When your smartphone becomes an open window into your private life
A Casablanca client once asked me a simple question that captures the whole problem. He had downloaded a ride-hailing app, used it for months, then discovered by reading the privacy policy—very late, like most people—that part of his location history could be processed outside Morocco. His reaction was immediate: who exactly has my movements, and under which law? That question is no longer theoretical. It concerns taxi apps, food delivery platforms, social networks, Android phones, cloud services, online advertising, and increasingly even health and education apps.
In Morocco, more than 20 million people use smartphones, and the overwhelming majority rely every day on foreign applications: Facebook, Instagram, WhatsApp, TikTok, Google Maps, Gmail, YouTube, InDrive, Yango, Glovo, and many others. These services know where we go, who we call, what we search for, what we buy, who we follow, what time we sleep, and in some cases even how our face looks or how our voice sounds. That is not a metaphor. It is the business model of the digital economy.
The public debate was recently sharpened by reporting such as the Challenge article asking whether Moroccans should fear for their data when using apps like InDrive, Yango or Glovo. The question is urgent because data sovereignty is no longer just a state issue. It has become a daily consumer issue. Every Moroccan user with a phone in hand is affected.
So here is the central legal question: does Moroccan law really protect citizens against foreign digital platforms? The short answer is yes, in principle. The more honest answer is more frustrating: the law exists, but its practical reach against foreign apps remains limited.
The main reference text is Law No. 09-08 relating to the protection of individuals with regard to the processing of personal data, promulgated by Dahir No. 1-09-15 of 22 Safar 1430 (18 February 2009) and published in the Bulletin Officiel No. 5714 of 23 April 2009. It created Morocco’s basic framework for personal data protection and the supervisory authority known as the CNDP, the Commission Nationale de contrôle de la protection des Données à caractère Personnel.
But let us be direct. Law 09-08 was drafted in 2009, at a time when TikTok did not exist, AI had not entered ordinary consumer life, and mobile ecosystems were far less invasive than today. Applying that text to the current digital giants is a bit like using a legal map drawn for another era. It still helps. But the blind spots are real.
The InDrive, Yango and Glovo question is really a bigger sovereignty question
Apps such as InDrive and Yango raise concerns because they combine highly sensitive categories of data: geolocation, trip history, payment patterns, device identifiers and, sometimes, customer service records. Glovo, for its part, may process addresses, recurring order habits, payment details and consumption profiles. This is not just convenience data. It can reveal where you live, where you work, when you leave home, whether you visit a clinic, a mosque, a lawyer, or a political meeting.
That is why the issue goes beyond one brand or one app. It concerns the protection of digital privacy in Morocco in the broadest sense. Who is the controller? Where are the servers? Which country’s courts have leverage? Can the CNDP act? Can a Moroccan user demand access, rectification or deletion? These are now everyday legal questions.
Law 09-08: Morocco’s legal shield — and its limits
What Law 09-08 actually says about personal data
Law 09-08 starts from a broad definition of personal data. Article 1 defines personal data as any information of any kind, regardless of its medium, including sound and image, relating to an identified or identifiable natural person. In plain English: if a piece of information can identify you directly or indirectly, it falls within the law.
Article 1 of Law 09-08: personal data includes any information, whatever its nature and regardless of the medium, including sound and image, relating to an identified or identifiable natural person.
This matters because many apps pretend that what they collect is “technical” or “anonymous”. In reality, device IDs, GPS traces, account IDs, advertising identifiers, contact lists, voiceprints and behavioural profiles often make a person identifiable. Under the spirit of the law, these are personal data.
Article 3 then defines the data controller—in French, responsable du traitement—as the natural or legal person, public authority, service or any other body which, alone or jointly with others, determines the purposes and means of the processing. This definition is crucial for foreign apps. When a Moroccan user opens a foreign platform, who is the controller? The local branch? The Irish company? The Dutch holding? The U.S. parent? The answer is often buried in terms and conditions drafted for another jurisdiction.
