ABCDEFGHIJKLMNOPQRSTUVWXYZ
1
Identity Review’s Global Data Policy Database serves as a comprehensive record of data policies around the world. Each row is composed of region, regulation, status of the policy, a short description, and a link to find more information. This was last updated June 15, 2021.

The goal of this database is to provide a straightforward, accessible resource for anyone interested in delving into global data policy. If you would like more information, please contact team@identityreview.com.
2
Region What RegulationProposed/In EffectNotes (What kind of data policy?)Links
3
VirginiaStateState data protection lawIn effect Consumers receive copies of their online data, amend or delete that data, or opt out of allowing big buisnesses to use the data for marketing/other purposeshttps://www.virginiabusiness.com/article/va-set-to-become-2nd-state-with-consumer-data-protection-law/
4
CaliforniaStateState data protection lawIn effectConsumers have a right to accesss data through a data subject access request (DSAR). Businesses cannot sell consumer information without providing them an opportunity to opt outhttps://www.varonis.com/blog/us-privacy-laws/
5
MassachusettsStateData Privacy Law (S-120)ProposedSimilar to CCPA, but consumers can sue for any violation of the proposed MA law. https://www.varonis.com/blog/us-privacy-laws/
6
New York StateS5642ProposedApplies to all businesses without any revenue threshold (different from MA, CA, and VA). Businesses are legally responsble for the consumer data they hold. Very strict proposition, consumers can correct inaccurate information, making it more similar to the EU GDRPhttps://www.varonis.com/blog/us-privacy-laws/
7
HawaiiStateSB 148 Proposed Very similar to the CCPA, but legal document does not explicitly say it applies to websites that conduct business in HI. Websites based anywhere in the world could violate the law if they don't offer adequate protection as outlined in the billhttps://www.varonis.com/blog/us-privacy-laws/
8
Maryland StateSB 613Proposed Companies are required to disclose information that is passed onto third parties, even if the data is transferred for free.Also prohibits websites from knowinly disclosing any personal informaiton collected about childrne https://www.varonis.com/blog/us-privacy-laws/
9
North DakotaStateHB 1485Proposed Currently in the state's House of Representatives. The most significant clause would completely retrict websites from passing on any information to third parties without consent of users. There is no right to have information removed to deleted once consent has been granted. The most lightweight bill currently proposed in the U.Shttps://www.varonis.com/blog/us-privacy-laws/
10
European UnionRegionGDPRIn effectProtection of natural persons personal data and the free movement of such data. https://ec.europa.eu/info/law/law-topic/data-protection/data-protection-eu_en
11
European UnionRegionData Protection Law Enforcement Directive In effectProtects citizens' fundamental right to data protection whenever personal data is used by criminal law enforement authoritieshttps://ec.europa.eu/info/law/law-topic/data-protection/data-protection-eu_en
12
New York StateNY SHIELD ACTIn effectRequires any preson or business owning data that includes private infromation of an NY resident to implement and maintain reasonable safeguards to protect the security, confidentiality, and integrity of the private informationhttps://www.natlawreview.com/article/new-york-shield-act-faqs
13
Illinois StateBiometic Information Privacy ActIn effect imposes requirements on buisnesses that collect biometic information. One of the only state laws regulating biometic usage that allows private individuals to bring suit and recover damages for violations. https://www.ilga.gov/legislation/ilcs/ilcs3.asp?ActID=3004&ChapterID=57
14
United StatesCountryGramm Leach Bliley ActIn effectgoverns the protection of personal informaiton in hands of banks, insurance companies and other companies in the financial service industry. https://www.ilga.gov/legislation/ilcs/ilcs3.asp?ActID=3004&ChapterID=57
15
United StatesCountryFair Credit Reporting ActIn effectrestricts the use of infomration with a bearing on an individuals creditworthiness, credit standing, credit capacity, character, and general reputation. requires truncation of credit card numbers of printed receiptshttps://www.ilga.gov/legislation/ilcs/ilcs3.asp?ActID=3004&ChapterID=57*comparison table: https://iapp.org/resources/article/state-comparison-table/
16
