Global Privacy Law Comparison

Side-by-side comparison of all nine frameworks covered by the compliance assessment tool. Accurate as of 31 March 2026. Each dimension below lists the nine frameworks in the same order as the matrix columns: a short strictness label first, followed by the supporting detail.

Strictness legend (colour coding in the original matrix): Strictest / Moderate / Most Flexible / N/A or Not Prescribed.

Frameworks compared (columns of the original matrix):
  🇮🇳 India DPDPA: DPDPA 2023 · DPDP Rules 2025 · Enforceable May 2027
  🇪🇺 EU GDPR: EU / EEA · Reg. (EU) 2016/679 · In Force
  🇺🇸 CCPA/CPRA: California · CPPA Regs 2025 · In Force
  🇸🇦 Saudi PDPL: Saudi Arabia · Royal Decree M/19 · In Force (Sep 2024)
  🇧🇷 Brazil LGPD: Brazil · Law 13,709/2018 · In Force
  🇸🇬 Singapore PDPA: Singapore · Amended 2021 · In Force
  🇹🇭 Thailand PDPA: Thailand · B.E. 2562 (2019) · In Force (Jun 2022)
  🇬🇧 UK GDPR/DUAA: United Kingdom · DUAA 2025 in force Feb 2026 · In Force
  🇦🇪 UAE PDPL: UAE · Fed. Decree-Law 45/2021 · In Force
Enforcement & Regulator

Enforcement Authority
  India DPDPA: Data Protection Board of India (DPAB). Board constituted; core obligations apply from May 2027.
  EU GDPR: Lead Supervisory Authority (national DPAs, e.g. CNIL, BfDI, ICO pre-Brexit).
  CCPA/CPRA: California Privacy Protection Agency (CPPA); Attorney General for criminal violations.
  Saudi PDPL: Saudi Data and AI Authority (SDAIA); NDMO is a sub-unit of SDAIA.
  Brazil LGPD: Autoridade Nacional de Proteção de Dados (ANPD).
  Singapore PDPA: Personal Data Protection Commission (PDPC).
  Thailand PDPA: Personal Data Protection Committee (PDPC Thailand).
  UK GDPR/DUAA: Information Commissioner's Office (ICO).
  UAE PDPL: UAE Data Office (UAEDO).

Territorial Scope
  India DPDPA: Processing of personal data of Indian data principals; applies to fiduciaries outside India if processing data of Indian residents (s.3).
  EU GDPR: Processing in the context of an EU establishment; or processing of EU residents' data by non-EU controllers (Art. 3).
  CCPA/CPRA: Businesses meeting revenue/data-volume thresholds that do business in California or process CA residents' data.
  Saudi PDPL: Controllers processing Saudi residents' personal data; extraterritorial reach for processing outside KSA of Saudi residents' data.
  Brazil LGPD: Processing of personal data in Brazil; extraterritorial if offering goods/services in Brazil or where the data was collected in Brazil.
  Singapore PDPA: Organisations that collect, use, or disclose personal data in Singapore; extraterritorial for organisations with a Singapore establishment.
  Thailand PDPA: Controllers and processors collecting, using, or disclosing Thai residents' personal data; extraterritorial reach.
  UK GDPR/DUAA: UK establishment; or processing of UK residents' data by non-UK controllers offering goods/services or monitoring behaviour.
  UAE PDPL: Controllers processing UAE residents' data; applies to entities outside the UAE processing UAE residents' personal data.
Lawful Bases for Processing

