processing of digital personal data within India or of Indian residents' data abroad.
Implementation rules not yet fully in effect as of 2025 — monitor for updates
selling-internationally
Data Protection Act 2018
IE DPA 2018
Ireland's national implementation of the GDPR, particularly significant because Ireland's Data Protection Commission supervises many major US tech companies -- including Apple, Google, Meta, and Microsoft -- whose European headquarters are based there. Applies to all organizations processing personal data of individuals in Ireland.
Irish Data Protection Commission is lead EU regulator for many US tech companies
selling-internationally
Privacy Protection Law 5741-1981
Privacy Protection Law
Israel's primary privacy legislation, regulating database registration, data collection and processing, and data security requirements. Israel holds an EU adequacy decision, making it a significant hub for cross-border data transfers. Applies to all entities managing databases containing personal data in Israel.
selling-internationally
Codice in materia di protezione dei dati personali
Codice Privacy
Italy's data protection code, amended to align with the GDPR, including Italian-specific provisions for processing related to archiving, scientific research, and statistical purposes. It works alongside the GDPR as the national implementing law. Applies to all organizations processing personal data of individuals in Italy.
Official source is in Italian
selling-internationally
Act on the Protection of Personal Information
APPI
Japan's comprehensive data protection law, substantially amended in 2022 to strengthen cross-border transfer rules and expand data subject rights. It regulates the collection, use, and transfer of personal information with breach notification requirements. Applies to all businesses handling personal information of individuals in Japan.
selling-internationally
Ley Federal de Protección de Datos Personales en Posesión de los Particulares
LFPDPPP
Mexico's federal data privacy law governing private-sector data processing. It requires privacy notices, consent, and provides data subjects with access, rectification, cancellation, and opposition (ARCO) rights. Applies to all private entities processing personal data in Mexico.
Official source is in Spanish
selling-internationally
Uitvoeringswet AVG
UAVG
The Dutch implementation act supplementing the GDPR with specific provisions on processing national identification numbers, health and genetic data, criminal conviction data, and exemptions for journalistic and academic purposes. It tailors the GDPR to the Dutch legal system. Applies to all organizations processing personal data in the Netherlands.
Official source is in Dutch
selling-internationally
Privacy Act 2020
NZ Privacy Act
New Zealand's updated privacy law, replacing the 1993 Act. It introduces mandatory data breach notification, strengthens cross-border data transfer controls, and enhances the Privacy Commissioner's enforcement powers. Applies to any agency, public or private, collecting or holding personal information in New Zealand.
selling-internationally
Act on Personal Data Protection 2018
PL DPA 2018
Poland's national implementation of the GDPR, supplementing EU requirements with Polish-specific provisions on penalties and the powers of the national data protection authority (UODO). It fills gaps left by the GDPR with local administrative and procedural rules. Applies to all organizations processing personal data of individuals in Poland.
Official source is in Polish
selling-internationally
Personal Data Protection Act
PDPA
Singapore's comprehensive data protection law governing the collection, use, and disclosure of personal data by private organizations. It includes consent requirements, mandatory data breach notification, and maintains a national Do Not Call Registry. Applies to all private organizations processing personal data in Singapore.
selling-internationally
Personal Information Protection Act
PIPA
South Korea's comprehensive data protection law, one of the strictest in Asia. It requires explicit consent for most data processing, mandates data breach notification, and imposes criminal penalties for violations. Applies to all public and private entities processing personal information in South Korea.
Official source is in Korean
selling-internationally
Ley Orgánica de Protección de Datos y Garantía de los Derechos Digitales
LOPDGDD
Spain's national data protection law supplementing the GDPR with innovative digital rights provisions, including the right to digital disconnection in the workplace and rights related to digital wills. It extends data protection into broader digital rights territory. Applies to all organizations processing personal data in Spain.
Official source is in Spanish
selling-internationally
Dataskyddslag
Dataskyddslag
Sweden's national data protection act supplementing the GDPR with provisions on processing personal identity numbers and the powers of the Swedish Data Protection Authority (IMY). It adapts the GDPR to the Swedish legal context. Applies to all organizations processing personal data in Sweden.
Official source is in Swedish
selling-internationally
ADGM Data Protection Regulations
ADGM DPR
Data protection rules for entities operating within the Abu Dhabi Global Market financial free zone, closely modeled on the GDPR. It establishes data subject rights, breach notification duties, and cross-border transfer controls for the ADGM jurisdiction. Applies to companies registered in or processing data through the ADGM.
Applies within the Abu Dhabi Global Market free zone
selling-internationally
DIFC Data Protection Law
DIFC DPL
Data protection law for the Dubai International Financial Centre free zone, closely modeled on the GDPR. It establishes data subject rights, breach notification obligations, and cross-border transfer controls specific to the DIFC jurisdiction. Applies to entities registered in or processing data through the DIFC.
Applies within the Dubai International Financial Centre free zone
selling-internationally
Federal Decree-Law No. 45 of 2021 on Personal Data Protection
UAE PDPL
The UAE's first comprehensive federal data protection law, establishing consent requirements, data subject rights, cross-border transfer restrictions, and breach notification obligations. It brings the UAE closer to international data protection standards. Applies to all processing of personal data within the UAE, excluding the ADGM and DIFC free zones, which have their own laws.
selling-internationally
Data Protection Act 2018
UK DPA 2018
The UK's primary data protection legislation, working alongside the UK GDPR after Brexit. It covers law enforcement processing, intelligence services processing, and supplements the UK GDPR with UK-specific derogations. Applies to all organizations processing personal data of individuals in the United Kingdom.
selling-internationally
UK General Data Protection Regulation
UK GDPR
The retained EU GDPR as incorporated into UK law after Brexit, substantively similar to the EU version but enforced by the UK Information Commissioner's Office (ICO). Companies serving both EU and UK markets must comply with both versions independently. Applies to all organizations processing personal data of individuals in the United Kingdom.
selling-internationally