Data protection & privacy laws in Timor-Leste (2026)

There is no general/omnibus personal-data protection statute comparable to the EU GDPR or Brazil's LGPD. Protection of personal data is not codified in a dedicated law.

The 2002 Constitution protects privacy through Article 36 (honor, reputation, private/family life), Article 37 (inviolability of home and correspondence) and Article 38, which grants citizens a right to access personal data held in records and to know the purpose of its collection.

Timor-Leste has no independent data protection authority. The Provedoria dos Direitos Humanos e Justiça (Ombudsman) has publicly called for comprehensive data-protection legislation, including at an August 2024 training session on the country's information and technology ecosystem.

The government announced a draft Data Privacy and Protection Law in early 2021, but it was never made publicly available and has not been adopted; academic and tracking sources note Timor-Leste lacks even a finalized draft, so no formal bill is currently pending.

Decree-Law No. 12/2024 (13 February 2024) created a general regime for electronic commerce and electronic signatures, touching electronic transactions but not establishing a personal-data protection framework. A separate draft cyber/cybercrime law has drawn criticism over privacy and free-expression risks.

Following Timor-Leste's confirmation as an ASEAN member (October 2025), the ASEAN Framework on Personal Data Protection and Framework on Digital Data Governance are expected to provide persuasive impetus for the country to develop data-protection legislation.