State of Privacy Morocco

Morocco

Table of contents

Introduction

Acknowledgment

The State of Privacy in Morocco is the result of an ongoing collaboration by Privacy International and its partners.

Key privacy facts

1. Constitutional privacy protection: The constitution contains an explicit protection of the right to privacy.

2. Data protection law: There is a data protection law in Morocco (Law 1-09-15 of February 2009)

3. Data protection agency: Morocco has a data protection agency, the Commission nationale de contrôle de la protection des données à caractère personnel (CNDP)

4. Recent scandals: In June 2017, an investigation by BBC Arabic and Danish newspaper Dagbladet revealed that UK defense firm BAE Systems had sold mass surveillance technologies —called Evident— through its Danish subsidiary ETI, to six middle eastern governments, including Morocco.

5. ID regime: In 2008, Morocco launched a new identification scheme: the Carte nationale d'identité électronique (CNIE), a national biometric ID card issued by the National Police.

Right to Privacy

The constitution

The Moroccan constitution contains a specific provision related to privacy. Article 24 states:

"Any person has the right to the protection of their private life.

The domicile is inviolable. Searches may only intervene in the conditions and the forms provided by the law.

Private communications, under whatever form that may be, are secret. Only justice can authorize, under the conditions and following the forms provided by the law, the access to their content, their total or partial divulgation or their summons [invocation] at the demand [charge] of whosoever."

Regional and international conventions

The Preamble of the Constitution recognizes the primacy of international treaties over national law. It, however, limits their scope "within the framework of the dispositions of the Constitution and laws of the Kingdom, in respect of its immutable national identity".

Morocco is a signatory of a number of treaties with privacy implications, including:

Communication Surveillance

Introduction

Communications surveillance in Morocco is governed by the Constitution, the Code of Criminal Procedure and the Law on the Protection of Individuals with Regard to the Processing of Personal Data.


Individual privacy may be breached as part of a criminal investigation when a judicial order is issued. And though the law identifies specific conditions under which such orders may be granted, there remains vast grey areas regarding the discretionary powers offered judges and intelligence agencies.


The lack of a strong independence of the judiciary and the absence of public scrutiny over the work of intelligence services, challenge the democratic oversight over these operations.

Surveillance laws

A large corpus of statutory laws governs data management, cybercrime and access to communications data in Morocco. Many of these laws have privacy implications. They include:

Surveillance actors

Intelligence and security agencies

The Moroccan intelligence and security structure comprises a number of agencies with overlapping mandates. These agencies' organizational charts remain classified, complicating the task of mapping their work and oversight mechanisms. A lack of official statistics makes it difficult to establish their size.

Most of the agencies are under the control of either the Ministry of the Interior or the military. Recent legislative reforms have allowed for a relative level of accountability and transparency, thanks in no small measure to the efforts of human rights organisations.

Under the authority of the Ministry of Interior are the following agencies:

  1. Renseignements généraux marocains (RG), which is part of the Direction générale de la sûreté nationale (DGSN, or Sûreté nationale), the national police;
  2. Direction générale de la surveillance du territoire (DST; sometimes also referred to as DGST), the domestic intelligence agency;
  3. Service autonome de renseignement des Forces auxiliaires marocaines, an intelligence service attached to the Forces Auxiliaires (FA), a paramilitary force that supports the work of law enforcement agencies and participates in ensuring the security of the royal palaces and the personal security of the king

  4. Direction générale des affaires intérieures (DGAI), historically the largest service with five divisions (including the Direction des affaires générales) with a web of informants and functionaries across the country.

In 2015, an elite counter-terrorism unit, the Central Bureau of Judicial Investigation (BCIJ), was founded and placed under the authority of the DST.

 

The Direction de la police des communications radio-electriques (DPCR) is a subunit of the DST, headquartered in Termara south of the capital Rabat. Founded in the 1960's it specializes in communications interceptions and wiretapping.

Under the authority of the military are the following agencies:

  1. Conseil supérieur de la Défense nationale (CSDN), a council of Morocco's various security agencies (whose existence is not confirmed);
  2. Direction Générale de la Sécurité des Systèmes d'Information (DGSSI), the Moroccan authority responsible for computer systems security and that supervises the work of the Moroccan Computer Emergency Response Team, known as ma-CERT;
  3. Direction générale des études et de la documentation (DGED), the external spy agency;
  4. 2e Bureau (2B), reportedly the military external spy agency, responsible for collecting external military intelligence;
  5. 5e Bureau (5B), reportedly the military internal spy agency; and
  6. Service de Renseignement de la Gendarmerie Royale, responsible for internal intelligence, primarily in rural areas and small towns; and
  7. Centre royal de télédétection spatiale (CRTS), responsible for the acquisition, analysis and dissemination of satellite data and imagery.

Law enforcement

A constellation of law enforcement agencies works under the authority of, or conjointly with, the DGSN, and the national police including:

  1. Police judiciaire, also known as Brigade Nationale de la Police Judiciaire (PJ, or BNPJ), with regional branches;
  2. Direction de la sécurité royale (DSR);
  3. Police aux frontières (PAF);
  4. Groupes d'intervention rapide (GIR); and
  5. Brigades Régionales d'Intervention (BRI).

The data protection authority, CNDP, enjoys law enforcement powers, as does the ANRT, the telecommunications industry regulator: In addition to accredited CNDP and ANRT agents, Judicial Police officers can be commissioned by either agency to investigate violations of the law.

Surveillance capabilities

Internet monitoring

In 2011, the Moroccan Government was revealed to have invested 2 million euros in the "Eagle" surveillance system, which would allow the government to perform censorship and monitoring of internet traffic using deep packet inspection. Eagle was developed by Bull Amesys, a French company that sold a similar technology to the Libyan government of former President Muammar Gaddafi.

In January 2015, following pressure from Privacy International and Swiss journalists, the Swiss government released a documents revealing a list of countries that had purchased surveillance technologies from Swiss companies. Among the purchasers of advanced surveillance technology was Morocco, which appeared to have tested mobile telecommunication interception or jamming equipment in 2013 or 2014.

