Privacy Law Directory

A comprehensive guide to privacy legislation, surveillance laws, and intelligence alliances worldwide

About This Directory

This directory covers 21 country jurisdictions across the United States, the European Union, and international partners as of February 2026. Each page examines not just data protection legislation but also surveillance laws, intelligence agencies, data broker contracts, Internet exchange point taps, surveillance company contracts, mutual legal assistance treaties (MLATs), data sharing agreements, data retention laws, encryption laws, child protection laws, oversight boards, and enforcement actions, because understanding privacy requires understanding the full picture.

The directory is organized around the intelligence alliance framework that shapes modern signals intelligence cooperation: the Five Eyes (the core anglophone alliance), the Nine Eyes (adding four European partners), and the Fourteen Eyes (SIGINT Seniors Europe). These alliances determine how intercepted communications and personal data flow between governments, making them directly relevant to any assessment of a jurisdiction’s privacy posture.

A recurring finding across every jurisdiction in this directory is that privacy laws primarily protect a country’s own citizens and residents. Nearly every nation examined here maintains legal exemptions that permit its intelligence agencies to collect, intercept, and retain foreign communications with fewer restrictions than apply to domestic targets. These foreign traffic exemptions, combined with intelligence-sharing alliances that allow partner nations to collect on each other’s populations and share the results back, create a global system in which domestic privacy protections can be structurally bypassed.

Beyond government surveillance, commercial data collection operates largely outside the scope of these laws. Data brokers aggregate personal information from public records, commercial transactions, app SDKs, advertising exchanges, and social media into profiles that can be purchased by governments, private investigators, and corporations without the judicial oversight required for law enforcement surveillance. Internet exchange points are monitored at multiple choke points (the places most traffic passes through). Commercial surveillance contractors sell endpoint exploitation tools, spyware, and analytics platforms directly to government agencies. The result is that the privacy protections documented in this directory, while significant, represent only one layer of a more complex reality.

For detailed coverage of these mechanisms, see the Data Broker Directory (over 1700 data brokers across 17 categories) and The Myth of Jurisdictional Privacy.

United States

Federal

United States Federal Privacy & Surveillance Laws – Patchwork of sector-specific federal privacy laws (Privacy Act, HIPAA, GLBA, FCRA, COPPA) with no comprehensive framework. Section 702 authorizes warrantless collection of foreign communications; EO 12333 governs overseas bulk collection with minimal restrictions. CLOUD Act compels disclosure of data stored abroad. CALEA requires wiretap-capable infrastructure. Cable-tapping programs: FAIRVIEW (AT&T, $188.9M), STORMBREW (Verizon, $46M), Room 641A fiber splitters. Surveillance vendor contracts include Palantir ($970.5M), Clearview AI (70B+ facial images), Cellebrite ($48.6M ICE), Cognyte ($20M+ NSA).

States

California (CCPA/CPRA) – First comprehensive US state privacy law with the nation’s first dedicated privacy enforcement agency (CPPA). DELETE Act/DROP platform enables data broker deletion requests. Private right of action limited to data breaches; state law does not restrict federal surveillance programs.

US State Privacy Laws Overview – 20 states with comprehensive privacy laws as of February 2026. The dominant Virginia model provides no private right of action and broad business exemptions; only 11 states require universal opt-out mechanisms. Sector-specific laws fill gaps: Illinois BIPA (biometric consent, $1,000–$5,000 per violation), Washington My Health My Data Act, Texas CUBI.

Five Eyes Alliance

The Five Eyes is the core anglophone signals intelligence alliance under the UKUSA Agreement, originally signed between the United States and United Kingdom in 1946 and extended to Canada, Australia, and New Zealand. Member nations share raw signals intelligence and, critically, can collect intelligence on each other’s citizens and share it back, a structure that critics argue functions as a mechanism to circumvent domestic legal restrictions on surveilling one’s own population.

United Kingdom – UK GDPR, Data Protection Act 2018, and the Investigatory Powers Act 2016. The IPA authorizes bulk interception, bulk equipment interference, and 12-month mandatory data retention. GCHQ Tempora program collects from 200+ fiber-optic cables (21M GB/day). IPA 2024 amendment requires tech companies to notify before deploying new encryption; Apple withdrew Advanced Data Protection from the UK. CLOUD Act bilateral with the US (20,000+ requests). Five Eyes intelligence sharing. Palantir contracts: MOD £240M, NHS £330M.

Canada – PIPEDA governs private-sector data under an ombudsman model with no federal fining power. CSE conducts foreign SIGINT with minimal restrictions on non-Canadians; the Levitation program tracked 10–15M uploads/downloads daily. Five Eyes intelligence sharing. No mandatory data retention. CLOUD Act bilateral under negotiation.

