By 2030, there will be more data protection laws than there are work days in the year.

A field report from compliance country

An author's note

We collected every data protection law we could find — plus the ones our customers flagged — because our Data Protection Toolkit for Jira and Confluence needs a detection pattern for each one. Here's what that list looks like — and get all 233 as a spreadsheet

In May 2026 there are 233 distinct data protection laws in force around the world, across 179 jurisdictions, on every continent that has one. The pace is accelerating, the fines are breaking records, and the Vatican has its own GDPR now. This is a short field report on where the number is heading, and what to bring with you.


Part one — the scale

The number is bigger than you think.

Fun fact

Even the Vatican has a data protection law (2024). If the Pope's IT team is filing a RoPA, so are you.

+tap for moreless

It's modelled closely on the GDPR — the Holy See wanted alignment with EU rules so Vatican bodies could exchange data with European institutions. Vatican City State has roughly 800 residents and its own DPA.

More facts like this, monthly

For most of the post-GDPR era, "data protection law" in corporate conversation has meant a small, manageable handful of statutes: GDPR, CCPA, perhaps Brazil's LGPD if you run anything in São Paulo. That mental model has not aged well.

233
distinct data protection laws in force — May 2026

Two hundred and thirty-three separate statutes, regulations, treaties and amendments, spread across 179 jurisdictions. Roughly 6.6 billion people live under at least one of them. The growth in the last six years alone is 35%.

Aside

India's DPDPA covers 1.4 billion people — more than GDPR (450M) and all US state laws combined (180M).

+tap for moreless

It passed in August 2023 but enforcement is phased in through 2027, so most companies are still preparing. Penalties run up to ₹250 crore (about €28M) per breach — in the GDPR's league.

Track the new ones with us

The geographical coverage is, as of 2026, effectively total. 162 sovereign countries have enacted comprehensive data protection laws — every populated continent at majority coverage, with the gap between best (Europe, at 100%) and worst (the Middle East, at 67%) now just 33 percentage points. Africa alone went from three laws in 2010 to 42 today — a fourteen-fold increase in sixteen years.

The United States is a category of its own. There is no federal comprehensive privacy law — only sectoral ones (HIPAA, COPPA, GLBA) covering specific data types. But 20 of its 50 states have written their own version, and three more are drafting. The map below shows the world first, then the US state by state.

Where the laws are, May 2026

Purple = country (or US state) has a comprehensive data protection law in force. Striped = federal law absent but state-level coverage in place (USA). Grey = no such law, or sectoral only. Country data compiled from the project tracker plus IAPP Global Privacy Directory and DLA Piper.

Tap to zoom
United States, state by state No federal comprehensive law. 20 of 50 states have written their own.
Loading maps…
Has a comprehensive law No comprehensive law
162
countries & territories
with comprehensive laws
20
of 50 US states
with their own
0
US federal
comprehensive laws

The list itself

All 233, in one spreadsheet.

Here's a real sample of the file — sixteen of the 233, straight from the tracker. Same columns you'll get: year, jurisdiction, the law, its type, and a note on what it does.

xlsx data-protection-laws-2026.xlsx Showing 16 of 233 rows
Year Jurisdiction Law / Regulation Type Notes
1970 Germany (Hesse) Hessisches Datenschutzgesetz Sub-national World's first data protection law ever enacted.
1973 Sweden Datalagen (Data Act) National World's first national data privacy law.
1978 France Loi Informatique et Libertés (Law No. 78-17) National Established the CNIL — first independent DPA in the world.
1981 Council of Europe Convention 108 International Treaty First binding international treaty on data protection.
1995 European Union Data Protection Directive (95/46/EC) Supranational Superseded by GDPR in 2018.
2012 Philippines Data Privacy Act of 2012 (RA 10173) National Established the National Privacy Commission.
2013 South Africa Protection of Personal Information Act (POPIA) National In force Jul 2020. Penalties up to ZAR 10M.
2018 Brazil LGPD (Lei Geral de Proteção de Dados, No. 13.709) National Combined 40 pre-existing laws. Effective Sep 2020.
2018 United Kingdom Data Protection Act 2018 / UK GDPR National Continues independently post-Brexit.
2020 United States (California) California Privacy Rights Act (CPRA) Sub-national Effective 1 Jan 2023. Expands CCPA.
2021 China Personal Information Protection Law (PIPL) National China's GDPR equivalent. Extraterritorial scope.
2023 India Digital Personal Data Protection Act (DPDPA) National Phased enforcement through 2027. 1.4 billion people.
2024 Saudi Arabia Personal Data Protection Law (PDPL) National Gulf-region comprehensive data protection law.
2024 Vatican City Data Protection Law for the Governorate National Even the Vatican enacted its own law.
2025 Paraguay Personal Data Protection Bill National Newly enacted comprehensive law.
2025 The Gambia Personal Data Protection and Privacy Bill 2025 National Newly enacted comprehensive law.

