
From Fragmentation to Convergence: How Global Data Privacy and Data Protection Laws and Regulations Are Aligning in 2025

This world map visualization illustrates the global shift toward legal alignment in data privacy and protection by 2025. Bi-directional arrows symbolize mutual influence and cooperation among jurisdictions, reflecting a convergence of regulatory standards across regions, institutions, and sectors. The color gradient highlights the transition from disjointed national approaches to more harmonized global governance.

Introduction

In an increasingly interconnected world, data flows seamlessly across borders. Yet the data privacy and protection laws and regulations governing these flows remain fragmented, creating a complex compliance landscape for global organizations. This legal and regulatory dissonance has prompted a transformative shift: the global alignment of data privacy and protection laws and regulations. Spurred by the widespread influence of the European Union General Data Protection Regulation (EU GDPR), countries are rapidly revising or enacting legislation that reflects shared principles such as transparency, accountability, and user rights (Greenleaf, 2025). These efforts signal not just regional adjustments but a global pivot toward legal and regulatory convergence.


As of 2025, over 160 jurisdictions have established or proposed comprehensive data protection frameworks (DLA Piper, 2025a; Greenleaf, 2025). This surge in legal and regulatory activity marks a departure from the historically siloed approach to data governance. It highlights an emerging global consensus on fundamental data privacy and protection rights. The benefits of this alignment are clear: it enhances legal and regulatory predictability, reduces operational risk, and simplifies cross-border compliance obligations.


This article offers a comprehensive analysis of the global trend toward convergence in data privacy and protection laws. It examines key unifying principles, cross-border data transfer mechanisms, regulatory enforcement patterns, and evolving compliance strategies. Each section builds on the last to provide a cohesive understanding of how once-fragmented legal systems begin to speak a common language of data privacy and protection. By exploring this shift, readers gain critical insights into the future of data governance and its implications for international compliance programs.


To better visualize the international alignment of data privacy and protection frameworks, the following heatmap provides a global snapshot of legal and regulatory convergence as of 2025. It is a choropleth map illustrating three tiers of data privacy and protection development: (1) countries actively aligning their laws and regulations; (2) jurisdictions with established data privacy and protection laws; and (3) regions with limited or no comprehensive data privacy or protection frameworks.


Figure 1. Global Convergence Heatmap.

 

 

Source Note: Created by Global Privacy Watchdog using publicly available data from International Association of Privacy Professionals (IAPP, 2025), Organization for Economic Cooperation and Development (OECD, 2023), United Nations Trade and Development (UNCTAD, 2024), and national legislative portals.

 

Key Terms


Convergence: The process by which disparate national or regional data privacy and protection laws and regulations increasingly align in terms of structure, principles, and regulatory enforcement, often modeled on comprehensive frameworks such as the EU GDPR (Greenleaf, 2025).


Cross-Border Data Transfers: The movement of personal data from one jurisdiction to another. Legal instruments, such as adequacy decisions, binding corporate rules (BCRs), and standard contractual clauses (SCCs), govern these transfers (Janardhanan & Warren, 2025).


Data Localization: Legal requirements that mandate personal data be stored or processed within the borders of a specific country, often for reasons of national security or regulatory oversight (Del Giovane et al., 2023).


Data Minimization: A principle that limits personal data collection to what is directly relevant and necessary for specified purposes (Intersoft Consulting, 2025).


Data Subject Rights: Legal entitlements granted to individuals concerning their personal data, including access, rectification, erasure, and data portability (Center for Information Policy Leadership, 2020).


Lawful Basis for Processing: Legitimate grounds defined by law that justify the collection and use of personal data, such as consent, contractual necessity, or legal obligation (The World Bank, 2025).


Sectoral Regulations: Industry-specific privacy requirements that apply to sensitive sectors such as healthcare, finance, and advertising, supplementing general data protection laws (Confone, 2020; Stikeman Elliott, 2023).


Unified Compliance Framework: An internal organizational structure that harmonizes data protection obligations across multiple jurisdictions, often built around the most stringent applicable law (e.g., EU GDPR) (Cisco, 2024).


Core Converging Principles

The shift toward legal and regulatory alignment in data privacy and protection begins with a shared set of foundational principles. Although laws vary in structure, many jurisdictions are embedding similar standards that reflect ethical data governance. These core principles, once jurisdiction-specific, are now central to emerging frameworks across continents.


At the heart of convergence is data minimization, which limits data collection to what is strictly necessary for a defined purpose. This principle is consistently seen in data privacy and protection laws and regulations across Argentina, the European Union, Japan, and South Africa (UN Conference on Trade & Development, 2025a).


Equally prominent are data subject rights, which empower individuals to access, correct, delete, and port their personal information. Canada, Chile, the European Union, and Saudi Arabia embed these rights to ensure user autonomy (International Association of Privacy Professionals, 2020).


