Privacy Law in 2026: A Global Snapshot

By Venkatesh Krishnamoorthy, Tomoko Naoe, Tham Shen Hong, Wong Wai San, Irma Gudžiūnaitė, Thomas Boué, Caroline Kibby, Kate Goodloe, and Joseph Whitlock

Privacy laws are now a fact of life across much of the global economy. From Europe and the United Kingdom to Asia, the Americas, and beyond, governments around the world are uniting in putting comprehensive data protection frameworks into place. What varies is how each government puts these to work.

As 2026 begins, policymakers are looking to both implement and update existing laws. New guidance is coming online and companies are adjusting their compliance programs while continuing to expand digital services and deploy artificial intelligence (AI) at scale. Choices about legal bases for processing, the role of consent, enforcement priorities, and cross-border data transfers are increasingly shaping how privacy regimes function day-to-day.  

To mark Data Privacy Day 2026, BSA is publishing an updated version of our global privacy priorities. These priorities emphasize the rights consumers should have over their personal data, the obligations companies should have to handle that data responsibly, the need for consistent enforcement of a country’s privacy law, and the importance of internationally interoperable privacy laws.

With these priorities in mind, BSA asked our regional policy teams to reflect on what they see on the ground. Together, these perspectives highlight what stood out across the globe over the past year and the direction of privacy policy heading into 2026.  

DPDP Moves From Statute to Schedule


In 2026, organizations finalizing their privacy compliance priorities amid rapid AI adoption will shape India’s privacy landscape. After a long wait, the Indian Parliament approved the Digital Personal Data Protection (DPDP) Rules in November 2025. Parliament will implement the rules in phases over an 18-month period, with key compliance obligations coming into force by May 2027.

As organizations move forward with plans to update their privacy practices, the coming year will see deeper engagement and dialogue among policymakers, businesses, the legal community, and software developers. These conversations are important in ensuring consistency and confidence in compliance requirements. At the same time, we expect organizations to rapidly scale AI adoption, an issue that is top of mind in Delhi as India hosts the AI Impact Summit next month.

This convergence of privacy compliance and AI adoption will require a flexible and innovative playbook.

Venkatesh Krishnamoorthy, Country Manager, India, based in New Delhi

A Pivot Towards ‘Responsible Use’ — With Guardrails


In Japan, the year is starting with a push to revise the country’s existing privacy law. The Personal Information Protection Commission recently released its policy on amendments to the Act on the Protection of Personal Information. It’s expected that the National Diet will receive a draft bill early this year. Notably, the policy would allow the use of personal data without consent for the creation of statistical information, including AI development. It would also permit waiving consent when data is used to save lives or improve public health, as well as for uses that do not harm individuals’ rights or interests and are not contrary to their will.

The policy reflects an important shift away from a consent-based approach to privacy. Looking ahead, as personal data continues to underpin AI-driven innovation and digital services, using data responsibly to improve products and services, while supported by the appropriate safeguards, becomes increasingly important. We are also encouraged by the policy’s direction to streamline data breach notification requirements, which can help ensure that, in the future, companies focus their resources on incidents that present a genuine and material risk of harm to individuals.

Tomoko Naoe, Director, Policy — Japan, based in Tokyo

Australia’s Reform Moment: Ambition Meets Drafting

In Australia, the privacy outlook for 2026 will depend on whether the government successfully translates ambition into concrete outcomes. Work on reforming the Privacy Act 1988 continues in earnest as policymakers seek to respond to rapid technological change, heightened public expectations, and the growing use of data-driven and AI-enabled services.  

Although policymakers have already made some reforms to the Privacy Act, more are needed. In particular, the Privacy Act needs a clear distinction between organizations that decide how and why to process a consumer’s personal information (often called controllers) and organizations that process that data on behalf of other companies (often called processors). The long-standing distinction between controllers and processors underpins global privacy and data protection laws worldwide, and should be part of any reforms to Australia’s Privacy Act. Recognizing these different roles can create stronger consumer protections by tailoring obligations to each type of company. If implemented well, such reforms can strengthen trust, support responsible innovation, and ensure the updated Privacy Act is fit for purpose in a modern digital economy.  

Tham Shen Hong, Senior Manager, Policy — APAC, based in Singapore

Southeast Asia Enters the Implementation Era


All major markets in Southeast Asia have now enacted national-level data protection laws, including Vietnam, Thailand, and Indonesia. These laws reflect the region’s growing commitment to strong and effective data privacy frameworks.

Vietnam’s Personal Data Protection Law, which came into force on January 1, is the latest sign of this momentum. As countries across the region move from adoption to implementation, 2026 presents an opportunity to focus on deeper regional alignment.

The Association of Southeast Asian Nations (ASEAN) has already established a strong foundation for regional cooperation, beginning with the ASEAN Model Contractual Clauses and practical guidance comparing them with contractual clauses in other regions.

Looking ahead, enhanced ASEAN cooperation is critical as policymakers increasingly focus on emerging technology like artificial intelligence and, in time, quantum computing. By continuing to collaborate within ASEAN and aligning regional frameworks with international standards, Southeast Asia is well positioned to advance interoperability both within the region and globally.

Wong Wai San, Senior Manager, Policy — APAC, based in Singapore

The UK’s Next Phase: Making Reform Usable

This year, the United Kingdom is expected to clarify how companies can comply with recent amendments to the country’s privacy laws.  

