The Moroccan Data Protection Act (Act 09-08) was adopted by the Moroccan Parliament in December 2008, promulgated by Dahir no. 1-09-15 and published in the Official Gazette on March 5, 2009. The first article of this Act contains the majority of the principles included in the French Data Protection Act (Act 78-17 dated January 6, 1978).
The main purpose of the implementation decree(1) issued in relation to this Act was to set out the roles and responsibilities of the Moroccan data protection authority, the Commission Nationale de contrôle de la protection des données à caractère personnel (CNDP), which is similar to its French equivalent, the CNIL. The implementation decree also describes how data subjects can exercise their rights in relation to the processing of personal data.
A transition period of two years began on the date on which the identity of the CNDP’s members was published in the Official Gazette. Consequently, companies based in Morocco have until November 15, 2012 in order to comply with the requirements of Act 09-08(2).
The main aims of the Moroccan Data Protection Act are to ensure the confidentiality of personal data and strengthen the applicable data protection measures (particularly for data defined as “sensitive”), but it also provides that judicial decisions requiring an assessment of a person’s behavior cannot be based on the processing of personal data that is intended to evaluate aspects of that person’s personality.
The analysis below provides a summary of how the Act is applied and notably the provisions relating to transfers of personal data between European Union countries and Morocco, which are important in light of the increasing use of Business Process Outsourcing.
1. Presentation of Act 09-08
1.1 Definition of Personal Data
Act 09-08 defines personal data(3) as any information relating to an identified or identifiable natural person (a “data subject”), irrespective of the form or medium of said information, and including sound and images. Consequently any information relating to an employee, a customer (national or foreign) or a sub-contractor (national or foreign) could fall within the Act’s scope of application.
The Act also aims to strengthen the protection of “sensitive” data(4) which is defined as data relating to a person’s racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, or health (including genetic data).
Personal data processing is defined as “any operation or set of operations which is performed upon personal data, whether or not by automatic means, such as collection, recording, organization, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction”.
The wording used in the Moroccan Data Protection Act is similar to that used in the equivalent European text(5), which states that "automatic processing includes the following operations if carried out in whole or in part by automated means: storage of data, carrying out of logical and/or arithmetical operations on those data, their alteration, erasure, retrieval or dissemination".
In general, the underlying principles behind the Moroccan Act are similar in numerous respects to its EU equivalent.
1.2 Obligations of the data controller
Data controllers are required to comply with a number of obligations with respect to data subjects and are also subject to authorization and notification procedures.
- Prior authorization and notification procedures
Act 09-08 provides that all processing of data concerning identified or identifiable persons has to be notified and introduces a specific procedure for sensitive data.
- Prior notification(6)
The data controller (or his representative) is required to notify the CNDP prior to performing any wholly or partly automated processing operation or set of such operations intended to serve a single purpose or several related purposes. Such notifications are subject to specific conditions as set down by the law.
- Authorization procedure(7)
The authorization procedure applies to processing sensitive data and is aimed at strengthening the protection of this type of data in view of its nature. The data controller is also required to comply with a number of specific obligations with respect to the data subject.
- Obligations with respect to the data subject
The data controller’s obligations with respect to the data subject include the following:
- Obtaining consent from the data subject(8)
Before collecting and processing any personal data, the data controller must obtain the consent of the data subject. However, Article 4 a) to e) of Act 09-08 provides a number of exceptions to this general rule, including where the processing is necessary for the performance of a "contractual obligation"(9) or to "pursue the legitimate interests of the data controller provided that the fundamental rights and liberties of the data subject are respected"(10). Given the difficulty of defining the exact limits of these exceptions, an interpretation from the CNDP will be required to clarify them.
- Informing the data subject
Pursuant to Article 5 of Act 09-08, prior to any data processing the data controller or his representative must provide a data subject from whom data relating to himself are collected with at least the following information, except where he already has it:
"a) the identity of the data controller and of its representative, if any;
b) the purposes of the processing for which the data are intended;
c) any further information such as the recipients or categories of recipients of the data, whether replies to the questions are obligatory or voluntary, and the possible consequences of a failure to reply;
d) the details of the receipt issued by the CNDP in the event of a prior notification, or the details of the authorization issued by the CNDP;[…]
Said information must be given in an express, precise and unequivocal manner.
- Duty of confidentiality and security
In accordance with Article 23 of Act 09-08 the data controller is required to comply with a duty of confidentiality and security relating to the data processed. Consequently, if the data controller uses a sub-contractor for data processing it must ensure that it selects a service provider that can give sufficient guarantees in respect of technical security measures(11).
- Duty of quality
Under Article 3 of Act 09-08 the data controller is also subject to a duty of quality regarding the purposes of the data processing and the accuracy of the data collected. Data must be collected for specified, explicit and legitimate purposes(12) and the data must be adequate, relevant and not excessive in relation to the purposes for which they are collected. In addition, the data must be accurate and, where necessary, kept up to date, and must be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the data were collected.
1.3 Examples of the scope of application of Act 09-08
In line with the European standards applicable for personal data protection, the Moroccan Data Protection Act covers a broad range of data. The Act applies to all forms of personal data processing that meet the above-mentioned definition, irrespective of whether or not the processing is automated(13).
