By 2030, there will be more data protection laws than there are work days in the year.
A field report from compliance country
An author's note
We collected every data protection law we could find — plus the ones our customers flagged — because our Data Protection Toolkit for Jira and Confluence needs a detection pattern for each one. Here's what that list looks like — and get all 233 as a spreadsheet↓
In May 2026 there are 233 distinct data protection laws in force around the world, across 179 jurisdictions, on every continent that has one. The pace is accelerating, the fines are breaking records, and the Vatican has its own GDPR now. This is a short field report on where the number is heading, and what to bring with you.
Part one — the scale
The number is bigger than you think.
Fun fact
Even the Vatican has a data protection law (2024). If the Pope's IT team is filing a RoPA, so are you.
+tap for moreless
It's modelled closely on the GDPR — the Holy See wanted alignment with EU rules so Vatican bodies could exchange data with European institutions. Vatican City State has roughly 800 residents and its own DPA.
More facts like this, monthly→For most of the post-GDPR era, "data protection law" in corporate conversation has meant a small, manageable handful of statutes: GDPR, CCPA, perhaps Brazil's LGPD if you run anything in São Paulo. That mental model has not aged well.
Two hundred and thirty-three separate statutes, regulations, treaties and amendments, spread across 179 jurisdictions. Roughly 6.6 billion people live under at least one of them. The growth in the last six years alone is 35%.
Aside
India's DPDPA covers 1.4 billion people — more than GDPR (450M) and all US state laws combined (180M).
+tap for moreless
It passed in August 2023 but enforcement is phased in through 2027, so most companies are still preparing. Penalties run up to ₹250 crore (about €28M) per breach — in the GDPR's league.
Track the new ones with us→The geographical coverage is, as of 2026, effectively total. 162 sovereign countries have enacted comprehensive data protection laws — every populated continent at majority coverage, with the gap between best (Europe, at 100%) and worst (the Middle East, at 67%) now just 33 percentage points. Africa alone went from three laws in 2010 to 42 today — a fourteen-fold increase in sixteen years.
The United States is a category of its own. There is no federal comprehensive privacy law — only sectoral ones (HIPAA, COPPA, GLBA) covering specific data types. But 20 of its 50 states have written their own version, and three more are drafting. The map below shows the world first, then the US state by state.
Where the laws are, May 2026
Purple = country (or US state) has a comprehensive data protection law in force. Striped = federal law absent but state-level coverage in place (USA). Grey = no such law, or sectoral only. Country data compiled from the project tracker plus IAPP Global Privacy Directory and DLA Piper.
with comprehensive laws
with their own
comprehensive laws
The list itself
All 233, in one spreadsheet.
Here's a real sample of the file — sixteen of the 233, straight from the tracker. Same columns you'll get: year, jurisdiction, the law, its type, and a note on what it does.
| Year | Jurisdiction | Law / Regulation | Type | Notes |
|---|---|---|---|---|
| 1970 | Germany (Hesse) | Hessisches Datenschutzgesetz | Sub-national | World's first data protection law ever enacted. |
| 1973 | Sweden | Datalagen (Data Act) | National | World's first national data privacy law. |
| 1978 | France | Loi Informatique et Libertés (Law No. 78-17) | National | Established the CNIL — first independent DPA in the world. |
| 1981 | Council of Europe | Convention 108 | International Treaty | First binding international treaty on data protection. |
| 1995 | European Union | Data Protection Directive (95/46/EC) | Supranational | Superseded by GDPR in 2018. |
| 2012 | Philippines | Data Privacy Act of 2012 (RA 10173) | National | Established the National Privacy Commission. |
| 2013 | South Africa | Protection of Personal Information Act (POPIA) | National | In force Jul 2020. Penalties up to ZAR 10M. |
| 2018 | Brazil | LGPD (Lei Geral de Proteção de Dados, No. 13.709) | National | Combined 40 pre-existing laws. Effective Sep 2020. |
| 2018 | United Kingdom | Data Protection Act 2018 / UK GDPR | National | Continues independently post-Brexit. |
| 2020 | United States (California) | California Privacy Rights Act (CPRA) | Sub-national | Effective 1 Jan 2023. Expands CCPA. |
| 2021 | China | Personal Information Protection Law (PIPL) | National | China's GDPR equivalent. Extraterritorial scope. |
| 2023 | India | Digital Personal Data Protection Act (DPDPA) | National | Phased enforcement through 2027. 1.4 billion people. |
| 2024 | Saudi Arabia | Personal Data Protection Law (PDPL) | National | Gulf-region comprehensive data protection law. |
| 2024 | Vatican City | Data Protection Law for the Governorate | National | Even the Vatican enacted its own law. |
| 2025 | Paraguay | Personal Data Protection Bill | National | Newly enacted comprehensive law. |
| 2025 | The Gambia | Personal Data Protection and Privacy Bill 2025 | National | Newly enacted comprehensive law. |
+ 217 more, from 1970 to today
Every jurisdiction, sortable, in one file.
