Population: 43,851,043

Capital: Algiers

President: Abdelmadjid Tebboune

2021 Freedom House Score: 32/100

Data protection law? Yes, with data protection authority appointed

Privacy enshrined in Constitution: Yes, the Algerian Constitution protects the right to privacy in Article 47, including privacy over correspondence and private communications and the protection of individuals when handling personal data is a fundamental right.

DPA legislation: Law No. 18-07 on the protection of individuals in the processing of personal information (the Law) was passed in 2018 and provides a comprehensive basis for the protection of personal data. The law provides for a one-year period from the date of the establishment of the data protection authority for data controllers to become compliant, but to date the authority has not yet been created, and as such, it is not yet enforced.

The Law requires that the processing of personal information, regardless of its origin or form, must be done in a manner that respects human dignity, the right to privacy, and public liberties, and must not infringe on human rights or a person’s honour or reputation.

The Law provides data subjects with the right to information, access, and correction, and the right to object to the processing of their information.

ICCPR: Ratified

Council of Europe Convention 108: No

Council of Europe Convention 185: No

Malabo Convention: No

ECOWAS Supplementary Act on Personal Data Protection: No

Council of Europe Additional Protocol to Convention 108 (Treaty No. 181): No

Applies to natural persons: Yes

Applies to juristic persons: Yes

Applies to public entities: Yes

Domestic/personal purposes exclusion: Yes

National security exclusion: Yes

Law enforcement exclusion: Yes

Cabinet or Executive Council exclusion: No

Judicial functions exclusion: No

Journalistic, literary or artistic purposes exclusion: No

Temporary copies exclusion: No

Other exclusion(s): Yes

Broad or vague exclusions: Yes

Applies to foreign entities: Yes

Excludes foreign entities that only transit personal data through the country: Yes

Personal data is defined as any information, regardless of its medium, that concerns and identified or identifiable person in a direct or indirect manner, in particular with reference to an identification number or one or more elements specific to a person’s physical, physiological, genetic, biometric, mental, economic, cultural or social identity.

Sensitive personal data is defined as personal data related to:

• Ethnic or racial origin;
• Political opinions;
• Religious or philosophical beliefs;
• Trade union membership;
• Health, including genetic data.

Chapter II of the Law provides a number of principles with which the processing of personal information must accord. Processing may only be implemented with the express consent of the data subject of legal guardian, if relevant. Personal information must be processed lawfully and fairly, must be collected for a determined, explicit and legitimate purpose, and must be adequate, relevant and not excessive with regard to the purpose for which it was collected. Personal information must be accurate, complete and kept up to date, and must not be retained for a period longer than is necessary to achieve the defined purpose.

All processing of personal information is subject to a prior declaration to or authorisation from the designated regulatory authority.

Notification that data is being processed: Yes

Notification to DPA in event of data breach: Partial

Notification to data subject in event of data breach: Partial

Timeframe for notification is specified: No

Exceptions exist to breach notifications: Yes

Requires a data processing register: Yes

Register is publicly available: Unclear

Provides for terms of service icons: No

DPA must submit at least annual report: Yes

DPA report is made public: Unclear

Explicit provision for civil liability: Yes

Established/designates a Data Protection Authority: Yes

DPA is empowered to investigate: Yes

DPA is empowered to subpoena or request evidence: Yes

Law provides for criminal penalties: Yes

Law provides for administrative penalties: Yes

DPA is independently structured (does not exist within or receive instructions from another public body): Yes

DPA receives funding directly from the state budget/legislative body: Yes

DPA may receive some forms of external funding/own revenue: Unclear

Adequate protections against undue removal: Unclear

Number of members in DPA: 16

Maximum term length for members of the DPA (years): 10

Right of data subject to access a copy of their personal data: Yes

Right of data subject to request a correction of data: Yes

Right of data subject to request deletion of data: Yes

Justification required for a request for deletion: Yes

Defines the requirements for consent: Yes

DPA is mandated to participate in policy formulation: Yes

A responsible party may not transfer personal information to a foreign country without the authorisation of the national authority and if the country provides a sufficient level of protection for the privacy and fundamental rights and freedoms of individuals, a fact which is to be assessed by the national authority.

A responsible party may nonetheless transfer personal information to another country that does not comply with this requirement if the data subject has provided their express consent, if the transfer is made pursuant to a bilateral or multilateral agreement to which Algeria is a party; or if the transfer is necessary:

• To protect the life of the data subject;
• To protect the public interest;
• For the defence of a legal right;
• For the execution of a contract between the responsible party and the data subject or pre-contractual measures taken in that regard;
• For the execution of a contract concluded in the interests of the data subject between the responsible party and a third party;
• For the execution of an international legal assistance measure; or
• For the prevention, diagnosis, or treatment of medical conditions.

Provides a right not to be subject to automated decision-making: Yes