The big focus is the Data (Use and Access) Act (DUAA), which was adopted in 2025. It makes targeted reforms to several important UK laws: the UK General Data Protection Regulation (GDPR), the Data Protection Act 2018, and the UK’s e-privacy rules. These include clarifying lawful bases for processing personal data and recognized legitimate interests, streamlined processes for data subject requests, updated cookie rules, and a more flexible approach to certain automated decision-making. Throughout 2026, the UK Information Commissioner’s Office (ICO) is expected to issue guidance to help organizations operationalize these changes. 

Cross-border data flows will also remain a key priority for the UK. In early 2026, the ICO issued a guide on international data transfers, providing greater clarity on transfer risk assessments and available safeguards under UK law. These developments are important not only for regulatory certainty, but also for the UK’s digital trade ambitions and its role as a globally connected data hub. 

Irma Gudžiūnaitė, Director, Policy, based in Brussels

GDPR Holds — Practice Shifts Toward Proportionality

Heading into 2026, privacy policy in the European Union remains anchored in the GDPR, which combines strong consumer rights with clear responsibilities for controllers and processors, multiple lawful bases for processing, and established mechanisms for cross-border data transfers. The framework is not being replaced, but it is no longer politically untouchable.

That shift became clear with the European Commission’s Digital Simplification Omnibus, released late last year, which proposes targeted amendments to the GDPR as part of a broader effort to streamline the EU’s digital rulebook. While narrow in scope, the proposals reopen issues many considered settled, including the definition of personal data, explicit legal bases for AI training and development, and more harmonized approaches to data reporting and impact assessments. Together, these changes point to a recalibration of how the GDPR operates in an AI-enabled economy, without altering its core principles.

Looking ahead, political agreement is the main hurdle. Reopening the GDPR has prompted objections in both the European Parliament and the Council, and even targeted amendments are likely to face close scrutiny.

Thomas Boué, Director General EMEA, based in Brussels

The US State Map is Stabilizing


As we go into 2026, there is a growing body of state privacy laws in the United States that create clear patterns for protecting consumers.

There are now 20 states with comprehensive consumer privacy laws. Most of these laws recognize core consumer rights like access, correction, deletion, and opting out of certain processing, and impose baseline duties around data security, minimization, and risk assessments. All state laws also distinguish between controllers and processors, creating one set of obligations for the controllers that decide how and why to process consumers’ data, and another for processors that handle data on behalf of other companies.

One reason for this consistency is that states like Colorado, Connecticut, and Virginia anchor their laws in structurally similar models. At the same time, these states adopt different substantive protections, requiring companies to map compliance across overlapping but non-identical jurisdictions. Looking forward, the big questions this year are how legislatures will amend existing laws and how state attorneys general will enforce them.

Caroline Kibby, Tech Policy Fellow, based in Washington, DC

Congress Revisits the Case for Federal Privacy Law


In the United States Congress, there has been an effort to reset discussions around federal privacy legislation.

The US privacy landscape has changed dramatically since July 2022, when a House Committee overwhelmingly advanced a comprehensive consumer privacy bill to the full House. At that time, only California’s state privacy law was in effect. Today, there are 20 state comprehensive privacy laws in force. Those state laws are remarkably consistent, with 19 adopting the same basic structure, but creating different levels of substantive protections that reflect different policy choices.

This shift gives lawmakers an opportunity to look at existing privacy laws and identify protections that should become part of any national privacy law.

Congress should treat state and global privacy laws as a roadmap for identifying effective obligations. Companies are already complying with these laws, including by providing new rights to consumers and adopting new safeguards when they handle personal data. Understanding how existing privacy laws work in the real world will give lawmakers an important foundation for advancing nationwide privacy protections.

Kate Goodloe, Managing Director, Policy, based in Washington, DC

A Converging Global Direction for 2026


In addition to national-level privacy laws, international trade negotiations are also contributing to the development of globally interoperable data privacy norms that protect personal data while it flows across international digital networks.

Around the world, digital trade agreements are increasingly demonstrating that strong privacy protections and seamless cross-border data flows are not in tension, but mutually reinforcing. These agreements recognize that trusted data flows are essential to achieving legitimate public policy objectives, from economic growth and scientific research to public health, cybersecurity, and national security. Recent agreements illustrate this convergence: The US-Mexico-Canada Agreement (which will be reviewed in 2026) pairs affirmative protections for personal data with disciplines that enable cross-border access to knowledge and information. So do the 2025 EU-Indonesia Comprehensive Economic Partnership Agreement, the Comprehensive and Progressive Trans-Pacific Partnership, and the Digital Economy Partnership Agreement.

As governments look ahead to key moments in 2026, the trajectory is encouraging. Digital trade agreements can support interoperable, pro-privacy frameworks that protect individuals while allowing data to flow securely across global digital networks, strengthening innovation, resilience, and trust worldwide.

Joseph Whitlock, Director, Policy and Executive Director, Global Data Alliance, based in Washington, DC

Author:

Kate Goodloe serves as Managing Director, Policy with BSA | The Software Alliance. She works with BSA members to develop and advance policy positions on privacy, as well as artificial intelligence and law enforcement access. Before joining BSA, Goodloe was a senior associate in the Privacy & Cybersecurity practice at Covington & Burling LLP. In that role, she counseled technology companies on a range of privacy and law enforcement access issues and represented companies in privacy-related litigation, as well as in investigations by the Federal Trade Commission and by Congress. She previously served as a Law Clerk for the Honorable J. Frederick Motz of the U.S. District Court for the District of Maryland. Goodloe is a graduate of the University of Missouri School of Journalism and the New York University School of Law. She is based in BSA’s Washington, DC, office.