A lawful basis for processing is another unifying standard. Organizations must often justify the use of data through consent, contractual necessity, or legal obligation. China’s Personal Information Protection Law (PIPL), India’s Digital Personal Data Protection Act (DPDPA), and the United Arab Emirates’ Personal Data Protection Law (PDPL) all reflect this EU GDPR-inspired concept (DPDPA.com, 2023; DY Lawyers & Legal Consultants, 2022; OneTrust, 2021).


Purpose limitation, the requirement that data be collected for a legitimate and specified use, is also gaining global traction. Jurisdictions like the EU, Mexico, Nigeria, and Singapore enforce this requirement to reduce misuse and excessive personal data processing (Chen, 2021).


Lastly, transparency mandates clear disclosures about how data is collected and used. This principle underpins frameworks in Brazil, India, South Korea, and the United Kingdom (UK), which are supported by data privacy and protection rules and guidance from their respective governments (Afonso & De Araujo, 2024; Kiteworks, 2025; Privacy Engine, 2024; UK Information Commissioner’s Office, 2025a).


To further illustrate the global shift toward aligned data protection standards, Table 1 outlines several core data privacy and protection principles increasingly embedded across jurisdictions. It summarizes key privacy principles recognized in global legislation, including data minimization, purpose limitation, lawful basis for processing, data subject rights, and transparency.


Additionally, it highlights jurisdictions that explicitly incorporate these principles, revealing the global trend toward shared legal and regulatory standards. These principles, ranging from data minimization to transparency, reflect the ethical and operational foundations of modern data governance. While the terminology may vary, the underlying concepts are converging across legal systems.

 

Table 1: Several Core Privacy Principles and Jurisdictional Alignment

| Principle | Summary | Commonly Aligned Jurisdictions |
|---|---|---|
| Data Minimization | Limit data collection to what is necessary. | EU, South Africa, Japan, Argentina |
| Data Subject Rights | Rights to access, correct, delete, or port data. | EU, Canada, Chile, Saudi Arabia |
| Lawful Basis for Processing | Justify data use through legal grounds. | EU, India, China, UAE |
| Purpose Limitation | Collect data only for specified, legitimate purposes. | EU, Singapore, Mexico, Nigeria |
| Transparency | Inform individuals about data collection and use. | EU, UK, Brazil, South Korea, India |

Source Note: Compiled by Global Privacy Watchdog using primary legal texts and official guidance from the European Union General Data Protection Regulation (GDPR), Brazil’s Lei Geral de Proteção de Dados (LGPD), India’s Digital Personal Data Protection Act (DPDPA), Japan’s Act on the Protection of Personal Information (APPI), Nigeria’s Data Protection Act (NDPA), South Korea’s Personal Information Protection Act (PIPA), the UK General Data Protection Regulation (UK GDPR), and publicly available documentation from the IAPP, OECD, and UNCTAD.


This growing uniformity signals a move from abstract ideals to operational standards. Organizations can now anticipate regulatory expectations with more confidence across borders. As these principles take hold, they are shaping the compliance and enforcement landscapes and influencing cross-border data governance. The following section illustrates how major jurisdictions apply these shared concepts in practice, offering a comparative view of evolving legal and regulatory protection.


Jurisdictional Snapshots: Comparison of Key Features

As core data privacy and protection principles converge globally, their implementation still varies across different jurisdictional systems. Understanding how different jurisdictions interpret and enforce these shared concepts is essential for organizations designing cross-border compliance strategies. While national laws differ in structure and scope, many now grant common rights and establish similar enforcement mechanisms, signaling a global shift toward functional consistency.


Table 2 presents a comparative overview of six influential data protection laws. It highlights how key features, such as access, deletion, portability, consent, and regulatory oversight, are embedded in each jurisdiction. These elements form a compliance foundation that supports legal and regulatory interoperability and international risk planning.


Table 2: Comparative Overview of Privacy Law Features in Key Jurisdictions

 

| Feature / Jurisdiction | Brazil LGPD | China PIPL | EU GDPR | India DPDPA | UK DPA/GDPR | UK DUAA |
|---|---|---|---|---|---|---|
| Access Rights | Yes | Yes | Yes | Yes | Yes | Limited |
| Consent Required? | Yes | Yes | Yes (as one of multiple bases) | Yes | Yes (as one of multiple bases) | No |
| Deletion Rights | Yes | Yes | Yes | Partial | Yes | No |
| DPA/National Authority Oversight | ANPD | CAC | Member-state DPAs | Data Protection Board of India (DPBI) | Information Commissioner’s Office (ICO) | Information Commission |
| Portability | Yes | Partial | Yes | Sometimes (e.g., consent, contract, legal obligation) | Sometimes (e.g., consent, contract, legal obligation) | No |

Source Note: Compiled by Global Privacy Watchdog using official regulatory documentation from the European Commission, Brazilian National Data Protection Authority (ANPD), China’s Cyberspace Administration (CAC), India’s Ministry of Electronics and Information Technology (MEITY), the UK Department for Science, Innovation and Technology, and the UK’s Information Commission and Data Access Oversight Unit.