Australia – Privacy Act 1988 (13 APPs) with the TOLA Act requiring encryption backdoors through Technical Capability Notices. 2-year mandatory metadata retention with 300,000+ access requests annually; Section 280 allows 80+ entities to access metadata beyond the 21 authorized agencies. Pine Gap: NSA-operated satellite interception station. Five Eyes intelligence sharing. Surveillance contracts: Palantir AUD $100M+, Cellebrite AUD $17M.

New Zealand – Privacy Act 2020 with no mandatory data retention. GCSB conducts cable interception and SIGINT across the Pacific; Waihopai satellite station decommissioned 2022 but cable access continues. TICSA requires network operators to maintain interception capability. Pacific island nations’ communications transit NZ-controlled infrastructure. Five Eyes intelligence sharing.

Nine Eyes Alliance

The Nine Eyes extends the Five Eyes by four European nations (Denmark, France, the Netherlands, and Norway) that share signals intelligence as “third party” partners under the UKUSA framework. Unlike Five Eyes members, third-party partners are not automatically exempt from being targeted by NSA collection.

Denmark – Datatilsynet enforces GDPR. FE/PET intelligence services; Operation Dunhammer revealed that FE provided NSA access to submarine cable infrastructure using XKeyscore at Sandagergård, enabling surveillance of European leaders (2012–2014). No substantive intelligence reform since mid-2016. Mandatory data retention (reformed 2022 to targeted dual-track). Maximator alliance member. Nine Eyes SIGINT sharing.

France – CNIL enforces data protection. Intelligence Act 2015 authorizes algorithmic “black boxes” for bulk metadata analysis; SILT Law 2017 made emergency surveillance powers permanent; Narcotrafficking Law 2025 extends black boxes beyond counterterrorism. Generalized data retention validated by the Council of State; intelligence can retain metadata up to 6 years. DGSE conducts undersea cable tapping. Nine Eyes SIGINT sharing.

Netherlands – Autoriteit Persoonsgegevens enforces GDPR. Wiv 2017 authorizes bulk interception of cable traffic; Temporary Cyber Operations Act (2024) expanded intelligence hacking powers. AIVD/MIVD intelligence services. Data retention law struck down in 2015 and not replaced. Nine Eyes SIGINT sharing.

Norway – Datatilsynet enforces GDPR via the EEA. Intelligence Service Act 2020 authorizes bulk collection of cross-border cable traffic. E-tjenesten operates Arctic SIGINT facilities and monitors undersea cables; intelligence can retain metadata 18 months and raw data up to 15 years. Telecom data retention legislated but not yet in force. Nine Eyes SIGINT sharing.

Fourteen Eyes Alliance (SIGINT Seniors Europe)

SIGINT Seniors Europe, commonly known as the Fourteen Eyes, adds five more nations to the Nine Eyes framework: Germany, Belgium, Italy, Sweden, and Spain. The alliance was formed in 1982 during the Cold War and expanded after September 2001 to include counterterrorism cooperation.

Germany – BfDI and 16 state DPAs enforce GDPR under the BDSG. BND Act authorizes foreign cable tapping at DE-CIX, one of the world’s largest internet exchanges; BND Act 2025 reform adds offensive cyber powers. Data retention suspended (3-month IP retention being prepared). Maximator alliance member. Fourteen Eyes SIGINT sharing.

Belgium – APD/GBA enforces GDPR. BIM Law authorizes special surveillance methods. Data retention operates via geographic risk zones covering the entire national territory (CJEU referral pending). VSSE and ADIV/SGRS intelligence services. Fourteen Eyes SIGINT sharing. Host nation for EU institutions.

Italy – Garante enforces the Privacy Code and GDPR. Data retention: 24 months telephony / 12 months internet baseline, extended to 72 months (6 years) for serious crimes — the longest in the EU. Paragon spyware deployed against approximately 100 targets (2025). Nordio wiretap reforms reduce judicial transparency. AISE/AISI intelligence. Fourteen Eyes SIGINT sharing.

Sweden – IMY enforces GDPR. FRA Law authorizes bulk interception of all cross-border cable traffic; the ECtHR Grand Chamber found it violated the ECHR in Centrum för Rättvisa v. Sweden (2021), but reforms remain pending and the FRA continues to operate under the existing framework. A proposed encryption backdoor law was postponed. 1-year data retention with no prior judicial authorization for access. Expanded video surveillance, biometric, and real-time facial recognition powers (2025). Maximator alliance member. Fourteen Eyes sharing. Seventy years of secret SIGINT cooperation behind a public posture of neutrality.

Spain – AEPD enforces GDPR and the LOPDGDD. 12-month mandatory data retention (not reformed after CJEU invalidated the EU directive). Catalangate: Pegasus spyware deployed against 65 elected officials and their families; NSO Group executives formally indicted (first worldwide). Spain supports mandatory Chat Control scanning. La Liga app activated user microphones without adequate disclosure on 10M+ devices. CNI intelligence. Fourteen Eyes SIGINT sharing.

