مجلة مغرب القانونمقالاتSalma Moubtakir: impact of globalisation on the personal data protection law in Morocco

Salma Moubtakir: impact of globalisation on the personal data protection law in Morocco

Salma Moubtakir

PHD student in faculty of law

University Ibno Zohr

Globalization has become one of the key words of the last two decades mainly as a consequence of the sudden increase in the exchange of knowledge, trade and capital around the world, driven by technological innovation., it has influenced human life scopes with multifariousness of mechanisms, in particular in terms of global economy and politics .[1]

Law industry in one of many systems that have been afflicted by the globalization impact, .notably human rights , considering that we are getting more involved in the idea that one’s indentity transcends geography or political borders and that responsibilities or rights are derived from membership in a boarder class ‘’ humanity’’, in onther words , we call it ‘’ world citizen’’ or ‘’cosmopolitan’’ , in fact ,this idea is  increasingly relying on global values to fulfil humans existential nature .

To get to the point, we dedicate this essay to discuss the impact of  globalization on moroccan laws  this subject is no longer a theory, it is a real international world process . Our kingdom has faced many challenges to catch up with globalization, namely, technological, economic, political, and cultural fields , however the challenges are getting bigger and deeper. My essay will focus on the sphere of the law concerning the Moroccan Data Protection, as a demonstration of how globalization has affected the law industry. and as a part of the globalization of trade and the use of new technologies of information, the problem of protecting and transferring personal data is posed with acuity.

In fact, the international dimension of exchanges requires first of all that the texts to apply in matters of personal data. Secondly, it is interesting to specify the concrete methods of implementing the principles of protection resulting from the transfer of personal data abroad.

Morocco, like the rest of the world is connected to the Internet, in fact, more than 22 million Moroccans have access to the Web, of all social and cultural classes, and of all ages, this can create an important t risk of security, knowing that, personal information has become more likely to be stolen, and misused,, veritabely,  blacknet has become a dangerous game within the reach of people who seek to abuse people’s personal data to achieve dishonest purposes, many victims all over the world have been affected by these criminal attitudes, and have suffered from material and mental damage.

To deal with these reprehensible acts, Morocco, like other countries, had to react by promulgating texts of firm and strict laws and by intensifying its institutions to ensure the cybersecurity and to be part of the global community which defends the need for the protection of personal data.

1.protection and processing of personal data :

Globalization generates a significant increase in the volume of trade in personal data in all its forms , it is now commonplace for multinationals to use the databases of their subsidiaries across the world.

The protection of privacy in Morocco is a constitutional principle enshrined in article 24 of the constitution of the moroccan kingdom promulgated by the Dahir ( Royal decreed) n° 1-11-91, of July 29, 2011which states that :’’ everyone has the right to protection of their private life).

In Morocco, personal data protection is governed by Law n° 09-08 of 18 February 2009 relating to the protection of individuals with respect to the processing of personal data and by its Implementation Decree n° 2-09-165 of 21 May 2009, the aim goal was to encourage foreign investment, including the offshoring and outsourcing of processing activities related to European residents’ personal data . Morocco , in the process of global integration, has taken in consideration many international texts, legislations and conventions, we mention The OECD Guidelines on the Protection of Privacy and Cross-Border Flows of Personal Data, adopted on September 23, 1980, the Charter of fundamental Rights of the European Union: Articles 7 and 8, Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95 / 46 / EC[2] (general data protection regulation)…

Over 100 countries, including Morocco have now enacted data protection laws[3], many of which have been influenced by EU Directive 95/46. EU law also includes the right to data protection at the constitutional level (for example, in the EU Charter of Fundamental Rights), and the European Court of Human Rights has construed Article 8[4] of the European Convention on Human Rights to include data protection.

Since the adoption of the law, Morocco has made large efforts to ensure the effective protection of personal data to promote further international business and development on a universal scale, for this, Morocco has created several governmental and non-governmental institutions to strengthen the protection of personal data, following the model derived from the main lines of international law on this subject, particularly the CNDP (Commission Nationale de contrôle de la protection des Données à caractère Personnel).

