Top 19 Countries with Data Privacy Laws

Top 19 Countries with Data Privacy Laws

In 2016, Minnesota state auditors discovered that 88 police officers across the state had misused their access to data. This had been between 2013 and 2015. They had access to personal data in the state’s driver’s license database and abused this access to look up information on people without authorization. Those affected include family members, girlfriends, friends, and others. With the rise in the number of online activities involving the user to submit data, there has been an increased awareness of data privacy, and the need to keep it private. Many companies share user data with a third party without the consent of the person involved. Thanks to top data privacy laws that exist in some countries, however, this isn’t the case anymore.

Countries belonging to the European union already protect the data collected from citizens thanks to the General Data Protection Regulation that was formed in 2018. It exists to govern the collection of personal data from internet users. The California Consumer Privacy Act which is similar in function to the GDPR has also come into play to protect user data. It’s in place to enhance the privacy of residents in California, USA. 

The Best Way to Ensure Your Privacy

Even if you live in a country that has top data privacy laws, you must protect your data by yourself especially if you have concerns about the amount of data you provide online.

When using apps that request weird permissions especially if the apps have no business with the functions they are requesting, it would be best to deny such requests. If it’s a must that you grant those permissions and you are not comfortable with it, delete the app and use an alternative, or just let it go. Being in control of your data also gives you control of your life as hackers can do a lot to you if they get hold of your personal information.

Protect Your Data With a VPN

You should connect to the web through a VPN if you must stay anonymous and protect your data. A VPN is an intermediary between you and the internet, and it takes your requests, processes them, and then sends your request on your behalf to the target server. 

When you send a request to the web using a VPN, it passes through an encryption tunnel. This tunnel scrambles the sent data so that it can’t be read even if intercepted by a third party. The data can only be deciphered by the intended party as they alone have the key to decrypt the data. You also remain anonymous as the VPN server which you connect to communicates with the web on your behalf. 

19 Countries with Top Data Privacy Laws


Country Privacy Law
Australia  Privacy Act
Ireland Data Protection Act
France Data Protection Bill
Canada The Privacy Act
Brazil General Data Protection Law
Iceland Data Protection Act
Norway Personal Data Act
Portugal Data Protection Law
Denmark Danish Data Protection Act
Switzerland  Federal Act on Data Protection 
Chile Personal Data Protection Law
China Personal Information Protection Law (draft)
USA California Consumer Privacy Act

California Privacy Rights Act

New Zealand Privacy Act

Information Privacy Principles 

India Information Technology Rules
South Korea  Personal Information Protection Act

Network Act

Credit Information Act

Thailand  Personal Data Protection Act
Japan The Act on the Protection of Personal Information
South Africa  The Protection of Personal Information Act(POPIA)



In Australia, the privacy amendment took full swing in February 2018 and requires that companies that have an annual turnover of over 3 million AUD should be responsible and disclose any data breaches they suffer. The data breaches are especially of those that are a threat to the users and they are to do this within 30 days after they discovered the breach or be fined to the tune of 1.8 million AUD.

Between January to June 2020, 518 data breaches were reported to the Office of the Australian Information Commissioner under Notifiable Data Breaches Scheme. Cyber attacks are the leading cause of breaches at 61%.  Breaches due to human error account for 34%. 


Ireland has had its data protection act since 1988 and has protected the manner and use of data collected from its citizens since then. Companies that operate in Ireland are required to have a privacy statement that explains how they abide by the country’s eight data protection principles in their data collection processes. There is a penalty for non-compliance. Twitter for example was fined in 2020 to the tune of $547,000 for their breach of GDPR’s rules. 


France has its reputation for providing world-class services in privacy enforcement, biometrics, and identity cards. Its privacy protection act has a broad scope and applies to every company located in France that collects data. In 2019, France National Data Protection Commission justified a fine of $56.7 million to Google for violating the European Union’s General Data Protection Regulation. 


The Canadian government introduced a bill in November 2020 to amend its data privacy policies. The bill if passed would be following the standard of GDPR such as fines for companies that don’t comply.

Canada loses $3.12 billion per year to cybercrime. Canadian businesses reported to the Office of the Privacy Commissioner of Canada, 680 data breaches between November 1, 2018, and October 31, 2019. The number of people affected was over 28 million. 


