Our latest Global Trends benchmark compares data protection laws across 14 jurisdictions, by analysing in each:

• Data protection framework and key updates over the past three years. Lawful basis to process personal data and extraterritorial applicability.
• Privacy rules for location data, biometric data, and children’s data.
• Enforcement framework and practice. Landmark privacy-related cases for location, biometric and children’s data, and/or involving big tech groups.

Data protection framework

• All jurisdictions covered in this benchmark, with the only exception of the US, have comprehensive data protection frameworks applicable at national level. All such frameworks have extraterritorial applicability.
• Over the past three years, most monitored jurisdictions have updated or further developed their data protection frameworks through new laws, amendments or implementing rules.
• Since the previous edition of this benchmark (July 2025), six monitored jurisdictions have further developed their data protection frameworks, particularly regarding implementation, enforcement, cross-border data transfers, and the use of personal data for AI training and research purposes.

Specific privacy rules
 

• Six monitored jurisdictions impose at least some specific restrictions on the use of location data. Since August 2025, developments have focused mainly on geolocation guidance in the UK and cross-border transfer restrictions in the US.
• 11 monitored jurisdictions impose specific rules on biometric data, generally treating it as sensitive or specially protected data. Since August 2025, developments in seven jurisdictions have focused mainly on stronger safeguards for biometric processing, digital identity, and related uses.
• 11 monitored jurisdictions impose specific rules on children’s data, although regulatory approaches remain fragmented, particularly regarding consent ages. Since August 2025, five jurisdictions have introduced or proposed stronger safeguards for children’s data.

Enforcement

• The enforcement of data protection and privacy rules is currently carried out by a single data protection authority (DPA) in 10 out of 14 jurisdictions covered in this benchmark.
• The benchmark highlights several enforcement cases for infringements involving location, biometric and children’s data, often involving major tech groups such as Google, Meta, Tools for Humanity and TikTok.

Scope

• Region: Global 
• Countries covered: 14 (Australia, Brazil, Canada, China, the EU, India, Indonesia, Japan, Kenya, Korea, Singapore, South Africa, the UK and the US) 
• Policy area: privacy, data protection
• Last updated: May 2026

For more information and to access the full report, please click on “Access the full content” - or on “Request Access”, in case you are not subscribed to the Global Trends service.