مقال قد يهمك :   الحسن الشركيلي: خصائص التدبير الملكي لأزمة كورونا

CNDP, a genuine model of globalization in Morocco :

CNDP , (National Commission for the Control of the Protection of Personal Data)is responsible for verifying that the processing of personal data is lawful, legal and that it does not infringe on privacy, fundamental freedoms and rights.

De facto, Morocco is the first Arab, African and Muslim country to be accredited to the International Conference of Data Protection and Privacy Commissioners during the 33rd session held in Mexico City in November 2011[5]. This conference gathers annually representatives of national, regional and international supervisory authorities as well as experts in the field of personal data[6] protection.

the law09-08  provides in its article 1 that: ” IT is at the service of the citizen and evolves within the framework of international cooperation. It must not affect the identity, rights or collective or individual freedoms of a person. It should not be a means of disclosing secrets of citizens’ privacy. ”

Moreover, The CNDP is a member of the French-speaking Association of personal data protection authorities (AFAPDP)[7] which brings together the personal data protection authorities of countries of La Francophonie.

Currently ,Morocco co-chairs with the Belgian authority the working group set up within the AFAPDP in order to define a frame of reference framing the transfer of personal data within the French-speaking area.

To boot, Morocco has applied to the Council of Europe for accession to Convention 108. Adopted by the Council of Europe in 1981, this convention is the first legally binding international instrument for the protection of personal data.

Morocco’s request has been accepted by the Council of Europe.

GDPR[8] and Morocco, compulsory reinforcement:

Since the adoption of the GDPR[9], Morocco is even more solicitous with enhancing the protection of personal data and coordinationg its legal framework to the European Union standards, further, the GDPR extends to subcontractors which include Moroccan companies operating in the offshoring sector, that is why, it is important for Moroccan companies that process personal data of EU data subjects, as a controller or processor, to ensure that they comply with the GDPR enquirements.

to ensure better integration into the GDPR, an event was held on July 2018 in Rabat , to inform the ministries, concerned public institutions, the private sector, and the civil society of the areas of merging and divergency of the current Moroccan Law n° 09-08 of protection of personal data towards the GDPR. The seminar focused mainly on providing its attendees with an overview of the gap analysis results between the the two laws, basically, the general conclusion was about the necessity to align the national law fully to human rights principles defined by national constitutional and fundamental laws and in international legal instruments .

It must be mentioned that, there is no special legislations  in morocco in relation to cloud computing and big data. the latter obviously raise the question of the extent of the processing of certain data bases and their location, which often remains unknown.

however, it is important to emphasize that Morocco has set up a special portal containing the public data of the Moroccan administration accessible at the address  http://www.data.gov.ma/fr .

2.transfer of personal data abroad :

Data transfer abroad necessarily arises when a company is part of an international group. As an example, we will cite the cases in which the group to which said company belongs, decides to centralize resource management human.

The cross-border flow of personal data concerning employees example raises particular legal questions which are added to those traditionally referred to as the protection of privacy, the formalities of creation of files by a company, the limits of remote monitoring…

as a developing country, Morocco has made great strides towards the integration of globalization in the personal data protection sector, but that does not prevent that Morocco still needs to evolve by strengthening its technical and legal infrastructure, to guarantee a high level of security for its citizens, and to increase its opportunities for foreign investment.

Data transfer outside Morocco[10], such as data communication to a third party on the Moroccan territory, undoubtedly constitutes a processing of personal data. As such, it is subject to all of the provisions of the Law.

  • Any transfer of data must have a specific, explicit and legitimate purpose ;
  • The data transferred must be adequate, relevant and not excessive with regard to the or the purposes for which they are transferred;
  • The persons whose data are transferred must be informed[11] of the existence of this transfer;
  • The period of storage by the importer of the transferred data must not be excessive;
  • Data subjects have a right of access to their data which is transferred and

a right of rectification, as well as a right of opposition, for legitimate reasons, to

transfer of their data;

  • Technical security measures must be put in place to protect data against any access by an unauthorized third party and against any destruction, alteration or dissemination unauthorized from said data.
مقال قد يهمك :   مـــلود عشعاش: علاوة الأقدمية في مدونة الشغل -قراءة في القانون وموقف القضاء وواقع الممارسة-

