The Security Blog

Welcome! Please comment and leave me a note telling me what you like and what you'd like to see more of. Sign up to my RSS Feed!

International Privacy Laws, Rules, Regulations and Resources
M to Z

As of November 11, 2011, Breach notification laws have moved to their
own page, at www.arielsilverstone.com/resources/collection-of-breach-notification-laws

106. Macedonia / Македонија / Makedonija / Maqedonia(Not a part of Greece. Former Yugoslav Republic, CE, CE185)
     

     Directorate for Personal Data Protection (DZLP, Macedonian)

     Law on Personal Data Protection (Consolidated) (Macedonian PDF)

     Law Amending the Law on Protection of Personal Data no. 135/11 (Macedonian PDF)

     Law Amending the Law on Protection of Personal Data no. 124/10 (Macedonian PDF)

     Law Amending the Law on Protection of Personal Data no. 103/08 (Macedonian PDF)

     Law on Personal Data Protection no. 7 / 05) (Macedonian PDF)

107. Madagascar / Madagasikara
     1. None Found
108. Malawi / Dziko la Malaŵi / 马来西亚 / Măláixīyà / மலேசியா / Malēciyā
     1. None Found
109. Maldives / Divehi Rājje ge Jumhuriyyā
     1. None Found
110. Mali
     1. None Found
111. Malta (Member EU, Schengen, CE)
     1. Office of the Data Protection Commissioner (Note: Many Legal Notices Available Here)
     2. Data Protection Act (CAP 440, PDF)
112. Malaysia / மலேசியா / 马来西亚
     1. Personal Data Protection Bill 2010 (PDPA, PDF)
113. Marshall Islands /Aelōn̄ in M̧ajeļ (in Free Association with the United States)
114. Mauritania/ Mauritanie / Mūrītāniyā
     1. None Found
115. Mauritius / Maurice / Moris
     

     Information and Communication Technologies Authority (ICTA)

     Data Protection Act (2004) (DPA, PDF)

     Computer Misuse and Cybercrime Act (2003) (PDF)

     Information and Communication Technologies Act (2001) (ICATA, PDF)

116. Mexico / United Mexican States / Estados Unidos Mexicanos / México (Member OECD)
     1. Federal Law on The Protection of Personal Information in Possession of the Private Sector
     2. States of Mexico:

     Aguascalientes	Baja California	Baja California Sur
     Campeche	Chiapas	Chihuahua
     Coahuila de Zaragoza	Colima The Personal Data Protection Act	Durango
     Guanajuato	Guerrero	Hidalgo
     Ignacio de la Llave	Jalisco	México (Distro Federal) Law on the protection of personal data
     Michoacán de Ocampo	Morelos	Nayarit
     Nuevo León	Oaxaca	Puebla
     Querétaro	Quintana Roo	San Luis Potosí
     Sinaloa	Sonora	Tabasco
     Tamaulipas	Tlaxcala Law on Access to Public Information and Personal Data Protection (Spanish, PDF)	Veracruz
     Yucatán	Zacatecas

117. Moldova (Member CE)
     

     Centrului Naţional pentru Protecţia Datelor cu Caracter Personal (National Center for Personal Data Protection)

     Law Nr. 17-XVI of 15.02.2007 on personal data protection

     Law on Personal Data Protection (new redaction) no.133 from 08 July 2011 (shall come into force at 14.04.2012)

118. Monaco / Múnegu / Mónegue (Not member of Schengen, but generally administered as if it were, CE)
     1. Commission de Contrôle des Informations Nominatives (Commission of Control of Personal Information, French)
     2. Protection of Personal Data Law (1.165, PPDL, French PDF)
119. Mongolia / Монгол улс / Mongol uls
     1. None Found
120. Montenegro / Црна Гора / Crna Gora
     1. None Found
121. Morocco / al-Maġrib / ⵎⴰⵖⵔⵉⴱ / Maɣrib
     
     1. None Found
122. Myanmar / Pyi-daung-zu Myan-ma Naing-ngan-daw / Burma (Despotic Regime)
     1. None Found
123. Nauru / Naoero
     1. None Found
124. Nepal / नेपाल / Nepāl
     1. None Found
125. New Zeland / Aotearoa (Member OECD, CPEA)
     