Primary Basis
  India DPDPA: Consent (s.6): explicit, affirmative, per-purpose. No bundled consent.
  EU GDPR: 6 bases (Art. 6): consent, contract, legal obligation, vital interests, public task, legitimate interests. Most flexible basis structure.
  CCPA/CPRA: Opt-out model for sale/sharing; notice-based for general processing. Not a lawful-basis framework in the GDPR sense. Different paradigm.
  Saudi PDPL: Consent + 5 additional bases (Arts. 4-6): contractual necessity, legal obligation, vital interests, public interest, legitimate interests (non-sensitive data, 2023 amendment). LI added by Royal Decree M/148 (2023).
  Brazil LGPD: 10 bases (Art. 7): consent, contract, legal obligation, legitimate interests, credit protection, research, exercise of rights, vital interests, health obligations, fraud prevention. Broadest list.
  Singapore PDPA: Consent (Sec. 13) + deemed consent by contractual necessity, deemed consent by notification, and without-consent exceptions (2021 amendments). Consent-primary.
  Thailand PDPA: 6 bases (Sec. 24): consent, contract, vital interests, public task, legitimate interests, legal obligation. Mirrors GDPR Art. 6.
  UK GDPR/DUAA: 6 bases (UK GDPR Art. 6) + Recognised Legitimate Interests Schedule (DUAA 2025, in force Feb 2026). RLI pre-satisfies the LI test for listed activities.
  UAE PDPL: Consent + 4 bases (Arts. 5-8): contractual necessity, legal obligation, vital interests, public interest. No open LI basis.
Legitimate Interests
  India DPDPA: Not available. s.7 "certain legitimate uses" is a closed list (9 scenarios); not an open balancing-test LI equivalent.
  EU GDPR: Available. Art. 6(1)(f): three-part balancing test. Extensive EDPB/national DPA guidance available.
  CCPA/CPRA: Not applicable. CCPA does not use the lawful-basis concept.
  Saudi PDPL: Available (2023 amendment). Non-sensitive data only; cannot override data subject rights. Royal Decree M/148.
  Brazil LGPD: Available. Art. 7(IX): balancing test required. ANPD guidance limited compared to EDPB.
  Singapore PDPA: Not a distinct basis. Without-consent exceptions listed in the Second Schedule. No open LI test.
  Thailand PDPA: Available. Sec. 24(6): must not override the data subject's fundamental rights and freedoms.
  UK GDPR/DUAA: Available + RLI Schedule. Standard LI test applies outside the Schedule. DUAA 2025 Recognised LI pre-satisfies balancing for listed activities (crime, safeguarding, national security, emergencies).
  UAE PDPL: Not prescribed. No explicit LI basis in Decree-Law 45/2021.
Data Subject / Principal Rights

Core Rights
  India DPDPA: Access (s.11), Correction & completion (s.12), Erasure (s.12), Grievance redressal (s.13), Nomination (s.14). 5 core rights.
  EU GDPR: Access (Art. 15), Rectification (Art. 16), Erasure (Art. 17), Restriction (Art. 18), Portability (Art. 20), Object (Art. 21), ADM rights (Art. 22). 7 rights + ADM.
  CCPA/CPRA: Know, Delete, Correct (CPRA), Opt-out of Sale/Sharing, Limit SPI (CPRA), Non-discrimination. 6 rights; CPRA added Correct + Limit SPI.
  Saudi PDPL: Access, Correction, Erasure (conditional), Object to processing. 4 core rights.
  Brazil LGPD: 9 rights (Art. 18): confirmation, access, correction, anonymisation/blocking/deletion, portability, consent-based deletion, information on sharing, consequences of denial, revocation. 9 rights.
  Singapore PDPA: Access (Sec. 21), Correction (Sec. 22), Portability (Part VIB, prescribed organisations). 3 primary rights.
  Thailand PDPA: 7 rights (Secs. 30-36): to be informed, access/copy, rectification, erasure/destruction, restriction, portability, object. Mirrors GDPR.
  UK GDPR/DUAA: Access (Art. 15), Rectification (Art. 16), Erasure (Art. 17), Restriction (Art. 18), Portability (Art. 20), Object (Art. 21), ADM (modified by DUAA 2025). DUAA 2025 relaxes Art. 22 ADM.
  UAE PDPL: Access (Art. 11), Correction (Art. 12), Erasure (Art. 13), Restriction (Art. 14), Portability (Art. 15). 5 rights.
Response Deadline
  India DPDPA: Not prescribed. No statutory deadline for access (s.11) or correction/erasure (s.12) in the DPDP Rules 2025. Grievance redressal: max 90 days (Rule 14(3)).
  EU GDPR: 1 month. Extendable to 3 months for complex requests with prior notice (Art. 12(3)).
  CCPA/CPRA: 45 days. Extendable to 90 days with notice. 2 free Requests to Know per 12-month period (s.1798.130(b)).
  Saudi PDPL: Reasonable timeframe. No specific statutory deadline prescribed.
  Brazil LGPD: Immediate / 15 days. Simple requests: immediate. Complex requests: 15 days per ANPD guidance (ANPD Resolution CD/ANPD No. 15/2024 and prior guidance).
  Singapore PDPA: 30 days. Must acknowledge and respond to access/correction requests within 30 days (Sec. 21).
  Thailand PDPA: 30 days. Without undue delay and within 30 days of receipt (Secs. 30-36).
  UK GDPR/DUAA: 1 month. SAR stop-the-clock introduced by DUAA 2025: the clock pauses while the controller awaits identity clarification it reasonably needs.
  UAE PDPL: Reasonable timeframe. UAEDO guidance on specific timelines awaited.
Data Portability
  India DPDPA: Not provided. No DPDPA equivalent to GDPR Art. 20.
  EU GDPR: Explicit right. Art. 20: automated processing based on consent or contract. Machine-readable format.
  CCPA/CPRA: Limited equivalent. Right to know what PI is held; no machine-readable portability right per se.
  Saudi PDPL: Not explicitly provided.
  Brazil LGPD: Explicit right. Art. 18(V): transfer to another service provider. One of 9 rights.
  Singapore PDPA: Part VIB. Phased rollout to prescribed organisations by sector (PDPC determines).
  Thailand PDPA: Sec. 34. For consent/contract-based processing by automated means.
  UK GDPR/DUAA: Explicit right. Art. 20: same as EU GDPR.
  UAE PDPL: Art. 15. Right to data portability provided, but practical implementation guidance is still developing.
Breach Notification