Article 4 adds another key principle: personal data must be processed for specified, explicit and legitimate purposes. Concretely, if an app says it collects your location to match you with a driver, but then uses the same data for profiling, targeted advertising or algorithmic ranking without proper transparency, there is a serious legal problem under the logic of Law 09-08.
The founding text and implementing decree
The legal foundation is the Dahir No. 1-09-15 of 22 Safar 1430. Its implementing framework was completed by Decree No. 2-09-165 of 25 Joumada I 1430 (21 May 2009), published in the Bulletin Officiel No. 5744 of 18 June 2009. The decree details declarations, authorisations and procedures before the CNDP.
In my practice, I still see Moroccan SMEs, clinics, schools, e-commerce businesses and even some service providers who have never filed the required CNDP declaration for ordinary processing operations. That is already a compliance issue domestically. Once foreign platforms enter the picture, the legal complexity multiplies.
Territorial scope: where foreign apps create the real problem
The real difficulty lies in the territorial reach of the law. The editorial debate often points to Article 43 and the provisions on international transfers, but the broader issue is simpler: Moroccan law is strongest when the controller is established in Morocco or the processing is clearly anchored on Moroccan territory through a legal presence. It becomes much weaker when the controller is established abroad and has no representative or legal entity in Morocco.
This is one of the major differences between Morocco’s Law 09-08 on personal data protection and the European GDPR. Under Article 3 of the GDPR, European law can apply extraterritorially to controllers outside the EU if they offer goods or services to people in the Union or monitor their behaviour. Moroccan Law 09-08 does not contain such a strong and explicit extraterritorial mechanism.
That is why the answer to a common question—does Moroccan law apply to Facebook, TikTok and Google?—must be nuanced. In principle, yes, Moroccan residents’ data deserve protection. In practice, enforcement becomes difficult when the legal controller is in Ireland, California, Singapore or elsewhere, with no real representative in Morocco.
Honest legal writing requires saying this clearly: the gap is not in the principle of protection; it is in enforceability.
The CNDP: Morocco’s data watchdog, but with limited leverage abroad
The CNDP is Morocco’s supervisory authority for personal data protection. It receives declarations and authorisation requests, issues deliberations, handles complaints, and can refer matters to the Public Prosecutor where criminal offences may be involved. Its role is essential. Without it, Law 09-08 would be little more than a statement of principle.
A word of caution, however: a regulator is only as effective as its legal tools and jurisdictional reach. When the target company is a Moroccan operator, a local employer, a bank, a clinic, or a business with an establishment in Casablanca, Rabat, Marrakech or Tangier, the CNDP can act with much more practical effect. When the target is a foreign platform with no legal seat in Morocco, things become harder. Not impossible in every case, but harder.
At the time of writing, to my knowledge, there is no widely published Moroccan court decision specifically dealing with enforcement of Law 09-08 against major foreign consumer platforms such as TikTok, Meta or Google in the same way European regulators and courts have done. That lack of published local jurisprudence is itself telling.
Facebook, Instagram, TikTok and Google: what they really collect from Moroccan users
Far more than your name and email
Most users think of personal data as their name, phone number and email address. That is only the beginning. The major platforms collect geolocation data, device identifiers, IP addresses, search history, contacts, metadata, browsing behaviour, purchase interests, ad interaction history, voice data, and in some contexts biometric information. Instagram and Facebook process image-based signals. Google, through Android and its ecosystem, often knows app usage patterns, device activity and location history with extraordinary granularity.
For Moroccan users, the practical implication is simple: if you use an Android phone, a Google account, WhatsApp, Instagram, or TikTok, you are generating a dense and valuable behavioural profile. This profile can reveal habits, routines and vulnerabilities.
That is why “Google and TikTok collect Moroccan users’ data” is not a sensationalist phrase. It describes a legal and economic reality.
Privacy policies in small print: legal fiction or valid consent?
Under Article 6 of Law 09-08, processing is lawful where the data subject has given consent, or where another lawful basis provided by the law exists. The key point is that consent must be free, specific and informed. Those three words matter enormously.