Although these laws and regulations reflect different requirements, they often pursue similar goals. For instance, Brazil’s LGPD, inspired by the EU GDPR, aligns with concerns regarding user rights and oversight. China’s PIPL emphasizes consent and central regulatory control, whereas India’s DPDPA strikes a balance between individual rights and national policy oversight.


Table 3 compares the core rights protected across four key data privacy and protection frameworks, offering clarity on jurisdictional implementation. These rights include access, correction, data breach notification, deletion, oversight, portability, and more. The applicable laws and regulations are Brazil’s LGPD, the EU GDPR, India’s DPDPA, and South Korea’s Personal Information Protection Act (PIPA).


Table 3: Jurisdictional Snapshots

| Right | EU GDPR (Arts. 15–22, 33–34, 37) | Brazil LGPD (Arts. 18–20, 41, 48) | India DPDPA (Secs. 8–12) | South Korea PIPA (Arts. 31, 35–36, 39-4) |
|---|---|---|---|---|
| Access | ✅ Mandated | ✅ Mandated | ✅ Mandated | ✅ Mandated |
| Automated Decision-Making | ✅ Mandated | ✅ Mandated (Art. 20) | ❌ No specific right | ⚠️ Limited coverage |
| Correction | ✅ Mandated | ✅ Mandated | ✅ Mandated | ✅ Mandated |
| Data Breach Notification | ✅ Mandated (to DPA & individuals) | ✅ Mandated (Art. 48) | ⚠️ Internal only (to DPBI) | ✅ Mandated (Art. 39-4) |
| Data Protection Officer | ✅ Mandated | ✅ Mandated | ⚠️ Conditional (for significant fiduciaries) | ✅ Mandated |
| Deletion | ✅ Mandated | ✅ Mandated | ✅ Mandated | ✅ Mandated |
| Portability | ✅ Mandated | ✅ Mandated (conditional) | ❌ Not Mandated | ❌ Not Mandated |

Source Note: Compiled by Global Privacy Watchdog using primary legal texts and official regulatory guidance from the European Union General Data Protection Regulation (EU GDPR), Brazil’s Lei Geral de Proteção de Dados (LGPD), India’s Digital Personal Data Protection Act (DPDPA, 2023), and South Korea’s PIPA. Legal references include GDPR Articles 15–22, 33–34, 37; LGPD Articles 18–20, 41, 48; DPDPA Sections 8–12; and PIPA Articles 31, 35–36, and 39-4. All information reflects the status of these laws as of 2025.


This comparative snapshot reveals both the convergence and divergence shaping global privacy governance. By identifying commonalities and contrasts, organizations can better prepare for overlapping obligations and jurisdiction-specific requirements. The following section examines how nations address cross-border data transfers, an area where geopolitical and legal complexities continue to challenge global convergence.


Cross-Border Data Transfer Mechanisms

As organizations expand globally, the ability to move data across borders becomes essential. However, this issue remains one of the most challenging areas in data privacy and protection, as well as in legal and regulatory efforts. Legal and regulatory frameworks differ significantly in terms of the safeguards required. Many countries impose strict conditions or restrictions on international transfers. Without proper mechanisms, organizations risk legal and regulatory exposure, as well as operational disruption.


Following the jurisdictional analysis, this section focuses on how countries regulate cross-border data flows. Despite variations, several standard tools, such as adequacy decisions, ad hoc agreements, binding corporate rules (BCRs), data localization, and standard contractual clauses (SCCs), serve as the backbone of cross-border compliance.


Adequacy Decisions allow data to flow freely between jurisdictions deemed to provide “essentially equivalent” protections. The European Union and the United Kingdom continue to rely heavily on this mechanism to streamline transfers (European Data Protection Board, 2025).


BCRs support internal data flows within multinational corporations. Approved by data protection authorities, BCRs demonstrate robust internal safeguards and legal accountability. They remain most prevalent in the EU and UK (European Commission, 2025).


Data Localization Requirements, by contrast, restrict or prohibit international data transfers. Countries like China and Russia impose strict localization rules, while India’s DPDPA permits transfers only to government-approved jurisdictions (International Association of Privacy Professionals, 2023; Parekh et al., 2022; Sherman, 2022).