In June 2017, an investigation by BBC Arabic and Dagbladet, a Danish newspaper, revealed that UK defense firm BAE Systems had sold mass surveillance technologies —called Evident— through its Danish subsidiary ETI, to six middle eastern governments with questionable human rights records, including Morocco.
According to the report, the technology would allow governments to carry out mass surveillance of emails and mobile phone calls at the level of an entire country. It would also allow governments to carry out targeted surveillance of individuals by name, email address or specific IP addresses.
According to documents obtained by the BBC, the Evident system was first sold to the former Tunisian president Ben Ali who used it to crack down on opponents until his overthrow in January 2011.

Intrusion malware

As described in a Privacy International report, Morocco also purchased malware from Hacking Team to use it against journalists. The Hacking Team leaks showed that the two Moroccan intelligence agencies — the High Council for National Defence (CSDN) and the Directory of Territorial Surveillance (DST) — have both purchased Remote Control System intrusion malware product. The CSDN first acquired it in 2009 and the DST obtained it in 2012.

The leaked documents showed that the two intelligence agencies have been renewing their contracts with Hacking Team and, as of July 2015, were still using the spyware. Since 2009, according to the same documents, Morocco has spent over 3 million euros on Hacking Team equipment.

Moreover, in April 2015, the Moroccan Royal Gendarmerie was listed as an "opportunity" for a 487,000 euro contract and said to be "very interested" in Hacking Team products, "especially for mobile", according to a leaked document.

A report by The Citizen Lab from 2015 published evidence that the Moroccan government had also used FinFisher malware produced by the British-German Gamma group of companies.

Satellite surveillance

On November 8, 2017, Morocco launched the first of two spy satellites with military and intelligence applications designed on the model of the French imaging system Pléiades. Designed by the Franco-Italian consortium Thales Alenia Space and the French Airbus, the satellites are able to provide high definition images with a resolution of up to 70 cm from any point on the planet. The satellites were purchased by Morocco to France as part of a € 500 million contract signed in secret in 2013 on the sidelines of an official visit to Rabat by then-French president François Hollande.

The technical specifications of the two satellites remain shrouded in mystery. Moroccan officials insist on its strict civilian use, but experts pointed to the potential security and military applications of the system that could allow Morocco to obtain information on the military installations and the movements of troops of neighboring countries, especially Spain and Algeria.

The satellites are due to be operational in 2018 and will be able to take up to 500 photos per day which will then be collected by a team based in Rabat, presumably under the supervision of the Centre royal de la télédétection spatiale.

Surveillance oversight, checks and balances

Criminal investigations

Criminal investigation techniques involving communications surveillance are considered exceptional procedures under criminal law.

Procedural rules governing the production and admissibility of evidence obtained through such techniques are defined in Chapter 5, Articles 108 to 116 of the Code of Criminal Procedure (as amended in June 2015).

According to the Code, the surveillance of communications is placed under the authority and oversight of the First President of the Appeals Court who issues a written warrant to the Investigative Judge in charge of an ongoing investigation, or to the Crown Prosecutor when the crimes under investigation might constitute a particular threat to the security of citizens or the state.

These are specifically: crimes undermining state security; crimes of terrorism; criminal association; homicide; poisoning; kidnapping; hostage-taking; counterfeiting of currency; drugs and weapons trafficking; and crimes that undermine public health.

Exceptionally, the Crown Prosecutor may trigger the surveillance operation before obtaining a written warrant in cases of "extreme emergency" or when the destruction of evidence is feared. These cases must, however, fall within specific categories: crimes undermining state security; crimes of terrorism; kidnapping; hostage-taking; or drugs and weapons trafficking.

In that case, the Crown Prosecutor must immediately inform the District's First President of the Appeals Court who must either support, amend or abrogate the procedure within 24 hours.

The warrants must include all evidence necessary to identify the specific type of communications to be monitored and the exact motive behind the operation which must not exceed a total period of 4 months. That period is renewable once.

Judicial Police (PJ) officers, who conduct the investigation under the authority of the Crown Prosecutor or the Investigating Judge, are required by law to keep a written record of the surveillance operation, including its start and finish date. The recordings themselves must be kept under seal.

The law also requires that the recordings be destroyed following the lapse of the statute of limitation date related to the legal action, or when the case has been subject to a final judgement and is no longer subject to an appeal.

The unauthorized interception, the destruction, publication or use of private communications, or the unlawful installation of listening devices is punishable by up to one year in prison. The crime is aggravated when it is related to a terrorism act, or when the offender is an official or an employee of a telecom company -- in which case the penalty can reach as high as 10 years in jail.

Security and intelligence operations

The DST is the Moroccan domestic spy agency, and probably Morocco's largest intelligence gathering service.

It was created in 1973 following a military coup attempt against King Hassan II (1929-1999). It was then placed under the authority of the Ministry of Interior, which answers directly to the royal palace. Royal Decree or Dahir 1-73-652 — its founding document — provides no clear accountability mechanism.

Ever since its creation DST built a reputation of violence and secrecy. Its controversial history is mired in torture allegations and human rights violations. It remains a very secretive institution with no public outreach or website. Its officials rarely appear before Parliament or the press.

In May 2011, in the wake of the "Arab Spring", hundreds of pro-democracy protesters marched on the Temara interrogation center, a prison operated by the DST located within a forested area about 15 kilometres south of the capital Rabat. Activists hoped to bring attention to the facility which they suspected of hosting a secret extrajudicial torture center. The protest sparked a debate in Morocco about the work of the DST and the intelligence services more broadly.

In October 2011, Act 35-11 amending the Code of Criminal Procedure was enacted. This brought the work of the DST under unprecedented judicial review.

The amendment gave DST agents the status of Judicial Police officers, placing them under the authority of Crown Prosecutors. The status applies only in relation to crimes related to Article 108 that governs the procedural rules of production and admissibility of evidence obtained through the surveillance of private communications, raising the question of whether it should not be extended to other activities conducted by the spy agency.

In December 2005, King Mohammed VI appointed Abdellatif Hammouchi at the helm of DST. Hammouchi also serves as the personal advisor to the monarch on terrorism-related affairs, and, since 2015, as the head of the national police as well. Hammouchi has faced accusations of torture and abductions of political opponents and terrorism suspects in the past, culminating in a major diplomatic crisis between Morocco and France in 2014. Morocco suspended all judicial cooperation with France over lawsuits in Paris that accused Hammouchi of complicity in torture.

Relations between the two countries were later restored when France granted Hammouchi its highest distinction, the Legion d'Honneur, in an apparent move to regain Morocco's cooperation in its fight against Islamist terrorism following the attacks on the headquarters of French satirical magazine Charlie Hebdo in 2015.