MichiganStateSB 172In effectmodifies requirements for insurers providng privact policies to customershttps://www.ncsl.org/research/telecommunications-and-information-technology/2020-consumer-data-privacy-legislation637290470.aspx
17
VirginiaStateSB 101In effectallows a mechant to scan the machine readable zone of an individual's drivers liscense for verification purposes, but requires the mechant to destroy the retained informationhttps://www.ncsl.org/research/telecommunications-and-information-technology/2020-consumer-data-privacy-legislation637290470.aspx
18
California StateAB 82In effectrequires data broker registration fees to be used to offset costs for an internet website where the information provided by data brokers is accessible to the public https://www.ncsl.org/research/telecommunications-and-information-technology/2020-consumer-data-privacy-legislation637290470.aspx
19
California StateAB 713In effectExempts from the Consumer privacy act information that was deidentifed in accordance with specifed federal law or policy https://www.ncsl.org/research/telecommunications-and-information-technology/2020-consumer-data-privacy-legislation637290470.aspx
20
CaliforniaStateAB 1281In effectexempts from the CCPA certain employment information and personal information involved in business to business communications and transactions https://www.ncsl.org/research/telecommunications-and-information-technology/2020-consumer-data-privacy-legislation637290470.aspx
21
United StatesCountryTelephone Consumer Protection ActIn effectregulate calls and text messages to monile phones that are made for marketing purproseshttps://iclg.com/practice-areas/data-protection-laws-and-regulations/usa#:~:text=There%20is%20no%20single%20principal%20data%20protection%20legislation%20in%20the%20United%20States.&text=broadly%20empowers%20the%20U.S.%20Federal,privacy%20and%20data%20protection%20regulations.
22
United StatesCountryPayment Card Data Security StandardIn effectregulations for major credit card companies required for buisnesses that process, store, or transmit payment card data
23
NevadaStateSB 220In effect relates to internet privacy, prohibits the sale of certain consumer informationhttps://iapp.org/resources/article/state-comparison-table/
24
AlabamaStateHB 216ProposedAlabama Consumer Privacy Act - allows consumers to opt in or out of sale of personal information with certain conditions, resquires buisnesses to make certain disclosureshttps://iapp.org/resources/article/state-comparison-table/
25
ArizonaStateHB 2865Proposedpersonal data, processing, security standardshttps://apps.azleg.gov/BillStatus/BillOverview/76066?SessionId=123
26
KentuckyStateHB 408ProposedKentucky Consumer Privacy Acthttps://apps.legislature.ky.gov/record/21rs/hb408.html
27
Maryland StateSB 0930ProposedMaryland Online Consumer Protection Acthttps://fastdemocracy.com/bill-search/md/2021/bills/MDB00023828/
28
New York StateA 680ProposedNew York Privacy Acthttps://www.nysenate.gov/legislation/bills/2021/A680
29
New York StateSB 567ProposedAllow consumers the right to request fron businesses the categories of personal information a business has sold or disclosed to third partieshttps://www.nysenate.gov/legislation/bills/2021/S567
30
OklahomaStateHB 1602ProposedOklahoma Computer Data Privacy Acthttp://www.oklegislature.gov/BillInfo.aspx?Bill=HB1602
31
WashingtonStateHB 1433ProposedPeople's Privacy Acthttps://app.leg.wa.gov/billsummary?BillNumber=1433&Year=2021&Initiative=false
32
WashingtonStateSB 5062ProposedWashington Privacy Act 2021https://app.leg.wa.gov/billsummary?BillNumber=5062&Initiative=false&Year=2021
33
CanadaCountryCPPAIn effectCanada Consumer Privacy Act - protects consumers control over their data and promotes improved transparency regarding how organizations use data containing personal identifershttps://www.jdsupra.com/legalnews/coming-soon-canada-s-new-privacy-law-3558341/
34
CanadaCountryPIPEDAIn effectPersonal Information Protection and Electonic Documents Act - governs how organizations use, collect and disclose presonal information in the course of personal buisnesshttps://www.priv.gc.ca/en/privacy-topics/privacy-laws-in-canada/the-personal-information-protection-and-electronic-documents-act-pipeda/
35
Mexico CountryFederal Law on Protection of Personal Data Held by Private PartiesIn effect Regulates informationla self-determination. Its provisions apply to all natural or legal persons who carry out the processing of personal data in activites (banks, insurface, hospitals, schools, etc.)https://www.dlapiperdataprotection.com/index.html?t=law&c=MX
36