Article 6 of Law 09-08: processing of personal data is lawful only if the data subject has unambiguously given consent or if one of the legal grounds provided by the law applies.
Now compare that principle with real app practice. Long privacy policies. Bundled permissions. “Take it or leave it” terms. Pre-checked boxes in some interfaces. Consent inferred merely from use of the service. In my view, and I say this plainly, much of that is difficult to reconcile with the spirit of Moroccan law. If refusing data exploitation means you cannot use a service at all, the freedom of consent becomes questionable.
This is where consent to personal data processing under Moroccan law becomes more than a textbook issue. It becomes a daily consumer rights issue.
The default consent problem
Pre-ticked boxes, vague “improve your experience” language, or hidden permissions do not sit comfortably with a serious reading of Article 6. European law is more explicit on this point: Recital 32 of the GDPR states that silence, pre-ticked boxes or inactivity should not constitute consent. Moroccan law does not formulate it in the same level of detail, but the underlying logic is comparable.
Concretely, if an app asks for access to your contacts, location, microphone and camera when only one of these is technically necessary, the user should be able to refuse non-essential processing without losing the service altogether. That is not always how platforms operate.
Meta’s legal structure adds another layer. For many users outside North America, the contractual entity is in Ireland. That means that even if Moroccan users are affected, enforcement often runs into the problem of a controller located abroad. Again, the legal issue is not whether the user deserves protection. It is whether Moroccan institutions can effectively impose it.
Transfers of data outside Morocco: the most dangerous grey zone
Articles 43 to 52: the legal regime for international transfers
The provisions on international data transfers are central to the problem of foreign apps. Articles 43 to 52 of Law 09-08 regulate transfers of personal data abroad. The basic principle is restrictive: personal data should not be transferred to a foreign state unless that state ensures an adequate level of protection of privacy and the fundamental rights and freedoms of persons in relation to the processing.
Article 43 of Law 09-08: transfer of personal data to a foreign state may not take place unless that state ensures an adequate level of protection of privacy and the fundamental rights and freedoms of persons with regard to the processing.
Article 44 then provides exceptions, including where the data subject has expressly consented, where the transfer is necessary for the performance of a contract, or for other specific legal grounds. But these exceptions should not be read as a blanket permission slip. They are exceptions, not the rule.
There is also the CNDP’s practice and deliberations, including Deliberation No. D-096/2013 concerning transfers to third countries. In theory, this creates a framework. In practice, users rarely know where their data actually goes, and businesses often underestimate the need for prior authorisation where required.
The CNDP and the “adequate countries” question
The CNDP may recognise certain destinations or evaluate transfer safeguards, but the process is not always transparent to the ordinary user. Unlike the highly publicised adequacy decisions in EU law, Morocco’s transfer regime is less visible and less widely understood by the public and even by some professionals.
I once advised a Moroccan startup that wanted to use Amazon Web Services for customer management data. The founders assumed that because the servers were “in Europe”, there was no issue. In reality, we had to examine where the data would be hosted, whether sub-processors outside Europe were involved, whether support access from other countries existed, and whether a CNDP authorisation or declaration was necessary. This is exactly the sort of compliance question many businesses ignore until a dispute arises.
InDrive, Yango and Glovo: a case-by-case legal analysis
InDrive is often discussed because of concerns around Russian-linked infrastructure and the sensitivity of ride data. If the legal entity is in the Netherlands but part of the technical infrastructure or support chain involves Russia, the analysis becomes complex. Which entity is the controller? Where are the servers? Which law governs onward access? If data is effectively accessible from Russia, users may worry about the impact of Russian surveillance laws, including legislation often referred to in discussions about data retention and state access.
Yango, associated with the Yandex ecosystem, raises similar concerns. Geolocation data is among the most sensitive categories in consumer tech. A ride-hailing app can reconstruct a person’s movements better than many employers, neighbours or even family members. In one matter I reviewed, an independent driver working through a foreign platform was shocked to discover that continuous location-related monitoring could reveal his activity beyond working hours. The terms designated a foreign entity, which made any direct Moroccan enforcement strategy much more difficult.