Authority Notification Deadline
  India DPDPA: Without delay + 72 hours (two-step). Rule 7: initial description to the DPAB "without delay" (Rule 7(2)(a)) and simultaneous notification to all affected Data Principals (Rule 7(1)). Detailed follow-up report to the DPAB within 72 hours (Rule 7(2)(b)), extendable on request.
  EU GDPR: 72 hours from awareness. Art. 33: notify the Lead SA. Phased (partial) notification permitted.
  CCPA/CPRA: No CCPA breach notification deadline. California Civ. Code 1798.82 (separate law): "expedient time" / 30 days after discovery in AG investigations.
  Saudi PDPL: 72 hours from awareness. Implementing Regs Art. 24: notify SDAIA.
  Brazil LGPD: 3 business days (full notification). ANPD Resolution CD/ANPD No. 15/2024 (26 April 2024). Where full details are unavailable, preliminary notice within 3 business days; supplementary report within 20 working days. Small agents (Resolution No. 2/2022): 6 business days. Business days exclude weekends and Brazilian holidays.
  Singapore PDPA: 3 calendar days from DETERMINATION. Sec. 26D: the clock starts from the determination that the breach is notifiable (NOT from discovery). Calendar days include weekends.
  Thailand PDPA: 72 hours from awareness. Sec. 37(3): unless the breach is unlikely to result in risk.
  UK GDPR/DUAA: 72 hours from awareness. UK GDPR Art. 33: notify the ICO at ico.org.uk/report-a-breach.
  UAE PDPL: Without undue delay (72 hours target). Art. 17: framework still maturing; monitor UAEDO guidance.
Individual Notification Threshold
  India DPDPA: ALL affected principals. No minimum risk threshold: every affected data principal must be notified. Stricter than GDPR Art. 34.
  EU GDPR: HIGH RISK only. Art. 34: notification required only where the breach is likely to result in a high risk to rights and freedoms.
  CCPA/CPRA: California Civ. Code 1798.82. Separate state breach notification law; the CCPA itself does not govern individual breach notification.
  Saudi PDPL: Where harm is likely. Individual notification required where the breach is likely to cause harm to affected individuals.
  Brazil LGPD: Risk or harm. Art. 48: notify individuals where the breach could cause risk or harm. No explicit "high risk" qualifier.
  Singapore PDPA: Significant harm to any individual. Sec. 26D(3): as soon as reasonably practicable where significant harm is likely.
  Thailand PDPA: HIGH RISK. Sec. 37(4): notify individuals where the breach is likely to result in a high risk to rights and freedoms.
  UK GDPR/DUAA: HIGH RISK only. UK GDPR Art. 34: same threshold as GDPR.
  UAE PDPL: Risk to rights. Art. 17: where the breach poses a risk to data subjects' rights.
Children's Data