Safeguards regarding service providers

The ANRT is the national telecommunications regulator. It is placed under the authority of the Prime Minister.

ANRT's mandate, articulated in Article 10 of Act 24-96 on Post and Telecommunications, is to insure that service providers respect the "conditions of confidentiality and neutrality of the service with regard to transmitted messages."

ANRT makes sure that equipment made available by operators is up to the standards of safety. It also makes sure that operators and service providers respect the confidentiality of correspondence and the conditions for the protection of privacy and personal data of the users.

ANRT does have law enforcement powers: in addition to accredited ANRT agents, Judicial Police officers can be commissioned by the agency to investigate violations of the law.

The unauthorized disclosure, misappropriation, destruction, or violation of private correspondence is punishable by up to 5 years in jail. Service providers who feel wronged or want to oppose ANRT injunctions can resort the Administrative Court of Rabat.

Between the letter of the law and its application

During the last decade Morocco has achieved substantial progress with regard to its legislation on the protection of privacy. However, civil society organizations, independent media and international watchdogs regularly point to the discrepancy between the law and its application.

In December 2015, a national coalition of NGOs strongly criticized the persistent legal vacuum surrounding security and intelligence agencies. In a report submitted to the UN Committee for Human Rights, 14 NGOs including the Moroccan Digital Rights Association called on the government to comply with the requirements of international law, in particular the International Covenant on Civil and Political Rights regarding the protection of privacy.

As early as 2005, the head of the Equity and Reconciliation Commission (IER), a human rights and truth commission created by King Mohammed VI to investigate past human rights abuses lamented that he found it "difficult to obtain the regulations governing each of the various security agencies, their fields of action, their recruitment policies, their training, and methods of recruiting." "This lack of clarity," he warned at the time, "could make it easier for abuses to take place." The IER was criticized by sections of the human rights community because it was not allowed to report about human rights violations occurring after 1999, when Mohammed VI was enthroned. The IER was also attacked because it lacked the authority to publicly name perpetrators or to compel state agents to provide information.

In its final report addressed to king Mohammed VI in December 2005, the IER called for the:

  • "Development and publication of the government's security policy;
  • Clarification and publication of the legal framework regulating the institutional powers, the process of decision making, monitoring and evaluation mechanisms for all security agencies and administrative authorities;
  • Government to inform the public and parliament of any event requiring the intervention of security forces; and
  • Establishment of internal control mechanisms within the security agencies that are fair and transparent."

More than a decade after IER recommendations were first made, the progress is somewhat mixed.

Article 54 of the 2011 Constitution established the Superior Council of Security, little is known about the laws and regulations that would govern its authority.

After decades of protest from Morocco's legal profession as well as several national and international NGOs, in addition to recommendations issued by the National Council on Human Rights (CNDH), the Code of Military Justice was finally amended in July 2014 to ensure the unification of the judicial system and the protection of fundamental rights so that civilians could no longer be investigated under a military jurisdiction or brought before military courts. The same year, Parliament abrogated the status given to so-called special courts, namely the Permanent Tribunal of the Royal Armed Forces (TPFAR) that could until then carry out criminal investigations independently of the civilian court system.

But despite the legislative reforms, the judiciary's lack of independence remains a major concern for professional associations of judges and civil society organizations.

The overly vague language of the Criminal Code and the Anti-Terrorism Law is often stretched to justify groundless surveillance of political opponents and independent journalists. It relies heavily on the discretionary powers of judges. Those judges depend in turn on the High Council of the Judicial Power and the Ministry of Justice that still have comprehensive and effective control over their career advancements, the entire judiciary and judicial administration.

Surveillance case law

Our research has not yet identified any specific examples of surveillance case law in Morocco. Please send any tips or information to: research@privacyinternational.org

Examples of surveillance

Civil society, journalists, academics and other citizens report widespread surveillance, both physical and digital, by the Moroccan government.

The Moroccan government has used spyware from Italian surveillance company Hacking Team to target journalists from the publishing collective Mamfakinch in 2012. Technical evidence was collected by the Citizen Lab from targeted devices and published in 2012. Privacy International published a report in 2015 exploring the impacts of the surveillance on those targeted.

Activists and journalists have also reported being the victims of hacks from groups or media that claim to be defending the government. Cases of physical surveillance from the police were also mentioned in the Privacy International report.

In his memoir published in January 2015, Patrick Ramaël, a French judge who, until 2013, was in charge of investigating the "disappearance" in Paris in 1965 of the Moroccan opposition leader Mehdi Ben Barka, reported that French police officers working on his behalf in Morocco were under Moroccan police surveillance. A French police officer, working from the French Embassy in Rabat, who was cooperating with Ramaël on the investigation into the disappearance of Ben Barka, saw his personal phone line disconnected minutes after ending a phone conversation with the French judge. Two days later, the officer was reportedly summoned and instructed to leave the country.

During the regional and local elections of September 2015, 30,000 mobile phone lines were reportedly tapped across the country. The mass surveillance operation, ordered by the Ministry of Interior, was first reported by the Assabah newspaper. The Ministry set up commissions headed by Crown Prosecutors to supervise the operation. The authorities, who acknowledged the operation, explained that the measure was dictated by "the desire to ensure a degree of transparency in the election." The list of individuals targeted by the operation included candidates, regional or provincial party officials, in addition to local government officials and people with no direct link to the vote but whose "occupations or activities" were deemed "related to the elections," according to the Ministry.

In October 2015, seven activists and investigative journalists including historian and academic Maati Monjib, as well as investigative journalists Hicham Mansouri and Samad Aït Aïcha, and the founder of the Digital Rights Association, Hisham Almiraat, were brought before the Tribunal of First Instance of Rabat and charged with "using foreign funding to undermine State security" -- a charge that carries up to five years in jail. The charges were widely seen as politically motivated.The activists were involved in a program funded by Dutch NGO Free Press Unlimited, to train journalists and human rights activists on reporting techniques as well as on tactics to evade government interception, including encryption.

During their interrogation by PJ officers, the activists reported being shown transcripts of their private Skype and phone calls as well as copies of email exchanges. The defendants' lawyers also learned that at least one of the activists' phones was tapped for a period of three months.