Glovo presents a different profile. Because it is linked to Spain, the GDPR environment is more directly relevant. That is better from a legal protection standpoint than a transfer chain involving countries with weaker or less transparent protections. But from the point of view of a Moroccan consumer, the practical question remains: if there is a violation affecting a user in Casablanca or Rabat, what is the fastest and most effective remedy? The answer may still involve navigating foreign legal structures.
So when people ask whether these apps comply with Moroccan law, the intellectually honest answer is: it depends on the exact data flows, the contractual controller, the location of servers, and whether there is any establishment or representative in Morocco. Anyone who gives a simpler answer is skipping the hard part.
The prior authorisation requirement is often ignored
For Moroccan companies, one point deserves emphasis. If you operate an app or service in Morocco and transfer personal data abroad, the CNDP regime for transfers of data outside Morocco is not a theoretical issue. It can require prior authorisation depending on the type of transfer and destination. Many founders discover this too late, sometimes when a client asks for proof of compliance, sometimes when a complaint lands on the regulator’s desk.
That is one reason Moroccan businesses should not wait for reform. A serious internal data mapping exercise, clear privacy notices, and proper CNDP procedures are no longer optional for any company handling customer data at scale.
Your concrete rights as a Moroccan user
The right of access under Article 7
Article 7 of Law 09-08 gives individuals a right of access. You may ask whether your data is being processed, what categories of data are involved, the purposes of processing, and the recipients to whom data is disclosed. The law also provides that the controller should respond within a legally framed period; in practice, the commonly cited reference is around 30 days.
Article 7 of Law 09-08: every person may obtain from the controller confirmation as to whether data relating to them is processed and communication of such data in an intelligible form.
In practical terms, if you want to exercise this right with Facebook or Google, use the platform’s built-in data access tools first. For Facebook and Instagram, this often means going to account settings and downloading your information. For Google, services such as Google Takeout are the first step. But do not stop there if your request is specific. Send a written request through the official privacy or support channel and keep proof.
Rectification and opposition: Articles 8 and 9
Article 8 allows you to seek rectification, erasure or blocking of inaccurate, incomplete, equivocal or unlawfully processed data. Article 9 recognises a right to object, for legitimate reasons, to processing of personal data concerning you. These are important rights, even if they are underused.
Suppose an app wrongly associates your account with a false identity marker, an incorrect address, a mistaken photo, or an inaccurate risk profile. Article 8 gives you a legal basis to demand correction. Suppose a platform processes your data for marketing or profiling in a way you consider unjustified. Article 9 can support an objection.
What Moroccan law does not provide as clearly as the GDPR is an explicit and developed right to be forgotten equivalent to Article 17 of the GDPR. That is a major gap. You can still seek deletion through rectification/erasure logic and through platform tools, but the legal architecture is less robust than in Europe.
How to make your request effectively
Here is the practical advice I give clients. Do not just click around in settings and hope for the best. Send a dated written request. Include your full name, account identifier, the legal basis invoked under Law 09-08, the exact data concerned, and the remedy requested: access, correction, objection, or deletion. Attach screenshots if necessary. Keep copies of every email, form submission and automated acknowledgment.
This paper trail matters. If the platform ignores you and you later file a complaint with the CNDP for a personal data violation, your prior attempts show seriousness and help structure the complaint.
How to file a complaint with the CNDP — and what to realistically expect
Where and how to complain
The CNDP is based in Avenue Annakhil, Hay Riad, Rabat. A complaint can be submitted by registered mail or deposited directly. The process is free of charge. There is no court filing fee simply to alert the CNDP.
Your complaint should contain, at minimum, a copy of your national identity card, a clear description of the facts, relevant dates, the categories of personal data involved, evidence such as screenshots, emails or extracts from the terms of service, and proof that you first tried to resolve the issue directly with the controller. That last point is not always formally mandatory in every configuration, but in practice it strengthens the file considerably.