European Union Framework

All EU member states in this directory (Ireland, France, Germany, Denmark, the Netherlands, Belgium, Italy, Sweden, Spain, and Estonia) are subject to the General Data Protection Regulation (GDPR), the ePrivacy Directive, the Law Enforcement Directive, and other EU-level data protection instruments. The EU framework page provides the foundation for understanding each member state’s national implementing legislation.

European Union Framework – GDPR provides the baseline, but Article 2(2) exempts national security — an exemption every member state uses. Chat Control proposal would mandate scanning of encrypted messages (voluntary scanning expires April 2026). Schrems I and II invalidated successive transatlantic data transfer frameworks. Data Retention Directive struck down, but member states maintain national retention laws. AI Act permits real-time biometric surveillance with law enforcement exemptions.

Other Jurisdictions

Ireland – Data Protection Commission (DPC) serves as lead GDPR regulator for Meta, Google, Apple, Microsoft, TikTok, and LinkedIn under the one-stop-shop mechanism; overridden multiple times by the EDPB. €4.04B in fines issued, €20M collected. 12-month mandatory data retention; proposed National Cyber Security Bill would enable bulk metadata collection with 18-month retention. ECHELON cooperation despite nominal military neutrality.

Iceland – Persónuvernd enforces GDPR via the EEA, with criminal penalties up to 3 years. 6-month mandatory data retention (bills to remove it have not been implemented). Not a Five Eyes, Nine Eyes, or Fourteen Eyes member, but participates as a Tier B third-party contributor on computer network exploitation. IMMI framework protects whistleblowers and journalists. A police surveillance powers bill (2024–2025) proposes expanded warrantless surveillance. Among the strongest privacy postures in this directory.

Switzerland – FDPIC enforces the revised Federal Act on Data Protection (nFADP). 6-month mandatory metadata retention under the BÜPF; proposed VÜPF expansion would classify VPNs, encrypted messaging apps, and email as telecoms subject to retention. NDB conducts cable reconnaissance (Kabelaufklärung) on cross-border fiber-optic traffic; a December 2025 FAC ruling found this incompatible with fundamental rights but granted a five-year transitional period, so interception continues pending reform by 2030. Club de Berne founding member; participates in focused cooperation on computer network exploitation with Five Eyes nations. The Crypto AG scandal revealed the CIA and BND secretly owned Switzerland’s premier encryption company, reading communications of 100+ governments for decades.

Singapore – PDPC enforces the PDPA. Internal Security Act authorizes indefinite detention without trial. ISD conducts domestic surveillance with no meaningful restrictions on foreign targets. 110,000 lamp posts with facial recognition cameras under Smart Nation. Five Eyes third-party SIGINT partner. TraceTogether COVID data was repurposed for criminal investigations. POFMA, FICA, and OCHA laws restrict speech and information access.

Brazil – ANPD enforces the LGPD. Parallel ABIN scandal: 60,000+ surveillance searches targeting journalists, judges, and political opponents using Cognyte/First Mile spyware; 9 state security departments purchased Cognyte totaling R$65.7M. Mandatory data retention: 1 year connection logs, 6 months application logs, 5 years telecom subscriber data. Facial recognition: 90%+ of FRT arrests target Black individuals. Cellebrite deployed by Federal Police. First Latin American country to receive EU mutual adequacy.

Estonia – AKI enforces GDPR (EUR 3M Apotheka fine). Pegasus spyware: $30M procurement; FinSpy suspected deployment. VLA foreign intelligence operates under GDPR Article 2(2) national security exemption with a different legal regime for foreign targets. Traffic transits through Denmark, Sweden, Germany, and the UK — all with documented cable-tapping programs. Baltic Sea cable infrastructure vulnerable to sabotage (Estlink 2 severed December 2024). The world’s most digitally advanced society (X-Road, i-Voting, KSI Blockchain) is also the most digitally dependent.

Liechtenstein – DSS (Datenschutzstelle) enforces GDPR via EEA membership with zero fines to date. No intelligence service, no military (abolished 1868). Liechtenstein is effectively borrowing Switzerland’s internet connection: complete telecommunications dependency means all traffic is subject to Swiss BÜPF interception and NDB intelligence collection, with onward exposure through German and Austrian networks. The Prince retains veto power over all legislation. The 2008 LGT Bank scandal (the princely family’s own bank) exposed 1,400 accounts to German tax authorities.

Directory Information

This directory covers 24 pages across 21 country jurisdictions, including dedicated coverage of US federal and state privacy laws, the EU framework, and international partners, as of February 2026. It is maintained by CodaMail as a public resource for understanding the global privacy and surveillance landscape. Pages are updated as new legislation, enforcement actions, and intelligence disclosures warrant revision.