GDPR vs the World: How Global Privacy Laws Compare in 2026
A detailed comparison of GDPR with CCPA/CPRA, Brazil's LGPD, China's PIPL, India's DPDP, Japan's APPI, and Australia's Privacy Act — covering scope, rights, enforcement, and cross-border transfer rules.
When the GDPR took effect in 2018, it set a global benchmark. Eight years later, every major economy has enacted comprehensive privacy legislation — but none are copies of the GDPR. Each law reflects its jurisdiction’s regulatory philosophy, economic priorities, and cultural relationship with data. For organisations operating across borders, these differences create a compliance matrix that can’t be solved by treating GDPR as a universal standard.
This guide compares the GDPR with six major privacy laws in force in 2026, focusing on the differences that matter most for compliance programmes.
The regulatory landscape in 2026
The global privacy law count now exceeds 160 jurisdictions with some form of data protection legislation. The laws compared here represent the most significant in terms of economic impact, enforcement activity, and extraterritorial reach:
- EU GDPR (2018) — the reference standard
- US CCPA/CPRA (California, 2020/2023) — plus the patchwork of state laws
- Brazil LGPD (2020) — Latin America’s most comprehensive privacy law
- China PIPL (2021) — the strictest in several dimensions
- India DPDP Act (2023, rules effective 2025-2026) — the newest major law
- Japan APPI (amended 2022) — Asia-Pacific’s most mature framework
- Australia Privacy Act (amended 2024-2025) — significantly strengthened post-Optus and Medibank breaches
Scope and applicability
GDPR applies to any organisation processing personal data of EU residents, regardless of where the organisation is established. The extraterritorial reach is broad — offering goods or services to EU residents or monitoring their behaviour brings you in scope.
CCPA/CPRA applies to for-profit businesses meeting revenue or data volume thresholds (USD 25M+ revenue, 100,000+ consumers’ data, or 50%+ revenue from selling data). It’s narrower than GDPR — non-profits and small businesses are generally exempt. The California Privacy Protection Agency (CPPA) is now actively enforcing, and automated decision-making regulations took effect in 2025.
LGPD mirrors GDPR’s broad scope — any processing of personal data of individuals in Brazil, regardless of where processing occurs. However, enforcement by the ANPD has been slower to materialise, with significant enforcement actions only becoming regular from 2025 onwards.
PIPL applies to processing personal information of individuals within China. Its extraterritorial provisions are strict — non-China organisations processing Chinese citizens’ data must appoint a local representative. Cross-border transfer requirements are the most restrictive of any major privacy law.
DPDP Act applies to digital personal data processed within India or processed outside India in connection with offering goods or services to individuals in India. The Act is notably sector-agnostic but grants the government broad exemption powers, which creates uncertainty about actual enforcement scope.
APPI applies to business operators handling personal information in Japan. Its scope has expanded through amendments to cover foreign businesses targeting Japanese consumers, with the Personal Information Protection Commission (PPC) gaining stronger enforcement powers.
Australia Privacy Act applies to organisations with AUD 3M+ annual turnover, along with all government agencies and certain other entities regardless of turnover. Recent amendments significantly expanded individual rights and increased penalties following high-profile data breaches.
Lawful basis for processing
This is where the laws diverge most significantly.
GDPR requires one of six lawful bases: consent, contract, legal obligation, vital interests, public interest, or legitimate interests. The legitimate interests basis — which allows processing without consent when the controller’s interests outweigh data subject rights — is heavily used and frequently litigated.
CCPA/CPRA doesn’t use a lawful basis model. Instead, it focuses on consumer rights to opt out. Businesses can collect and use personal information by default, but consumers can opt out of sale, sharing, and certain profiling. This is a fundamentally different architecture — notice-and-choice rather than permission-based.
LGPD provides ten lawful bases, including legitimate interests and credit protection (unique to Brazil). The legitimate interests basis is available but the ANPD has issued guidance requiring a balancing test similar to the GDPR’s.
PIPL requires consent as the default basis, with narrower exceptions than GDPR. Separate consent is required for sensitive data, cross-border transfers, and sharing with third parties. Legitimate interests is not a recognised basis — this is a critical difference for organisations accustomed to relying on it under GDPR.
DPDP Act relies primarily on consent, with limited alternative bases (compliance with law, medical emergencies, employment). Legitimate interests is absent, and consent must be “free, specific, informed, unconditional and unambiguous” with clear affirmative action.
APPI traditionally relied on purpose limitation and opt-out rather than explicit consent. Recent amendments have strengthened consent requirements for sensitive data and cross-border transfers, but the overall approach remains less consent-heavy than GDPR.
Australia Privacy Act uses Australian Privacy Principles (APPs), which combine purpose limitation, notice, and consent requirements without a formal “lawful basis” framework. The recent amendments introduced a fair and reasonable test for collection and use, moving closer to GDPR’s accountability model.
Individual rights
All seven laws grant individuals rights over their data, but the specific rights and their scope vary:
| Right | GDPR | CCPA/CPRA | LGPD | PIPL | DPDP | APPI | AU Privacy Act |
|---|---|---|---|---|---|---|---|
| Access | Yes | Yes | Yes | Yes | Yes | Yes | Yes |
| Deletion | Yes | Yes | Yes | Yes | Yes | Yes | Yes |
| Correction | Yes | Yes | Yes | Yes | Yes | Yes | Yes |
| Portability | Yes | Yes | Yes | Yes | Yes | Limited | Proposed |
| Opt-out of sale | N/A | Yes | N/A | N/A | N/A | N/A | N/A |
| Restrict processing | Yes | Limited | Yes | Yes | No | No | No |
| Object to processing | Yes | Limited | Yes | Yes | No | Limited | Limited |
| Not be subject to automated decisions | Yes | Yes (2025) | Yes | Yes | No | No | Proposed |
Key differences to note:
- The CCPA/CPRA’s “opt-out of sale/sharing” right has no GDPR equivalent — it reflects the US law’s focus on the data economy
- China’s PIPL grants broad individual rights but enforcement is primarily driven by the Cyberspace Administration of China (CAC) rather than individual complaints
- India’s DPDP Act notably omits data portability and the right to object — making it narrower than most other major laws
- Australia’s Privacy Act is in active amendment, with portability and automated decision-making rights proposed but not yet enacted
Enforcement and penalties
GDPR: Up to EUR 20M or 4% of global annual turnover. Active enforcement across member states, with cumulative fines exceeding EUR 4.5 billion since 2018. Multiple supervisory authorities create jurisdictional complexity.
CCPA/CPRA: Up to USD 7,500 per intentional violation, USD 2,500 per unintentional violation. The CPPA has ramped enforcement significantly since 2024. Private right of action exists for data breaches (statutory damages of USD 100-750 per consumer per incident).
LGPD: Up to 2% of revenue in Brazil, capped at BRL 50M per infraction. The ANPD issued its first significant fines in 2024-2025, with a focus on consent violations and data breach notification failures.
PIPL: Up to CNY 50M or 5% of previous year’s revenue for serious violations. The CAC has imposed substantial penalties, including ordering apps to be removed from stores and suspending business operations. Enforcement is aggressive and often sector-wide.
DPDP Act: Up to INR 250 crore (approximately USD 30M) per violation. Enforcement is through the Data Protection Board of India, which began operations in 2025. Early enforcement patterns are still forming.
APPI: Historically low penalties, but 2022 amendments introduced criminal sanctions for certain violations. The PPC relies more on administrative guidance and orders than financial penalties, though this is changing.
Australia Privacy Act: Up to AUD 50M, three times the benefit obtained, or 30% of adjusted turnover — whichever is greatest. Post-Optus and Medibank, the OAIC has pursued penalties aggressively. Australia now has some of the highest maximum penalties globally.
Practical implications for multi-jurisdictional compliance
The common approach — “comply with GDPR and you’re covered everywhere” — is a dangerous oversimplification. Specific areas where GDPR compliance is insufficient:
- China (PIPL): Cross-border transfer requirements exceed GDPR’s. Security assessments by the CAC are mandatory for certain transfers. Legitimate interests is not available as a lawful basis. Local data storage requirements apply to critical information infrastructure operators.
- US (CCPA/CPRA): The opt-out architecture requires different technical implementations than GDPR’s consent model. Global Privacy Control (GPC) signals must be honoured. The sale/sharing concepts have no GDPR parallel.
- India (DPDP): Consent withdrawal must be as easy as consent provision. The government can designate certain data as restricted from cross-border transfer by notification. Broad exemptions for government processing create compliance uncertainty.
- Australia: The fair and reasonable test may be stricter than GDPR’s legitimate interests in practice. Mandatory breach notification within 72 hours (same as GDPR, but the threshold for “eligible data breach” differs).
Building a compliance programme that works across jurisdictions requires mapping the specific obligations of each applicable law, identifying where they conflict, and implementing controls that satisfy the strictest requirement for each obligation category.
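As an added example (not code from the article or from AuditDSS), the following JavaScript implements the strictest-requirement rule described above for one activity, sharing personal data with third parties, across the consent models in the preceding list: opt-in laws need an unwithdrawn consent record, the CCPA/CPRA opt-out model honours a Global Privacy Control (Sec-GPC) header, and the activity proceeds only when every applicable law permits it. The jurisdiction codes, the consent-record shape and lower-cased header names are assumptions.

```javascript
// Added example (not the article's or AuditDSS's code). Assumptions: the
// jurisdiction codes, the consent-record shape, lower-cased header names.
// Consent architecture per law as summarised above; opt-in laws are modelled
// on the consent basis only (GDPR/LGPD legitimate interests left out).
const CONSENT_MODEL = {
  GDPR: 'opt-in',
  LGPD: 'opt-in',
  PIPL: 'opt-in',   // separate consent needed for third-party sharing
  DPDP: 'opt-in',   // withdrawal must be honoured as readily as consent
  CCPA: 'opt-out',  // allowed by default; an opt-out or GPC signal blocks it
};

// Global Privacy Control: the browser sends "Sec-GPC: 1" to signal opt-out.
function gpcOptOut(headers) {
  return String(headers['sec-gpc'] || '').trim() === '1';
}

// Decision under a single law for the third_party_sharing purpose.
function decideForLaw(law, subject, headers) {
  const model = CONSENT_MODEL[law];
  if (!model) throw new Error(`unknown jurisdiction code: ${law}`);
  if (model === 'opt-out') {
    const optedOut = gpcOptOut(headers) || subject.optedOutOfSale;
    return { law, allowed: !optedOut, reason: optedOut ? 'opt-out signalled' : 'no opt-out' };
  }
  // Opt-in: require an affirmative, unwithdrawn consent record for this purpose.
  const consent = subject.consents.find(
    c => c.purpose === 'third_party_sharing' && !c.withdrawnAt);
  return consent
    ? { law, allowed: true, reason: `consent granted ${consent.grantedAt}` }
    : { law, allowed: false, reason: 'no valid consent on record' };
}

// Strictest-requirement rule: permitted only if every applicable law permits it.
function decideSharing(subject, headers) {
  const results = subject.jurisdictions.map(j => decideForLaw(j, subject, headers));
  const blocking = results.filter(r => !r.allowed);
  return { allowed: blocking.length === 0, blockedBy: blocking.map(r => `${r.law}: ${r.reason}`) };
}

// Constructed sample: an EU resident also covered by CCPA, consent on file,
// whose browser now sends a GPC signal.
const sample = {
  jurisdictions: ['GDPR', 'CCPA'],
  optedOutOfSale: false,
  consents: [{ purpose: 'third_party_sharing', grantedAt: '2026-01-10', withdrawnAt: null }],
};
console.log(decideSharing(sample, { 'sec-gpc': '1' }));
// GDPR permits (consent on file); CCPA blocks (GPC signal); overall not allowed.
```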
AuditDSS covers 23 privacy regulations across all major jurisdictions — including GDPR, CCPA/CPRA, LGPD, PIPL, DPDP, APPI, and the Australia Privacy Act — decomposed into individual obligations with cross-jurisdictional comparison. Explore AuditDSS.