+ 217 more, from 1970 to today

Every jurisdiction, sortable, in one file.

I'm tired of reading — just give me the Excel ↓

Part one (continued) — the cost

The polite-letter era is over.

For roughly the first decade of European data protection enforcement, fines were modest. That changed with GDPR's enforcement provisions: up to €20 million or 4% of global annual turnover, whichever is higher. Regulators have since shown an appetite for the higher number.

Meta
2023
€1.2B
Largest GDPR fine ever
Amazon
2021
€746M
Held the record 2021–2023
TikTok
2023
€345M
Children's data violations
WhatsApp
2021
€225M
Transparency failures
Google
2019
€50M
First major GDPR fine

Total GDPR fines have crossed €7.1 billion — roughly the GDP of Montenegro.

Cumulative GDPR fines, January 2026

US enforcement, which had been quieter, is no longer quieter. In 2024, the State of Texas alone secured a $1.4 billion settlement against a single technology company over biometric data collection. One state. One case.

I'll just delete my email and become a goat farmer.
Goats are personal data too. They have ear tags.

How we got here — tap through the eras

It started in 1970, with a fear of mainframes.

Fun fact

The world's first data protection law was passed a year before email was invented.

+tap for moreless

Hesse passed its law in 1970; Ray Tomlinson sent the first networked email in 1971. The law was written for mainframes and punch cards — the fear was governments cross-referencing citizen registries, not the internet, which didn't exist yet.

The whole timeline, in Excel

The number didn't get to 233 in a straight line. It crept for almost fifty years, then broke into a sprint. Here's the story in five chapters — tap or swipe through, and watch the count climb.

The acceleration, plotted

Comprehensive data protection statutes and major amendments enacted per year, before and after GDPR's 25 May 2018 effective date.

Tap to zoom 0 10 20 30 40 GDPR 36 statutes & amendments (GDPR rollout) 1970 1980 1990 2000 2010 2020 2030
Before GDPR (1970–2017) After GDPR (2018–2025) Projection (at current pace)
The rate of new data protection laws is now 6.7× the pre-GDPR baseline.

Before GDPR: 110 laws in 48 years.
After GDPR: 123 laws in 8 years.

The Brussels Effect, in laws per year


The Compliance Pulse Vol. V, 2026

Get the list of laws

We made this list so we'd stop being surprised. Get all 233 laws as an Excel file — it goes out of date fast, so subscribe and we'll send the updated version each month, with the latest new laws, fines and deadlines.


Part two — where this is going

The line is [not] bending.

Since 2020, the world has been adding 15 to 18 new comprehensive data protection laws per year, and several major amendments per year on top. Nothing about the current trajectory suggests a slowdown — quite the opposite. The AI regulation wave, led by the EU AI Act and the Council of Europe's 2024 AI treaty, adds an entirely new category of instruments on top of the privacy stack.

The trajectory, projected

Cumulative comprehensive data protection statutes and amendments in force worldwide, with projection to 2030 at the post-GDPR pace.

Tap to zoom 300 250 200 150 233 310 2018 2020 2022 2024 2026 2028 2030
Actual Projection (at current pace)

At current pace, the world reaches roughly 310 distinct laws by 2030. That projection is conservative: it extrapolates the base rate without accounting for the AI wave, the second generation of US state laws, or the dozen or so jurisdictions currently drafting bills.

