AI and Data Privacy: Key Laws Around the World

AI systems run on data, and most of the binding obligations on AI deployments worldwide come from data protection law rather than AI-specific statutes. The picture in 2026 is layered: jurisdictions with mature data protection regimes (the EU, the UK, Japan, Singapore, Brazil) have added AI-specific guidance and, in some cases, AI-specific statutes on top of their privacy law foundations. Other jurisdictions (the US at federal level, India in implementation phase, the UAE, Saudi Arabia, Qatar) are in active rule-making. The EU AI Act is the only horizontal AI statute currently in force, but it is risk-based in scope and sits alongside data protection law rather than displacing it.

This overview is not a substitute for jurisdiction-specific compliance work. It is the map you should have before you commission that work.

European Union: GDPR and the AI Act

The General Data Protection Regulation (GDPR)

The GDPR entered into force on 25 May 2018. It applies to organisations established in the EU and, extraterritorially, to non-EU organisations offering goods or services to or monitoring the behaviour of individuals in the EU. AI deployments processing personal data of EU residents are in scope.

Provisions of particular relevance to AI:

  • Article 5 principles: lawfulness, fairness, transparency, purpose limitation, data minimisation, accuracy, storage limitation, integrity and confidentiality, and accountability.
  • Article 6 lawful bases: consent, contract, legal obligation, vital interests, public task, or legitimate interests. AI training and inference must each rest on a valid basis.
  • Article 9 special categories: heightened protection for biometric, health, racial, religious, political, and other sensitive data, with narrow processing grounds.
  • Article 22: rights regarding automated decision-making with legal or similarly significant effects, including the right to obtain human intervention, express a viewpoint, and contest the decision.
  • Article 35: Data Protection Impact Assessment (DPIA) for high-risk processing, including most consequential AI deployments.
  • Articles 13 and 14: the duty to provide "meaningful information about the logic involved" in automated decision-making, often referred to as a right to explanation.
  • Privacy by design and by default (Article 25): AI systems must integrate privacy controls from the design stage.

GDPR penalties operate in two tiers under Article 83:

  • Lower tier: up to €10 million or 2% of total worldwide annual turnover (whichever is higher) for procedural violations such as record-keeping, breach notification, and security failures.
  • Higher tier: up to €20 million or 4% of total worldwide annual turnover for substantive violations of the basic principles, lawful basis, data subjects' rights, and cross-border transfer rules.

Both tiers apply per violation, and a single investigation can result in multiple fines. The largest GDPR fine to date is the Irish Data Protection Commission's €1.2 billion fine against Meta in 2023 for unlawful US data transfers.

The EU AI Act

The EU AI Act is the world's first horizontal AI statute. It entered into force on 1 August 2024, with phased application:

  • 2 February 2025: Article 5 prohibitions and AI literacy obligations applied.
  • 2 August 2025: governance provisions and general-purpose AI obligations applied.
  • 2 August 2026: Article 50 transparency obligations and the bulk of high-risk system requirements scheduled to apply, subject to the ongoing Digital Omnibus negotiation that may delay high-risk obligations to December 2027.

The Act classifies AI systems into prohibited (Article 5), high-risk (Annex III), limited-risk (Article 50), and minimal-risk categories. Penalties under Article 99 reach €35 million or 7% of worldwide annual turnover for prohibited-AI breaches, €15 million or 3% for high-risk system non-compliance, and €7.5 million or 1% for supplying incorrect information. The Act applies extraterritorially: providers and deployers outside the EU are in scope wherever the AI system's output is used in the EU.

United States: a sectoral patchwork

The US has no comprehensive federal privacy law. AI compliance for US-touching deployments is built from state privacy laws, sector-specific federal laws, and an emerging set of state and federal AI-specific instruments.

California: CCPA, CPRA, and the ADMT regulations

The California Consumer Privacy Act (CCPA), amended by the California Privacy Rights Act (CPRA) effective January 2023, is the most influential US state privacy law. It applies to for-profit businesses meeting CCPA thresholds and grants California residents rights to know, delete, correct, opt out of sale or sharing, and limit the use of sensitive personal information.

In 2025, the California Privacy Protection Agency finalised regulations on Automated Decision-Making Technology (ADMT). Risk assessment provisions take effect on 1 January 2026, with full ADMT-specific obligations from 1 January 2027. Businesses using ADMT for significant decisions about California residents must conduct risk assessments, provide pre-use notices, and offer opt-out rights subject to specified exceptions.