Age Threshold
  India DPDPA: 18 years. s.9: verifiable parental consent mandatory for all under-18 users. Strictest global threshold.
  EU GDPR: 16 years (default). Art. 8: reducible to 13 by member states (e.g., UK set 13). Parental consent for information society services.
  CCPA/CPRA: 16 / 13 years. 13-16: opt-in consent required (s.1798.120(d)). Under 13: COPPA applies (parental consent, federal law).
  Saudi PDPL: Not explicitly defined. PDPL requires heightened protection for minors but prescribes no specific age threshold.
  Brazil LGPD: Under 18. Art. 14: children and adolescents receive special protection. Processing requires parental/guardian consent.
  Singapore PDPA: No specific threshold. PDPC has not set a bright-line age threshold; a general reasonableness standard applies for minors.
  Thailand PDPA: Under 20 (Thai civil law). Minors under Thai law require parental/guardian consent. Age of majority is 20 in Thailand.
  UK GDPR/DUAA: 13 years. UK GDPR Art. 8 / DUAA 2025: UK set the threshold at 13 for online services. ICO Age Appropriate Design Code applies to services likely accessed by under-18s.
  UAE PDPL: Not explicitly specified. UAEDO guidance anticipated; the general consent framework applies.
Child-Specific Prohibitions
  India DPDPA: Absolute prohibition. s.9(3): behavioural tracking, targeted advertising, and profiling of children categorically prohibited. No exceptions.
  EU GDPR: Restrictions apply. GDPR Art. 8 + Recital 38: special protection for children. Profiling under Art. 22 requires explicit consent. ICO AADC in the UK goes further.
  CCPA/CPRA: Age-appropriate design. CPRA and CCPA impose restrictions on selling data of under-16s. COPPA governs under-13s.
  Saudi PDPL: Heightened protection. General heightened protection; no categorical prohibition on tracking/advertising equivalent to DPDPA s.9(3).
  Brazil LGPD: Special protection. Art. 14: special protection for children and adolescents; best-interest-of-the-child principle.
  Singapore PDPA: No specific prohibitions. General consent and protection obligations apply. No categorical prohibition.
  Thailand PDPA: Parental consent required. No categorical prohibitions; parental/guardian consent required for minors' data processing.
  UK GDPR/DUAA: ICO AADC applies. Age Appropriate Design Code (Children's Code): 15 standards for services likely accessed by under-18s. Profiling off by default.
  UAE PDPL: Not explicitly prescribed. UAEDO guidance awaited.
Data Protection Officer (DPO / Encarregado)

DPO Requirement
  India DPDPA: SDF only. s.10: only Significant Data Fiduciaries. Must be an Indian resident. Effective May 2027.
  EU GDPR: Criteria-based. Art. 37: public authorities; large-scale systematic monitoring; large-scale special category or criminal data processing.
  CCPA/CPRA: Not required. CCPA / CPRA do not mandate a DPO. Some CPPA regulations reference a responsible person.
  Saudi PDPL: Effectively mandatory. SDAIA guidance indicates a designated Data Protection Officer or responsible person should be appointed. The explicit mandatory requirement is less clear-cut than under GDPR.
  Brazil LGPD: Mandatory for all controllers. Art. 41: Encarregado required. Contact must be publicly disclosed. ANPD may grant exemptions to micro-enterprises and small businesses.
  Singapore PDPA: Mandatory for all organisations. Sec. 11A (2021 amendment): every organisation must designate at least one DPO. Contact must be publicly available.
  Thailand PDPA: Criteria-based. Sec. 41: public authorities; large-scale systematic monitoring; large-scale sensitive data processing. Mirrors GDPR Art. 37.
  UK GDPR/DUAA: Criteria-based. UK GDPR Art. 37: same criteria as GDPR. ICO registration also required (GBP 40-2,900/yr).
  UAE PDPL: Where required by UAEDO. Not mandatory for all. UAEDO guidance on specific thresholds still developing.
DPO Residency Requirement
  India DPDPA: Must be an Indian resident. s.10(2)(b): the SDF DPO must ordinarily reside in India.
  EU GDPR: No residency requirement. Can be based anywhere. A representative in the EU is required for non-EU controllers under Art. 27.
  CCPA/CPRA: Not applicable.
  Saudi PDPL: No specific residency requirement.
  Brazil LGPD: No residency requirement. The Encarregado can be based outside Brazil.
  Singapore PDPA: No residency requirement.
  Thailand PDPA: No residency requirement.
  UK GDPR/DUAA: No residency requirement. Art. 27 UK representative required for non-UK controllers.
  UAE PDPL: No specific residency requirement.
Cross-Border Data Transfers

