
Algeria’s Data Protection Law (18-07): What Every Business Must Know in 2026

February 21, 2026


Algeria enacted Law No. 18-07 on the protection of personal data in June 2018 — modeled substantially on Europe’s GDPR — but for most of its existence it functioned more on paper than in practice. Enforcement was minimal, the supervisory authority had limited resources, and most businesses treated the law as a compliance aspiration rather than an operational reality.

That changed in 2025. On July 24, Algeria enacted Law No. 25-11, amending and supplementing Law 18-07 with mandatory Data Protection Officers, breach notification obligations, Data Protection Impact Assessments, and expanded enforcement powers for the ANPDP. Combined with Presidential Decree No. 25-320 establishing a national data governance framework, these changes transform Algeria’s data protection regime from theoretical to operational. For any organization handling data about Algerian citizens, 2026 is the year to get compliance right.

What Law 18-07 Actually Says: The Core Provisions

Scope and Applicability

Law 18-07 applies to any processing of personal data:

  • Taking place on Algerian territory
  • Carried out by an organization established in Algeria
  • Involving personal data of Algerian residents, regardless of where the processing occurs

This extraterritorial reach means international companies that collect data from Algerian users are subject to the law even without a physical presence in Algeria.

Legal Bases for Processing

The law requires express, informed consent as the primary legal basis for data processing. Consent must be freely given and can be withdrawn at any time. Exceptions allow processing without consent when:

  • Required by a legal obligation applicable to the controller
  • Necessary to protect vital interests of the data subject
  • Required for performance of a contract with the data subject
  • Necessary for a public interest task
  • Justified by legitimate interests of the controller (subject to balancing)

For most commercial uses — marketing, analytics, user profiling — explicit consent remains the most appropriate and legally safe basis.

Core Data Protection Principles

Like GDPR, Law 18-07 is built on fundamental principles governing all personal data processing:

  1. Lawfulness: Processing must have a legal basis
  2. Purpose limitation: Data collected for one purpose cannot be used for incompatible purposes
  3. Data minimization: Only collect what is strictly necessary
  4. Accuracy: Personal data must be kept accurate and up to date
  5. Storage limitation: Data must not be retained longer than necessary
  6. Security: Appropriate technical and organizational measures must protect data integrity and confidentiality

The 2025 Amendment: Law 25-11 — What Changed

Law No. 25-11, enacted on July 24, 2025, introduced several significant changes:

Mandatory Data Protection Officers

Organizations handling large-scale or sensitive data processing must now appoint a Data Protection Officer (DPO). The DPO’s contact details must be communicated to the ANPDP. This requirement, previously only recommended, is now a legal obligation under the amended law.

Five-Day Breach Notification

The amended law introduces breach notification obligations:

  • 5 days to notify the ANPDP from the moment of becoming aware of a personal data breach
  • Affected individuals must also be notified when a breach occurs

Organizations should maintain an internal breach register documenting all incidents to demonstrate compliance.

Data Protection Impact Assessments (DPIAs)

Organizations must conduct DPIAs for high-risk data processing activities — a new requirement that mirrors GDPR Article 35. This includes processing that involves large-scale systematic monitoring, sensitive data categories, or new technologies with significant privacy implications.

Records of Processing Activities

Controllers are now required to maintain detailed records of processing activities, documenting what data is collected, why, how long it’s retained, and who receives it.

Data Subject Rights

Individuals have the right to:

  • Information about how their data is being processed
  • Access all personal data held about them
  • Rectification of inaccurate data
  • Object to processing, particularly for direct marketing
  • Withdraw consent at any time
  • Protection against automated decision-making

Note: Unlike GDPR, Law 18-07 does not explicitly provide a “right to erasure” or “right to data portability.” Organizations accustomed to GDPR compliance should be aware of this distinction.

Cross-Border Data Transfers

Personal data about Algerian residents may only be transferred outside Algeria to countries that provide adequate protection, as assessed by the ANPDP. For transfers without an adequacy determination:

  • Explicit authorization from the ANPDP is required
  • Data subject consent for the specific transfer
  • Exceptions exist for legal obligations, contract performance, court proceedings, vital interests, and public interest

Important: Transfers are prohibited if they endanger national security or vital state interests. The ANPDP has not yet published an adequacy country list, meaning most international transfers currently require case-by-case authorization.