California has also passed AI-specific statutes including SB 942 (the AI Transparency Act, effective 2 August 2026 after delay by AB 853), AB 2013 (training data transparency), and several others addressing deepfakes and disclosures.

Other state privacy laws

By April 2026, more than 20 states have enacted comprehensive privacy laws including Virginia (VCDPA), Colorado (CPA), Connecticut (CTDPA), Utah (UCPA), Texas (TDPSA), Oregon (OCPA), and others. Their substantive obligations broadly track GDPR concepts (lawful processing, data subject rights, DPIAs, opt-outs from profiling). The Colorado AI Act (SB 24-205), effective 30 June 2026, is the first comprehensive US state AI statute, addressing algorithmic discrimination in consequential decisions.

Federal sector-specific laws

  • HIPAA: governs medical data and applies to AI in healthcare diagnostics, predictive analytics, and clinical decision support.
  • COPPA: restricts data collection from children under 13.
  • FCRA and ECOA: govern consumer reporting and credit decisions, including AI-assisted underwriting.
  • GLBA: governs financial institutions' handling of nonpublic personal information.
  • FTC Section 5: addresses unfair or deceptive AI practices.

The EEOC has issued guidance on AI in employment decisions, applying Title VII, the ADA, and the ADEA to algorithmic tools. New York City's Local Law 144 (in force July 2023) requires bias audits for automated employment decision tools (AEDTs) used to evaluate NYC candidates and employees.

China: PIPL, AI-specific rules, and the broader digital regime

The Personal Information Protection Law (PIPL)

The PIPL, effective 1 November 2021, is China's principal data protection statute. It establishes consent as the default lawful basis, sensitive data protections, data subject rights, breach notification, and cross-border transfer requirements (including security assessments). It applies extraterritorially to the processing of personal information of individuals in China where goods or services are offered to them or their behaviour is analysed.

PIPL operates alongside the Cybersecurity Law (2017) and the Data Security Law (2021). Penalties for severe PIPL violations reach RMB 50 million or 5% of annual turnover in the previous year, plus operational restrictions and personal liability for responsible individuals.

AI-specific rules from the CAC

China has the most active AI-specific rule-making outside the EU. The Cyberspace Administration of China (CAC) has issued:

  • Interim Measures for the Management of Generative AI Services (effective 15 August 2023): apply to generative AI services accessible to the Chinese public, with content quality, training data, security assessment, and labelling obligations.
  • Provisions on the Administration of Deep Synthesis Internet Information Services (effective 10 January 2023): cover deepfakes and synthetic media.
  • Provisions on the Management of Algorithmic Recommendations of Internet Information Services (effective 1 March 2022): regulate recommendation algorithms.
  • AI Labelling Measures (effective 1 September 2025): require explicit and implicit labelling of AI-generated content.

China's regulatory model imposes more direct obligations on AI service providers than most other jurisdictions, including registration of algorithm providers and security assessment of consumer-facing AI services.

Japan: APPI and the AI Promotion Act

Act on the Protection of Personal Information (APPI)

Japan's APPI, administered by the Personal Information Protection Commission (PPC), is the country's primary data protection statute. Recent amendments have strengthened cross-border transfer rules, breach notification, sensitive data protections, and penalties for serious violations.

AI Promotion Act (May 2025)

On 28 May 2025, Japan's National Diet passed the Act on Promotion of Research and Development and Utilization of AI-Related Technologies (AI Promotion Act), Japan's first AI-specific statute. Most provisions entered into force on 4 June 2025, with the AI Strategy Headquarters chapters effective from 1 September 2025. The Cabinet adopted the first AI Basic Plan on 23 December 2025.

The Act is a framework law. It establishes principles, the AI Strategy Headquarters, and the AI Basic Plan, but does not impose direct administrative fines or criminal penalties. Binding obligations come from the APPI, sectoral law, and the AI Guidelines for Business v1.1 (METI/MIC, March 2025) operating as a "comply or explain" benchmark.

Singapore: PDPA, Model AI Governance Framework, and AI Verify

Singapore's Personal Data Protection Act (PDPA, 2012) is the binding statute for personal data, with penalties up to S$1 million or 10% of annual local turnover (whichever is higher) for organisations with annual local turnover exceeding S$10 million. The PDPC published Advisory Guidelines on Use of Personal Data in AI Recommendation and Decision Systems on 1 March 2024, clarifying how PDPA rules apply to AI training, recommendations, and decisions.