SCCs are widely used templates that bind parties to EU GDPR-like standards. These clauses have been adopted beyond the EU. Brazil, Singapore, and other countries have adopted them or versions of them as scalable alternatives to adequacy (European Commission, 2021; International Association of Privacy Professionals, 2021; UN Conference on Trade & Development, 2024b).


To navigate international data flows legally, organizations must rely on cross-border transfer mechanisms recognized in major data protection regimes. These mechanisms form the backbone of global compliance architecture, ensuring that personal data moving across jurisdictions receives consistent protection.


Table 4 summarizes the prevalence of five widely used mechanisms, which include adequacy decisions, BCRs, data localization mandates, and SCCs, across selected jurisdictions. While these tools vary in form and application, they reflect a shared effort to strike a balance between data mobility and national legal and regulatory sovereignty.


Table 4: Cross-Border Data Transfer Mechanisms by Jurisdiction

| Mechanism | Common in Jurisdictions |
|---|---|
| Adequacy Decisions | ✅ EU, UK |
| Standard Contractual Clauses | ✅ EU, UK, Brazil, Singapore |
| Binding Corporate Rules | ✅ EU, UK |
| Data Localization Requirements | ✅ China, Russia, India (limited to approved list) |

Source Note: Compiled by Global Privacy Watchdog using official documentation and regulatory guidance from the European Commission, IAPP, national legislation from Brazil, Singapore, China, Russia, India, and the United Kingdom, the Organisation for Economic Co-operation and Development, and the United Nations Conference on Trade and Development.


While some countries promote interoperable safeguards, others use localization to assert regulatory control. This tension complicates global compliance, necessitating that organizations closely monitor developments. Figure 2 outlines the five legal mechanisms that support international data transfers: adequacy decisions, ad hoc agreements, BCRs, derogations, and SCCs.


Figure 2:

Source Note: Compiled by Global Privacy Watchdog using official legal and regulatory documentation from the European Commission (GDPR Article 45–47), United Nations Conference on Trade and Development (UNCTAD, 2024), Organisation for Economic Co-operation and Development (OECD, 2023), and practical implementation guidance from the International Association of Privacy Professionals (IAPP, 2023–2025).

Looking ahead, harmonization efforts may offer evolving data privacy and protection frameworks. Until then, understanding the legal foundation of each mechanism remains essential. The following section examines how convergence unfolds across various sectors, highlighting the diverse impacts of data privacy and protection on industries such as advertising, healthcare, and finance.


Sectoral Impact Snapshot

As global data privacy and protection laws and regulations converge, their effects ripple across sectors in distinct ways. While shared principles offer legal and regulatory clarity, industry-specific risks and rules continue to shape compliance obligations. Each sector encounters unique challenges ranging from automated decision-making in finance to consent complexities in healthcare. Understanding these sectoral impacts is essential for tailoring compliance programs and risk mitigation strategies.


Advertising and AdTech grapple with enforcement around dark patterns, consent fatigue, and deceptive design. Regulators in the EU and several U.S. states are cracking down on opaque tracking and manipulative interfaces (Blake, 2025; European Parliament Think Tank, 2025; Federal Trade Commission, 2022).


Employment Data is under growing regulatory attention. Countries such as South Korea and Canada have expanded protections for employee data, requiring transparency and purpose limitation in HR practices (Baker McKenzie, 2025; Office of the Privacy Commissioner of Canada, 2024).


Financial services are facing heightened scrutiny, as laws and regulations limit profiling and require enhanced due diligence for data sharing, particularly under anti-money laundering frameworks. Transparency mandates from financial watchdogs now coexist with emerging data privacy laws and regulations (FATF, 2025).


Healthcare presents one of the most regulated environments. Data privacy and protection laws and regulations such as China’s PIPL, the EU GDPR, and the U.S. Health Insurance Portability and Accountability Act require explicit, granular consent for healthcare data use. Health data is classified as sensitive in nearly all frameworks, making compliance stakes exceptionally high (Censinet, n.d.; DLA Piper, 2025b; U.S. Department of Health and Human Services, 2025).


These differences demonstrate that convergence does not erase complexity. Instead, it equips sectors with more precise boundaries and evolving compliance standards. As industry practices evolve, the legal and regulatory responses continue to shape expectations.


Figure 3 illustrates the impact of data privacy and protection laws on four key industry sectors: e-commerce, financial services, healthcare, and technology. Each segment highlights areas where consent requirements, data localization, data sensitivity, or legal and regulatory enforcement standards differ significantly, providing a high-level comparative view.

Figure 3:


Source Note: Created by Global Privacy Watchdog based on regulatory data and sector-specific guidelines from the OECD (2023), FATF (2024), Greenleaf (2023), and official DPA publications from Canada, South Korea, and the European Union.

