The creation of the CNDP an imperative for morocco’s attractiveness on an international scale
The promulgation of Law 09-08 is part of the modernization of the Moroccan legal system relating to the protection of personal data in order to consolidate and strengthen its system of citizen protection against new technologies, and so that Morocco is up to the new challenges posed by digital, and in particular electronic commerce. The security of personal data has become a central issue for investors who before transferring their data to a target country no longer hesitate to conduct a very thorough due diligence of the standards and rules applicable to their client’s personal data and the security of their data.
It is in this spirit and in accordance with international conventions and in application of European directives, precisely by virtue of Morocco’s accession to Convention No. 108 of the Council of Europe, that Law 09-08 created in accordance with Article 27, the National Commission for the Control of the Protection of Personal Data, its main objective is to ensure the implementation of the provisions of this law, to be the first institution responsible for ensuring the application of the rules on the protection of personal data.
Despite these efforts, Morocco to date, does not appear in the list of states recognized by the European Union as ensuring sufficient protection of personal data, which represents a certain obstacle for companies wishing to establish themselves in Morocco, as well as Moroccan subcontractors of European companies.
The CNDP has significant investigative powers
To carry out its missions, the CNDP has powers of investigation and investigation allowing it to control and verify that the processing of personal data is carried out in accordance with the provisions of Law 09-08 and its implementing texts. To this end, its agents can directly access all the elements involved in the processing processes (data, equipment, premises, information media, etc.). Such checks may give rise to administrative, pecuniary or criminal penalties.
This power of investigation conferred by Article 30 of Law 09-08 appears to be a discretionary power, not subject to judicial review. Indeed, Law 09-08 does not mention the need to obtain the authorization of the prosecutor or the investigating judge to conduct an investigation on the premises of a company. A simple prior information of the prosecutor is required and only the seizure of material requires the authorization of the public prosecutor in accordance with article 21 of Decree 2-09-165.
Section 30 of the Act allows the CNDP to conduct four separate measures to ensure compliance with the Act, its Orders in Council and the deliberations of the CNDP.
The first step is to conduct an investigation. CNDP officers may visit the premises, request access to the data being processed and enter any information or documents necessary to carry out the monitoring mission.
The second measure is to order that documents be communicated to him within a certain period of time and to set penalties in the event of failure to communicate.
The third measure is the possibility of making any modification of the data to allow processing in accordance with the Law.
Finally, the CNDP may order the blocking, destruction or erasure of data and the prohibition of data processing.
In view of this power of investigation, complying with Law 09-08 may appear to be a necessity for Moroccan but also foreign companies.
Offences introduced by Law 09-08
Chapter VII of Law No. 09-08 sets out the facts that constitute offences. We can summarize them as follows:
- Any treatment that undermines public order, safety, morality and morality;
- The implementation of a treatment without the required authorization or declaration;
- Refusal of the right of access, rectification or opposition;
- Any incompatibility with the declared purpose;
- Failure to comply with the data retention period;
- Failure to comply with the security measures of the treatments;
- Failure to comply with the consent of the data subject, in particular when it comes to direct marketing for commercial purposes, with increased penalties when it comes to sensitive data;
- Any transfer of personal data to a country that is not recognized as ensuring adequate protection;
- Any obstacle to the exercise of the CNDP’s control missions;
- Any refusal to implement the decisions of the CNDP.
Sanctions against natural persons
Law 09-08 provides for various penalties for data controllers who do not comply with the provisions of this law aimed at protecting personal data. These sanctions and their amounts can be substantial in order to play a deterrent role. They have been designed in such a way as to oblige controllers to act with greater transparency in the collection of personal data, but above all to use them while respecting the rights and freedoms of data subjects.
Against the natural persons responsible for the processing of personal data, and without prejudice to their civil liability towards persons who have suffered damage as a result of the offence, the penalties vary according to the seriousness of the acts complained of, with regard to imprisonment between three months and two years in prison, and with regard to fines between 10,000 and 300,000 dirhams. These penalties may be doubled in the event of a repeat offence.
Where the offender is a legal person, and without prejudice to the penalties that may be applied to its managers, the fines shall be doubled. The legal person may have its property confiscated and its establishments closed.
This part is dealt with by article 64 of Law 09-08 which provides:
Where the perpetrator of one of the offences provided for and punished under this Chapter is a legal person and without prejudice to the penalties which may be applied to its directors who commit any of the offences provided for above, the penalties for a fine shall be doubled.
In addition, the legal person may be punished by one of the following penalties:
- the partial confiscation of his property;
- confiscation of the property that is the subject of the offence;
- the closure of the establishment or establishments of the legal person where the offence was committed.