     Office of the Privacy Commissioner / Te Mana Matapono Matatapu Health Information Privacy Code (HIPC, PDF)

     Telecommunications Information Privacy Code (TIPC, PDF)

     Privacy Act Summary

     Privacy Act

     Also Includes

     The Dependent Territory of Tokelau Parts of the Antarctic Ross Ice Shelf

126. Nicaragua
     1. None Found
127. Niger / Nijar
     1. None Found
128. Nigeria / Nijeriya / Naigeria / Niiseriya / Naìjírìà
     1. National Health Bill (PDF)
129. North Korea / Hanguk (Despotic Regime)
     1. None Found
130. Norway / Norge / Noreg (Member OECD, CE, CE108, Schengen)
     

     Datatilsynet (The Date Inspectorate, in Bokmål (Norsk))

     Personal Data Act (Translated PDF)

     Royal Regulations on the Processing of Personal Data (Translated PDF)

     Personal Health Data Filing System Act (Including Processing of Personal Health Data, translated)

131. Oman
     1. None Found
132. Pakistan / Pākistān
     1. None Found
133. Palau / Pelwe / Beluu / Belau
     1. None Found
134. Panama / Panamá
     1. None Found
135. Papua-New Guinea / Papua Niugini
     1. None Found
136. Parguay / Paraguái
     1. National Secretariat of State Reform
137. Peru / Perú / Piruw
     1. Instituto Nacional de Defensa de la Competencia y de la Protección de la Propiedad Intelectual  (INDECOPI / National Institute for the Defense of Competition and Intellectual Property Protection
     2. Ley que Regula las Centrales Privadas de Información de Riesgos y de Protección al Titular de la Información Ley Nº 27.489 / Law Regulating the Privacy of Information Risk and Protection of Information Owner Law No. 27.489 – no Source found.
138. Phillipines / Pilipinas / Filipinas
     1. NONE
139. Poland / Polska (Member EU, OEC, CE, CES 108), Schengen, CEEP)
     1. Generalnego Inspektora Ochrony Danych Osobowych (GIODO) /  Inspector General for Personal Data Protection (in Polish)
     2. Protection of Personal Data Law (Polish PDF)
140. Portugal / Pertual (Member EU,OECD, Schengen, CE)
     

     Law Creating CNPD (Portuguese PDF)

     Comissão Nacional de Protecção de Dados(CNPD, National Commission for Protection of Data, in Portuguese)

     Law 67/1998 – Protection Personal Data and Information (Portuguese PDF)

     Law 32/2008 – Retention of Electronic Communications Data (Portuguese PDF)

     Law 41/2004 – Protection of Personal Data in Electronic Communications (Portuguese PDF)

     Law 109/1991 – Information Crimes (Portuguese PDF)

     Portugal also controls:

     The Azores Madiera

141. Qatar / Dawlat Qaṭar
     1. None Found
142. Romania / România (Member EU, Schengen (not implemented), CE, CE185)
     

     Autoritatea Naţională de Supraveghere a Prelucrării Datelor cu Caracter Personal (The National Supervisory Authority For Personal Data Processing) (Romanian)

     Notification Guide (Romanian)

     Law no. 677/2001 (Translated PDF)

     Law no. 682/2001 (Translated PDF)

     Law no. 102/2005 (Translated PDF)

     Law no. 55/2005 (Translated PDF)

     Law no. 506/2004 (Translated PDF)

     Emergency Ordinance no. 36/2007 (Translated PDF)

     Law no. 298/2008 (Translated PDF)

      

143. Russia /Россия /
     Российская Федерация / Russian Federation / Rossyia (Member CE, but NOT Ratified ETS 108)

     Federal Act 24-FZ – Information, Informatization and Information Protection (Translated, now replaced by 149-FZ)

     информации, информационных технологиях и о защите информации / Federal Act 149-FZ – Information, Information Technologies and Protection of Information (Russian)

     Federal Act 152-FZ – “On Personal Data” (Russian PDF)

     Federal Act 15-FZ – “On Communication”

     Criminal Code Article 108: Violation of the Secrecy of Correspondence, Telephone Conversations, Postal, Telegraphic and Other Messages (Translated)

     1. Includes the Following Federal Subject areas:
        1. Includes the Following Federal Subject areas:
           1. Republics (areas with right to form their own constitution):
              

