Privacy Law Directory

About This Directory

A living directory covering 38 jurisdictions, last updated March 31, 2026. Each page covers surveillance laws, intelligence agencies, MLATs, data sharing agreements, data retention, cable infrastructure, age verification, encryption policy, and commercial surveillance procurement, not just data protection legislation. Organized around the intelligence alliances (Five Eyes, Nine Eyes, Fourteen Eyes, SSPAC) that determine how intercepted communications flow between governments. Corrections: updates@codamail.com.

Privacy laws protect residents of the country. Foreign traffic falls under surveillance laws, MLATs, and other data sharing agreements.

Nearly every nation here exempts its intelligence agencies from privacy laws when targeting foreigners. These exemptions, combined with alliances that let partner nations collect on each other’s populations and share results back, structurally bypass domestic protections. Commercial surveillance adds another layer: data brokers, IXP monitoring, and spyware vendors sell directly to governments without judicial oversight.

Why MLATs Matter

Mutual Legal Assistance Treaties (MLATs) let governments compel production of evidence located in another country’s jurisdiction. Country A asks Country B to obtain data and hand it back. The MLAT itself defines what can be requested and how, not the domestic privacy laws of either country.

The asymmetry: a French citizen whose data is held by a US company (Gmail, Microsoft, etc.) may have strong GDPR protections that would make it difficult for France to obtain that data domestically. But France can submit an MLAT request to the US DOJ, which compels the US company to produce the data under the terms of the treaty, routing around the stronger domestic standard entirely.

The reverse also works. US law enforcement can use MLATs to obtain data held abroad that might be harder to get domestically. The Fourth Amendment imposes warrant requirements, probable cause standards, and exclusionary rules. But if data is obtained via MLAT, US courts have generally held that the Fourth Amendment’s exclusionary rule doesn’t apply to evidence produced under treaty obligations, unless US agents were so involved that it was essentially a joint operation.

United States

No comprehensive federal privacy law, but sector-specific laws (HIPAA, FERPA, GLBA, COPPA, ECPA), no mandatory data retention laws, and no encryption restrictions. Warrantless foreign collection under Section 702 and EO 12333, the CLOUD Act compelling US providers to produce data stored on foreign servers, and extensive global cable-tapping and commercial surveillance procurement. State-level privacy laws vary widely.

• United States Federal Privacy & Surveillance Laws
• California (CCPA/CPRA)
• US State Privacy Laws Overview

Five Eyes Alliance

The Five Eyes is the core anglophone signals intelligence alliance under the UKUSA Agreement (1946). Member nations share raw signals intelligence by default and can collect on each other’s citizens and share it back, a structure that critics argue functions as a mechanism to circumvent domestic legal restrictions on surveilling one’s own population.

• United Kingdom
• Canada
• Australia
• New Zealand

Nine Eyes Alliance

The Nine Eyes extends the Five Eyes by four European nations who share signals intelligence as “third party” partners under the UKUSA framework. Unlike Five Eyes members, third-party partners are not automatically exempt from being targeted by NSA collection.

• Denmark
• France
• Netherlands
• Norway

Fourteen Eyes Alliance (SIGINT Seniors Europe)

SIGINT Seniors Europe, commonly known as the Fourteen Eyes, adds five more nations to the Nine Eyes framework. The alliance was formed in 1982 during the Cold War and expanded after September 2001 to include counterterrorism cooperation.

• Germany
• Belgium
• Italy
• Sweden
• Spain

European Union Framework

All EU member states in this directory are subject to the GDPR, the ePrivacy Directive, and the Law Enforcement Directive. However, Article 2(2) exempts national security, an exemption every member state uses. The EU framework page provides the foundation for understanding each member state’s national implementing legislation.

• European Union Framework

Asia-Pacific Partners (SSPAC)

SIGINT Seniors of the Pacific (SSPAC) is the Asia-Pacific counterpart to SIGINT Seniors Europe. Founded by the Five Eyes nations alongside South Korea, Singapore, and Thailand, later joined by France (2013) and India (2008). Members share counterterrorism intelligence through the CRUSHED ICE secure network. Like Nine Eyes third-party partners, SSPAC members are not automatically exempt from being targeted by NSA collection.

• Singapore
• Japan
• South Korea
• India
• Thailand

Third-Party Partners and Transit States

The jurisdictions below are not formal members of the numbered Eyes alliances or SSPAC, but each participates in intelligence data sharing, has its traffic transit through partner nations’ cable-tapping infrastructure, or maintains its own foreign surveillance capabilities with few restrictions on non-citizen targeting. The recurring pattern across this directory applies here as well: privacy laws protect domestic populations while foreign traffic faces minimal legal barriers to interception.

• Austria
• Israel
• Ireland
• Iceland
• Poland
• Switzerland
• Brazil
• Czechia
• Estonia
• Hungary
• Finland
• Latvia
• Lithuania
• Luxembourg
• Malaysia
• Portugal
• Greece
• Liechtenstein
• Turkey

Directory Information

This directory covers 41 pages across 38 country jurisdictions, including dedicated coverage of US federal and state privacy laws, the EU framework, and international partners. It is maintained by CodaMail as a public resource for understanding the global privacy and surveillance landscape. Pages are updated as new legislation, enforcement actions, and intelligence disclosures warrant revision.

This directory grew from The Myth of Jurisdictional Privacy, through Your Phone is a Military Target and the Data Broker Directory (1,700+ entities across 17 categories).