Watch list

US federal law? Still no. 20 state laws — and Oklahoma, Alabama, Arkansas drafting. Pakistan, Bangladesh too.

+tap for moreless

The US patchwork is the real headache: each state law has its own thresholds, definitions and deadlines, so a company serving all 50 tracks 20+ separate rulebooks. That's exactly the kind of thing that's easy to miss — which is why we keep the list.

One email when the list grows

The more interesting question is not the count but the texture. Three trends matter more than the total number: extraterritorial scope (your customers' jurisdiction matters more than yours), enforcement convergence (regulators sharing case files), and AI overlay (every privacy law now has an AI provision, written or pending).


Part two (a small interlude)

The slightly less serious extrapolation.

With apologies to the data, the future also contains scenarios that are statistically improbable but emotionally accurate. Compiled with input from one tired compliance officer.

Predictions from the breakroom whiteboard:
  • 2028 — every US state has its own privacy law. They all use the word "consumer" to mean something different.
  • 2030 — your fridge needs a DPIA. Your toothbrush has a privacy policy. Your sourdough starter is a biometric controller.
  • 2035 — there are more privacy laws than countries. Microstates start writing them to be polite.
  • 2040 — reading all 430 of them takes eleven months. Three more pass while you're reading, contradicting the first one.
  • 2050 — humanity invents one law that simply says "stop." It is immediately preempted by an EU regulation.
Can we just have ONE law for the whole planet?
Yes. Every jurisdiction will write its own version of it.

Epilogue — what to be ready for

You cannot memorise 310 regulations. You can prepare for them.

The good news is that most data protection laws rhyme. They share roughly the same core: lawful basis, data subject rights, breach notification, cross-border transfer mechanisms, accountability. The bad news is that the rhymes are imperfect, and the differences are exactly where the fines live.

The practical question for the next four years is not which laws apply to your organisation — increasingly, the answer is most of them — but whether your operating model can answer the same compliance question 179 different ways without collapsing. Six capabilities matter more than the others.

The data protection stack you need NOW
1
A living Record of Processing Activities
Maintained, not assembled from memory the day before an audit.
2
A working cross-border transfer mechanism
SCCs, BCRs, adequacy decisions — chosen, documented, and tested.
3
Data subject rights at production-grade SLA
The 30-day clock starts the moment the email arrives, not the moment legal sees it.
4
An AI and model inventory
Every model in production, every dataset used to train it, every cross-border inference.
5
A breach response playbook with a 72-hour cadence
Practiced before you need it, not assembled during it.
6
A jurisdiction matrix
Which customer segments trigger which obligations, refreshed quarterly.
7
Actonic Products Data Protection Toolkit
Built into Jira and Confluence — anonymisation, retention, audit trail, DSR fulfilment, where the data actually lives.
+8.
Aspirin.
For when somebody mentions the ePrivacy Regulation.

The question is no longer whether your organisation needs a data protection strategy. It is whether the one you have can handle 310 overlapping regulations across 179 jurisdictions on six continents — while a 20-state American patchwork keeps growing, AI rules keep tightening, and enforcement records keep breaking.

It started in 1970, in one German state, about mainframe databases. It is now the largest body of cross-border regulation humanity has ever attempted to maintain. It is also still accelerating.

So… we're going to be okay, right?
We're going to be busy. That's almost the same thing.

Good luck out there.

Got a topic in mind? Vote on the next deep-dive →

Nikoloz Surmanidze

Nikoloz Surmanidze

Product Owner · Actonic Products GmbH

Nikoloz is a Product Owner at Actonic, where he spends most days inside the numbers behind Jira and Confluence customer behaviour.

The dataset behind this article was assembled over six months of cross-referencing against IAPP's Global Privacy Directory, DLA Piper's Data Protection Laws of the World, and primary legislative texts. The dataset is maintained in service of Actonic's Data Protection Toolkit for Jira and Confluence, which is what got him into this mess in the first place.

Actonic Products GmbH · actonic.de

How useful was this post?

Click on a star to rate it!

Average rating 5 / 5. Vote count: 9

No votes so far! Be the first to rate this post.