I'm tired of reading — just give me the Excel ↓Part one (continued) — the cost
The polite-letter era is over.
For roughly the first decade of European data protection enforcement, fines were modest. That changed with GDPR's enforcement provisions: up to €20 million or 4% of global annual turnover, whichever is higher. Regulators have since shown an appetite for the higher number.
Total GDPR fines have crossed €7.1 billion — roughly the GDP of Montenegro.
Cumulative GDPR fines, January 2026
US enforcement, which had been quieter, is no longer quieter. In 2024, the State of Texas alone secured a $1.4 billion settlement against a single technology company over biometric data collection. One state. One case.
How we got here — tap through the eras
It started in 1970, with a fear of mainframes.
Fun fact
The world's first data protection law was passed a year before email was invented.
+tap for moreless
Hesse passed its law in 1970; Ray Tomlinson sent the first networked email in 1971. The law was written for mainframes and punch cards — the fear was governments cross-referencing citizen registries, not the internet, which didn't exist yet.
The whole timeline, in Excel→The number didn't get to 233 in a straight line. It crept for almost fifty years, then broke into a sprint. Here's the story in five chapters — tap or swipe through, and watch the count climb.
Tap the arrows or swipe through — there's a surprise at the end →
The acceleration, plotted
Comprehensive data protection statutes and major amendments enacted per year, before and after GDPR's 25 May 2018 effective date.
Before GDPR: 110 laws in 48 years.
After GDPR: 123 laws in 8 years.
The Brussels Effect, in laws per year
Get the list of laws
We made this list so we'd stop being surprised. Get all 233 laws as an Excel file — it goes out of date fast, so subscribe and we'll send the updated version each month, with the latest new laws, fines and deadlines.
Part two — where this is going
The line is [not] bending.
Since 2020, the world has been adding 15 to 18 new comprehensive data protection laws per year, and several major amendments per year on top. Nothing about the current trajectory suggests a slowdown — quite the opposite. The AI regulation wave, led by the EU AI Act and the Council of Europe's 2024 AI treaty, adds an entirely new category of instruments on top of the privacy stack.
The trajectory, projected
Cumulative comprehensive data protection statutes and amendments in force worldwide, with projection to 2030 at the post-GDPR pace.
At current pace, the world reaches roughly 310 distinct laws by 2030. That projection is conservative: it extrapolates the base rate without accounting for the AI wave, the second generation of US state laws, or the dozen or so jurisdictions currently drafting bills.
Watch list
US federal law? Still no. 20 state laws — and Oklahoma, Alabama, Arkansas drafting. Pakistan, Bangladesh too.
+tap for moreless
The US patchwork is the real headache: each state law has its own thresholds, definitions and deadlines, so a company serving all 50 tracks 20+ separate rulebooks. That's exactly the kind of thing that's easy to miss — which is why we keep the list.
One email when the list grows→The more interesting question is not the count but the texture. Three trends matter more than the total number: extraterritorial scope (your customers' jurisdiction matters more than yours), enforcement convergence (regulators sharing case files), and AI overlay (every privacy law now has an AI provision, written or pending).
Part two (a small interlude)
The slightly less serious extrapolation.
With apologies to the data, the future also contains scenarios that are statistically improbable but emotionally accurate. Compiled with input from one tired compliance officer.
- 2028 — every US state has its own privacy law. They all use the word "consumer" to mean something different.
- 2030 — your fridge needs a DPIA. Your toothbrush has a privacy policy. Your sourdough starter is a biometric controller.
- 2035 — there are more privacy laws than countries. Microstates start writing them to be polite.
- 2040 — reading all 430 of them takes eleven months. Three more pass while you're reading, contradicting the first one.
- 2050 — humanity invents one law that simply says "stop." It is immediately preempted by an EU regulation.
Epilogue — what to be ready for
You cannot memorise 310 regulations. You can prepare for them.
The good news is that most data protection laws rhyme. They share roughly the same core: lawful basis, data subject rights, breach notification, cross-border transfer mechanisms, accountability. The bad news is that the rhymes are imperfect, and the differences are exactly where the fines live.
The practical question for the next four years is not which laws apply to your organisation — increasingly, the answer is most of them — but whether your operating model can answer the same compliance question 179 different ways without collapsing. Six capabilities matter more than the others.
The question is no longer whether your organisation needs a data protection strategy. It is whether the one you have can handle 310 overlapping regulations across 179 jurisdictions on six continents — while a 20-state American patchwork keeps growing, AI rules keep tightening, and enforcement records keep breaking.
It started in 1970, in one German state, about mainframe databases. It is now the largest body of cross-border regulation humanity has ever attempted to maintain. It is also still accelerating.
Good luck out there.
Still reading? Get all 233 laws as a spreadsheet ↑ — plus the monthly update when the list grows.
Got a topic in mind? Vote on the next deep-dive →