Transfer Model
  India DPDPA: Restriction / Blacklist. s.16: transfers permitted by default unless the Central Government restricts specific countries. No restriction list notified yet. Sector-specific rules (RBI, SEBI, IRDAI) apply independently.
  EU GDPR: Adequacy / Whitelist. Arts. 44-49: adequacy decision, SCCs + TIA, BCRs, or Art. 49 derogation. Schrems II applies.
  CCPA/CPRA: No transfer restrictions. CCPA does not impose cross-border transfer restrictions. Service provider contracts must cover data use.
  Saudi PDPL: Adequacy + contractual safeguards. Arts. 29-30: adequacy assessment or binding contractual safeguards. Unlawful transfer is a criminal offence (SAR 1M + 1 yr imprisonment).
  Brazil LGPD: Adequacy + ANPD SCCs. Art. 33: ANPD SCCs mandatory for new/renewed arrangements from 23 Aug 2025 (Resolution CD/ANPD No. 19). BCRs and adequacy also valid.
  Singapore PDPA: Adequacy + contractual arrangements. Sec. 26: Third Schedule mechanisms (BCRs, contractual arrangements, binding corporate rules). PDPC assesses adequacy.
  Thailand PDPA: Adequacy + contractual safeguards. Secs. 28-29: adequacy determination or contractual safeguards ensuring equivalent protection.
  UK GDPR/DUAA: Adequacy + IDTA / UK addendum. DUAA 2025 codifies the "not materially lower" TRA standard (less strict than the EU "essentially equivalent" standard). ICO IDTA or UK addendum to EU SCCs.
  UAE PDPL: Adequacy (UAEDO list) + contractual safeguards. Arts. 22-24: UAEDO adequacy list; approved standard clauses where no adequacy. Administrative fines range from AED 50,000 to AED 5,000,000 (AED 10,000,000 for repeat violations).
Transfer Assessment Standard
  India DPDPA: No formal TIA/TRA required. Default permissive until a restriction is notified. No Transfer Impact Assessment mandated by the DPDPA.
  EU GDPR: Essentially equivalent (Schrems II). Transfer Impact Assessment (TIA) mandatory alongside SCCs.
  CCPA/CPRA: Not applicable.
  Saudi PDPL: PDPL-equivalent protection. No formal TIA equivalent; proportionality and protection assessment required.
  Brazil LGPD: LGPD-equivalent protection. Compatibility analysis required where applicable. ANPD oversees.
  Singapore PDPA: Comparable protection. PDPC assesses whether comparable protection exists. No formal TIA mechanism.
  Thailand PDPA: Adequate protection. No formal TIA; reasonable safeguards assessment required.
  UK GDPR/DUAA: Not materially lower (DUAA 2025). Transfer Risk Assessment (TRA) required. Codified by DUAA 2025; less stringent than the EU "essentially equivalent" standard.
  UAE PDPL: UAEDO assessment. Framework still maturing; monitor UAEDO guidance.
Sensitive / Special Category Data

