Data & Privacy · Algeria
Data protection & privacy laws in Algeria (2026)
Algeria shaded by its data & privacy status
Algeria enacted a comprehensive personal data protection law (Law 18-07) in 2018, which entered into force on 10 August 2023 with the operationalisation of the ANPDP as an independent supervisory authority. A significant 2025 amendment (Law 25-11) modernised the framework, aligning it more closely with GDPR by introducing mandatory Data Protection Officers, Data Protection Impact Assessments, 5-day breach notification, and expanded ANPDP oversight powers. The law applies to all public and private entities processing personal data in Algeria or targeting Algerian residents.
Key points
Law No. 18-07 of 10 June 2018 is the comprehensive personal data protection statute. It entered into effective force on 10 August 2023 when the ANPDP became operational. It was materially amended and strengthened by Law No. 25-11 of 24 July 2025.
The ANPDP is an independent administrative authority with legal personality and financial autonomy, operating under the authority of the President of Algeria. It receives declarations, grants authorisations for high-risk processing, handles complaints, conducts inspections (field inspections of private-sector companies began February 2024), and imposes administrative sanctions.
Controllers must file a declaration with the ANPDP before commencing any personal data processing. High-risk activities — including international data transfers, large-scale database interconnections, and processing of sensitive data — require prior authorisation rather than mere notification.
Law 25-11 (July 2025) introduced mandatory appointment of Data Protection Officers (DPOs), records of processing activities, Data Protection Impact Assessments (DPIAs) for high-risk processing, mandatory breach notification to the ANPDP within five days, new definitions for biometric data, profiling, pseudonymisation and data breaches, and prior consultation with the ANPDP where a DPIA reveals unmitigated high risks.
Data subjects are granted rights of information, access, rectification, and erasure. Controllers must obtain consent for processing in most cases, and specific rules govern sensitive categories of data (health, biometric, etc.).
Non-compliance carries administrative fines ranging from 20,000 DZD to 1,000,000 DZD, and criminal penalties of imprisonment from two months to five years, applicable to both controllers and processors.
Timeline - major decisions & events
Parliament enacted Law 25-11 amending Law 18-07 to introduce mandatory Data Protection Officers, records of processing activities, Data Protection Impact Assessments for high-risk processing, and a 5-day breach notification obligation to the ANPDP. The amendment brings Algeria's framework significantly closer to GDPR-era standards.
DataGuidance ↗After a five-year phased implementation, Law 18-07 became fully enforceable on 12 August 2023, obligating all public and private data controllers to file declarations, obtain authorisations for high-risk processing, and comply with data-subject rights. The ANPDP received 228 filings within its first three months of operations.
LexAfrica ↗The ANPDP went public with its website and online declaration/authorisation forms, beginning a structured awareness phase running from January to August 2023. This operationalised the authority's role as primary interface for data controllers navigating Law 18-07 obligations.
Africa Data Protection Blog ↗The National Authority for the Protection of Personal Data (ANPDP) was officially installed on 11 August 2022, four years after Law 18-07 was enacted. As an independent administrative authority with legal personality and financial autonomy, it became responsible for registrations, authorisations, complaints, and sanctions.
Gide Loyrette Nouel ↗The revised Algerian Constitution, adopted by referendum on 1 November 2020, enshrined personal data protection in Article 47 alongside the right to privacy of correspondence and communications. This cemented data protection as a constitutional obligation rather than a merely statutory one.
DataGuidance ↗Algeria's landmark data-protection statute established GDPR-inspired principles: lawfulness, purpose limitation, data minimisation, accuracy, and storage limitation. It created consent requirements, data-subject rights (access, correction, objection), cross-border transfer controls, and mandated the creation of the independent ANPDP.
ARPCE (Algerian Post & Electronic Communications Regulatory Authority) ↗Enacted weeks before Law 18-07, the E-Commerce Law included data-protection provisions specifically governing direct marketing and online consumer consent, giving customers the right to refuse processing before Law 18-07 created the broader framework.
Digital Policy Alert ↗An executive decree published in the Official Journal created a formal national body under the Ministry of Justice to coordinate prevention of and responses to ICT-related offences, operationalising the institutional framework envisaged by the 2009 cybercrime law.
CMS Expert Guide ↗Algeria's first major digital privacy legislation established rules on interception of electronic communications, obligations on ISPs to cooperate with judicial authorities, and the legal framework for combating ICT crimes. It introduced the concept of lawful surveillance with safeguards for communications secrecy and was later amended by Law 16-02 (2016).
WIPO Lex ↗Algeria - other topics
Last verified 5/24/2026 · Orientation, not legal advice - verify against the primary sources linked above. Explore the full world map →