If you are dealing with a particularly technical issue (cross-border transfer, opaque controller structure, health data, children’s data, location tracking), it is often worth consulting a lawyer online in Morocco or meeting with a digital law firm in Rabat before filing.
What the CNDP can do
The CNDP can examine the file, seek explanations, issue recommendations, send a formal notice, and in certain cases transmit the matter to the Public Prosecutor if criminal offences appear to be constituted. For Moroccan entities, this can be effective. For foreign apps without a local legal presence, the CNDP’s practical leverage is more limited. That is the reality, and it should be said honestly.
As for timing, the law does not provide a simple universal deadline for all complaint handling. In practice, expect roughly 2 to 6 months for many files, and sometimes longer. I have seen a sensitive health-data matter involving a mobile app take close to 8 months before meaningful movement occurred. That does not mean the CNDP is inactive. It means these files can be technically and jurisdictionally difficult.
The criminal sanctions in Articles 54 to 63
Articles 54 to 63 of Law 09-08 provide criminal penalties for various violations, including fines that can range from 10,000 to 300,000 dirhams, and in some cases imprisonment of up to 5 years depending on the gravity and nature of the offence.
Articles 54 to 63 of Law 09-08: the law provides for criminal penalties including fines from 10,000 DH to 300,000 DH and, for certain offences, imprisonment that may reach 5 years.
But be careful: these sanctions are only concrete where there is a person or legal representative within reach of Moroccan jurisdiction. For a large foreign platform with no establishment in Morocco, the existence of a criminal sanction on paper does not automatically mean it can be effectively enforced. This is one of the strongest arguments for legislative reform.
Going beyond the CNDP: judicial remedies
Administrative and civil routes
If a CNDP decision itself is contested, the administrative route may be relevant before the competent administrative court. But many victims are more interested in compensation than in regulatory procedure. In that case, civil liability may be explored under the Dahir des Obligations et Contrats, especially Article 77 of the DOC, which establishes the principle that any person who, without authority of law, causes material or moral damage to another is obliged to repair it.
Article 77 of the DOC: any act of a person that causes material or moral damage to another, where that person is at fault and without legal justification, obliges the author to repair the damage.
This provision can be useful where a data breach, unlawful disclosure, reputational harm or severe intrusion into private life causes measurable damage. The challenge, of course, is proving the fault, the link to the defendant, and the harm—especially where the platform is foreign.
The limitation period for civil action is generally governed by ordinary law, with Article 387 of the DOC often cited for the five-year limitation period. Do not wait. Evidence disappears quickly in digital matters.
Criminal complaint and practical obstacles
A criminal complaint may be filed with the Procureur du Roi where the facts amount to an offence under Law 09-08. This can matter in cases involving unlawful collection, disclosure, sensitive data misuse or processing without required formalities. If the target has a Moroccan representative, the route is more realistic. If not, territorial competence and execution quickly become obstacles.
For cases with a strong penal dimension, some clients may choose to consult a criminal lawyer in Casablanca alongside a digital law specialist. For business-side compliance disputes, a Casablanca firm specialising in GDPR and Law 09-08 compliance is often the better fit.
Costs and legal fees in Morocco
People often hesitate to seek advice because they assume data protection litigation is only for large companies. That is not always true. In Morocco, a first consultation with a lawyer in this area may range from about 500 to 2,000 DH. Drafting and following a CNDP complaint often falls in the 3,000 to 8,000 DH range. A full judicial procedure can start around 10,000 DH and go much higher depending on complexity, expert work, and whether appeal proceedings are involved.
For companies needing compliance work rather than litigation, a package for CNDP formalities and privacy documentation may range from 5,000 to 15,000 DH, sometimes more for larger organisations. If you are a startup founder, retailer, clinic or app operator, this is usually far cheaper than cleaning up a dispute later. Businesses in Marrakech, for example, often seek this kind of support from a business lawyer in Marrakech.