The ANPDP: Algeria’s Data Protection Authority

The Autorité Nationale de Protection des Données à Caractère Personnel (ANPDP) is the independent supervisory authority established by Law 18-07. Following Law 25-11, the ANPDP’s powers include:

  • Investigation authority: conducting audits and investigations
  • Enforcement orders: suspending unlawful data processing activities
  • Administrative fines: 20,000 to 1,000,000 DZD (approximately $150–$7,500) for violations
  • Criminal sanctions: Non-compliance can result in imprisonment from 2 months to 5 years for serious violations including unauthorized data disclosure or sensitive data misuse
  • Documentation requests: requiring proof of consent and processing records

The penalty scale is modest compared to GDPR’s percentage-of-turnover model, but the criminal dimension — including potential imprisonment — makes Algerian data protection law uniquely consequential for individuals responsible for compliance failures. This is not a regime where fines are simply a cost of doing business.

Current enforcement reality: As of early 2026, there are no publicly reported enforcement actions by the ANPDP. However, with Law 25-11 now in force and the ANPDP’s expanded powers, this enforcement vacuum is unlikely to persist.

Practical Compliance Roadmap for 2026

For organizations that have not yet undertaken a structured compliance program:

Phase 1: Audit (Months 1–2)

  • Data inventory: Map every category of personal data you collect, process, or store about Algerian residents
  • Processing activities record: Document the purpose, legal basis, retention period, and recipients for each processing activity
  • Vendor assessment: Identify all third-party processors who receive Algerian personal data and review their data processing agreements

Phase 2: Gap Analysis (Months 2–3)

  • Compare current practices against Law 18-07 + Law 25-11 requirements
  • Identify highest-risk gaps: missing consent mechanisms, unauthorized cross-border transfers, inadequate security measures, absence of breach response procedures
  • Prioritize remediation by risk level

Phase 3: Remediation (Months 3–6)

  • Appoint DPO if required; register contact details with ANPDP
  • Update privacy notices and consent mechanisms on digital properties
  • Implement technical security measures: encryption at rest and in transit, access controls, audit logging
  • Establish breach detection and five-day notification procedures
  • Create data subject rights request handling process
  • Conduct DPIAs for high-risk processing activities

Phase 4: Ongoing Compliance

  • Annual privacy impact assessments for new processing activities
  • Regular staff training on data protection responsibilities
  • Quarterly review of the breach register
  • Annual DPO report to senior management

Dual Compliance: Law 18-07 and GDPR

For multinationals operating in both Algeria and the European Union, Law 18-07’s GDPR-inspired framework provides a familiar structure. The two frameworks share similar legal bases for processing, comparable data subject rights, and analogous DPO requirements.

However, key differences exist that prevent a simple copy-paste of GDPR compliance programs:

  • Breach notification: 5 days to ANPDP (vs. 72 hours under GDPR)
  • Erasure and portability: Not explicitly provided as rights in Algerian law
  • Cross-border transfers: No published adequacy list; ANPDP authorization required case-by-case
  • Penalties: Criminal sanctions including imprisonment (GDPR is purely administrative)
  • Consent emphasis: Algeria places greater weight on express consent vs. GDPR’s broader legitimate interest basis

A single privacy compliance program with Algeria-specific customizations — particularly around breach notification timelines, consent mechanisms, and ANPDP registration — can address both frameworks, but organizations should not assume GDPR compliance automatically satisfies Algerian requirements.


Decision Radar

Dimension: Assessment

  • Relevance for Algeria: High — Law 25-11 creates new mandatory obligations for any organization processing Algerian personal data
  • Action Timeline: Immediate — Law 25-11 has been in force since July 2025; DPO appointments and breach procedures must be in place now
  • Key Stakeholders: DPOs, Legal/Compliance Officers, CISOs, IT Directors, Marketing Teams handling customer data
  • Decision Type: Tactical — specific compliance steps required, not just strategic awareness
  • Priority Level: High

Quick Take: Algeria’s data protection regime has teeth it didn’t have before — including criminal sanctions for non-compliance. Organizations processing Algerian personal data should immediately appoint a DPO, establish a 5-day breach notification procedure, and begin conducting DPIAs for high-risk processing. The absence of ANPDP enforcement actions to date should not be mistaken for a signal that compliance is optional.