The following section considers how organizations are adapting. It highlights the rise of unified compliance frameworks and the strategic use of global data privacy and protection architectures to reduce legal and regulatory friction.


Toward Unified Compliance Frameworks

In response to the growing complexity of global data privacy and protection laws and regulations, organizations are adopting unified compliance frameworks. These frameworks offer a structured approach to harmonizing obligations across jurisdictions. While legal convergence offers consistency in principle, operationalizing these laws requires internal alignment, cross-functional planning, and dynamic risk management.


These programs often adopt the most stringent legal standard, typically the EU GDPR, as a foundation for broader implementation (Cisco, 2024). The goal is to streamline operations, reduce redundancy, and ensure global readiness. Below are the key components that define effective unified compliance models.


Data Protection Impact Assessments (DPIAs) are mandatory under several laws and increasingly adopted as best practice. These assessments evaluate privacy risks before launching new projects, helping prevent regulatory violations and build stakeholder trust (European Data Protection Board, 2018; UK Information Commissioner’s Office, 2025b).


Governance Controls establish internal accountability. These include assigning data protection officers, maintaining audit trails, and setting data retention policies. Robust governance helps ensure that compliance efforts are sustainable and auditable (Jones et al., 2024).


Privacy Impact Assessments (PIAs), although broader in scope than DPIAs, are often used in jurisdictions where there is no specific legal requirement for DPIAs. PIAs assess the potential impacts of a system, policy, or program on individual privacy rights. They are designed to identify, evaluate, and mitigate risks arising from the collection, use, and sharing of personal information, and are conducted particularly in public-sector or technology-driven initiatives. PIAs are recognized as foundational tools in Canada, Australia, and the United States for establishing privacy-by-design frameworks and fostering public trust (Office of the Privacy Commissioner of Canada, 2025; Organisation for Economic Cooperation and Development, 2025).


Training and Awareness are central to compliance culture. Organizations must educate employees, contractors, and vendors on the evolving privacy obligations, potential breaches, and the ethical use of data. Regular training supports behavioral change and legal literacy (UN Conference on Trade & Development, 2024).


Vendor Risk Management is increasingly regulated. Third-party processors must align with internal policies and legal standards. This includes due diligence, contractual safeguards, and monitoring of data handling practices (Organization for Economic Cooperation and Development, 2023).


By investing in these foundational elements, organizations reduce compliance costs and increase global agility. Unified frameworks also prepare teams for enforcement, audits, and policy shifts across multiple jurisdictions. Figure 4 illustrates the foundational components of a global data protection and privacy compliance program. The framework integrates governance, risk assessments (including DPIAs and PIAs), enforcement of data subject rights, and oversight of third-party vendors. These pillars reflect core operational mandates under laws such as the EU GDPR, Brazil’s LGPD, South Korea’s PIPA, and India’s DPDPA.


Figure 4:


Source Note: Adapted from guidance provided by the European Data Protection Board (EDPB), OECD Privacy Guidelines (2023), Cisco Privacy Benchmark Study (2024), and regulatory handbooks from Brazil’s ANPD, India’s MEITY, and South Korea’s PIPC.

The following section looks ahead. It examines whether the future holds greater harmonization or persistent fragmentation amid evolving technologies and regulatory trends.


What is Next: Harmonization or Persistent Fragmentation?

As privacy regulations grow more consistent, global organizations face a new challenge: operationalizing these laws across multiple jurisdictions. Legal and regulatory convergence has improved clarity. However, localized enforcement, sector-specific obligations, and cross-border risks still necessitate adaptable and harmonized approaches.


Building on earlier insights into sector-specific impacts, this section explores how organizations are developing unified compliance frameworks. These frameworks are structured systems designed to meet diverse legal obligations by implementing shared controls. These models often anchor on the EU GDPR, setting a high bar for global alignment (Cisco Privacy Benchmark Study, 2024).


These internal systems are increasingly reinforced by regional and global frameworks that promote data privacy and protection interoperability. Key examples include:


The African Union Convention on Cybersecurity and Personal Data Protection (also known as the Malabo Convention) promotes harmonized data privacy and protection laws and regulations across Africa. It enhances enforcement capacity by requiring member states to establish national data protection authorities and sets foundational legal standards for the collection, processing, and storage of personal data (Digwatch, 2014; Gakiria & Gitonga, 2025).


Asia-Pacific Economic Cooperation Cross-Border Privacy Rules System: Facilitates cross-border data transfers in the Asia-Pacific region by offering certification through accountability agents. It aims to increase trust while allowing for legal diversity (Asia-Pacific Economic Cooperation, 2019; C&M International, 2019).


Association of Southeast Asian Nations Model Contractual Clauses: Provides pre-approved legal templates to ensure lawful cross-border transfers among Southeast Asian countries (Association of Southeast Asian Nations and the European Commission, 2023).


