Maldives DPA

Data Protection Act 2017

Flag of MV
MaldivesOpt-inNational
Back to Regulations Guide

Key Facts

Effective Date
January 15, 2018
Enacted
January 1, 2017
Enforcing Authority
Not publicly documented — no dedicated data protection authority fully established
Consent Model
Opt-in
Applies To
Data controllers and processors in the Maldives

Overview

The Maldives has a basic Data Protection Act (2017) that outlines principles for data collection and disclosure. However, it is not a comprehensive GDPR-style law. A more robust Privacy and Personal Data Protection Bill was released for consultation in 2023 but has not yet been enacted.

What This Means for Your Website

  • Basic principles for data collection, use, and disclosure apply
  • The current law is limited in scope — not comprehensive
  • A stronger replacement bill is pending but not yet enacted
  • No dedicated DPA is fully established
  • Practical enforcement is limited

Key Requirements

No fully established DPA enforces the current Act. Basic data protection principles apply. Comprehensive requirements are pending in the draft replacement bill.

How ConsentStack Handles This

ConsentStack applies consent best practices for Maldivian visitors, positioning websites for compliance with both current law and the anticipated comprehensive replacement.

Penalties

Not publicly documented in detail.

Key Requirements

  • Basic principles for data collection, use, and disclosure
  • Individuals rights to control personal information
  • Comprehensive requirements pending in draft bill

Notable Provisions

  • Not a comprehensive GDPR-style law
  • Draft Privacy Bill released May 2023 — not enacted
  • No dedicated DPA fully established
  • Among smaller countries working toward comprehensive legislation

Other Asia Pacific Regulations

PIPLChina
China's PIPL is one of three pillars alongside the CSL and DSL forming China's data governance framework. Non-essential cookies must be blocked until visitors actively opt in. Simply stating cookie use in a privacy policy is insufficient. Separate consent is required for sensitive data, cross-border transfers, public disclosure, and third-party provision.
Thailand PDPAThailand
Thailand's PDPA is modeled on the GDPR and requires explicit consent before processing personal data through cookies. Consent must be unambiguous and via affirmative action. Enforcement intensified significantly in 2025, with THB 21.5 million in fines in August 2025 alone. Withdrawal of consent must be as easy as giving it.
South Korea PIPASouth Korea
South Korea's PIPA was amended in February 2026 to introduce the world's highest potential penalty ceiling at 10% of total revenue for severe violations. Cookie data qualifies as personal information when combinable with other data to identify individuals. CEO accountability is now statutory — the CEO is designated as the ultimate responsible person.
APPIJapan
Japan's APPI governs personal information handling with specific cookie/tracking provisions added by the 2023 Telecommunications Business Act. Consent is required before providing cookies, IPs, and device IDs to parties that will link them to identified users. The PPC conducts mandatory three-year review cycles.
Singapore PDPASingapore
Singapore's PDPA takes a less prescriptive approach to cookies than EU/GDPR-style laws — no specific cookie consent mandate exists. However, cookies collecting personal data are subject to the PDPA's consent, notification, and purpose limitation obligations. The 2021 amendments introduced 10% turnover penalties and deemed consent provisions.
Australian Privacy ActAustralia
Australia's December 2024 amendments are the most significant since the Act's inception. Personal information now explicitly includes IPs, device IDs, and cookie identifiers. Pre-ticked boxes and dark patterns are restricted. A new statutory tort for serious privacy invasion creates a private right of action. Penalties can reach AUD 50 million or 30% of turnover.

Frequently Asked Questions

Does the Maldives have comprehensive data protection?

Not yet. The 2017 DPA provides basic principles. A comprehensive Privacy Bill was released for consultation in 2023 but has not been enacted.

Is there a data protection authority in the Maldives?

No fully established DPA exists, limiting practical enforcement.

Is new legislation expected?

A Privacy and Personal Data Protection Bill was released in 2023 but its enactment timeline is uncertain.

Stay compliant with Maldives DPA

ConsentStack helps you implement Opt-in consent for Maldives automatically.

Get started free