Definition Approach
  India DPDPA: Not yet defined in the Act. DPDPA 2023 does not create a separate sensitive category. IT Act SPDI Rules 2011 (passwords, financial, health, biometric, sexual orientation, medical history) remain in force until May 2027. The Central Government may notify categories.
  EU GDPR: Exhaustive list (Art. 9). Health, biometric, genetic, racial/ethnic origin, political opinions, religious/philosophical beliefs, trade union membership, sexual orientation; criminal convictions (Art. 10).
  CCPA/CPRA: CPRA Sensitive PI list. SSN/government ID, login credentials, financial account details, precise geolocation, racial/ethnic origin, religious beliefs, philosophical beliefs, union membership, mail/email/text contents, genetic data, biometric data, health data, sex life/sexual orientation, immigration status.
  Saudi PDPL: Art. 23 list. Health, genetic, biometric, criminal records, racial/ethnic origin, religious beliefs. Unauthorised disclosure is a criminal offence (SAR 3M + 2 yr imprisonment).
  Brazil LGPD: Art. 5(II) list. Racial/ethnic origin, religious beliefs, political opinions, health/sex life, genetic/biometric data, criminal records, trade union membership, minors' data.
  Singapore PDPA: No separate category. Singapore PDPA does not define a separate sensitive personal data category; all personal data is regulated under the same framework.
  Thailand PDPA: Sec. 26 list (10 categories). Racial/ethnic origin, political opinions, religious/philosophical beliefs, sexual behaviour, criminal records, health data, disability, trade union membership, genetic data, biometric data.
  UK GDPR/DUAA: Art. 9 list (same as GDPR). Health, biometric, genetic, racial/ethnic, political, religious/philosophical, trade union, sexual orientation; criminal (Art. 10).
  UAE PDPL: Listed categories. Health, genetic, biometric, criminal, racial/ethnic origin, religious, political opinions, sexual orientation. Similar scope to GDPR Art. 9.
Processing Standard
  India DPDPA: SPDI Rules (until May 2027). IT Act SPDI Rules 2011 require explicit written consent for sensitive personal information categories. Enhanced security obligations under s.43A of the IT Act.
  EU GDPR: Explicit Art. 9(2) basis required. General consent (Art. 6) is insufficient; explicit consent (Art. 9(2)(a)) or a narrow listed exception is needed. Stricter security under Art. 32.
  CCPA/CPRA: Consumer can Limit SPI. CPRA s.1798.121: right to limit use/disclosure of Sensitive PI to what is necessary for the requested service. "Limit My SPI" link required.
  Saudi PDPL: Heightened controls + explicit consent. Art. 23: extra security, explicit consent or narrow PDPL exceptions. Criminal liability for unauthorised disclosure.
  Brazil LGPD: Art. 11 basis required. Closed list of bases. Explicit consent (not general consent) required where consent is the basis. Third-party transfer restrictions (Art. 11 para. 2).
  Singapore PDPA: N/A. No separate sensitive category; general PDPA obligations apply to all personal data.
  Thailand PDPA: Sec. 26 explicit basis required. Explicit consent or narrow Sec. 26 exceptions. Max THB 3M fine for processing without a Sec. 26 basis.
  UK GDPR/DUAA: Explicit Art. 9(2) basis required. Same as GDPR. Data protection by design and by default under Art. 25 applies with extra force.
  UAE PDPL: Higher standard. Enhanced security and consent obligations. Framework details still developing under UAEDO guidance.
Penalties & Enforcement