The Law expressly provides for a special regime for the transfer of personal data abroad. Indeed, article 43 of the Law specifies that the transfer of data to personal character abroad can only be carried out in the following cases:

  • To a country appearing on the list established by the CNDP;
  • To a country that is not on the list established by the CNDP under the following conditions:
  • When the data subject has expressly given his consent to the transfer
  • If transfer is necessary to :
  1. to safeguard the life of the person concerned;
  2. to thepreservation of the public interest;
  3. compliance with obligations to ensure theestablishment, exercise or defense of a legal claim;
  4. the execution of a contract between the controller and the data subject;
  5. to the performance of a contract, inthe interest of the data subject, between the controller and a third party;
  6. atthe execution of an international mutual legal assistance measure;
  7. prevention, diagnosisor the treatment of medical conditions;
  • In application of an international agreement to which Morocco is a party;
  • With the express authorization of the CNDP if the processing guarantees a level of protection sufficient privacy and fundamental rights and freedoms of individuals;

It should be noted that the CNDP’s deliberation n ° 464-2013[12] of September 06, 2013 established the list of States ensuring sufficient protection of privacy and freedoms and fundamental rights of individuals with regard to the processing of personal data

as follows: Germany, Austria, Belgium, Bulgaria, Canada, Cyprus, Denmark, Spain,Estonia, United States of America (Safe Harbor member companies), Finland, France, Greece, Hungary, Ireland, Iceland, Italy, Latvia, Liechtenstein, Lithuania, Luxembourg, Malta,Norway, Netherlands, Poland, Portugal, Czech Republic, Romania, United Kingdom,Slovakia, Slovenia, Sweden, Switzerland.

Finally, the Law provides for criminal and pecuniary provisions in the event of transfer of data to personal character towards a foreign state not ensuring an adequate level of protection of the privacy and fundamental rights and freedoms of persons with regard to the treatment of which this data is the subject or can be the subject.

Indeed, article 60 of the Law 09-08 punished by imprisonment of three months to one year, and a fine of 20,000 to 200,000 DH or one of these two penalties only, whoever transfers personal data to a foreign state, in violation of provisions of articles 43[13] and 44[14] of this law.

In view of what above,the challenge would seem to be to find ways to tap into the forces which are shaping the world and ensure that powerful global, regional and private actors are not only made aware of their human rights responsibilities, but also made accountable under the rule of law to ensure that their daily activity respects the fundamental human rights people have struggled to have recognized as part of the international rule of law .

Personal security is a universally recognized and protected right, whether through constitutions, legal texts, or international charters, and countries are bound to stand together in order to confront this phenomena spread throughout the world. And in matter of fact, experience has shown that legal harmonization is a needful choice to provide an adequate way forward given the fast-moving nature of data protection law.

To conclude, we are hopeful that the next version of the digital code should include most of the missing concepts mentioned above as well as other innovations in electronic advertising and marketing, online minors protection as well as security and digital trus.


This article is accepted by the scientific committee
of the Moroccan Center for Law for Legal Studies and Research

[1] At this juncture, it is well understood that globalization encapsulates the fact that decisions are no longer taken at the local, or national level, but in some supranational global gathering, it also symbolizes the increasing influence of global corporations, new means of communication, and consumerism .

[2] Directive 95/46 / EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on free movement.

[3] Such a push may not actually be a very new idea, but recent legislations certainly points to an increased push for data protection guaranteed by national ( sometimes international) law, see Treaty of Lisbon Amending the Treaty european union and the treaty establishing the european community ,Dec.2007,2007 O.j (C 306) 51 hereinafter Treaty of Lisbon, declaring in article 16 B that ‘’ everyone has the right to the protection of personal data concerning them’’.

[4] ‘’ Right to respect for private and family life

  1. Everyone has the right to respect for his private and family life,home and correspondence.
  1. There can be no interference by a public authority in the exercise of this right only insofar as this interference is provided for by law and that it constitutes a measure which, in ademocratic society, is necessary for national security,’’
مقال قد يهمك :   محمد طاتي: الجريمة المعلوماتية بالتشريع المغربي -قراءة تحليلية للنصوص القانونية المنظمة وموقف القضاء-

[5] please check this link for more details : http://privacyconference2011.org/index.php?lang=Eng .