The legislator has given victims the possibility of filing a complaint if their rights are not respected by the controller, either with the courts or with the CNDP agents, not to mention that the latter have the possibility of seeking and establishing facts constituting offences under Law 09-08.
Natural persons who consider themselves “victims” of a breach of their personal data may address their complaints to the judicial police or to CNDP agents who are authorized to investigate and record the offences. The minutes they draw up in this capacity are transmitted, within five days of the search and finding operations, to the public prosecutor. Victims may also address their complaints to the latter.
The officers of the judicial police and those of the CNDP are also responsible for investigating and ascertaining breaches of public order or the provisions of Law No. 09-08. In this case too, they send their minutes to the public prosecutor who studies the advisability of initiating proceedings against the offender.
What are the rights and procedure to follow in the event of an investigation by the CNDP?
Although the CNDP has sovereign power to conduct an investigation, this investigation must obey strict rules that are for the most part internal rules of the CNDP that are derived from its internal regulations.
Law 09-08 does not introduce a real legal framework for the investigation but sets out an important principle in Article 31, the principle of adversarial proceedings and respect for disciplinary proceedings guaranteeing the rights of the defence.However, Law 09-08 has unfortunately excluded on-site investigation procedures and the data modification measure from compliance with its principles. These principles only apply in the event of a document check (request for disclosure of documents) and a request for deletion, blocking or prohibition of data processing. This partial application of the principles of respect for the rights of the defence and adversarial proceedings may come as a surprise. Perhaps the legislator wanted to reserve its principles to measures of documentary control and deprivation of the right to carry out processing because they are accompanied by sanctions, which is not the case for other measures (on-the-spot control and right to modify data).
Decree 2-09-165 (the “Decree”) as well as the cndp’s internal regulations (resulting from the Prime Minister’s decision No. 3-33-11) provide guarantees to the citizen subject to a control measure.
Thus, the control operation must be the subject of a decision by the CNDP. This decision is voted by a majority of the present members of the CNDP (with a quorum of two-thirds of the members). The members of the CNDP are the Prime Minister, the President of the CNDP, the two members appointed on the proposal of the House of Councillors, two members appointed on the proposal of the House of Representatives, and two members appointed on the proposal of the Prime Minister. This decision must mention the name of the controller, the name of the agent commissioned (or agents commissioned) to carry out the on-the-spot check, and the duration and purpose of the check.
Thus the control operation is strictly framed by this decision of the CNDP and the agents will have to comply with the letter of the decision and will not be able to go beyond the framework set by the CNDP.
This operation shall be the subject of an investigation by the competent Prosecutor at least 24 hours in advance. This notice must state the time, date, purpose and place of the inspection.
The agents will have to present their authorization and their order of mission.
Finally, detailed minutes will have to be drawn up. This trial must include the nature, day, time and place of the control carried out. It must indicate the object, the persons met, the CNDP agents present, the statements of the persons checked and the difficulties encountered. In annex, an inventory will have to list the documents and documents so copy has been taken and countersigned by the agent of the CNDP and the person in charge on the spot.
CNDP officers may apply to the prosecutor for permission to seize equipment. The request must state the reasons on which it is based and contain all the information necessary to decide on the authorisation.
Agents may also interview any person of their choice by summoning him or her by registered letter at least seven days before the date of the hearing. The summoned person may be accompanied by the person of his choice. In case of refusal to respond to the summons, it must be mentioned on a report.
It can be seen that the legislator wanted to be strict about the penalties provided for in Law No. 09-08. The obvious objective is, as a first step, to deter persons who handle personal data from contravening the legal provisions and to encourage them to be extremely vigilant during the processing carried out. Secondly, the aim is to apply exemplary penalties to offenders so that they avoid further infringing on citizens’ rights.
The legislator has provided for a repressive arsenal against any controller, whether a natural or legal person, who does not comply with the provisions of Law 09-08.
According to the latest CNDP report published to date, the number of complaints received by the CNDP continues to increase and reached 584 units in 2016, an increase of 47% compared to 2015.
Regarding sanctions, feedback shows that formal notices and reminder letters, sent by judicial officer to public bodies and private actors are quite effective means in terms of compliance with Law 09-08.
Of the 584 complaints received in 2016, 51 were the subject of a formal notice, of which 43 concern direct prospecting and 8 relate to video surveillance. In total, 65 files were transmitted by judicial officer in 2016 against 8 in 2015.
However, we are still waiting for the publication of more recent annual reports because in recent years the CNDP has considerably increased the pace of control missions.