In July 2017, Hamid Hamdaoui, the editor-in-chief of the news site al-Badil and an outspoken critic of the government, was arrested at a demonstration in al-Hoceima, in northern Morocco. He was charged with "incitement to commit an offence" and "participating in an unauthorized protest" and sentenced to a three-month prison sentence. A few days after the sentence, a transcript from a wiretap on Mahdaoui's mobile phone emerged and was used as evidence against him in the case. In September 2017, Mahdaoui's sentence was extended to one year by an appeals court in Casablanca.

As of July 2016, the new Press Code mandates the registration of online journalists, in a move Freedom House fears "could stifle free reporting, [bringing the media] further under the authorities' control."

 

Data Protection

Data protection laws

In 2009, a national data protection authority was created in Morocco. The mission of the Commission nationale de contrôle de la protection des données à caractère personnel (CNDP) is to "ensure that the processing of personal data is lawful, legal and does not violate the privacy, fundamental freedoms and human rights" of Moroccan citizens and foreign residents.

The CNDP reports to the Prime Minister. It is responsible for advising the government and parliament on bills or legislative proposals and regulations related to the processing of personal data.

The Commission consists of seven members. At its head is a Chairman who is directly appointed by the king. The six remaining members are also appointed by the King following recommendations from the Prime Minister, and the Leaders of the Upper and Lower houses of Parliament.

The rights of individuals with regards to their personal data as recognized by the law are:

  • the right to be informed about data collection, who is responsible for processing data, the aim of the processing for which the data are intended; and "any additional information";
  • the right to access personal information;
  • the "right of correction" of incomplete or inaccurate data; and
  • the right to oppose that personal data be processed.

Personal data "must be processed fairly and lawfully; collected for explicit and a legitimate aim only, and not further processed in a way incompatible with the stated purposes."

Law 1-09-15 of February 2009 also states that personal data must be kept in a form that permits the identification of the persons concerned, and for no longer than is necessary for the purposes for which they were collected. It does not, however, specify a standardized retention period. When there is a legitimate interest in keeping personal data beyond the period provided for, the CNDP may authorize an extension of the retention period.

The law insists on informed consent: "Data processing of personal data can only be made if the subject has unambiguously given his or her consent to the transaction or all proposed transactions pertaining to his or her personal data." Additionally, the law stipulates that personal data cannot be disclosed to third parties without prior consent.

But the law provides for exceptions and the language is left open to interpretation. For example, Article 44 states disclosure to third parties may occur without prior consent if the processing is necessary for the performance of a task of "public interest". The law stresses, however, the importance of respecting fundamental rights and freedoms of individuals.

The law also forbids the use of automated personal data processing in any court decision: "No decision producing legal effects in respect to a person may be taken on the basis of automated processing data intended to define the person's profile or evaluate aspects of their personality."Data processing must be subject to prior authorization when that data is related to past offenses or convictions.

The law also introduces new obligations for data controllers. These must make a formal statement of intent which includes a commitment that the data will be treated in accordance with the law. That statement is filed with the CNDP.

With regard to transferring data to a foreign State, data controllers can only transfer data if that state "ensures an adequate level of protection of privacy and fundamental rights and freedoms of individuals with regard to the treatment of their personal data." The National Commission establishes the list of countries that satisfy these requirements and defines the exceptions.

The Commission can also receive complaints from any plaintiff. The CNDP can order the publication of corrections or refer the matter to justice for the purpose of prosecution. In addition, the Commission also offers expert opinion in front of the courts.

The CNDP also has a role in informing the general public about their rights and obligations and the provisions adopted for the protection of personal data. The establishment of a public register intended for public information about the protection of personal data, including a listing of data controllers and an updated registry of legislations and regulations, has been long in the making.

The Commission also has investigative powers. It can require direct access to facilities in which data is being processed. It can collect all data under investigation. It has also the power to order the rectification, blocking, removal or destruction of data and to temporarily or permanently ban the processing of personal data in servers located on the Moroccan territory. The Commission can launch investigations, summon persons to a hearing, proceed to the seizure of equipment, and inform the public prosecutor.

The Commission is endowed with law enforcement powers: in addition to accredited CNDP agents, Judicial Police officers can be commissioned by the president to investigate violations of the data protection law.

Limits of the data protection provisions

Act 09-08 governing the work of CNDP is in many ways similar to French data protection law of 1978, which the Moroccan text seems to emulate.

However, the Moroccan law, in contrast to its French counterpart, does not include, as "protected data," information related to a person's sexual life. Also, the CNDP, in contrast to its French counterpart the CNIL, does not have a say on the processing of data involving State security, defence, public safety or criminal offences that are left for the State to interpret. (In contrast, the CNIL can issue a public opinion on matters related to State security and defence, according to Articles 11 and 26 of French Act 78-17).

The Moroccan law contains an significant exception to data protection. it states:

"This Act does not apply to personal data collected and processed in the interest of national defense, the internal or external security of the state and the prevention or repression of crime."

Moreover, the Moroccan law does not specifically explain the conditions under which an exemption from the obligation to inform a data subject are applied when, for example, processing is carried out on behalf of the state and related to matters of "state security", defence, or public safety.

In December 2015, a coalition of 14 local human rights NGOs addressed a joint report to the United Nations Human Rights Committee lamenting the fact that "to date, the CNDP has not conducted any investigation to shed light on the situation of [communications] surveillance in Morocco, which would have had the advantage of establishing a debate within society on the challenges posed by the use of new communication technologies and on the legitimate security concerns the State might have."

The report called for the establishment of "a framework guaranteeing the protection of privacy against all forms of abuse, whether it emanates from the State itself or any other party."

Accountability mechanisms

Freedom of Information

Article 27 of the Moroccan Constitution guarantees freedom of access to publicly-held information:

"The citizens [...] have the right of access to information held by the public administration, the elected institutions and the organs invested with missions of public service."

A Right of Access to Information Act, known as Bill 31-13, was drafted by the government as early as March 2013 and later approved by the cabinet in July 2014.

The early version of the bill received mixed reactions from civil society due to its limitations. It introduces new obstacles to the right to access publicly held information, such as information pertaining to "relations with a third State or an international organization", "information that could prejudice the ability of the State to manage its monetary, economic and financial policy", or information related to "the deliberations of the Government". The draft also introduces jail penalties against officials who may disclose information that is deemed confidential.