In Brazil, the Lel Geral de Protecao de Dados (LGPD) was made for the same purpose as GDPR, and they have some similarities. The difference between them though is the harsh financial penalties that GDPR has for offenders. Any company that wishes to operate in brazil would have to comply with the set rules of LGPD as it relates to customer data. The penalty for boycotting these rules is a fine of 50 million BRL and it has been in effect since September 2020.

In January 2021, Brazil experienced their largest data leaks. The personal data of over 220 million people, 40 million companies, and 104 vehicles was leaked and available on the internet for sale. 


Even though Iceland is GDPR compliant, it has its own data privacy laws. One of such laws is the requirement that organizations only collect personal data with due consent and for legitimate purposes only. The penalty for violation of their laws can go as much as three years’ prison sentence.

They also protect whistleblowers and investigative journalism, so there is freedom of expression and information in Iceland.

The Icelandic Data Protection Authority in 2020 imposed a fine on the National Center of Addiction Medicine. It involves a breach in which a former employee had data on over 3,000 patients, and complete health records of 252 former patients. 


Norway is under the jurisdiction of GDPR, but they also have their strong data protection laws. According to Norwegian law, you must provide your name, address, and reason for data collection to a user if you need to get personal data from the person. You must also state if the data would be shared with any third parties and data must be given voluntarily.

Grindr, a social media platform for gay, bi, and trans community has had complaints filed against them by the Norwegian Consumer Council. Grindr has been accused of sharing personal data of its users to more than a dozen companies, and this is in violation of EU’s GDPR data protection legislation. 


The Portuguese act on Protection of Personal Data dictates that data can only be collected after the user has given consent. The user needs to know who is collecting the data and the reason for this. Portugal has a biometric ID card for the storage of fingerprint information, and the system is seal proof as it protects users’ privacy excellently. To ensure that there is no leak or compromise to security, no fingerprints are stored on any database, and so identity is confirmed if the fingerprint on the card matches that of the bearer.


The Danish Data Protection Agency protects the privacy of Danish citizens. According to the data protection laws of Denmark, data can only be collected if the user gives explicit consent and the said data can’t be shared except consent is also given for that.

The Danish company, IDdesign A/S was fined to pay approximately 13,500 EUR for violating article 5 (1)(e) of the GDPR. This was due to lack of deletion of personal data as is contained in the article. 


Switzerland is a hot location for many cloud storage services as their values make it easy for businesses whose aim is to provide data protection to their clients to be trusted and to meet their end of the bargain. The Federal Data Protection Act guarantees everyone the right to their data privacy and requires that companies seek consent before collecting personal data.


Chile believes that data protection is a human right and the constitution was amended to include this in 2018. The privacy laws have been constantly updated ever since and numerous bills have been proposed in this regard.

One of such bills has reached its final hearing stage and is going to be made a law. It would make the data protection in Chile up to the standard of GDPR and includes the creation of a data protection agency, and also the regulation of data collection, handling, and transfer. It also has a fine for non-compliance by organizations and it is in the range of 55EUR to 530,000 EUR.

According to Statista, a survey done in 2018 showed that 59.6% of respondents agreed to have their devices being j texted by virus and other malware in the past. 32.1% agreed to have received an email, text message or another message from where the malware was downloaded. 15.8% have been victims of identity theft, and 13.8% have had notifications that they were victims of data breaches. 


China has released its draft of the personal protection law and its force is stated clearly. The law would subject companies that operate in China to either comply or pay fines of up to 50 million CNY. Individuals are also subject to fines of up to 1 million CNY if found guilty.

It has been reported that data belonging to about 2.4 million people from around the world was being compiled in a Chinese company; Zhenhua data. Internet 2.0 tried recovering this data and succeeded in recovering records of only 250,000 people. This includes 35,000 Australians, 52,000 Americans, and about 10,000 brits. 


The US currently has no data laws on the federal level, but each state has its privacy laws. Due to the independence, the states have, their laws vary considerably in penalties, scope, and also applicability. California however has its own data privacy regulatory body that emulates GDPR, the CCPA.

After the passage of CCPA, many other countries have made proposals for the passage of data privacy bills and even though the momentum is still building, it isn’t clear whether these bills would be passed on a national level.