Collective pressure through consumer law
Moroccan law does not expressly organise U.S.-style class actions in data privacy matters. Still, collective pressure can be increased through consumer associations and the framework of Law No. 31-08 on consumer protection. In some circumstances, multiple users affected by the same platform practice can coordinate complaints. A lawyer specialising in consumer law may help evaluate that route.
What Moroccan law needs to change
Reform is no longer optional
Let us be frank. Law 09-08 was a serious and useful step in 2009. But 2009 is another digital age. Today we live with cloud computing, generative AI, biometric processing, hyper-targeted advertising, app ecosystems, and data brokers. Morocco is preparing for deeper digital transformation, major infrastructure projects, and the international visibility that comes with events such as the 2030 World Cup. Data governance cannot remain frozen in an older model.
The reform priorities are clear. Morocco needs stronger extraterritorial reach, clearer rules on children’s data, a more explicit right to erasure, stronger obligations around biometric data, and a more modern compliance framework for controllers and processors. It also needs better public guidance from the CNDP and, ideally, clearer enforcement pathways against foreign services targeting Moroccan users.
Learning from the GDPR without copying it blindly
The GDPR offers useful lessons, especially on territorial scope, transparency, accountability and consent. But Morocco should not simply copy European law line by line. It should build a model suited to Moroccan institutions, market realities and sovereignty needs. Still, one point is beyond debate: if a foreign app actively targets Moroccan users, tracks their behaviour and monetises their data, Moroccan law should have a clearer way to reach it.
This is not anti-business. On the contrary, a robust data framework helps attract serious tech investment. If Morocco wants to be a digital hub for Africa, legal certainty around personal data is an asset, not an obstacle.
Practical steps you can take today
Ten useful reflexes for ordinary users and businesses
You do not have to wait for Parliament to protect yourself better. Start with the obvious but often neglected basics. Check app permissions before installation. If a flashlight app wants your contacts and microphone, refuse. Review the “data collected” section in app stores and privacy policies. Turn on two-factor authentication for email, social media and payment-linked apps. Avoid using “Login with Facebook” or “Login with Google” for sensitive services such as health, legal or financial tools.
Ask platforms periodically for a copy of your data. Download it, review it, and delete dormant accounts. If you stop using an app for more than three months, uninstall it unless there is a good reason to keep it. Watch for privacy policy updates. Most users click through them blindly, yet they often contain major changes in data sharing or transfer practices.
If you suspect a violation, move quickly in the first 48 hours. Note the date and time. Take screenshots. Save emails and notifications. Identify the exact account and device concerned. Contact the app through official support. Then prepare a CNDP complaint if necessary.
For professionals, the advice is even more concrete. Keep a processing register even if Law 09-08 does not impose it with the same detail as the GDPR. Map your data flows. Identify every foreign provider. Review cloud contracts. Train staff. If you run a Moroccan app or service, appoint a clear internal person responsible for compliance. And if your processing is sensitive, get legal advice before launch, not after a complaint.
Conclusion: digital sovereignty begins with informed Moroccan users
The bottom line is simple. Morocco does have a personal data protection law. Law 09-08 gives users rights, creates obligations for controllers and empowers the CNDP. But when the app is foreign, the company is established abroad and the servers or support chains are scattered across multiple countries, the protection becomes harder to enforce.
That does not mean Moroccan users are helpless. Far from it. You can request access to your data, ask for correction, object to certain processing, use platform deletion tools, complain to the CNDP, and in some cases seek judicial remedies. But you must be proactive. In data law, silence almost always benefits the platform, not the user.
My view, after years of advising on digital disputes in Morocco, is straightforward: the next reform of Law 09-08 should close the foreign-platform gap. Until then, users should document everything, businesses should comply seriously, and regulators should continue pushing for stronger tools.
If you believe your personal data has been misused by a platform, a service provider or an employer, do not wait for the problem to solve itself. Preserve the evidence, identify the controller, and if necessary consult a lawyer online in Morocco or contact a lawyer specialising in personal data law in Casablanca. In the digital economy, privacy is not lost in one dramatic moment. It is eroded quietly, click after click. The law must catch up, but citizens should not wait in the dark.