Global Cross-Border Privacy Rules (CBPR) Forum: The Global CBPR Forum fosters collaboration among legal jurisdictions, certification entities, and organizations that handle personal data, promoting common data protection and privacy interests while building trust in cross-border data flows. Additionally, it enables trusted data flows globally through international data protection and privacy certifications, such as the Global Cross-Border Privacy Rules (CBPR) System and the Global Privacy Recognition for Processors (PRP) System.


Organisation for Economic Co-operation and Development (OECD) Privacy Guidelines: Offers global best practices that emphasize accountability, safeguards, and rights. These guidelines shape national policies and support international collaboration (OECD, 2023).


Together, these instruments support the broader goal of interoperability by striking a balance between national sovereignty and global commerce. Unified compliance frameworks, when aligned with these efforts, help organizations future-proof their operations and navigate the increasing complexity of legal requirements.


Conclusion

As explored throughout this article, 2025 marks a pivotal moment in global data privacy and protection. What once was a fragmented legal landscape is now moving toward meaningful alignment. Shared principles, such as data subject rights, transparency, and accountability, are being implemented worldwide. This convergence simplifies compliance and creates new opportunities for operational consistency across borders.


As the analysis of jurisdictional models, sector-specific dynamics, and cross-border mechanisms shows, alignment does not mean uniformity. Each country brings its own legal, cultural, and geopolitical considerations. The challenge for organizations is not just legal adherence, but adaptive, informed compliance.


Unified frameworks offer a pragmatic solution. When combined with emerging global and regional efforts, they create pathways for interoperability and mutual recognition. These instruments serve not only legal goals but also economic, diplomatic, and ethical ones.

Data privacy and protection professionals, regulators, technologists, and policymakers must collaborate to shape systems that respect both global values and local sovereignty.

The trend toward convergence is real, but its permanence will depend on intentional design, inclusive governance, and public trust.


As you reflect on this evolving ecosystem, consider this: the future of privacy is not just about laws and regulations. It is about the choices we make as a global society. How we define fairness, accountability, and human dignity in digital spaces will determine whether convergence serves compliance or deeper democratic values.


Key Questions for Key Stakeholders

The global shift toward data privacy convergence raises as many questions as it resolves. These questions can guide strategic planning, policy design, and long-term governance. Tailored for different audiences, they prompt a deeper consideration of what alignment truly means and the challenges that may persist.


For Civil Society and Privacy Advocates:

  1. Does convergence enhance or dilute individual rights and democratic oversight?

  2. How can advocates ensure that harmonization efforts prioritize equity, justice, and the needs of marginalized communities?

  3. What new risks emerge as privacy becomes a matter of international governance?


For Legal and Compliance Teams:

  1. Which jurisdiction’s legal requirements serve as the baseline for a global compliance program?

  2. How should multinational organizations reconcile overlapping and sometimes contradictory data obligations?

  3. What tools can improve visibility into third-party risks, cross-border transfers, and evolving regulatory requirements?


For Policymakers:

  1. How can national legislation strike a balance between global interoperability and domestic priorities, such as sovereignty, security, and cultural norms?

  2. What role should international organizations (e.g., OECD, UN, APEC) play in shaping minimum global privacy standards?

  3. Should regional instruments (e.g., EU GDPR, APEC CBPR) remain voluntary, or evolve toward enforceable treaties?


For Regulators:

  1. How can enforcement practices align across jurisdictions without compromising independence or national legal frameworks?

  2. What mechanisms can promote legal and regulatory cooperation in cross-border investigations and data breach response?

  3. How should regulators address conflicting localization requirements and adequacy decisions?


For Technology Developers and Data Scientists:

  1. How can privacy-by-design and privacy engineering approaches incorporate diverse legal standards?

  2. What role does algorithmic transparency play in meeting new regulatory expectations?

  3. How should global technical infrastructure accommodate conflicting rules on data use, storage, and movement?


These questions signal that convergence is not the end of debate. It is the beginning of a global dialogue. Addressing them requires cross-sector collaboration, interdisciplinary expertise, and sustained public engagement.