[6] the law 09-08 defines personal data in its article 1 as being: ” any information, of whatever nature and independently of its medium, including sound and image, concerning an identified or identifiable person ‘’ .

[7] Association Francophone des Autorités de Protection des Données Personnelles , Created in 2007, on the initiative of some thirty representatives of supervisory authorities and representatives of French-speaking states. The purpose of this association is to promote the right to the protection of personal data, in States not yet having legislation (the majority of States in the world), and to encourage, at the international level, the establishment of a binding international legal instrument. It contributes to developing and enhancing French-speaking expertise in the protection of personal data.

https://www.cnil.fr/fr/definition/afapdp  ( translated) visited in 15/01/2020.

[8] The General Data Protection Regulation (GDPR) is a legal framework that sets guidelines for the collection and processing of personal information from individuals who live in the European Union (EU). Since the Regulation applies regardless of where websites are based, it must be heeded by all sites that attract European visitors, even if they don’t specifically market goods or services to EU residents.

https://www.investopedia.com/ visited in 15/01/2020.

[9] The GDPR entered into force on May 24, 2016, twenty days after its publication in the Official Journal of the European Union. However, it will only be applicable from May 25, 2018.

[10]  the territorial scope of the new regulation has been widened and may cover companies which are not established on European soil when they process personal data linked to: a) the supply of goods or services to data subjects who are in the territory of the Union, whether or not payment is required from the said persons; or

  1. b) monitoring the behavior of these persons, insofar as this is behavior which takes place within the Union.

[11]  According to the law 09-08 Personal data processed by a website cannot be used for direct prospecting concerning a product or service, unless the Internet user:

express their prior consent at the time of collection; or

has previously benefited from a similar product or service provided by the same site manager.

In all cases, a user has the right to object, without charge, to the sending of prospecting messages. To this end, the data controller must provide – when sending a prospecting message – a telephone number, an email address or any other means allowing to unsubscribe from the list of prospects.

[12] Deliberation n ° 464-2013 of September 06, 2013 relating to the conditions of the exercise of the right to be communicated personal data.

[13] ‘’The controller cannot transfer personal data to a foreign state only if that state provides an adequate level of protection for life privacy and fundamental rights and freedoms of individuals with regard to processing to which this data is subject or may be subject.

The sufficiency of the level of protection provided by a State is appreciated in particular according to the provisions in force in this State, measures of security applied to it, specific characteristics of the processing such as its purposes and duration, as well as the nature, origin and destination of the treated data.

The National Commission draws up the list of States meeting the criteria defined in paragraphs 1 and 2 above.’’

[14]‘’ Notwithstanding the provisions of article 43 above, the person in charge of a processing may transfer personal data to a non-member state not meeting the conditions set out in the above article, if the person to whom relate the data expressly consented to their transfer or:

1- If the transfer is necessary:

  1. a) to safeguard the life of this person;
  2. b) the preservation of the public interest;
  3. c) compliance with obligations to ensure the establishment,

the exercise or defense of a legal claim;

  1. d) the execution of a contract between the controller and the person concerned, or pre-contractual measures taken at the request of

this one ;

  1. e) to the conclusion or execution of a contract concluded or to be concluded, in the interest of the data subject, between the controller and a third;
  1. f) the execution of a measure of international mutual legal assistance;
  2. g) prevention, diagnosis or treatment of medical conditions.

2- If the transfer is made pursuant to a bilateral or multilateral agreementto which the Kingdom of Morocco is a party;

3- With express and reasoned authorization from the National Commission when the processing guarantees a sufficient level of protection of privacy as well as fundamental freedoms and rights of individuals, in particular because of the contractual clauses or internal rules to which it is subject.’’

error: عذرا, لا يمكن حاليا نسخ او طباعة محتوى الموقع للمزيد من المعلومات المرجوا التواصل مع فريق الموقع عبر البريد الالكتروني : [email protected]