Maximum Penalty
  India DPDPA: INR 250 Crore (~EUR 27M) per violation (s.33 Schedule Item 1: security safeguards). Fixed rupee amounts; can stack per provision.
  EU GDPR: EUR 20M or 4% of global turnover (whichever is higher) per violation (Art. 83(5)). Turnover-based: scales with organisation size.
  CCPA/CPRA: USD 7,500 per intentional violation, per consumer (s.1798.155). Per-consumer penalties compound at scale.
  Saudi PDPL: SAR 5,000,000 for general violations (SAR 10M for repeat violations); criminal: SAR 3M + 2 yr (sensitive data); SAR 1M + 1 yr (cross-border). Criminal liability is rare globally.
  Brazil LGPD: 2% of Brazil revenues or BRL 50M (whichever is lower) per infraction (Art. 52). Revenue-based; daily fines also available.
  Singapore PDPA: SGD 1,000,000 or 10% of Singapore turnover (whichever is higher) (Sec. 48J, from Oct 2022). Turnover-based for Singapore revenues.
  Thailand PDPA: THB 3,000,000 (administrative) per violation (Sec. 82); criminal: THB 1M + 1 yr imprisonment. Fixed cap; criminal sanctions for deliberate acts.
  UK GDPR/DUAA: GBP 17.5M or 4% of global turnover (whichever is higher) (UK GDPR Art. 83(5) / DUAA 2025). PECR penalties now aligned to the UK GDPR level.
  UAE PDPL: AED 5,000,000 maximum administrative fine (AED 10,000,000 for repeat violations). Administrative fines range from AED 50,000 upwards. Criminal liability under cybercrime law also applies (imprisonment and fines up to AED 5,000,000). Fixed amounts; framework maturing.
Penalty Structure
  India DPDPA: Fixed absolute amounts (s.33 Schedule). Factors in s.33(2) guide the quantum within the ceiling. DPAB can double penalties in cases of gravity (s.42(1)). Fixed; proportionally severe for smaller organisations.
  EU GDPR: Two tiers (Art. 83(4)-(5)). Factors: gravity, duration, nature, cooperation, mitigation, repeat nature. DPA discretion is broad. Proportionate to global size.
  CCPA/CPRA: Civil penalties (AG); administrative fines (CPPA). Intentional vs unintentional distinction. USD 2,500 for unintentional violations. Consumer-count based; compounds quickly.
  Saudi PDPL: Fixed + criminal. Repeat violations double the fine. SDAIA may impose additional corrective measures. Criminal track is unique globally.
  Brazil LGPD: Revenue-based: 2% of Brazilian revenue per infraction. Daily fines for ongoing violations. ANPD has a graduated penalty structure under Art. 52. Revenue-proportionate.
  Singapore PDPA: Graduated scale below the SGD 1M / 10% turnover ceiling. PDPC has published enforcement decisions as precedents. Active enforcement history.
  Thailand PDPA: Fixed administrative maximum. PDPC can also issue warnings, suspension, or corrective orders. Criminal track requires intentional/reckless conduct. Fixed ceiling regardless of size.
  UK GDPR/DUAA: Two tiers aligned with GDPR. ICO publishes detailed penalty notices with reasoning. Active; post-DUAA 2025 approach unchanged.
  UAE PDPL: Administrative fines from AED 50,000 to AED 5,000,000; doubled for repeat violations. UAEDO enforcement posture still developing. Corrective orders also available. Criminal liability under cybercrime laws applies in parallel. Framework maturing.
ROPA / Processing Register
  India DPDPA: Not mandated. No explicit ROPA requirement. Accountability under s.8 implies records. Best practice to maintain one for DPAB audit readiness.
  EU GDPR: Mandatory (Art. 30). 250+ employee threshold; the Art. 30(5) exemption is narrow in practice (most regular processing is not exempt).
  CCPA/CPRA: Not required. No ROPA equivalent in the CCPA/CPRA framework.
  Saudi PDPL: Required under the Implementing Regulations. Processing register required for SDAIA audit readiness.
  Brazil LGPD: Not explicitly mandated. ANPD guidance encourages a processing inventory. Best practice for audit readiness.
  Singapore PDPA: Not explicitly required. PDPC recommends maintaining a data inventory. No statutory ROPA obligation.
  Thailand PDPA: Required (Sec. 39). Controllers must maintain records of processing activities. Must be available for PDPC inspection.
  UK GDPR/DUAA: Mandatory (Art. 30). Same criteria as GDPR. ICO may request the ROPA during audits and investigations.
  UAE PDPL: Data inventory required. Cabinet Resolution 33/2022 requires maintaining a data inventory/register. Details still developing.
Notes on Colour Coding
The strictness labels (Strictest / Moderate / Most Flexible) refer to the relative stringency of each framework on that specific dimension, not an overall framework ranking. A framework may be strictest on children's data but most flexible on cross-border transfers. Use the assessment tool for a full compliance analysis tailored to your organisation.
⚠ Legal Disclaimer & Copyright

Not Legal Advice. This matrix is an informational reference tool. It does not constitute legal advice. Regulatory interpretations, enforcement practice, and guidance documents evolve continuously. Always verify against primary sources and engage qualified legal counsel before making compliance decisions.

Accuracy as of 31 March 2026. Key changes reflected: DPDPA Rules 2025 (Nov 2025), Saudi PDPL 2023 amendment (LI basis), DUAA 2025 (in force Feb 2026), CPPA Final Regulations Arts. 9/10/11 (approved 22 Sep 2025), LGPD ANPD SCC mandate (Aug 2025), LGPD breach notification corrected to 3 business days per ANPD Resolution CD/ANPD No. 15/2024, UAE PDPL penalties corrected to AED 5,000,000 maximum administrative fine, DPDPA Rule 7 two-step notification structure reflected.

Copyright © 2025-2026 Adv. Sanket Shah. All rights reserved. Reproduction without prior written permission is prohibited.