Mexico CountryThe General Law on Protection of Personal Data Held by Mandated PartiesIn effectFederal, state, and municipal privacy laws. https://www.dlapiperdataprotection.com/index.html?t=law&c=MX
37
Mexico CountryThe Recommendations on Personal Data SecurityIn effectentered into force in 2011https://www.dlapiperdataprotection.com/index.html?t=law&c=MX
38
Mexico CountryThe Parameters for Self-Regulation regarding personal dataIn effectin effect in 2014https://www.dlapiperdataprotection.com/index.html?t=law&c=MX
39
Mexico CountryThe General Law on Protection of Personal Data in Possession of Obligated SubjectIn effectin effect in 2017https://www.dlapiperdataprotection.com/index.html?t=law&c=MX
40
AlbertaStatePersonal Information Protection Act In effectapplies to provincially regulated private sector organizations in Alberta to provide a right of access to an individual's personal informationhttps://www.alberta.ca/personal-information-protection-act.aspx
41
British ColumbiaStatePersonal Information Protection Act In effectapplies to provincially regulated private sector organizations in BC to provide a right of access to an individual's personal informationhttps://www.oipc.bc.ca/about/legislation/
42
QuebecStateQuebec Privacy ActIn effectapplies to provincially regulated private sector organizations in Quebec to provide a right of access to an individual's personal informationhttp://legisquebec.gouv.qc.ca/en/showdoc/cs/P-39.1
43
HondurasCountryNational Constitution Article 182In effectgives individuals the right to access any file or record that contains information that may produce damage
44
HondurasCountryLaw of the Civil RegistryIn effect
refers only to public personal information that is contained in the archives of the Civil Registry.
https://www.dlapiperdataprotection.com/index.html?t=law&c=HN
45
HondurasCountryLaw for Transparency and for Access to Public InformationIn effect
access of any person to all the information contained in public entities, except that which is classified as 'Confidential.'
https://www.dlapiperdataprotection.com/index.html?t=law&c=HN
46
BrazilCountryBrazilian General Data Protection Law (LGPD)In effectthe first comprehensive data protection regulation, largely aligned to GDPRhttps://gdpr.eu/gdpr-vs-lgpd/
47
Costa Rica CountryLaw No. 7975 - Undisclosed Information Law In effectmakes it a crime to disclose confidential and or personal information without authorizationhttps://www.dlapiperdataprotection.com/index.html?t=law&c=CR
48
Costa Rica CountryLaw No. 8968 - Protection in the Handling of the Personal Data of Individuals In effectregulates companies that administers databses containing personal information https://gdpr.eu/gdpr-vs-lgpd/
49
PanamaCountryLaw No. 81In effect47 articles that reglates the principles, obgliations, and procedures applicable to the protection of personal data in Panama, expected to be further regulated by an Executive Decree, which will be published later in 2021
50
Cayman Islands CountryData Protection Law In effectregulates whethern an organization is established in the Cayman Islands, or only has personal data processed in the Cayman Islands https://www.dlapiperdataprotection.com/index.html?t=law&c=KY
51
Domincan Republic CountryProtection of Personal Data ActIn effectregulates the collection, storage, and safekeeping of personal data as well as usage and access rights https://www.dlapiperdataprotection.com/index.html?t=law&c=DO
52
Trinidad and Tobago CountryData Protection ActIn effectprovides protection of personal privacy information processed and collected by public bodies and private organizations https://www.dlapiperdataprotection.com/index.html?t=law&c=TT&c2=AO
53
Colombia CountryLaw 1266In effectregulates the processing of financial data, credit records, and commercial information collected in Colombia or abroad https://www.dlapiperdataprotection.com/index.html?t=law&c=CO
54
Colombia CountryLaw 1581In effectdefines special categories of data including sensitive data, and data collected from minors https://www.dlapiperdataprotection.com/index.html?t=law&c=CO
55
Peru CountryPersonal Data Protection Law. No 29733In effectprovides provisions for activities related to companies that handle personal information related to financial, commerical tax, employment or insurance obligations, and other sensitve data https://www.dlapiperdataprotection.com/index.html?t=law&c=PE
56
BoliviaCountryBill of Personal Data Protection In effectAny individual who believes to be prevented from objtecting, knowing or obtaining registered data in public or private files may file a Private Protection Action https://www.dlapiperdataprotection.com/index.html?t=law&c=BO
57