The Act also prohibits any direct marketing, including through automatic calls or e-mails, using the contact details of any person without their prior consent(14). This is a key point of the Act, especially as consumer protection is generally still weak in Morocco. Despite the entry into force of the Moroccan Consumer Protection Act (Act 31-08) on April 7, 2011 there are still few laws and regulations in the country that efficiently counter “aggressive” practices targeted at Moroccan consumers.
2. Data transfers to Morocco
2.1 Personal data transferred from Morocco
In the same way as the applicable EU law, Act 09-08 provides for a system to protect transfers of personal data to foreign countries, particularly when the countries concerned do not provide a sufficient level of protection of privacy, freedom and fundamental rights of individuals concerning personal data processing.
The adequacy of the level of protection afforded by a foreign country is assessed in the light of the nature of the data concerned, the purpose and duration of the proposed processing, the country of origin and country of final destination, the rules of law in force in the foreign country in question and the security measures which are complied with in that country.
Pursuant to the third paragraph of Article 3 of Act 09-08, the CNDP has the power to establish a list of authorized countries that meet the above criteria. However, no such list has been drawn up to date.
The Act(15) provides that an authorization from the CNDP is not required when a transfer is considered necessary, notably when it is “necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract”. In addition, transfers do not require an authorization if they are carried out in connection with “the conclusion or performance of a contract concluded or to be concluded in the interest of the data subject between the data controller and a third party”.
2.2 Data transfers to Morocco
In relation to the transfer of personal data from France to Morocco, the French Data Protection Act of August 6, 2004 – which transposed into French law European Directive 95/46/EC – provides that personal data may only be transferred to a non-European Union country when the country in question ensures an adequate level of protection of privacy, freedom and fundamental rights of individuals concerning personal data processing.
Article 25.2 of Directive 95/46/EC states “the adequacy of the level of protection afforded by a third country shall be assessed in the light of all the circumstances surrounding a data transfer operation or set of data transfer operations; particular consideration shall be given to the nature of the data, the purpose and duration of the proposed processing operation or operations, the country of origin and country of final destination, the rules of law, both general and sectoral, in force in the third country in question and the professional rules and security measures which are complied with in that country.”
The French Data Protection Authority, the CNIL, currently considers that Morocco does not provide an adequate level of protection for personal data, despite the fact that the country now has its own data protection authority. However, the CNIL's opinion on this issue may be revised once the transition period for compliance with the Moroccan Data Protection Act has expired(16). Currently, any French company that transfers personal data to Morocco is therefore in principle required to request an authorization from the CNIL in accordance with Directive 95/46/EC. The authorization request must include a description of the purpose of the data transfer, its recipients (e.g. a sub-contractor) and the nature of the guarantees put in place by any sub-contractors to ensure a satisfactory level of protection for the transferred data.
Therefore, any company that sub-contracts after-sales services, telephone sales or, more generally, any call center operations requires an authorization to transfer personal data to Morocco. In France, failure to submit such a request for authorization is punishable by a fine of up to €300,000 and a maximum prison sentence of 5 years(17).
Lastly, the CNIL will not authorize a transfer of personal data if the original processing of the data concerned was not duly notified or authorized(18).
3. Application of Act 09-08
As Moroccan companies have until November 15, 2012 to comply with the Moroccan Data Protection Act, European companies, including French companies, are required to request an authorization from the supervisory authority in their own country in order to be able to transfer personal data to Morocco. In practice, contracts between European companies and their Moroccan sub-contractors tend to include data protection clauses. This means that the sub-contractors are contractually required to protect personal data but do not themselves have to make the authorization requests required of the European data controller. The CNIL's website provides some examples of data protection clauses that can be used.
The Moroccan Act 09-08 has numerous similarities with the French Data Protection Act. European data protection standards are respected and the Moroccan data protection legislation forms part of the regulatory convergence program between the European Union and Morocco in line with the “advanced status” classification awarded to the country. The Act has the dual aims of promoting the digital economy while reassuring investors.
Even before Act 09-08 was adopted there were various laws and regulations already in force in Morocco that provided for a duty of confidentiality in relation to personal data, particularly in the medical and banking sectors (e.g. Act 34-03).
However, this new law will require considerable communication and awareness-raising, particularly as Morocco's economic landscape comprises numerous SMEs. Companies based in Morocco that wish to process personal data have until November 2012 to ensure that they comply with the provisions of Act 09-08.
(1) Decree no. 2-09-165 of 25 Joumada I 1430 implementing Act 09-08 on personal data protection (B.O. no. 5744 of June 18, 2009).
(2) Article 67 of Act 09-08.
(3) Article 1 of Act 09-08.
(4) Article 1, para. 3 of Act 09-08.
(5) See the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data, Strasbourg, 28.I.1981.
(6) Article 4 of Act 09-08.
(7) Article 12 of Act 09-08.
(8) Article 4 of Act 09-08.
(9) Article 4 b) of Act 09-08.
(10) Article 4 e) of Act 09-08.
(11) Article 23.2 of Act 09-08.
(12) Article 3 of Act 09-08.
(13) Article 2 of Act 09-08.
(14) Article 10 of Act 09-08.
(15) Articles 44 d) and e), and 44.2 of Act 09-08.
(16) Pursuant to Article 67 of Act 09-08, companies have until November 2012 to ensure compliance with the provisions of the Moroccan Data Protection Act.
(17) Article 226-16 of the French Criminal Code.
(18) Definition given by the CNIL in Decision 2005-305 dated 8 December 2005 relating to the single authorization of automated personal data processing concerning professional warning systems (single authorization decision AU-004).