In the summer of 2016, a revised version of the bill introduced the National Commission for the Right of Access to Information (CNDAI), a new body that would be chaired by the President of the CNDP and attached to the Prime Minister.

The bill went on to pass the Lower House of the Moroccan Parliament in July 2016. It has since been pending a second reading by the Upper House.

At the time of the publication of this report, there were no known cases in which activists or journalists or others have tried to legally obtain information from the government regarding surveillance or privacy-related cases.

Ombudsman (Médiateur du Royaume)

The institution of the Médiateur (Ombudsman) was established in 2011 in an effort to fight endemic corruption and force transparency in the management of public services, according to Article 162 of the Constitution and Royal Decree Dahir 1-11-25.

The Médiateur is appointed by royal decree for a five-year term, and is mandated to hear complaints about grave abuses of office. The Médiateur and his deputies are responsible for facilitating access to administrative information. If the requested information is considered secret, the Médiateur has the authority to adjudicate the confidentiality of the information by requesting evidence from the relevant administration.

The information requester does not bear any costs relating to the completion of the request, but must demonstrate a vested interest and clearly state the goal sought through the information request.

The Médiateur or his deputies may use any means necessary to investigate the legitimacy of the claims and the reality of the damage suffered. They do not, however, have jurisdiction over complaints implicating judicial organs, or matters within the province of the National Council for Human Rights.

The Médiateur submits an annual report to the king, including the results of complaints and recommendations to address cases of poor administration affecting public services. He/She also sends regular reports to the Prime Minister on cases where the administration has refrained from responding to requests for information, or when it failed to act on its recommendations.

Parliamentary Commissions of Inquiry

In July 2014, Act 85-13 was adopted pursuant to the provisions of Article 67 of the Constitution. It clarifies the functioning of Parliamentary Commissions of Inquiry, an important accountability mechanism.

A Commission of Inquiry may be appointed by the king or by one of the two houses of Parliament and can, in theory, investigate wrongdoings by officials and institutions, including law enforcement agencies and security services.

The law, however, imposes a series of restrictions on commissions' ability to access documents deemed "of a secret nature," or subject to "national defense," or related to the "interior or external security of the State," or in connection with "Morocco's relations with a foreign State." The secret nature of those documents is left to the discretion of the Prime Minister who can refuse that documents deemed confidential be communicated to the Commission or that witnesses produce sensitive testimonies.

At the end of its inquiry, the Commission is required to communicate its report to Parliament. The content of the report must be discussed during a public session of the Parliament within a period of 15 days after its submission to the House.

Consumer protection

Since its implementation in 2009, Act 09-08 on the protection of personal data, has offered a legal framework for ensuring that the processing of personal data is in line with consumers' fundamental freedoms and human rights.

It committed the government to establishing a national registry for the protection of personal data, that would ensure transparency in terms of who processes citizens' private data, according to what laws and the means by which to exercise the rights of information, access, rectification, cancellation and opposition — an important instrument that concerned citizens and consumers would benefit from greatly. To date, the project has not yet come to light.

In 2007, Act 53-05 on the electronic exchange of legal data added more clarity to the conditions of validity and protection of data related to contracts established and, or transmitted electronically. The law set up a National Accreditation Authority that controls electronic certification standards.

But in January 2015, in a surprise move, the government decided to transfer that authority from civilian control to the military — to the General Directorate for the Security of Information Systems, or DGSSI. The move raised questions about the integrity of consumers' data when the authority in charge of standardizing the means of encryption and protection of the electronic exchange of legal and commercial documents is the military — an institution that is traditionally beyond democratic oversight in Morocco.

In 2011, Royal Decree 1-11-03 enacted Law 31-08 that governs consumer protection rules. It is a complementary part of the legal system in terms of consumer protection. It reinforces consumers' rights including the right to information; the right to protection of economic rights; the right to a representation; the right to withdraw; and the right to be heard.

The law introduced changes to allow consumer organizations to bring class action claims on behalf of consumers.

In terms of the security of payment methods, the vendor guarantees the security of transaction data. In case of unlawful disclosure, the vendor is liable and bears the burden of proof in case of dispute.

Although the law does not contain explicit provisions regarding the protection of consumers' data (with regards to their banking information, for instance), data controllers must meet the conditions set forth by Act 09-08: vendors must submit a statement of intent and request an authorisation from the data protection authority, CNDP, prior to processing consumers' data.

In January 2014, the CNDP launched its first large-scale control operation to verify the compliance with the law of Moroccan websites and online businesses, including banks and online shopping websites, with the provisions of Act 09-08 on the protection of personal data. Contravening websites were invited to comply with the law. Past a certain deadline, CNDP warned that they could face sanctions, including legal actions.

In January 2016, CNDP issued recommendations regarding unsolicited electronic marketing. It called for the creation of a national opt-out list in which consumers would register to stop receiving commercial marketing messages. This raised the question of a potential misuse of the database that could be exploited for the opposite of the intended purpose. The CNDP did recommend setting up a permanent working group to ensure a proper implementation of its recommendations.

In June 2015, Saïd Ihrai, the president of the CNDP, laid out an assessment of his organisation's work citing statistics and actions undertaken by the data protection authority.

Most of the complaints received by the CNDP were related to "harassment through SMS text messages and spam" (67% in 2014). Consequently, according to Ihrai, the CNDP addressed warnings to companies and individuals who are known to trade on personal databases for use in direct marketing campaigns, reminding them that the practice was considered a serious offense and could lead to harsh penalties under the law.

Data breaches: case law

Our research has not yet identified any case laws related to data breaches in Morocco. Please send any tips or information to: research@privacyinternational.org

Examples of data breaches

Our research has not yet identified any issues relating to examples of data breaches in Morocco. Please send any tips or information to: research@privacyinternational.org

Identification Schemes

ID cards and databases

National biometric ID card

In April 2008, the National Police (DGSN) started issuing the Carte nationale d'identité électronique (CNIE) — a national biometric ID card, "based on contactless smartcard technology" containing both personal details and biometric data.

The government hailed the new identification scheme as an efficient way to "simultaneously fight terrorism," "control migration flows" and "guarantee respect for citizens' rights and liberty."

The card has a 10-year validity period, and was designed to replace four administrative documents previously required by the Moroccan government: the birth certificate, the certificate of "life", the certificate of residence and the certificate of nationality.