ParaguayCountryLaw No. 6534 - Personal Credit Data Protection Law In effectregulates the use of private informationhttps://www.dlapiperdataprotection.com/index.html?t=law&c=PY
58
Paraguay CountryLaw No. 4868 - Electonic Commerce Law In effectregulates electronic commerce and data collection procedures https://www.dlapiperdataprotection.com/index.html?t=law&c=PY
59
Chile CountryLaw 19,628/1999In effectprovides data subjects with the right to access, rectify, delete, block and object to processing of personal data https://www.dlapiperdataprotection.com/index.html?t=law&c=CL
60
Chile CountryLaw 20,575/2012In effectesblishes the purpose principle for the processing of personal data of an economic, financial, banking or commercial nature https://www.dlapiperdataprotection.com/index.html?t=law&c=CL
61
Argentina CountryLaw 25,326 - Personal Data Protection Law In effectfollows international standards, and has been considered as granding adequate protection by the European commission. https://www.dlapiperdataprotection.com/index.html?t=law&c=AR
62
UruguayCountryData Protection Law No. 18.331In effectpersonal data protection laws https://www.dlapiperdataprotection.com/index.html?t=law&c=UY
63
Australia CountryPrivacy ActIn effectapply to all private sector entiries - regulates the handling of personal information https://www.dlapiperdataprotection.com/index.html?t=law&c=AU
64
Australian Capital TerritoryRegionInformation Privacy Act 2014In effectspecific privacy laws to the Australian Capital territoryhttps://www.legislation.act.gov.au/a/2014-24/
65
Australian Northern TerritoryRegionInformation Act 2002In effectcombines laws related to privacy, freedom of information, and public records in one Acthttps://www.dlapiperdataprotection.com/index.html?t=law&c=AU
66
New South WalesRegionPrivacy and Personal Information Protection Act 1998In effectdeals with how NSW government agencies manage personal information. It applies to state government agencies, statutory or declared authorities, the police service and local councilshttps://www.dlapiperdataprotection.com/index.html?t=law&c=AU
67
QueenslandRegionInformation Privacy Act 2014In effect
The information privacy act introduced the Territory Privacy Principles, which set out standards for handling personal information.
https://www.dlapiperdataprotection.com/index.html?t=law&c=AU
68
Tasmania StatePersonal Information Protection Act 2004In effectCreates a consisten approach to protecting presonal health information https://www.dlapiperdataprotection.com/index.html?t=law&c=AU
69
Victoria StatePrivacy and Data Protection Act 2014In effect10 Information Privacy Princiles that outline how public sector organizations must handle your personal information https://www.dlapiperdataprotection.com/index.html?t=law&c=AU
70
Australia CountryConsumer Data Right (CDR)Proposedallows a consumer to obtain certain data about that consumer by a third party and require data be given to accredited third parties for certain purposes. https://www.dlapiperdataprotection.com/index.html?t=law&c=AU
71
New Zealand CountryThe Privacy Act 2020In effectgoverns how agencies collect, use, disclose, store, retain and give access to personal information. https://www.dlapiperdataprotection.com/index.html?t=law&c=NZ
72
ChinaCountryThe Civil Code of ChinaIn effectComprehensively strengthens protection of people's various rights. Right of Privacy is detailed in the chapter with “Privacy and Personal Information Protection,” which contains detailed provisions to protect privacy and personal information. Also covers Tort Liabilities and contains several articles relating to network infringement. This newer code replaces previous civil laws, the relevant ones relating to data policy are the Tort Law and General Principles of Civil Law.http://english.www.gov.cn/archive/lawsregulations/202012/31/content_WS5fedad98c6d0f72576943005.html
73
ChinaCountryCybersecurity LawIn effectIncrease data protection, data localization, and cybersecurity in the interest of national security. Defines obligations for "network operators" and “providers of network products and services.”https://www.newamerica.org/cybersecurity-initiative/digichina/blog/translation-cybersecurity-law-peoples-republic-china/
74
ChinaCountryNational Standard of Information Security TechnologyIn effectPersonal Information Security Specification (PIS Specification) - systematic, national standard set by the People's Republic of China in order to protect personal information and how it is shared both domestically and abroad.https://www.tc260.org.cn/upload/2020-09-18/1600432872689070371.pdf
75
