In July 2018, the Moroccan data protection authority, La Commission Nationale de Contrôle de la Protection des Données à Caractère Personnel, held a seminar in Rabat jointly with the Delegation of the European Union to Morocco in respect to the outcomes of a study they conducted. The study focused on opportunities to bring the Moroccan legal framework for the protection of personal data closer to the EU General Data Protection Regulation.
In Morocco, personal data protection is governed by Law n° 09-08 of 18 February 2009 (in French), relating to the protection of individuals with respect to the processing of personal data and by its Implementation Decree n° 2-09-165 of 21 May 2009 (in French). The law was initially enacted to encourage foreign investment, including the offshoring and outsourcing of processing activities related to European residents’ personal data. Morocco is, indeed, an important player in the offshoring and outsourcing market due to its proximity to European markets as well as its competitive telecommunication infrastructure and multilingual workforce.
Since the adoption of the law, Morocco has made large efforts to ensure the effective protection of personal data and to have its data protection level recognized by the European Union to promote further international business. Moreover, Morocco requested an adequacy recognition decision from the European Commission as early as 2009. Today this request is still pending.
Since the adoption of the GDPR, Morocco is even more concerned with enhancing the protection of personal data and aligning its legal framework to the European Union standards. This is because, under the GDPR, Moroccan companies may also be required to comply with the EU legal framework as the scope of the GDPR may cover companies which are not established in an EU member state, where they process personal data about EU data subjects in connection with the following:
- Offering of goods or services, whether or not payment is required of such persons.
- The monitoring of their behavior within the EU.
Moreover, the GDPR extends to subcontractors which include Moroccan companies operating in the offshoring sector. Subcontractors not only have additional duties under the GDPR, but more often they also face enhanced liability for non-compliance or for acting outside the authority granted by a controller. In addition, when selecting a processor, controllers must only use processors that provide sufficient guarantees of their abilities to implement the technical and organizational measures necessary to meet the requirements of the GDPR.
Therefore, it is important for Moroccan companies that process personal data of EU data subjects, as a controller or processor, to ensure that they comply with the GDPR. The economic constraints are not the only reasons driving the Moroccan legislator to adapt the national legal framework. The necessity to align the national law fully to human rights principles defined by national constitutional and fundamental laws and in international legal instruments explains this initiative as well.
The event held last July in Rabat aimed to inform the ministries, concerned public institutions, the private sector, and the civil society of the areas of convergence and divergence of the current Moroccan Law n° 09-08 of protection of personal data towards the GDPR. The seminar focused mainly on providing its attendees with an overview of the gap analysis results between the the two laws. In light of the results of such gap analysis, it also sought to provide an overview of the various potential scenarios for amending of the Law n° 09-08 and their resulting impacts. The seminar concluded by presenting which of the three scenarios is most recommended by the study.
With respect to the gap analysis, the findings revealed several areas of convergence such as the definitions, the material scope of the law, the principles of data processing, the principles applicable to trans-border transfers, and the mission of the supervisory authority. However, a number of areas of divergence were identified as well, such as the absence of references to biometric data or sexual orientation, some divergence regarding rights of data subjects (e.g., no right to be forgotten, no right to data portability), no detailed conditions related to the validity of consent, the lack of requirements to notify the authority of data breaches, the absence of a data minimization principle, and limits of powers granted to the CNDP.
Furthermore, in regard to the gap analysis, three possible scenarios of how to revise the law were considered:
- The first scenario is to maintain the current Moroccan legal framework of protection of personal data as is. Such a scheme would have a negative impact on convergence, as it would keep the identified gaps open and maintain a comparably low level of protection of personal data. Consequently, Morocco might encounter barriers to its further development on the European market, in addition to a risk of not being fully compliant with fundamental human rights.
- The second scenario calls for the full integration of the GDPR with no amendment or adaptation. The GDPR would then become the Moroccan legal framework for the protection of personal data. In this case, the main negative impact would be the likely lack of effectiveness of the protection of personal data as no local specificities would have been considered.
- The third scenario aims to integrate a “moderate” GDPR. This scheme would involve a certain number of amendments to the law to reduce the gaps with the GDPR while considering local specifications.
Not surprisingly, the study made the recommendation to opt for the third scenario on a medium to long-term basis in order to have a progressive alignment of the local legal framework. Such option would enable Morocco to have long-term results and ensure a constant involvement of relevant EU players.
Photo supplied by the Moroccan DPA.