Algorithm-proof freedom: what’s behind North Africa’s data laws

The meteoric rise of digital technologies and the massive collection of personal data have profoundly altered relations between citizens, governments and companies. In the countries of North Africa and the Middle East, these changes raise fundamental questions: How can individual freedoms be preserved in the face of surveillance? What role can the law play when  states are tempted to control rather than protect? And are the systems in place truly capable of guaranteeing a digital space that respects rights?

Algeria recently revised its 2018 personal data law with a new text, adopted in July 2025. This change comes at an opportune moment to question all the legislation currently in force in Algeria, Tunisia, Morocco and Egypt. While these texts show a desire to align with international standards, they are still riddled with grey areas, sometimes revealing the political instrumentalization of digital regulation.

By comparing them with the European Union’s General Data Protection Regulation (GDPR), often cited as a benchmark for digital rights, this analysis offers a comparative, critical and committed perspective. It is aimed at those who refuse to choose between security and freedom, and who seek to understand how the law can become a lever of emancipation rather than a tool of domination.

Why do we need a law to protect personal data?

Protecting personal data is not just a technical or compliance issue. It is a political, philosophical and social issue. It lies at the crossroads of several traditions: liberalism, which defends individual rights; socialist thought, which denounces the logic of domination; and universalism, which affirms the equal dignity of all.

In the digital world, every click, every message, every geographical location becomes a fragment of ourselves. Data is no longer mere numbers. They reveal preferences, opinions and vulnerabilities. They reveal intimacy, but also commitment, memory and identity. They reveal a digital double, often more exposed than we think.

Faced with this reality, a legal framework is essential. The European Union chose to act in 2016 with the GDPR, which came into force two years later. Its founding principle is simple: data belongs to the data subject, not to those who collect or process it. Platforms, companies and administrations are merely temporary custodians, responsible for their use.

The GDPR has introduced new, concrete and often ignored rights. The right to erasure, portability, opposition, or the right not to be subjected to automated decisions. These tools are not incidental. They give everyone back some room for maneuver in an increasingly opaque world.

But in other regions, notably in authoritarian states or states in transition, the law can serve other purposes. Instead of protecting, it can monitor. Instead of emancipating, it can coerce. Texts do exist, sometimes well-drafted, but in practice, they are abused. The law then becomes a window behind which massive data collection, profiling and censorship are organized.

It is in this gap between legal discourse and political reality that the battle is fought. And it is this gap that this study aims to shed light on.

The Algerian law of 2025: between openness and institutional lock- in

With law No. 25-11 adopted in July 2025, Algeria has decided to modernize its legal framework for the protection of personal data. The text builds on the 2018 law, and bears witness to a certain voluntarism. It affirms the need for a clear framework, in a country where digital technology plays an increasingly central role.

Among the measures announced, the creation of a National Data Protection Authority is a strong signal. It affirms that privacy is not a luxury, but a fundamental right. It recognizes that the digital world is not neutral, and that it deserves public control. By imposing principles such as free and informed consent, prior definition of processing purposes, and the obligation of transparency, the law sets an ethical course. It calls on institutions and companies to review their practices.

In the field, the administration has organized awareness-raising campaigns. It has launched training courses and opened debates on digital sovereignty. The message is clear: the State wants to catch up, build a responsible data culture, and enter the era of digital rights.

But behind this impetus, weaknesses remain. The text is silent on data processing by security services. It does not impose any independent control over data collected for security or strategic purposes. Although the newly-created Authority is described as independent, its resources, real powers and budgetary autonomy remain unclear. Without solid guarantees, its action risks remaining symbolic.

Citizens’ rights are set out in the text, but rarely guaranteed in practice. Appeal procedures are complex and not well known to the general public. Sanctions are weak and rarely applied.

Algorithmic transparency is not addressed. And trust in institutions remains fragile.The legal reform of 2025 marks a turning point, but it walks a fine line. It hesitates between democratic ambition and the logic of control. It promises openness, but leaves surveillance mechanisms out of the picture. It’s a start -undoubtedly sincere- but still far from a profound change.