              Adygea	Altai	Bashkortostan
              Buryatia	Chechnya	Chuvashia
              Dagestan	Ingushetia	Kabardino-Balkaria
              Kalmykia	Karachay-Cherkessia	Karelia
              Khakassia	Komi	Mari El
              Mordovia	North Ossetia-Alania	Sakha Republic
              Tatarstan	Tuva	Udmurtia

           2. Provinces (Oblasts):
              

              Amur	Arkhangelsk	Astrakhan
              Belgorod	Bryansk	Chelyabinsk
              Chita	Irkutsk	Ivanovo
              Kaliningrad	Kaluga	Kemerovo
              Kirov	Kostroma	Kurgan
              Kursk	Leningrad	Lipetsk
              Magadan	Moscow	Murmansk
              Nizhny Novgorod	Novgorod	Novosibirsk
              Omsk	Orenburg	Oryol
              Penza	Pskov	Rostov
              Ryazan	Sakhalin (note: disputed with Japan)	Samara
              Saratov	Smolensk	Sverdlovsk
              Tambov	Tomsk	Tver
              Tula	Tyumen	Ulyanovsk
              Vladimir	Volgograd	Vologda
              Voronezh	Yaroslavl

           3. Territories (Krais):
              

              Altai	Kamchatka	Khabarovsk
              Krasnodar	Krasnoyarsk	Perm
              Primorsky	Stavropol	Zabaykalsky

           4. Federal Cities:
              1. Moscow
              2. St. Petersberg
           5. Autonomous Oblast:
              1. Jewish Autonmous Oblast / Евре́йская
                 автоно́мная о́бласть / Yevreyskaya avtonomnaya oblast / ייִדישע אווטאָנאָמע געגנט
           6. Autonomous Districts (Okruga):
              

              Chukotka	Khanty–Mansi
              Nenets	Yamalo-Nenets

144. Rwanda
     1. None Found
145. Saint Kitts and Nevis / Federation of Saint Christopher and Nevis / Saint-Christophe et Nevis
     1. None Found
146. Saint Lucia / Sainte Lucie
     1. None Found
147. Saint Vincent and the Grenadines
     1. None Found
148. Samoa / German Samoa / Western Samoa / Malo Sa’oloto Tuto’atasi o Samoa / Sāmoa
     1. None Found
149. San Marino (Member CE, but NOTRatified ETS 108)
     1. Act Regulating the Computerized Collection of Personal Data (Italian)
150. São Tomé and Príncipe / São Tomé e Príncipe
     1. None Found
151. Saudi Arabia / as-Saʿūdiyyah / Roubah El-Hali (Despotic Regime)
     1. None Found
152. Senegal / Sénégal
     1. None Found
153. Serbia / Србија / Szerbia / Serbija (Member CE)
     1. None Found
154. Seychelles / Sesel
     1. None Found
155. Sierra Leon
     1. None Found
156. Singapore / Singapura / 新加坡 / சிங்கப்பூர் / Chiṅkappūr
     

     Electronic Commerce Code for the Protection of Personal Information and Communications of Consumers of Internet Commerce (source not found)

     Model Data Protection Code for the Private Sector

     Infocomm Development Authority of Singapore (IDA)

