In 2009, Morocco enacted Law No. 09-08 relating to protection of individuals with regard to the processing of personal data and its corresponding implementation decree, Decree No. 2-09-165 (referred to collectively as DP Law). The legislation—which created an independent data regulator in the Commission Nationale de Protection des Données Personnelles (CNDP)—was progressive for its time.
While Morocco’s data protection framework is still well-ahead of many jurisdictions in Africa, it lags behind leading international standards. In a 2018 meeting with an EU delegation, the shortcomings were highlighted—including a lack of detailed conditions related to the validity of consent, the lack of requirements to notify the authority of data breaches, the absence of a data minimization principle, and limits of powers granted to the CNDP.
Under the DP Law, data subjects have the right to:
- have their personal data corrected;
- access their personal data and the reasons for its processing;
- object to the further processing of their personal data, at any time;
- prevent processing of personal data for purposes of direct marketing; and
- object to a decision based solely on automatic processing that would significantly affect the or produce adverse legal repercussions for them.
Omar SEGHROUCHNI is the President of the Data Protection National Commission (Commission Nationale de Protection des Données Personnelles).