The European GDPR: a legal foundation and a tool for digital sovereignty

The General Data Protection Regulation, better known by its acronym GDPR, was adopted in 2016 by the European Parliament and came into force in May 2018. This is no mere technical update. This text marks a turning point. It replaces a 1995 directive, drafted at a time when the internet still concerned a minority, and data collection remained marginal.

The GDPR was born of a series of observations. First, the rise in power of digital giants who accumulate data without any real control. Second, the inability of European states to effectively regulate this new power, so fragmented were national regimes. And finally, citizens’ growing mistrust of the opacity of platforms. The European Union therefore wanted to establish a strong, harmonized and protective framework. The idea was simple: give individuals back control over their data and demand uncompromising transparency from digital players.

The RGPD is based on a series of clear principles. All data collection must be lawful, justified and proportionate. Data must only be kept for as long as necessary. It must be accurate, secure and, above all, accessible to the data subject. To this must be added concrete rights: deleting data, transferring it, refusing certain processing operations and requesting explanations of automated decisions.

These rights are not theoretical. They are accompanied by precise procedures. Companies must document their processing operations, alert the authorities in the event of a leak, and appoint a compliance officer. And, above all, supervisory authorities, such as the CNIL in France, have extensive powers, up to and including the imposition of fines of up to several million euros.

The strength of the RGPD lies not only in its legal content. It’s in its coherence. The rights are clear, the obligations binding, the sanctions real. The individual is no longer a mere object of regulation. They become active participants, capable of contesting, questioning and refusing.

In the countries of the South, the RGPD is often presented as a model. But the aim must not be to copy it slavishly. Rather, it’s a matter of drawing inspiration from it with discernment. We need to understand its logic, adapt its principles to local realities, and turn it into a lever for social and political transformation.

Tunisia, Morocco and Egypt: between legal advances and political obstacles

The paths taken by Tunisia, Morocco and Egypt clearly illustrate the tensions inherent in Arab societies, which are confronted with both democratic aspirations and authoritarian logics of power. Each of these countries has attempted to regulate the use of personal data, but none has yet succeeded in making this regulation a genuine pillar of the digital rule of law.

In Tunisia, the organic law adopted in July 2004 was one of the first in the region. This was before the revolution. Although a pioneering text, it remains marked by an administrative vision of data protection. Since 2011, few far-reaching reforms have been carried out, despite the creation of the INPDP, the National Authority for Personal Data Protection. This authority remains on the sidelines. Its independence is theoretical, due to a lack of budget, staff and

institutional recognition. Its action relies more on the goodwill of its members than on a solid operational mandate.

Morocco, for its part, passed a law in 2009. It established a National Commission for Data Protection. The Commission has investigative powers and can impose sanctions. On paper, the architecture is more robust than in Tunisia. In practice, however, the administrative culture remains unfavorable to transparency. The frequent use of derogations for security reasons severely limits the real application of the law’s principles. There is a constant gap between stated intentions and day-to-day practice.

Egypt came later, in 2020, with a law that represents a first attempt at a comprehensive framework. The text is ambitious. It introduces modern concepts borrowed from international standards. But its application remains constrained by the political context. The regulatory authority, the EDPA, reports directly to the government. Citizens, for their part, are reluctant to assert their rights in an environment where surveillance is omnipresent and sanctions sometimes arbitrary. Digital self- censorship is commonplace.

These three experiences show that legal convergence with international standards is possible. But without truly independent institutions, accessible justice and a culture of law, texts often remain a dead letter. Data protection becomes a formal exercise, sometimes useful for international relations, but rarely mobilized by citizens themselves.

What the laws say: apparent convergences, deep divides

If we simply read the texts, personal data protection seems to have found a common language. Algeria, Tunisia, Morocco, Egypt and the European Union share key words: consent, transparency, purpose, right of access, national authority. Everything leads us to believe that legislation is converging towards a common model, inspired by the European RGPD.

