๐Ÿ‡จ๐Ÿ‡ญ Cryptwire

How privacy is changing worldwide: a map of data protection laws

Updated July 2026 ยท 5 min read

Over the past decade, data protection has moved from a niche concern to a regulatory priority across most of the world. Here's a non-exhaustive overview of where things stand in 2026.

European Union: GDPR turns 10

The General Data Protection Regulation (GDPR), adopted in 2016 and enforced since 2018, marked ten years since its adoption in May 2026. It remains the most widely imitated privacy framework in the world. In 2026 the European Commission proposed, through the "Digital Omnibus" package, some simplifications to reduce administrative burdens on smaller businesses (for example extending certain record-keeping exemptions to organizations with fewer than 750 employees in low-risk cases), while keeping substantive protections intact. In parallel, the EU AI Act continues its phased rollout, with some high-risk system deadlines pushed to December 2027.

Switzerland: the nFADP

Switzerland is not an EU member and is not directly subject to the GDPR, but it applies the revised Federal Act on Data Protection (nFADP/revDSG), in force since September 2023, which draws on several GDPR principles while keeping its own legal framework, supervisory authority (FDPIC) and enforcement regime. The combination of this law and Switzerland's long tradition of confidentiality makes the country a regulatory environment often cited as favorable for privacy-oriented services.

United States: a patchwork of state laws

The US has no single federal privacy law comparable to the GDPR: regulation proceeds state by state. In 2026, new comprehensive privacy laws took effect in Indiana, Kentucky and Rhode Island, joining states like California, Colorado, Connecticut, Virginia and others already in force โ€” roughly twenty states now have a comprehensive consumer privacy law. Twelve states also require businesses to honor "Global Privacy Control" (GPC) opt-out signals sent automatically by the browser.

The rest of the world

Outside the EU and Switzerland the picture is moving quickly too: the UK's new Data Use and Access Act is now operational, India is rolling out its Digital Personal Data Protection Act in phases, Australia has introduced new transparency obligations for automated decision-making, and Brazil continues strengthening LGPD enforcement. The general trend is toward tighter accountability for data processors and greater scrutiny of consent design.

Why it matters if you use encrypted messaging

This regulatory patchwork shows two opposing trends coexisting: a general strengthening of personal data protection on one hand, and proposals like the EU's "Chat Control" pushing the opposite direction in the name of public safety on the other. For anyone choosing encrypted communication tools, understanding your country's legal context matters just as much as understanding the technology itself.

This article is for general informational purposes and does not constitute legal advice. The regulations mentioned evolve over time โ€” consult a qualified data protection lawyer for specific decisions.
Sources: GDPR text and European Commission communications, Swiss Federal Office of Justice (nFADP), multistate.us regulatory tracker, OneTrust and Forcepoint 2026 privacy law reviews.