157. Slovakia / Slovensko / Szlovákia (Member EU, OECD, Schengen, CE, CEEP)
     1. Úrad na Ochranu Osobných Údajov (Office for Personal Data Protection, Slovak)
     2. Act 428/2002 – Protection of Personal Data (Translated PDF)
158. Slovenia / Slovenija / Szlovénia (Member EU, Schengen, CE, CE185)
     1. Informacijski Pooblaščenec (IP-RS, Information Commissioner, Sloven)
     2. Personal Data Protection Act (Translated)
159. Solomon Islands
     1. None Found
160. Somalia / Soomaaliya / As-Sūmāl / Somalo (No Effective Government)
     1. None Found
161. South Sudan
     1. None Found
162. South Africa / / Suid-Afrika / Sewula Afrika / Zantsi Afrika / Ningizimu Afrika / Afrika-Borwa / Afrika Dzonga / Afurika Tshipembe (CE185)
     1. None Found
163. South Korea / Chosŏn / 대한민국 / 大韓民國 / Daehanminguk (Member OECD)
     1. Act on Promotion of Information and Communications Network Utilization and Data Protection (Translated PDF)
     2. Korean Internet and Security Agency (KISA)
164. Spain / España / Espanya / Espainia / Espanha (Member EU, OECD, Schengen, CE)
     1. Agencia Española de Protección de Datos (AEPD, in Spanish)
     2. Protection of Personal Data Law (Translated PDF)
     3. Law 34/2002 – Information Society Services and Electronic Commerce (Translated PDF)
     4. Law 41/2002 – Regulating Patient Data (Translated PDF)
     5. Law 32/200 – State Telecommunications Act (Translated PDF)
     6. Law 62/2003 – Modifying Data Protection Regulations (Translated PDF)
     7. Regions and Districts:
        1. Datuak Babesteko Euskal Bulegoa / Agencia Vasca de Protección de Datos / Basque Agency for Protection of Data
           1. Ley 2/2004, de Ficheros de Datos de Carácter Personal de Titularidad Pública y de Creación de la Agencia Vasca de Protección de Datos (Law 2/2004 Regarding Protection of Data of Personal Nature, of Public Access, and The Creation of the Basque Agency of Data Protection, translated PDF)
           2. Ley Orgánica 15/1999, de Protección de Datos de Carácter Personal (LOPD, Law of Protection of Data of Personal Nature, in Spanish)
        2. Agencia Catalana de Protección de Datos / Catalan Agency for Protection of Data)
           1. Ley 5/2002, de la Agencia Catalana de Protección de Datos (Law (creating) of The Catalan Agency of Protection of Data, in Spanish)
        3. Agencia de Protección de Datos de la Comunidad de Madrid / Community of Madrid Agency for Protection of Data,  (APDCM)
           1. Ley Orgánica 15/1999, de Protección de Datos de Carácter Personal (Law of The Protection of Data of Personal Character, Spanish PDF)
           2. Ley 8/2001, de Protección de Datos de Carácter Personal en la Comunidad de Madrid (Protection of Data of Personal Character in the Community of Madrid, in Spanish)
     8. Independent Cities:
        1. Ceuta
        2. Melilla / Tamelilt
     9. Independent Places:
        1. Islas Chafarinas
        2. Peñón de Alhucemas
        3. Peñón de Vélez de la Gomera
     10. Independent Provinces:
         1. Balearic Islands / Illes Balears / Islas Baleares, including:
            1. Cabrera
            2. Formentera
            3. Ibiza
            4. Majorca
            5. Minorca / Menorca
         2. Canary Islands / Comunidad Autónoma de Canarias, including:
            1. Alegranza
            2. El Hierro
            3. Fuerteventura
            4. Gran Canaria
            5. La Gomera
            6. La Graciosa
            7. La Palma
            8. Lanzarote
            9. Montaña Clara
            10. Tenerife
165. Sri Lanka / Ceylon / ශ්‍රී ලංකා / இலங்கை /Ilaṅkai / Shrī Laṁkā (Despotic Regime)
     1. None Found
166. Sudan (Despotic Regime)
     1. None Found
167. Suriname / Dutch Guiana
     1. None Found
168. Swaziland / Umbuso weSwatini (Despotic Regime)
     1. None Found
169. Sweden / Sverige (Member EU, OECD, Schengen, CE)
     1. SvenskaDatainspektionen (Swedish Data Inspection Board, in Swedish)
     2. Personal Data Act (PDA)
     3. Credit Information Act (In Swedish)
     4. Debt Collection Law (In Swedish) (Relevant here)
     5. Patient Data Act (Swedish PDF)
     6. Telecommunication Privacy (In Swedish)
170. Swiss Confederation / Switzerland / Schweiz / Suisse / Svizzera / Svizra / Helvetica (Member OECD, Schengen, CE)
     1. Der Eidgenössische Datenschutz- und Öffentlichkeitsbeauftragte (EDÖB) / Le Préposé fédéral à la protection des données et à la transparence (PFPDT) / L’Incaricato federale della protezione dei dati e della trasparenza (IFPDT) / Federal Data Protection and Information Commissioner (FDPIC) Federal Act on Data Protection (DSG / LPD / FADP, translated)
     2. Ordinance on the Federal Act (Translated)
     3. Les Commissaires Suisses à la Protection des Données / Die Schweizerischen Datenschutzbeauftragten / The Cantonal Privacy Commissioners’ Association (Privatim, or “Privately”, In French and German)
     4. Cantons:
        1. Beauftragte für Oeffentlichkeit und Datenschutz des Kantons Aargau / Publicity and Privacy Officer for the Canton of Aargau(German)
           1. Law on Public Information, Data Protection and the archives (IDAG) (German)
        2. Datenschutz-Kontrollorgan des Kantons Appenzell Ausserrhoden / Data Protection Control (board) of the Canton Appenzell Ausserrhoden (Outer Rhoden)
        3. Datenschutzaufsicht des Kantons Appenzell Innerrhoden / Data Protection Supervisor of the Canton Appenzell Innerrhoden (Inner Rhoden)
        4. Datenschutzbeauftragte des Kantons Basel-Landschaft / Data Protection Supervisor of Canton Basel-County (German)
        5. Datenschutzbeauftragter des Kantons Basel-Stadt / Data Protection Supervisor of the canton of Basel-City (German)
        6. Datenschutzbeauftragter des Stadt Bern / Data Protection Supervisor of the State of Bern (German and French)
        7. Autorité de
           surveillance du Canton de Friborg en Matière de Protection des Données / Authority of Surveillance and Master of Protection of Data of the Canton of Friborg (Free Castle) (German or French)
        8. Commission de contrôle de l’informatique de l’Etat de Genève / Commission of Control of Information for the State of Geneva (French)
           
