Personal data protection in Morocco
The protection of personal data is a matter of primary importance for Morocco. Several commitments were made by the National data protection commission (CNDP), to align with the European Data Protection Model. Morocco’s accession to Convention 108 is an important step for Morocco’s adequacy process. Morocco deposited its instruments of ratification on 23 May 2019 in Strasbourg.
The Moroccan legal framework for data protection
The legislation relating to the protection of personal data comes from the Moroccan Constitution, “Everyone has the right to the protection of his private life”, as well as Law 09-08 relating to the protection of individuals with regard to data processing personal character.
The convergences between the Moroccan law and the RGPD
Law 08-09 is converging with European regulations as it relies heavily on Directive 95/46 on which the RGPD is based.
The difference between the law 09-08 and the RGPD
The Moroccan regulation on the protection of personal data is marked by the absence of conditions applicable to the consent of minors as regards the services of the information society. Moreover, the Moroccan law does not answer all the points, in particular the obligations of conformity, treatment and transparency. To make up for the legal and cultural gap, Morocco is working in the framework of a European Union program called “Southern III” and is making sure that businesses and citizens are aware of the protection of personal data.
The role of the national data protection commission
The main objective of the CNDP is to ensure respect for the fundamental rights and freedoms of natural persons with regard to the processing of personal data. It issues advice and proposals to the government, parliament and other administrations, on aspects related to data protection. It also has a mission of control and investigation enabling it to check and verify that the processing of personal data is carried out in accordance with the provisions of Law 09-08.
Despite Morocco’s efforts, it still has some way to get the adequacy decision that certifies that it provides adequate protection of personal data.