The CNIE assigns a unique national identity number to every resident over 18 years of age. Personal details appear on both sides of the card, including the full name of the cardholder, his or her date of birth, birthplace, photograph, family history, home address and gender. Encoded and encrypted into a barcode and microchip are, in addition to the personal details, two fingerprints of the cardholder stored in vector format.

The Criminal Code (Article 607-3) restricts access to the data contained in the barcode and microchip to "national security personnel and authorized officials." The law also allows the cardholder to access the data stored in the card's microchip and barcode.

French security company Thales provided the system including the security software and the production equipment. The American company Cogent Systems provided the "Automated Fingerprint Identification System" which acquires digital fingerprints.

As of 2013, over 20 million cards had been produced according to Thales that was awarded a follow-on contract to supply 5 million cards a year.

In November 2017, the Moroccan Deputy Interior Minister headed a delegation made up of ICT officials and experts from Bank Al Maghrib, the country's national bank, to Delhi, India. The 10-day visit was described in the Indian press as an effort to "Replicate India's Aadhaar biometric identification scheme".

Introduced in 2010, Aadhaar is the largest biometric identification system in the world. Developed by the French company Morpho (subsidiary of the Safran group), the American L1 and the Japanese NEC, it is a 12 digit unique-identity number system covering all 1.3 billion Indian residents based on their biometric and demographic data.

It is not clear what the conclusions of the talks between the two countries in this regard have been.

 

 

e-Passports

Since December 2010, a biometric passport (e-Passport) is available for all new applicants. In December 2008, following a public tender, the contract for the e-Passports was awarded to the Marubeni-Gemadec consortium, under which smart card manufacturer Gemalto—through secure border management systems specialist Avalon Biometrics—acted as a subcontractor. Gemalto was responsible for the supply, operating and securing of the e-Passports. Gemalto's systems have been known to contain serious vulnerabilities.

Each e-Passport contains a concealed microchip and barcodes storing personal details, a digitized passport photo and two fingerprints.

It uses Extended Access Control (EAC), a security system that "restricts access to biometric data to authorized parties, [and verifies] the authenticity of the microprocessor and the reading device," using an encryption mechanism, according to the manufacturer.

Electronic driver's licenses

In February 2007, the company Assiaqa Card, a consortium of Sagem Sécurité, a French company involved in defense electronics, Moroccan manufacturer M2M Group, and the Attijari Capital Risque bank, won a seven-year contract with the Moroccan Ministry of Equipment and Transportation to produce 12 million biometric driver's licenses and vehicle registration cards. Sagem Sécurité has since changed its name to Safran Identity and Security in May 2016. The new driver's licenses and vehicle registration cards use a contactless electronic card containing an encrypted microchip built by Sagem Orga GmbH, the smartcard division of the French company.

Personal details and biometric data are stored in the electronic driver's licenses and vehicle registration cards including the national ID card number, the driver's photograph and medical data such as the blood type, and transportation access.

Oversight

Little is known about the data management and storing policy of either of the national IDs and biometric databases, which is the responsibility of the Ministry of Interior and the Ministry of Equipment and Transportation.

The CNDP, whose job it is to ensure that the processing of personal data "does not violate the privacy, fundamental freedoms and human rights" of Moroccan citizens and foreign residents, seems to be taking a backseat when it comes to the national ID systems. Part of CNDP's apparent reluctance stems from the fact that the law restricts its scope of intervention: the processing of data involving State security and defence, remains the privy of the State.

In November 2013, the CNDP published a series of recommendations on the use of biometric devices, but focused exclusively on devices used for access control in a private setting. The Commission is yet to look into the national IDs and biometric databases and answer many pressing questions, including the agency responsible for managing and storing the national databases, what safeguards exist concerning its storage, and any procedural oversight to guarantee that personal data is not exploited unlawfully by the government or third parties.

These questions are all the more relevant when we consider that the infrastructure of at least one of the manufacturers, Gemalto, has been known to contain serious vulnerabilities.

Voter registration

Since the electoral law reform of 2011, the voter registration system allows the computerized processing of national lists of eligible voters, known as "General Electoral Lists".

Registration on the General Electoral Lists is compulsory after the age of 18. For inclusion on the lists, applicants in each district or commune, fill in a special form indicating their first and last names, date and place of birth, occupation, address and their national biometric ID card (CNIE) number. The request bears the signature of the applicant, or his or her fingerprint. The applicants may also be asked to produce additional documents (such as their police record) showing they fulfill the conditions legally required to be registered as voters.

In December 2014, changes to the electoral law were adopted to allow individuals to register online by logging into an official website run by the Ministry of Interior. Voters can then look up, review and track their registration information in real time. They can also use smartphone applications or get SMS messages about their registration status.

The CNIE alone is required for voting. No other documentation is needed or accepted. Data about registered voters is collected and reviewed locally by Administrative Committees composed of local officials.

At the national level, the National Technical Committee (NTC) oversees the bulk data processing by the Ministry of Interior's mainframe computer to ensure there are no duplicate registrations or errors. The NTC is composed of the president of a chamber of the Supreme Court, who serves as its chairman, a representative of each of the political parties, and a representative of the Ministry of Interior.

Final electoral lists are made available for public review upon individual request at the commune or district levels and on the website. A period of time is fixed by decree (usually 5 to 10 days) during which the public can make complaints about possible errors or challenge electoral authorities before the Administrative Court.

The lists are established during each electoral cycle and undergo annual and extraordinary reviews. Once curated and adopted, the General Electoral Lists are valid for local, regional or legislative elections, as well as referenda.

Under the Moroccan system, the Ministry of Interior is in charge of the entire election process (organizing, voter registration, data processing and storage). This runs contrary to the UN Human Rights Committee's General Comment 25, explaining obligations under the ICCPR, which establishes that "[a]n independent electoral authority should be established to supervise the electoral process and to ensure that it is conducted fairly, impartially and in accordance with established laws which are compatible with the Covenant."

SIM card registration

Since April 2014, ANRT, the telecom regulator, has started enforcing a ban on anonymous SIM cards. Mobile operators were thereupon compelled to identify their subscribers, including prepaid SIM cardholders.


ANRT justified the measure by its efforts to comply with Act 09-08 on the protection of individuals with regard to the processing of personal data. The measure provoked criticism from privacy activists and journalists who pointed that anonymous phone cards were important for protecting journalistic sources.


