“Privacy and Publication generally never go together. But this publication is a must for every privacy lover. Meticulous compilation of data privacy laws by the DLA Piper team.”
Raghu Raman Lakshmanan, General Counsel,
HCL America, Inc.
“This compilation does what every brilliant lawyer should do: it makes it easy for clients to understand and apply technical and difficult regulations. Touché to DLA Piper Data Protection Team.”
Dr Katarzyna Lasota Heller, Group Legal Compliance Officer,
Naspers
“DLA Piper has done great work as the handbook is incredibly well structured and extremely valuable for anyone handling data protection issues.”
Desislava Avramova, Senior Legal Counsel EMEA,
Newell Rubbermaid Inc.
“DLA’s handbook is a very helpful tool when looking up and comparing privacy requirements across various countries. And by putting it online they made it available to me anytime and anywhere I need it.”
René Keiser, Senior Counsel,
Mondelēz International
“DLA Piper’s Data Protection Laws of the World Handbook is an extremely useful resource. It enables us to find an answer to complex multi-jurisdictional privacy law questions very quickly.”
Lieven van Parys, European Privacy Counsel,
Pfizer
“I’ve never seen anything like it before in terms of law firm guidance/publications. Fantastic job and an excellent tool! I and my team will certainly use it and I know that it is already being circulated to others within the Volvo Group.”
Alexia Henriksen, VP General Counsel
Volvo Financial Services (EMEA)
Welcome
Welcome to the 2024 edition of DLA Piper's Data Protection Laws of the World Handbook. We launched our first edition in 2012 and have been updating the content each year since. This will be our thirteenth edition and we are proud to state that the Handbook now provides an overview of key privacy and data protection laws across more than 160 jurisdictions.
Looking ahead, 2024 promises to be another eventful year in the world of data protection and privacy law. New laws continue to come online across the globe. In 2023, we saw the long-awaited arrival of an omnibus data protection law in India, the world’s fastest growing economy and a focal point for IT and technology services. The Digital Personal Data Protection Act was enacted on 11 August 2023 but an effective date for the law is still to be announced. Nevertheless, we expect many companies to be focusing on their Indian compliance programs and India-based vendors in the coming year.
In the Middle East, another important economy – Saudi Arabia – passed its data protection law, closely modelled on a GDPR template. In this case, we know that the law will become effective in 2024 (14 September to be precise), and preparations are well underway for companies operating in the region.
A significant law which went into effect since our last edition was the new Federal Data Protection Act in Switzerland. Like in India, the law in Switzerland was subject to a number of delays and its arrival finally brought this important European jurisdiction into closer alignment with its EU neighbours. Further west in Europe, the United Kingdom threatens to move in the other direction – the Data Protection and Digital Information Bill continues to inch through the UK parliament and 2024 is the year in which it looks likely to pass. However, current indications are that it will be a gradual evolution of the current GDPR status quo, rather than a full-scale post-Brexit revolution.
In the United States, Utah’s state privacy law came into effect on December 31, 2023, while Oregon's Consumer Privacy Act and Texas' Data Privacy and Security Act, as well as Florida's Digital Bill of Rights, will take effect in July 2024. On October 1, 2024, Montana’s state privacy law will follow. Several states will follow suit in 2025, including Iowa, Delaware, Tennessee, and Indiana. As an outlier, Washington’s My Health My Data Act, which targets the collection, storage and transfer of health data (very broadly defined to include biometrics as well), will come into effect on March 31, 2024 (with an extension for small businesses until June 30, 2024). In addition, several privacy regulators, including state Attorneys General (“AGs”), the Federal Trade Commission ("FTC"), the Securities and Exchange Commission (“SEC”), the Consumer Financial Protection Bureau ("CFPB"), and the California Privacy Protection Agency ("CPPA"), continue to issue rules, regulations and guidance, including on automated decision-making, data breach notification, and the accountable use of AI. Another significant development was the approval of the EU/UK/Swiss-US Data Privacy Framework as an adequacy decision. For the upcoming year we expect more states to enact comprehensive state privacy laws.
In Asia, the Middle East and Africa, fears of growing strict data localisation have somewhat abated as the final new India, Saudi Arabia and Indonesia data laws were ultimately more permissive than earlier drafts when it comes to cross-border data transfers. However, the ever-evolving data laws of China and Vietnam continue to raise cross-border data transfer compliance challenges for multi-national businesses. Further, the trend towards regulating broader data categories (beyond personal data) continues in these regions.
Broader trends in technology regulation continue to impact and overlap with the world of data protection and privacy. Perhaps most notably, 2023 was the year in which Artificial Intelligence (AI) went mainstream, and in the dying days of the year the EU passed the world’s first comprehensive AI law. In the midst of this, the privacy community found itself at the centre of an emerging debate about the concept of ‘AI governance’. This is not a surprising development – AI systems are creatures of data and the principle-based framework for the lawful use of personal data that sits at the heart of data protection law offers a strong starting point for considering how to approach the safe and ethical use of AI. Whilst privacy professionals cannot tackle the AI challenge alone, expect them to continue to be on the front lines throughout 2024 and beyond.
The regulation of data in its broadest sense is also an emerging trend that touches on our world and raises questions about the scope of responsibility of DPOs and other privacy professionals. The EU is continuing with its grand ambition to create a ‘single market for data’, with the Data Act entering into force in January 2024 and becoming effective from 2025. Meanwhile, the first sector-specific data regulation – the Health Data Space – continues to move through the Brussels legislative process.
In this complex environment, DLA Piper's global data protection, privacy and security team brings deep experience and international reach, offering practical compliance solutions to the myriad data protection laws.
We hope you continue to enjoy this popular resource, drawing on DLA Piper's global network of offices and trusted local counsel across an unparalleled number of jurisdictions.
If you require further guidance, please do not hesitate to contact us at [email protected].
Privacy Matters
If you find this Handbook useful, you may also be interested in DLA Piper's Data, Privacy and Cybersecurity group's Privacy Matters site − a blog featuring regular data protection, privacy and cybersecurity legal updates to help you remain aware of the most important legal and regulatory developments.
To ensure you receive an automatic email when a new article is posted, please enter your details in the 'subscribe' section found on the blog’s right hand sidebar.
Disclaimer
This handbook is not a substitute for legal advice. Nor does it cover all aspects of the legal regimes surveyed, such as specific sectorial requirements. Enforcement climates and legal requirements in this area continue to evolve. Most fundamentally, knowing high-level principles of law is just one of the components required to shape and to implement a successful global data protection compliance program.