ChinaCountryGuidelines on Internet Personal Information Security ProtectionIn effectTechnical guide (covering in detail key issues such as data transfers, sensitive personal information and data subject rights), and thus not legally binding, they are highly persuasive. Recommendations for protecting personal informationhttp://www.cicpa.org.cn/Column/hyxxhckzl/zcyxs/201904/W020190429563470312325.pdf
76
ChinaCountryDecision on Strengthening Online Information ProtectionIn effectProtect online information security, safeguard the lawful rights and interests of citizens, legal entities or other organizations, and ensure national security and public interests.https://chinacopyrightandmedia.wordpress.com/2012/12/28/national-peoples-congress-standing-committee-decision-concerning-strengthening-network-information-protection/
77
ChinaCountryPRC Data Security LawProposedBuilds on existing structures set up by the Cybersecurity Law and related regulations and introduces rules around markets for data, government data collection and handling, and classification of different types of data.https://www.newamerica.org/cybersecurity-initiative/digichina/blog/translation-chinas-data-security-law-draft/
78
ChinaCountryPRC Personal Information Protection LawProposedThe first comprehensive national level personal information protection law in the PRC, creating binding compliance obligations previously considered recommended practice (under the Guidelines), and requiring organizations to comply with new compliance steps.https://www.newamerica.org/cybersecurity-initiative/digichina/blog/chinas-draft-personal-information-protection-law-full-translation/?utm_campaign=Marketing_Cloud&utm_medium=email&utm_source=Standalone+Call+for+Comments+Personal+Information+-+10.27.20&%20utm_content=https%3a%2f%2fwww.newamerica.org%2fcybersecurity-initiative%2fdigichina%2fblog%2fchinas-draft-personal-information-protection-law-full-translation%2f
79
South KoreaCountryPersonal Information Protection Act ("PIPA")In effectA general, comprehensive statute. It prescribes how personal data is processed in order to protect the rights and interests of all citizens and further realize the dignity and value of each individual. The Act aims to protect personal data from unnecessary collection, unauthorized use or disclosure, and abuse.https://www.privacy.go.kr/eng/laws_view.do?nttId=8186&imgNo=3
80
South KoreaCountryCredit Information Use and Protection ActIn effectRegulates personal credit information. Foster a stable credit information industry, promote the efficient utilization and systematic management of credit information, and protect personal and credit information from misuse and abuse.https://www.privacy.go.kr/eng/laws_view.do?nttId=8188&imgNo=2
81
South KoreaCountryAct on Promotion of Information and Communications Network Utilization and Information Protection (“Network Act”)In effectPromote the use of information and communications networks, to protect the user’s personal information when they are in use of information and communications services, and to construct a milieu within which users can safely use information and communications networks with the aim of improving individual lives as well as the general public welfare. https://www.privacy.go.kr/cmm/fms/FileDown.do?atchFileId=FILE_000000000830762&fileSn=0#:~:text=Article%201%20(Purpose)%20The%20purpose,communications%20networks%20in%20order%20to
82
South KoreaCountryAct on the Protection, Use, ETC. of Location InformationIn effectProtect privacy from the divulging, abuse and misuse of location information, provide a safe environment for using location informationhttps://elaw.klri.re.kr/eng_service/lawView.do?hseq=43349&lang=ENG
83
JapanCountryAct on the Protection of Personal Information ("APPI")In effectRegulates privacy protection issues in Japan and the Personal Information Protection Commission ("PPC"), a central agency acts as a supervisory governmental organization on issues of privacy protection.https://www.cas.go.jp/jp/seisaku/hourei/data/APPI.pdf
84
RussiaCountryRussian Constitution, Articles 23 and 24In effectEstablishes the right to privacy of each individualhttps://www.dataguidance.com/legal-research/constitution-russian-federation-12-december-1993
85
RussiaCountryData Protection Act No. 152 FZ (DPA)In effectBackbone of Russian privacy laws. Requires data operators to take "all the necessary organizational and technical measures required for protecting personal data against unlawful or accidental accesshttps://iapp.org/media/pdf/knowledge_center/Russian_Federal_Law_on_Personal_Data.pdf
86