As of December 2017, however, unregistered SIM cards were still available in the black market.

 

Policies and Sectoral Initiatives

Cybersecurity Policy

On 22 March 2016, Decree 2-15-712 on the Protection of Sensitive Information Systems and Infrastructures of Vital Importance was enacted.

The law fixes a list of activities and entities of vital importance. A detailed list of sensitive infrastructure is kept secret by the government and its content reviewed at least once a year.

Each entity affected by the law is required to put in place the necessary means for supervision and detection of cyber attacks, as well as contingency plans to ensure continuity of its operations. It must host its sensitive data within the national territory of Morocco. It is also required to submit to a security audit program carried out by the General Directorate for the Security of Information Systems (DGSSI), or by certified private auditors under its supervision. It must communicate all information and technical data generated by any major security event targeting its sensitive information systems to the Computer Emergency Response Team (ma-CERT) within 48 hours of the event. The ma-CERT is a subunit of the Direction Générale de la Sécurité des Systèmes d'Information (DGSSI), of the Defence Administration. Within a month after any major security incident, the DGSSI must transmit a summary of its investigation and its recommendations to the affected entity.

Cybercrime

Act 07-03 was enacted in November 2003, introducing for the first time the notion of cybercrime to the Moroccan Criminal Code, defined as "offenses related to automated data processing systems".

Cybercrime includes the unauthorized access to, in all or part, an automated data processing system and electronic documents, the fraudulent introduction of data into such systems, the obstruction or distortion of their operations or mode of transmission. The crime is aggravated in the case of unlawful tampering, deletion or modification of data or in the event of impaired functioning of the system, or when the automated data processing system is assumed to contain information relating to the "internal or external security of the State" or "secrets concerning the national economy."

The penalty is most severe when the offense is committed by an officer or employee while carrying out his or her duties, or for any person who "manufactures, acquires, transfers, offers equipment or data" designed to commit a cybercrime.

The sentences for cybercrime convictions range from 1 month to 5 years in prison and 2,000 dirhams (US$ 200) to 2 million dirhams (US$ 200,000). The court may also order the confiscation of property used to commit the offences. The culprit may be further prevented from exercising his or her civil rights or any public function for a term of two to ten years.

While the Moroccan government does not publish statistics pertaining to crime, the government seems to have stepped up its efforts to fight the phenomenon. In a statement to the press in October 2015, the head of the data protection authority CNDP, Saïd Ihrai, said that Morocco had put in place 29 units specialized in the fight against cybercrime. It is not clear, however, under which authority these units work or according to what law.

In February 2016, the Moroccan Ministry of Industry launched the "National Campaign to Fight Cybercrime", an initiative particularly aimed at supporting the private sector. In July 2016, the Ministry of Justice, together with the Council of Europe, organized an international workshop in the capital Rabat, on best practices regarding cybercrime legislation and electronic evidence.

Morocco also participates in an anti-cybercrime initiative sponsored by the European Union, Action Globale sur la Cybercriminalité Elargie (GLACY+).

Encryption

Act 53-05 on the electronic exchange of legal data restricts the use of cryptography.

According to the law, "[i]n order to prevent its use for illegal purposes, and to protect the interests of national defense and the internal or external security of the State, the import, export, supply, operation or use of means or cryptographic services" is subject to a prior statement and prior approval from the administration.

Heavy penalties are reserved for the unauthorized use of cryptographic means which is punishable by one year imprisonment and a fine of up to 100,000 dirhams (US$10,000). The court may also order the forfeiture of cryptographic means involved.

For the sake of comparison, the French Act 2004-575, which is very similar to its Moroccan counterpart, exempts the use of means of cryptography from prior authorization. In France, only the supply, importation or export of encryption means, rather than their use, are subject to reporting and/or authorization requirement from ANSSI, the French authority responsible for computer systems security.

In January 2015, the government issued Decree 2-13-881 which transfers the authority for the approval and monitoring of electronic certifications and regulation of cryptographic means from the ANRT, a civilian agency, to the military (Direction Générale de la Sécurité des Systèmes d'Information or DGSSI) which became de facto the national authority with the power to approve and monitor electronic certifications.

The move alarmed human rights and pro-democracy activists who worried that the vague language of the law could lead to state curtailment of free speech and increase the number of unfair prosecutions. In December 2015, a coalition of 14 local human rights NGOs condemned the restrictions imposed on the use of cryptography, calling for its complete decriminalization.

Licensing of industry

The National Telecommunications Regulatory Agency (ANRT) estimates that the number of internet subscribers in Morocco (population of approximately 34 million) will have reached 22.56 million by the end of 2017, bringing the rate of Internet penetration to about 65%, one of the highest in the region.

The telecommunications market is divided between three operators: Maroc Telecom (55 % of market share), Méditelecom or Méditel (22.5 %) and Wana Corporate (22.5 %). Maroc Telecom is the historic operator and former state company that held a monopoly over the sector until its liberalization in 1999. It is owned by Etisalat, the Emirati Telecommunications Corporation, which holds 53 % of its shares, the Moroccan government holds 30%, while private investors own the rest of the company's equities. Méditel is owned by local investment groups (50%) and French Orange Telecom (40%). Wana Corporate (also known by its brand name, Inwi) is owned by the Moroccan royal family through its private holding company Société Nationale d'Investissements, or SNI.

Morocco's internet infrastructure remains largely centralized and dominated by the state through it's partial or total control over the 16,000 kilometer-long fiber-optic backbone which is owned by Maroc Telecom, the national railroad company, ONCF, and the national electricity and water utility, ONEE.

 

 

E-governance/digital agenda

In May 2009, Royal Decree 2-08-444 established the National Council of Information Technology and the Digital Economy (Conseil National des Technologies de l'Information et de l'Economie Numérique).

Under the chairmanship of the Prime Minister, the Council was to coordinate and monitor the implementation of a national strategy to promote the use of information technology by both the public and private sectors. It was also tasked with guiding the development of the information society and the digital economy.

A national strategy, Maroc Numeric 2013, was conceived for the period 2009-2014. Substantial financial resources of 5.19 billion dirhams (US$ 500 million) were allocated to the project.