Yahoo has been found to spy on user’s emails for the NSA, FBI, and other spy agencies. This was discovered in 2015 and they did this without obtaining consent from users. 

New Zealand

There have been some amendments to New Zealand’s Privacy Act of 1993, but they however lack the key features of GDPR. One similar provision though is the requirement that the relevant authorities and affected persons be informed of data breaches. There is also a limitation to offshore data transfer and this is similar to that of Australia’s Privacy Amendment.

One of the differences that exist between the privacy amendment of New Zealand and that of GDPR is the lack of fines for non-compliance. Offshore data restrictions exclude cloud servers and it makes all the difference as most cloud servers are foreign. Also even though New Zealand is sometimes forgotten when the world map is made, they didn’t include the right to be forgotten in their privacy act.

New Zealand had 550 reported incidents of scams and fraud to Cert. NZ in the third quarter of 2019. Another report of 514 incidents of phishing and credential harvesting was also reported, and 109 cases of unauthorized access. 


Thanks to the introduction of India’s Personal Data Protection bill that has been introduced to the parliament, countries are getting ready to adjust their services to be following the law. Thankfully, India would be emulating GDPR even though some areas have no clear statements and are left to the government. Similarities with GDPR include consent before acquiring data, notifying the public of breaches, right to be forgotten, and non-compliance fines.

In 2019 alone, over 313,000 cybersecurity incidents were reported. In April 2021, 1 million credit card records and 180 million Domino’s pizza orders were up for sale on the dark web. The data included customer names, email addresses, and phone numbers. 

South Korea

South Korea has the same privacy standard that the GDPR uses, and so all companies that collect and store data of south Koreans are bound by this. The Personal Information Protection Act of September 2011 has provisions for companies that handle data including seeking consent before data is collected and used for any purpose, the scope of the data collected, and also limitations and justification of the periods to hold data.


The Thailand Personal Data Protection Act is in charge of the handling of the data of its citizens by companies. The act was supposed to take full swing on 27th may 2020 but the grace period was extended to allow companies to meet up the requirements. The Data Protection Act resembles GDPR in several ways including the definition of personal data, penalties, and also the legal basis for data collection and use.

According to a survey published by Pacific Prime Thailand, cybercrime increased by a massive 37% between February and March 2020. The spike was blamed on the remote work due to COVID-19 with more companies going remote. 


Both local and foreign companies in japan that have access to the data of Japanese people are under the amended Act of Protection of Personal Information. So even companies that are located outside Japan would be subject to this act.

Japan has reached an agreement with the European Commission on reciprocal adequacy of its data privacy laws. Due to this, Japan made a whitelist of companies belonging to the EU that have met the criteria of careful handling of the data of Japanese citizens, and the EU has done the same.

Toyota Motor Corp. confirmed on March 21st that roughly 3 million customer data was stolen from their sales company’s system. This was as a result of a computer hack that occurred. 

South Africa

The Protection of Personal Information Act (POPIA) for South Africa came into play on July 1 2020 after a grace period of one year. Even though POPIA isn’t identical with GDPR, organizations that are GDPR compliant won’t have a hard time complying with POPIA. 

Both GDPR and POPIA have their full effect in some areas while being lenient in some. For instance, there are some exemptions such as SMEs in having a data protection officer, but for POPIA, all companies must have a data protection officer no matter how small the company is. GDPR also has its requirements for the right to be forgotten, but POPIA doesn’t.

In terms of fines for non-compliance, both acts have huge penalties but they come in different packages. GDPR gives high fines but no criminal charges to offenders, while POPIA adds criminal charges to the penalty.

It was revealed that in May 2020, the personal data of 24 million South Africans plus data of 700,000 businesses were sold by Experian. The leaked data was seen on a website on 1st September 2020 and it was confirmed by Experian to match that which they sold. The data was sold to an imposter who acted as a legitimate customer. 


Many countries now have top data protection laws and this has made organizations and businesses step up their data protection game. It’s good news for users as you can be sure that your data won’t be collected without your consent, or abused. So with this in mind, go for companies that are based in countries that have strict laws to protect personal data. Also, ensure your privacy with the use of a premium VPN service like LimeVPN for complete data encryption and anonymity.