RussiaCountryInformation, Information Technologies and Information Protection Act No. 149 FZ ("Law on Information")In effectEstablishes basic rules as to the information in general and its protection.http://www.kremlin.ru/acts/bank/24157
87
TaiwanCountryPersonal Data Protection Act (“PDPA”)In effectRegulate the collection, processing and use of personal data so as to prevent harm on personality rights, and to facilitate the proper use of personal data.https://law.moj.gov.tw/ENG/LawClass/LawAll.aspx?pcode=I0050021
88
TaiwanCountryEnforcement Rules of the Personal Data Protection Act (“Enforcement Rules”)In effectProvides further guidelines on the interpretation and implementation of the PDPA.https://law.moj.gov.tw/ENG/LawClass/LawAll.aspx?pcode=I0050022
89
PhillipinesCountryData Privacy Act of 2012 (“Act”)In effectThe governing law on data privacy matters in the Philippines. Protects the fundamental human right of privacy.https://www.privacy.gov.ph/data-privacy-act/#1
90
Hong KongCountryPersonal Data (Privacy) OrdinanceIn effectRegulates the collection and handling of personal data.https://www.elegislation.gov.hk/hk/cap486
91
MacauCountryPersonal Data Protection Act 8/2005In effectEstablishes the legal system on the processing and protection of personal data.https://www.gpdp.gov.mo/uploadfile/2013/1217/20131217120421182.pdf
92
MacauCountryCybersecurity Law 13/2019In effectEstablishes and regulates the network security system of the Macau Special Administrative Region to protect the information network, computer system and computer data of key infrastructure operators.https://bo.io.gov.mo/bo/i/2019/25/lei13_cn.asp#13
93
VietnamCountryConstitution 2013 (“Constitution”)In effectRight of privacy and right of reputation, dignity and honour and fundamental principles of such rightshttps://www.constituteproject.org/constitution/Socialist_Republic_of_Vietnam_2013.pdf?lang=en
94
VietnamCountryCivil Code 2015 (“Civil Code”)In effectRight of privacy and right of reputation, dignity and honour and fundamental principles of such rights. Article 38 provides rules for the collection, storage, processing, use, disclosure, and publication of personal information.https://thuvienphapluat.vn/van-ban/Quyen-dan-su/Bo-luat-dan-su-2015-296215.aspx
95
VietnamCountryLaw No. 86/2015/QH13 ("Network Information Security Law")In effectEnforces data privacy rights for individual data subjects. Provides regulations on network information security activities, rights and duties of agencies, organizations and individuals in securing network information security; civil cryptography.https://english.mic.gov.vn/Upload/VanBan/Law-on-Network-Information-Security-16-05-30.pdf
96
VietnamCountryLaw No. 67/2006/QH11 ("IT Law")In effectGoverns information technology applications and development, sets out the rights and obligations of agencies, organisations, and individuals engaged in these activities, as well as regulates the collection, processing, use, storage, and provision of personal data on a network environment.http://www.chinhphu.vn/portal/page/portal/chinhphu/hethongvanban?class_id=1&mode=detail&document_id=29137
97
VietnamCountryLaw No. 51/2005/QH11 ("E-transacations Law")In effectGoverns electronic transactions by state agencies as well as the private sector and generally prohibits the use, provision, or disclosure of data, which can be accessed in relation to an electronic transaction, without consent.http://vanban.chinhphu.vn/portal/page/portal/chinhphu/hethongvanban?class_id=1&_page=2&mode=detail&document_id=29675
98
VietnamCountryLaw No. 59/2010/QH12 ("Protection of Consumers' Rights Law")In effectSets out a variety of consumer rights and details organisations' obligations to protect consumer information.http://vanban.chinhphu.vn/portal/page/portal/chinhphu/hethongvanban?class_id=1&mode=detail&document_id=96053
99
VietnamCountryLaw No. 41/2009/QH12 ("Telecommunications Law")In effectRegulates telecommunications activities and the rights and obligations of those working in the telecommunication industry, and expressly requires telecommunications enterprises not to disclose information of an end-user without consent from such end-user or a valid request from a competent authority.http://vanban.chinhphu.vn/portal/page/portal/chinhphu/hethongvanban?class_id=1&mode=detail&document_id=92518
100
VietnamCountryPersonal Data Protection Decree (PDPD)ProposedWould consolidate all data protection laws and regulations into one comprehensive data protection law. Would adopt a GDPR-type framework. Proposed effective date Dec. 1, 2021https://www.bakermckenzie.com/en/insight/publications/2020/04/draft-decree-on-personal-data-protection