In reality, this resemblance is often deceptive. Normative mimicry is very real. It sometimes responds to the demands of international cooperation, obligations under trade agreements or the desire to win over external partners. But it masks considerable discrepancies in the practical application of rights.

In Europe, the rights enshrined in the RGPD can be mobilized, institutions enforce them, and sanctions have a dissuasive effect. In the countries of the South, the situation is different.

Protection authorities lack resources. Their independence is often fragile, sometimes nonexistent. Complaints mechanisms are little known, and appeals are long, uncertain and even risky. Citizens are often unaware of their rights, or lack confidence in their ability to assert them.

There is also a fundamental difference. In Europe, data protection is part of a tradition of democratic regulation. It is based on a balance between individual freedom and the public interest. In the countries of North Africa and the Middle East, this framework has yet to be established. Security considerations still dominate. Data is not perceived as a right, but as a strategic resource to be controlled.

In other words, it is not so much the law that is lacking as the political context that prevents it from being effective. As long as institutions remain fragile, as long as the justice system is unable to arbitrate impartially, and as long as digital education remains marginal, regulation will be unable to produce its effects. It will remain formal, often decorative, sometimes instrumentalized.

So the heart of the problem lies not in the absence of law, but in the absence of guarantees surrounding the law. This is where the real divide lies.

Data: a political and social battleground

Today, personal data are no longer just simple files stored on servers. They have become identity markers, tools of influence and sources of power. In the globalized digital economy, data circulates at high speed, feeding algorithms and shaping decisions. They are extracted, cross- referenced and resold, without those who produce them being fully aware of it.

In liberal economies, data collection is massive and industrialized. It is used to profile behavior, anticipate choices and guide consumption. It fuels a digital capitalism based on discreet surveillance and fine-grained manipulation. In authoritarian regimes, the same tool takes a different turn. It becomes an instrument of control, intimidation and neutralization. Personal data becomes incriminating evidence, a pretext for censorship and a lever for blackmail.

In such contexts, asserting the right to data protection is not a luxury. It’s not a legal whim. It’s an act of resistance. It means demanding to be treated as a subject of law, not as an object to be modeled or monitored. It means refusing to let your opinions, movements and habits be exploited without your knowledge. It means refusing to be reduced to a risk index or a line of code.

It’s a difficult battle, because it’s a power struggle because there are three opposing logics. The first is security, based on fear, and demands unlimited access to data in the name of public order. The second is economic, dictated by the promises of the digital market and the quest for competitiveness. The third, more fragile but essential, is civic. It defends privacy, freedom of expression and self-control in the digital space.

In many countries of the South, it is the first logic that dominates. The security apparatus imposes its priorities. Institutions struggle to play their balancing role. The law becomes a facade, rarely applied. As for the citizen, they are often left alone to face the risks.

Digital sovereignty cannot be reduced to a confrontation between states and platforms. It also implies that each individual has the capacity to act, to refuse, to understand. It is this individual autonomy that forms the basis of a democratic order in the digital sphere.

The GDPR offers a framework, an inspiration. But it is not enough. We need solid institutions, a culture of law, digital education accessible to all. We also need the political courage to make digital a space for freedom, not submission.

Rethinking national laws: tools to protect, not to monitor

Taking up the principles of the GDPR does not mean copying them line by line. It means understanding its spirit. It means adapting its requirements to local realities, while keeping one end in mind: making personal data an effective right, a bulwark against abuse, a tool for emancipation.

This reform can only succeed if it is based on a few fundamental pillars.

First and foremost, we must guarantee the genuine independence of data protection authorities. Without budget of their own, no investigative powers and no statutory autonomy, they are little more than showcases. They must be given the means to act, to sanction and  to publish their opinions in complete freedom. Independence must not be a principle in law, but a reality in practice.