At the conclusion of the period in September 2014, the Cour des Comptes, Morocco's public finances watchdog, published an evaluation of the strategy. It identified a litany of failures and shortcomings related to project development and priorities. Many of the resources were, for example, allocated to the purchase of expensive proprietary software.

In a statement, the Moroccan Association of Digital Rights called upon the government to adopt open-source standards in public administration. It also called for a revival of the strategy only after a broad consultation with all stakeholders and in particular civil society actors, "to build a sustainable, rational digital strategy respectful of the rights of users and taxpayers."

A new e-government plan, Maroc Numerique 2020, was launched in late 2015. Since 2014, thanks to small-scale projects spearheaded by the Ministry of Industry, slow but substantial progress was achieved in terms of e-governance and digital readiness. Many public services are now available online. A list of official platforms is regularly updated by the Ministry of Industry.

Most of the platforms require the national biometric ID card number as a unique identifier. It is not clear whether there is an associated database that links the user's access to the service. With rare exceptions, most of those websites do not use secure HTTPS protocols to encrypt communications, which can expose the user.

In 2016, the World Economic Forum's Networked Readiness Index, regarded as one of the most authoritative indicators of the propensity of countries to exploit the opportunities offered by information and communications technologies (ICTs), ranked Morocco 78th out of 139 countries.

The UN's 2016 E-Government Survey, which assesses governments' use of innovation and ICTs to deliver public services and engage people in decision-making processes, ranks Morocco highly in terms of e-participation, e-consultation and online service delivery. The same survey rewarded Morocco with a high E-Government Development Index (EGDI), a composite indicator used to measure the willingness and capacity of national administrations to use ICTs to deliver public services, making the country one of the highest performers in e-governance in Africa.

Morocco has expressed willingness to join the Open Government Partnership (OGP), an intergovernmental organisation promoting government transparency and citizen participation. A November 2016 workshop to prepare Morocco's OGP action plan was attended by civil society. A report published by the Organisation for Economic Co-operation and Development (OECD) in late 2015, pointed to Morocco's relative achievements in terms of open governance, but also highlighted its shortcomings in terms of civil society engagement.

Efforts to join the OGP may commit the country to high standards of openness and may lead to a better inclusion of civil society in decision-making processes. It may lead also to much-needed amendments, especially with regards to the freedom of information draft legislation, which has been pending a final review by the Upper Chamber of the Moroccan parliament since 2016.

Health sector and e-health

In Morocco, health workers are under the obligation to keep medical information confidential (Article 446 of the Criminal Code). They can be released from that obligation only under strict conditions defined by the law.

Since 2009, Articles 20-30 of Act 09-08 on the protection of personal data impose restrictions on the use of personal data in scientific research: data controllers must seek an authorization from the data protection authority, the CNDP, prior to use. The CNDP sets a maximum data retention period and requests written research protocols and objectives, as well as the identity of individuals with access to the data.

As early as 2006, the country has put in place two health insurance plans. The first Assurance Maladie Obligatoire (AMO) is a payroll-based mandatory health insurance plan that covers public-and private-sector employees. The second Regime d'Assistance Médicale (RAMED) is a publicly financed fund to cover basic services for the poor. It had approximately 10.4 million recipients in late 2016.

To benefit from the RAMED, an applicant must fill in an online form, providing data about their social and medical status and copies of their biometric ID cards. Eligible individuals receive individual electronic cards (RAMED cards) that they can use to access to basic care and emergency services.

Little is known about the management and storage of data related to the health insurance system.

Smart policing

Our research has not yet shown any specific examples of smart policing in Morocco. Please send any tips or information to: research@privacyinternational.org

Transport

In October 2016, Spanish company Sociedad Ibérica de Construcciones Eléctricas, S.A was awarded a contract to create and intelligent traffic control system for Casablanca. The system comprises a Vehicle Detection System made up of various sensors, claims to measure travel times using Bluetooth, maintain system user information, and monitor traffic using a network of 740 cameras. THe system also comprises a command and control system for crisis management.

Smart cities

The city of Casablanca was selected in October 2015 by the Institute of Electrical and Electronics Engineers (IEEE), an international professional association developing standards for the computer and electronics industry, to join its Core Smart Cities initiative — a program that helps cities establish and invest capital into smart city plans. As part of the development, in January 2016 Casablanca installed an intelligent urban videosurveillance system. Casablanca city was reported to have installed 500 CCTV cameras in its main neighbourhoods in late 2016 at the cost of 450 dirhams (approximately 48 million USD).

In May 2016, the city hosted Smart City Expo, a major gathering of public authorities, researchers, academics and international experts specialized in urban development. The organizers presented the event as a "catalyst for an economically viable future" for the metropolis. Another expo was held in 2017 and one is planned for 2018.

To prepare the ground for the Smart City of the future, the city recruited private consulting firms to build a blueprint for a strategy of "digital transformation" to be implemented in the next 5 years. Whilst it is hoped that smart city technology can lead to the optimization of public services, it should raise concerns about the consequences of mass transmission of personal data to government entities.

Civil society actors, especially privacy advocates, do not appear to have been involved in any stage of this process.

Migration

Our research has not yet shown any specific examples of privacy issues related to migration in Morocco. Please send any tips or information to: research@privacyinternational.org

Emergency response

Our research has not yet shown any specific examples of privacy issues related to emergency response in Morocco. Please send any tips or information to: research@privacyinternational.org

Humanitarian and development programmes

Our research has not yet shown specific examples of privacy issues related to humanitarian and development programmes in Morocco. Please send any tips or information to: research@privacyinternational.org

Social media

Social media networks are popular among the urban population. A survey by Morocco Digital Cluster with Market Research & Intelligence agency Averty in 2014 stated that around 9 million Moroccans spent on average 4 hours per day on the internet, including on social media sites.

In 2017, the Arab Social Media Report reported that with over 13 million accounts, the Facebook penetration rate in Morocco is 38%. This represents a 14.9% increase since 2014. The report also states that Facebook users are overwhelmingly male (70.7%).

On January 2016, all three internet service providers blocked free Voice over IP call services. The telecom regulator ANRT justified the ban saying the free services breached its regulations. The ban included popular platforms such as Skype, WhatsApp, Facebook Messenger, Viber, Tango. The move led to widespread anger and calls on social media for the boycott of the telecommunications companies. The ban was widely interpreted as a move to boost operators' revenues which had marked a relative decline in 2015. The ban was eventually rescinded in November 2016.