References

  1. Alfonso, L.G., & De Araujo, L.F. (2024, July 31). Data protection laws and regulations – Brazil. ICLG. https://iclg.com/practice-areas/data-protection-laws-and-regulations/brazil

  2. Asia-Pacific Economic Cooperation. (2019). Asia‑Pacific Economic Cooperation Cross-Border Privacy Rules system program requirements. https://www.apec.org/docs/default-source/Groups/ECSG/CBPR/CBPR-ProgramRequirements.pdf

  3. Association of Southeast Asian Nations and the European Union. (2023). Joint guide to ASEAN model contractual clauses and EU standard contractual clauses. https://asean.org/wp-content/uploads/2023/05/The-Joint-Guide-to-ASEAN-Model-Contractual-Clauses-and-EU-Standard-Contractual-Clauses.pdf

  4. Baker McKenzie. (2025, January 1). Global data and cyber handbook – South Korea. https://resourcehub.bakermckenzie.com/en/resources/global-data-and-cyber-handbook/asia-pacific/south-korea/topics/data-processing-in-the-employment-context

  5. Blake, A. (2025, April 17). Consent banners and dark patterns: Latest enforcement trends in the EU. KeyGroup. https://key-g.com/de/blog/consent-banners-dark-patterns-enforcement-eu/

  6. Censinet. (n.d.). Data protection in the U.S. vs. in the EU – GDPR vs. HIPAA. https://www.censinet.com/perspectives/gdpr-vs-hipaa-key-differences-for-healthcare

  7. Center for Information Policy Leadership. (2020, July 8). White paper: Data subject rights under the GDPR in a global data driven connected world. https://www.informationpolicycentre.com/uploads/5/7/1/0/57104281/cipl_white_paper_on_data_subject_rights_under_the_gdpr_in_a_global_data_driven_and_connected_world__8_july_2020_.pdf

  8. Chen, R. (2021). World development report 2021: Mapping data governance legal frameworks around the globe. The World Bank. https://openknowledge.worldbank.org/server/api/core/bitstreams/0a248046-b7c9-59eb-a2e5-2d39e3a0b6be/content

  9. Cisco. (2024). Privacy as an enabler of customer trust: Cisco 2024 – Data privacy benchmark study. https://www.cisco.com/c/dam/en_us/about/doing_business/trust-center/docs/cisco-privacy-benchmark-study-2024.pdf

  10. C&M International. (2019). Benefits of the APEC Cross-Border Privacy Rules. https://cbprs.org/wp-content/uploads/2019/05/Benefits-of-CBPR-System-Guide_Jan-2019_FINAL.pdf

  11. Cofone, I. (2020, November). Policy proposals for PIPEDA reform to address artificial intelligence report. Office of the Privacy Commissioner of Canada. https://www.priv.gc.ca/en/about-the-opc/what-we-do/consultations/completed-consultations/consultation-ai/pol-ai_202011/

  12. Del Giovane, C., Ferencz, J., & Lopez-Gonzalez, J. (2023, November). The nature, evolution and potential implications of data localization measures. OECD Trade and Agriculture Directorate. https://www.oecd.org/content/dam/oecd/en/publications/reports/2023/11/the-nature-evolution-and-potential-implications-of-data-localisation-measures_249df37e/179f718a-en.pdf

  13. Digwatch. (2014, June). African Union convention on cybersecurity and personal data protection. https://dig.watch/resource/african-union-convention-on-cyber-security-and-personal-data-protection-african-union

  14. DLA Piper. (2025a). Data protection laws of the world. https://www.dlapiperdataprotection.com/

  15. DLA Piper. (2025b). Data protection in China. https://www.dlapiperdataprotection.com/index.html?c=CN

  16. DPDPA.com. (2023). Section 4 of the DPDPA, 2023: Grounds for processing personal data. https://dpdpa.com/dpdpa2023/chapter-2/section4.html

  17. DY Lawyers & Legal Consultants. (2022). Data protection law UAE: PDPL, Sector rules, and compliance guidance. https://dylegalconsultants.com/data-protection-law-uae/

  18. European Commission. (2025). Binding corporate rules (BCRs). https://commission.europa.eu/law/law-topic/data-protection/international-dimension-data-protection/binding-corporate-rules-bcr_en

  19. European Data Protection Board. (2025). Data protection guide for small businesses. https://www.edpb.europa.eu/sme-data-protection-guide/international-data-transfers_en

  20. European Data Protection Board. (2018, May 25). Data protection impact assessments: high-risk processing. https://www.edpb.europa.eu/our-work-tools/our-documents/guidelines/data-protection-impact-assessments-high-risk-processing_en

  21. European Parliament Think Tank. (2025, January 13). Regulating dark patterns in the EU: Towards digital fairness. https://www.europarl.europa.eu/thinktank/en/document/EPRS_ATA%282025%29767191

  22. FATF. (2025, June). The FATF recommendations. https://www.fatf-gafi.org/en/publications/Fatfrecommendations/Fatf-recommendations.html

  23. Federal Trade Commission. (2022, September 15). FTC report shows rise in sophisticated dark patterns designed to trick and trap customers. https://www.ftc.gov/news-events/news/press-releases/2022/09/ftc-report-shows-rise-sophisticated-dark-patterns-designed-trick-trap-consumers