        9. Datenschutzbeauftragter des Kantons Glarus / Data Protection Supervisor of the Canton of Glarus (German)
           
        10. Datenschutzbeauftragter der Kantonalen Verwaltung des Kantons Graubünden / Data Protection Administration Supervisor of the Canton of Graubünden (Grey Grison) (German)
        11. Jura Commission Cantonale de la Protection des Données Jura / Cantonal Commission of Protection of Data, Jura (French)
            
        12. Datenschutzbeauftragter des Kantons Luzern / Data Protection Supervisor of the Canton of Lucerne (German)
        13. Autorité de Surveillance en Matière de Protection de la Personnalité du Canton de Neuchâtel; / Authority on the Surveiliance Regrading the Matter of Protection of People in the Neuchatel Canton (French)
        14. Datenschutzbeauftragter des Kantone Schwyz, Obwalden und Nidwalden / Supervisor of Data Protection of the Cantons of Schwyz, Oldforest and Newforest (almost-German)
        15. Datenschutzbeauftragte des Kantons St. Gallen / Data Protection Supervisor of the Canton of St.
            Gallen (German)
        16. Datenschutzbeauftragter des Kantons Schaffhausen / Data Protection Supervisor of the Canton of Schaffhausen
        17. Informations- und Datenschutzbeauftragter des Kantons Solothurn / Information and Data Protection for the Canton of Solothurn (German)
        18. Datenschutzbeauftragter des Kantons Thurgau / Data Protection Supervisor of the Canton of Thurgau
        19. Incaricato della Protezione dei Dati del Republica e Cantone Ticino / Data Protection Officer of the Republic and Canton of Ticino (Italian)
        20. Datenschutzbeauftragter des Kantons Uri / Data Protection Supervisor of the Canton of Uri (German)
        21. Commission Cantonale de la Protection des Données, Valais / Cantonal Commission of Protection of Data Canton of Valais 
        22. Préposé à la Protection des Données du Canton de Vaud / Clerk of Data Protection of the Canton of Vaud
            1. Loi Sur la Protection des Données Personnelles  (411, March 2007, PDF, in French)
        23. Datenschutzbeauftragter des Kantons Zug / Data Protection Supervisor of the Canton of Zug (Train) (German)
        24. Datenschutzbeauftragter des Kantons Zürich / Data Protection Supervisor of the Canton of Zurich (German)
     5. Municiplaties:
        1. Datenschutzaufsicht der Gemeinde Belp / Data Protection Supervisor of the Community of Belp
        2. Datenschutzaufsicht der Gemeinde Berne / Data Protection Supervisor of the Community of Bern
        3. Datenschutzbeauftragter der Einwohnergemeinde Steffisburg / Data Protection Supervisor of the Residential Community of Steffisburg
        4. Datenschutzaufsicht der Stadt Thun / Data Protection Supervisor of the City of Thun
        5. Datenschutzberater der Stadt Uster / Data Protection Preacher (policy maker) of the City of Uster
           