Secondly, we need to strictly control the processing carried out by state institutions. There is a great temptation, especially in authoritarian regimes, to use data for control purposes.

Security services cannot be left outside the scope of the law. Derogations must be limited,clearly framed and submitted to a judicial authority. Security must never justify generalized surveillance.

Thirdly, we must[l1]  make rights concrete and accessible. It is not enough to enshrine the right to erasure or opposition in an article. We need simple, fast, free procedures. Online complaint platforms. Legible appeals and clear deadlines. If exercising rights is an obstacle course, then those rights are fictitious.

Fourth, focus on digital education. The best legislation is useless if citizens don’t know that they have rights, or how to enforce them. We need to introduce a digital culture right from school, offer training courses to for administrations, and organize clear, accessible information campaigns.

Fifth, we need to change the way we look at data. As long as we see data as a resource to be exploited, a commodity to be valorized, the market logic will take precedence over the logic of rights. We need to develop a different culture: we need to consider data as a common good, which engages society as a whole.

Finally, we need to involve civil society at every stage. Associations, journalists, researchers and experts must have their place in the drafting, implementation and evaluation of legislation. Transparency and participation are not optional. They are the only guarantees of a real balance.

In short, reform is not just a question of the articles of a law. It is based on a vision. Either we choose to reinforce state control, or we choose to reinforce citizens’ freedom. There is no possible compromise between massive surveillance and respect for fundamental rights.

Defending freedoms in the age of algorithms

Personal data has become a central political issue. It reveals much more than our habits: it tells us who we are, what we think, what we fear. It traces the contours of our digital and physical

existence. The way it is protected, or exploited, says a lot about the nature of the regime that controls it.

In Algeria, Morocco, Tunisia and Egypt, the texts exist. Laws have been passed. Authorities have been created. Speeches have been made. But the gap between principles and implementation remains wide. Too often, data protection is used as a diplomatic showcase, with no tangible effect for citizens.

Yet expectations are high. Societies are changing. Digital usage is exploding. Citizens want to understand, want to choose, want to retain control over their digital footprints. They want to know why their data is collected, how it is used, and for what purposes.

The European GDPR offers a source of inspiration. It doesn’t solve everything. It is not perfect. But it provides a framework. It affirms that individual freedoms must survive digital transformation. It reminds us that no technical progress justifies the erosion of rights.

Drawing inspiration from this model does not mean reproducing a recipe. It means choosing a democratic digital future. It means asserting that the rule of law does not stop at the virtual frontier. It means recognizing that mass surveillance is not inevitable.

It’s a battle worth fighting. By lawyers, by journalists, by activists, by teachers. It deserves to be taken up in schools, in the media, and in parliaments. For without citizen control over digital technology, there can be no democracy in the 21st century.

Bibliography

• CNIL. Le RGPD en pratique. Paris : CNIL, 2022.
• Union européenne. Règlement (UE) 2016/679 du Parlement européen et du Conseil du 27 avril 2016 relatif à la protection des personnes physiques à l’égard du traitement des données à caractère personnel. Disponible sur : https://eur-lex.europa.eu/legal-content/FR/TXT/?uri=CELEX%3A32016R0679
• République algérienne démocratique et populaire. Loi n° 18-07 du 10 juin 2018 relative à la protection des personnes physiques dans le traitement des données à caractère personnel, modifiée par la Loi n° 25-11 du 17 juillet 2025.
• République tunisienne. Loi organique n° 2004-63 du 27 juillet 2004 relative à la protection des données à caractère personnel.
• Royaume du Maroc. Loi n° 09-08 du 18 février 2009 relative à la protection des personnes physiques à l’égard du traitement des données à caractère personnel.
• République arabe d’Égypte. Loi n° 151 de 2020 sur la protection des données personnelles.
• OHCHR (Haut-Commissariat des Nations unies aux droits de l’homme). Guidelines on the Right to Privacy in the Digital Age, 2022.

 [l1]Strengthened directive tone for consistency with rest of the list