12.2 The Global Convergence of Privacy Law
Module 12: The Future of Privacy
Traces the worldwide trend toward GDPR-like privacy standards, examines major national laws, and explains both the promise and the limits of a global privacy baseline.
Learning Material
When the GDPR came into force in May 2018, many commentators predicted it would become a global standard. That prediction has largely been borne out — but the picture is more complex than simple convergence.
How widespread is privacy legislation?
The International Association of Privacy Professionals (IAPP) estimates that approximately 71% of countries now have some form of privacy or data protection legislation — up from roughly 40% in 2010. That is a dramatic expansion in legal coverage over a single decade, driven partly by GDPR's extraterritorial reach and partly by countries seeking to demonstrate adequacy for data transfers.
The major converging laws
Several landmark national laws have adopted core GDPR-like principles — lawful basis for processing, data subject rights, breach notification, and independent supervisory authorities:
- Brazil LGPD (Lei Geral de Proteção de Dados, 2020): closely modelled on the GDPR, with a national supervisory authority (ANPD) and rights including access, correction, and deletion.
- India DPDP (Digital Personal Data Protection Act, 2023): a more business-friendly framework with consent-based processing and significant government exemptions.
- Japan APPI (Act on the Protection of Personal Information, revised 2022): introduced stricter breach notification, pseudonymized data provisions, and cross-border transfer rules.
- South Korea PIPA (Personal Information Protection Act): one of Asia's strongest frameworks, with a dedicated Personal Information Protection Commission.
- California CPRA (2023): extended the CCPA with a new enforcement agency (CPPA), sensitive data category, and opt-out rights for automated profiling.
Adequacy decisions as a mechanism for spreading norms
The European Commission can grant 'adequacy decisions' to countries it considers to provide equivalent data protection — allowing free data flows without additional safeguards. This mechanism has become a powerful incentive: countries seeking European business must align their legal frameworks with GDPR principles. Japan, South Korea, and the UK hold adequacy status.
The limits of convergence
Not all convergence is genuine. China's Personal Information Protection Law (PIPL, 2021) adopts GDPR terminology — consent, data minimisation, individual rights — while coexisting with a state surveillance infrastructure that mandates data access by security services. Some authoritarian governments adopt privacy laws rhetorically, creating compliance obligations for private actors while preserving unrestricted state access. The IAPP notes that law on paper and law in practice diverge significantly in such contexts.
What this means in practice
For individuals, a global privacy baseline means that even if you live outside the EU, you are increasingly likely to have legal rights over your data — and companies operating internationally will generally apply their strongest compliance standard globally. For organisations, the message is unambiguous: privacy law is moving in one direction.
Your takeaway
Privacy law is converging globally, but the convergence is uneven. The principles — consent, rights, accountability — are spreading. Enforcement and political will vary enormously.