Law No. 09-08, Data Privacy for Moroccan Citizens

Morocco’s Law No. 09-08 on the Protection of Individuals with Regard to the Processing of Personal Data, also known as Law No. 09-08 for short, is a data protection law that was passed in 2009. As Morocco was one of the many non-European countries to ratify the modernized Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data, or the modernized Convention 108 for short, the country has made a concerted effort to afford its citizens a level of data protection and privacy similar to that afforded to residents of EU member states under the General Data Protection Regulation or GDPR. To this end, Law No. 09-08 outlines the legal framework that data controllers in Morocco must abide by when processing personal data.

What is the scope and applicability of Law No. 09-08?

Under Law No. 09-08, a data controller is defined to mean “the natural or legal person, public authority, service or any other body which, alone or jointly with others, determines the purposes and means of the processing of personal data”. Conversely, a data processor is defined to mean “the natural or legal person, public authority, the service or any other body which processes personal data on behalf of the controller”. These definitions are consistent with those laid out by the General Data Protection Regulation or GDPR.

The territorial scope of the law comes into effect under the following circumstances:

  • Instances in which data processing is carried out “by a natural or legal person whose controller is established on the Moroccan territory. The controller which carries out an activity on the Moroccan territory in the context of an establishment, whatever its legal form, is considered to be established in Morocco”
  • Instances in which a data controller is “established on Moroccan territory, but uses means (automated or not), located on the Moroccan territory, for the purpose of processing personal data (excluding processing that is only used for transit purposes on the Moroccan territory or on that of a country whose legislation is recognized as equivalent to that of Morocco in terms of protection of personal data). In this case, the controller must notify the CNDP of the identity of a representative established in Morocco who, without prejudice to its personal liability, shall substitute for it in all its rights and obligations resulting from the provisions of the Law and the texts adopted for its application.”

What’s more, Law No. 09-08 defines the processing of personal data to mean “any operation or set of operations which is performed upon personal data, whether or not by automatic means, such as collection, recording, organization, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, as well as blocking, erasure, or destruction”. As such, the law also applies to the processing of personal data that is either wholly or partly automated, as well as the non-automated processing of personal data that is contained or intended to be contained within manual files.

What are the responsibilities of data controllers and processors under Law No. 09-08?

In keeping with the similarities between Law No. 09-08 and the EU’s General Data Protection Regulation, Law No. 09-08 established various data protection principles that provide the legal framework for the processing of personal data within Morocco. These data protection principles state that personal data should be:

  • Processed in a manner that is both fair and lawful.
  • Collected for specific, explicit, and legitimate purposes, and not processed in any manner that is inconsistent with these purposes.
  • Relevant, adequate, and non-excessive in relation to the purposes for which personal data is to be collected and subsequently processed.
  • Accurate and kept up to date where necessary. Data controllers and processors must also take reasonable measures to delete and rectify personal data that is found to be inaccurate or incomplete with respect to the purposes for which said personal data was collected.
  • Kept in a form that permits the identification of data subjects for no longer than is necessary for the purposes for which personal data was originally obtained and subsequently processed.

In addition to these data protection principles, Law No. 09-08 also mandates that data controllers fulfill other obligations that are commonly required by comprehensive privacy laws. These obligations include providing data subjects with data processing notifications, outlining specific rules as they pertain to international data transfers, and ensuring that data controllers and processors carry out their respective operations and duties in accordance with contracts between the two parties. Notably, Law No. 09-08 places no responsibility on data controllers and processors as it pertains to data breach notifications, specific provisions regarding children’s data, or the maintaining of data processing records.

What are the rights of data subjects under Law No. 09-08?

The rights that are afforded to data subjects under Law No. 09-08 include:

  • The right to be informed.
  • The right to access.
  • The right to rectification.
  • The right to object or opt-out.
  • The right not to be subject to automated decision-making.

The penalties that can be levied against data controllers and processors include a term of imprisonment of up to six months, as well as monetary penalties ranging from MAD 10,000 ($1,064) to MAD 50,000 ($5,357), depending on the scope and severity of the offense. Law No. 09-08 is enforced by the National Commission for the Protection of Personal Data, or CNDP for short, and some common examples of compliance violations include hindering the functions of the CNDP as it relates to enforcement of the law, refusing to comply with CNDP inspectors in regards to investigations of wrongdoing, and refusing to communicate certain documents as set forth by law.

Law No. 09-08 is designed to provide Moroccan citizens the same level of privacy and data protection as the EU’s GDPR, and it serves as the foremost means of protecting the personal privacy of Moroccan citizens. While the law does not provide data subjects with the rights to erasure or data portability in accordance with the EU’s GDPR, the two laws provide similar levels of protection. As such, Moroccan citizens have effectively been guaranteed their data privacy, joining the many countries that have made such guarantees in recent years.