The Model AI Governance Framework (2019, second edition January 2020) provides voluntary guidance for traditional AI deployments. The Model AI Governance Framework for Generative AI (May 2024), released by IMDA and the AI Verify Foundation, addresses generative AI risks across nine dimensions. The AI Verify testing toolkit (launched May 2022, mapped to NIST AI RMF in October 2023 and ISO/IEC 42001 in June 2024) provides standardised tests against eleven AI ethics principles.

Brazil: LGPD

The Lei Geral de Proteção de Dados Pessoais (LGPD) entered into force in August 2020, with administrative penalties from August 2021. The National Data Protection Authority (ANPD) enforces it. The LGPD is closely modelled on GDPR, with consent and other lawful bases, data subject rights (access, correction, anonymisation, portability, deletion, information about automated decisions), DPIA requirements, breach notification, and extraterritorial application.

LGPD penalties reach 2% of revenue in Brazil for the previous year, capped at BRL 50 million per violation. The ANPD has issued specific guidance on AI and personal data, including its preliminary studies on generative AI and a working group on AI governance.

India: DPDPA and the 2025 Rules

The Digital Personal Data Protection Act 2023 (DPDPA) was enacted by Parliament on 11 August 2023. The implementing DPDP Rules 2025 were notified by MeitY on 13 November 2025 and gazetted on 14 November 2025. Implementation is staggered: Phase 1 from 14 November 2025 (procedural), Phase 2 from November 2026 (Consent Managers), Phase 3 from around mid-May 2027 (substantive obligations and Data Protection Board penalty powers).

DPDPA penalties under Schedule I reach up to INR 250 crore (approximately USD 30 million) for failure to prevent personal data breaches, with separate ceilings for breach notification failures, children's data violations, and other categories. Significant Data Fiduciaries (a class designated by government notification) have enhanced obligations including India-resident DPOs, independent audits, and DPIAs. India's AI Governance Guidelines were released by MeitY on 5 November 2025 alongside the DPDP Rules.

United Kingdom: principles-based, post-Brexit

The UK retained the UK GDPR after Brexit, supplemented by the Data Protection Act 2018. Penalties reach £17.5 million or 4% of global turnover. The Data (Use and Access) Act 2025, in force from 19 June 2025, updated automated decision-making rules, smart data, and other provisions.

The UK has explicitly chosen a "pro-innovation" principles-based approach to AI rather than a horizontal AI Act. Sector regulators (ICO, CMA, FCA, MHRA, Ofcom) apply five cross-sector principles within their existing remits. The UK AI Safety Institute coordinates frontier AI safety work alongside Japan's AISI and the US AISI.

Canada and Australia (in summary)

Canada applies PIPEDA at federal level and provincial laws including Quebec's Law 25 (significantly modernised in 2022-2024) and Ontario's PHIPA in healthcare. The proposed Artificial Intelligence and Data Act (AIDA) within Bill C-27 has gone through several iterations, and as of April 2026 has not been enacted in its earlier form, though replacement AI legislation is being considered.

Australia applies the Privacy Act 1988, recently amended (Privacy and Other Legislation Amendment Act 2024) to introduce a statutory tort, expanded penalties, and new automated-decision-making transparency obligations effective from 10 December 2026. Further reforms in additional tranches are expected.

Common principles across regimes

Despite different enforcement architectures and penalty bands, most data privacy regimes converge on a common set of principles that AI deployments should address regardless of jurisdiction:

  • Lawfulness and fairness: AI processing of personal data must rest on a valid legal basis and be fair to data subjects.
  • Purpose limitation: data must be processed for stated purposes; secondary use for AI training requires a fresh lawful basis or a compatibility assessment.
  • Data minimisation: training and inference should use only necessary data.
  • Accuracy: data and model outputs should be accurate, with mechanisms to correct errors.
  • Storage limitation: training data and inference logs should not be retained longer than necessary.
  • Integrity and confidentiality: appropriate technical and organisational security.
  • Accountability: organisations are responsible for compliance and must demonstrate it.
  • Transparency: individuals must be informed about AI processing affecting them.
  • Individual rights: access, correction, deletion, objection, and (in many regimes) human review of significant automated decisions.

