Data Protection Laws in Georgia

Georgia: score 35 / 100, rank #147 of 231 countries

The data protection laws indicator measures the strength, enforcement and practical effect of a country's legal framework for protecting personal data. With a score of 35/100 and a global rank of 147 of 231 countries, Georgia sits in the lower range of this indicator. The country has formal data protection legislation, but its scope, its enforcement and the independence of the responsible supervisory body are considerably below EU standards, creating real gaps in practical privacy protection.

The Legal Framework: Law on Personal Data Protection

Georgia enacted its Law on Personal Data Protection in 2011 — one of the earlier post-Soviet states in the region to do so. The law establishes core principles familiar from European data protection frameworks: purpose limitation, data minimisation, consent requirements and rights of access and erasure. While these principles are formally present, a critical limitation is immediately apparent: the law applies to private sector actors with significant carve-outs for law enforcement and state security — sectors where data protection would arguably matter most.

The responsible supervisory authority is the Personal Data Protection Service (PDPS), operating as an independent agency in theory. Its independence in practice is contested: critics, including assessments from privacy advocacy groups and EU progress reports on Georgia's accession process, point to limited enforcement activity, insufficient fining powers and a tendency to defer to government interests on politically sensitive data protection inquiries.

The Russian Influence Factor

A distinctive dimension of data protection risk in Georgia that is largely absent in EU countries is the country's proximity to Russian intelligence operations. Russia has demonstrated over many years its capacity and willingness to conduct large-scale data operations against Georgia — hacking government systems, accessing communications networks, and leveraging the significant Russian population presence post-2022 for various information-gathering activities. The local legal framework does not meaningfully constrain Russian state actors, whose operations fall entirely outside Georgian law enforcement reach.

Private Sector Data Practices

Georgian banks and telecoms — the two private sector actors handling the most sensitive personal data — operate with international investor partnerships that create some upward pressure on data protection standards. TBC Bank and Bank of Georgia are listed on international exchanges and subject to GDPR requirements for their European customer interactions. The Georgian tech and startup sector, growing rapidly since 2022, generally uses international cloud platforms (AWS, Google Cloud) and applies standards proportional to their international client requirements. Weaknesses are more concentrated in local retail, healthcare and smaller service providers where enforcement oversight is minimal.

GDPR and Georgia: The Practical Gap

Georgians have no automatic GDPR rights equivalent to those of EU citizens. If you are a foreign national living in Georgia and your data is misused by a Georgian entity, your recourse is Georgian law, not GDPR. This matters in practice for: healthcare providers handling medical data; employers accessing employee communications; commercial entities selling personal data to third parties without consent. None of these activities would be straightforwardly prosecuted under current Georgian enforcement practice.

What Expats Should Know

  • Register carefully: Many Georgian services require phone number and national ID registration — your data will be stored without EU-level protection guarantees
  • Use international platforms: For sensitive communications use Signal, ProtonMail — not local Georgian platforms
  • Healthcare records: Ask about data storage and sharing practices before providing medical history to Georgian providers
  • Employment contracts: Review data handling clauses; Georgian employment law does not provide strong employee data rights

Comparison with Other Countries

  • United Kingdom (~85): UK GDPR (post-Brexit); among the world's strongest data protection environments
  • Estonia (~82): EU member; GDPR; additionally advanced e-governance with strong privacy integration
  • Turkey (~45): Personal Data Protection Law (2016); closer to GDPR principles; better enforcement
  • Russia (~20): Data localisation laws serve state surveillance, not privacy protection

Summary: A score of 35/100 reflects a real and significant gap between Georgia's formal legal framework and effective data protection in practice. For expats this is mainly relevant when choosing service providers, handling healthcare data, and understanding working conditions at Georgian employers. Conscious use of international privacy tools helps bridge this gap.

This article was created on April 14, 2026

Data Protection Laws: Global Ranking

# Country Score
1 Finland 97
1 Denmark 97
1 Sweden 97
1 Germany 97
1 Belgium 97
147 Laos 35
147 Rwanda 35
147 Georgia 35
147 Nicaragua 35
153 Ivory Coast 32
225 Turkmenistan 5
225 Afghanistan 5
225 Iran 5