171. Syria / Sūriyah (Despotic Regime, Regime Change in Progress)
     1. None
        
172. Taiwan 台灣 / Táiwān / Formosa / Republic of China
     1. Computer-Processed Personal Data Protection Law (Translated PDF)
     2. Enforcement Rules (Translated PDF)
173. Tajikistan / Тоҷикистон / Tojikiston
     1. None Found
174. Tanzania (Including Tanganyika and Zanzibar)
     1. Telecommunication Consumer Protection Regulations (PDF)
175. Thailand / ประเทศไทย
     1. Office of Official Information Commission
176. Tibet བོད་ / Bod / 西藏 /Xīzàng (under Chinese control)
     1. None Found
177. Togo / République Togolaise
     1. None Found
178. Tonga / Pule’anga Fakatu’i ‘o Tonga
     1. None Found
179. Trinidad and Tubegu
     1. None Found
180. Tunisia / Tunisie / Tunis / Tūnisīyah (Despotic Regime)
     
     1. Loi Organique Relative à la Protection des Données Personnelles (Personal Data Protection Law, no source found)
181. Turkey / Türkiye (Member OECD, CE)
     1. None Found
182. Turkmenistan / Türkmenistan / Turkmenia / Туркмения (Despotic Regime)
     1. None Found
183. Tuvalu / Ellice Islands
     1. None Found
184. Uganda
     1. None Found
185. Ukraine / Ucrania / України (Despotic Regime) (CE)
     1. Law On Information (Translated PDF)
     2. Law on Data Protection in Information Systems (Translated PDF)
     3. Includes the Crimea
186. United Arab Emirates
     1. None Found Nationally
     2. Includes:
        1. Abu Dhabi
        2. Ajman
        3. Dubai (Note: these laws were created under the authority of the Dubai International Financial Center, DIFC)
           1. Data Protection Law 2006 (it is called “2007″, no longer available, replaced the 2004 law)
           2. Data Protection Law of 2012 (PDF, replaced the 2006/7 law)
           3. Dubai International Financial Centre Authority
        4. Fujairah
        5. Sharjah
        6. Ras al-Khaimah
        7. Umm al-Quwain
187. United Kingdom of Great Britain and Northern Ireland / Teyrnas Unedig Prydain Fawr a Gogledd Iwerddon / An Rìoghachd Aonaichte na Breatainn Mhòr agus Èirinn a Tuath / Ríocht Aontaithe na Breataine Móire agus Thuaisceart Éireann / Unitit Kinrick o Great Breetain an Northren Ireland / Ruwvaneth Unys Breten Veur hag Iwerdhon Gledh (Member OECD, EU, CE, Schengen (only partially implemented))
     1. Data Protection Act Information commissioner’s Office
     2. Co-administered territories:
        1. Anguilla
     3. Overseas Territories
        1. Bermuda
        2. Diego Garcia (leased to the United States Government)
        3. Gibraltar (Member EU)
           1. Gibraltar Regulatory Authority
           2. Data Protection Act (PDF)
        4. Montserrat
        5. Turks and Caicos (Member EU)
188. Uruguay / República Oriental del Uruguay
     1. Se Dictan Normas para la Protección de Datos Personales a ser Utilizados en Informes Comerciales , y se Regula la Acción de “Habeas Data”. Ley 17.838 (Guidelines for the Protection of Personal Data in Use in Commercial Reports, and Regulating the Use of the “Habeas Data” Law 17.838 (In Spanish)
189. Uzbekistan / O‘zbekiston / Ўзбекистон
     1. None Found
190. Vanuatu
     1. None Found
191. Vatican (Holy See) / Vaticana / Vaticano
     1. None Found
192. Venezuela / República Bolivariana de Venezuela (Despotic Regime)
     1. None Found
193. Viet Nam / Việt Nam (Despotic Regime)
     1. None Found
194. Yemen
     1. None Found
195. Zambia
     1. Telecommunications (Consumer Protection) Regulations
196. Zimbabwe (Despotic Regime)
     1. None Found