Practical implications for cross-border AI deployments

For organisations operating across jurisdictions, the practical implications of this layered global picture are several:

  • One governance programme, jurisdiction-specific annexes. Build the AI governance framework on NIST AI RMF or ISO/IEC 42001 (now widely accepted as the international baseline) and add jurisdiction-specific annexes for binding requirements.
  • Prioritise lawful basis and special data. AI training data lawfulness is the highest-frequency failure point across jurisdictions. Documenting the lawful basis for each category of training data, and separately for inference, is now essential.
  • Build automated-decision documentation. Most regimes (GDPR, LGPD, DPDPA, California ADMT, Australia from December 2026) impose obligations on automated decision-making with significant effects. A standard template covering logic, inputs, outputs, and human review hooks will satisfy the core obligation in most jurisdictions.
  • Plan cross-border transfer mechanisms. GDPR adequacy decisions, PIPL security assessments, PDPL or PDPA SCCs, and other transfer mechanisms vary. A transfer matrix listing each pair of source and destination jurisdictions with the applicable mechanism is now standard governance documentation.
  • Track AI-specific instruments separately. The EU AI Act, China's CAC measures, Japan's AI Promotion Act, India's AI Governance Guidelines, and US state AI laws each operate in addition to data protection law. They are not redundant.

Compliance FAQ

If I comply with GDPR, am I compliant elsewhere?

Partly. GDPR compliance gives a strong starting point for LGPD, UK GDPR, PDPA, APPI, and other GDPR-aligned regimes, but it does not satisfy China's PIPL specifics, India's DPDPA registration and consent manager mechanics, or sector-specific obligations in any jurisdiction. It also does not satisfy AI-specific instruments such as the EU AI Act, Colorado AI Act, NYC Local Law 144, or China's CAC AI rules.

Which jurisdiction's AI rules apply to my training data?

All jurisdictions whose residents' personal data appears in the training set, simultaneously. If your dataset contains personal data of EU residents, Brazilian residents, Japanese residents, and California residents, then GDPR, LGPD, APPI, and CCPA all apply to that processing. Documenting lawful basis under each regime, and maintaining the records to demonstrate compliance, is now part of standard AI development practice.

Are AI-specific laws replacing data protection laws?

No. AI-specific laws (EU AI Act, China's CAC measures, Japan's AI Promotion Act, US state AI statutes) sit on top of data protection law rather than replacing it. The EU AI Act explicitly preserves GDPR. AI deployments must address both regimes in parallel.

What about the right to explanation for automated decisions?

Multiple regimes impose forms of right to explanation: GDPR Article 22, LGPD Article 20, the UK Data Protection Act, India DPDPA's data fiduciary information obligations, California ADMT pre-use notices, and others. The exact scope varies (some regimes apply only to "solely automated" decisions; some apply to "significant" decisions). A single explanation template that covers logic, factors, contestation rights, and human review pathways usually satisfies the core obligation across regimes.

How do penalty bands compare?

  • EU AI Act: up to €35 million or 7% of global turnover for prohibited AI.
  • GDPR: up to €20 million or 4%.
  • UK GDPR: up to £17.5 million or 4%.
  • LGPD: 2% of Brazilian revenue, capped at BRL 50 million per violation.
  • PIPL: up to RMB 50 million or 5% of annual turnover.
  • PDPA Singapore: up to S$1 million or 10% of annual local turnover.
  • DPDPA: up to INR 250 crore.
  • CCPA: up to USD 7,500 per intentional violation.

The relative bite of each depends on enterprise size, jurisdiction footprint, and the type of violation.

The bottom line

The global AI privacy landscape in 2026 is layered, jurisdiction-specific, and still in active development. The EU continues to set the regulatory pace through GDPR and the AI Act. China has the most active AI-specific rule-making outside the EU. The US operates a patchwork of state laws plus sector-specific federal rules. Asia-Pacific jurisdictions (Japan, Singapore, Australia, India) have moved decisively in 2024-2025 with new AI-specific instruments. Latin America and the Gulf are catching up rapidly. For multinational AI deployments, the durable compliance posture is a single governance programme anchored on NIST AI RMF or ISO/IEC 42001, with jurisdiction-specific annexes for the binding requirements of each regime where the AI system operates or its outputs reach. Track the major regulators directly. Update your annexes when they update their rules. Privacy and AI compliance are now joint, continuous, and unavoidable.


Last updated: April 2026. This article is educational content and is not legal advice. Each jurisdiction's framework continues to evolve. Consult qualified counsel before making compliance decisions for cross-border AI deployments.