  24. Gakiria, A., & Gitonga, T.M. (2025, January 29). What is the Malabo convention? Diplo. https://www.diplomacy.edu/blog/what-is-the-malabo-convention/

  25. Global CBPR Forum. (2025). Global CBPR Forum: Building digital trust through partnerships. https://www.globalcbpr.org/

  26. Greenleaf, G. (2025, May 30). Global data privacy laws 2025: 172 countries, twelve new in 2023/2024. SSRN. https://papers.ssrn.com/sol3/papers.cfm?abstract_id=5275559

  27. International Association of Privacy Professionals. (2023, October). Top 10 operational impacts of India’s DPDPA – Cross-border data transfers. https://iapp.org/resources/article/operational-impacts-of-indias-dpdpa-part5/

  28. International Association of Privacy Professionals. (2021, July). Frequently asked questions on “Schrems II.” https://iapp.org/resources/article/frequently-asked-questions-resources-on-schrems-ii/

  29. International Association of Privacy Professionals. (2020, October). The state of data rights. https://iapp.org/resources/article/the-state-of-data-rights/

  30. Intersoft Consulting. (2025). Art. 5 GDPR: Principles relating to processing of personal data. https://gdpr-info.eu/art-5-gdpr/

  31. Kiteworks. (2025). Everything you need to know about the India Digital Information Data Protection Act. https://www.kiteworks.com/risk-compliance-glossary/india-digital-personal-data-privacy-act/

  32. Janardhanan, B., & Warren, S. (2025, April 29). The impact of India’s new digital personal data protection rules. Squire Patton Boggs. https://www.privacyworld.blog/2025/04/the-impact-of-indias-new-digital-personal-data-protection-rules/

  33. Jones, J., Kanthasamy, S., Saniuk-Heinig, C., & Fischer, L. (2025, November). Privacy governance report 2024. International Association of Privacy Professionals. https://iapp.org/resources/article/privacy-governance-report/

  34. Office of the Privacy Commissioner of Canada. (2025, February 25). Privacy impact assessments – Overview. https://www.priv.gc.ca/en/privacy-topics/privacy-impact-assessments/overview-pia/

  35. Office of the Privacy Commissioner of Canada. (2023, May 29). Privacy in the workplace. https://www.priv.gc.ca/en/privacy-topics/employers-and-employees/02_05_d_17/

  36. OneTrust. (2021, October 28). China: Operationalising PIPL Part Three – Consent and Lawful Processing. DataGuidance. https://www.dataguidance.com/opinion/china-operationalising-pipl-part-three-consent-and

  37. Organisation for Economic Cooperation and Development. (2025). Digital. https://www.oecd.org/en/topics/digital.html

  38. Parekh, S., Reddin, S., Rowshankish, K., Soller, H., & Strandell-Jannson, M. (2022, June 30). Localization of data privacy regulations creates competitive opportunities. McKinsey & Company. https://www.mckinsey.com/capabilities/risk-and-resilience/our-insights/localization-of-data-privacy-regulations-creates-competitive-opportunities

  39. Privacy Engine. (2024, November 28). A comprehensive guide to South Korea’s Personal Information Protection Act (PIPA). https://www.privacyengine.io/blog/south-koreas-personal-information-protection-act/

  40. Secure Privacy. (2023, November 15). Protecting your personal information in the age of the Personal Information Protection Law (PIPL) by the People’s Republic of China. https://secureprivacy.ai/blog/china-pipl-personal-information-protection-law

  41. Sherman, J. (2022, September 27). Russia is weaponizing its data laws against foreign organizations. Brookings. https://www.brookings.edu/articles/russia-is-weaponizing-its-data-laws-against-foreign-organizations/

  42. The World Bank. (2025). Data protection and privacy laws. ID4D. https://id4d.worldbank.org/guide/data-protection-and-privacy-laws

  43. UK Information Commissioner's Office. (2025a). Right to be informed. https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/individual-rights/individual-rights/right-to-be-informed/

  44. UK Information Commissioner's Office. (2025b). Data protection impact assessments. https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/accountability-and-governance/guide-to-accountability-and-governance/data-protection-impact-assessments/

  45. United Nations Conference on Trade and Development (UNCTAD). (2024a). Data protection and privacy legislation worldwide. https://unctad.org/page/data-protection-and-privacy-legislation-worldwide

  46. United Nations Conference on Trade and Development (UNCTAD). (2024b). Digital economy report 2024. https://unctad.org/publication/digital-economy-report-2024

  47. U.S. Department of Health and Human Services. (2025, March 14). Summary of the HIPAA privacy rule. Office for Civil Rights. https://www.hhs.gov/hipaa/for-professionals/privacy/laws-regulations/index.html

 

 
 
 
