WeCyberYou! Unlocked Podcast

Global Privacy & Data Protection Laws Demystified Part 26 - The Moroccan Law No. 09-08 on Personal Data Protection

Season 1 Episode 26

In this episode, we break down what the Moroccan Law No. 09-08 on Personal Data Protection is and how it regulates the collection, processing and protection of personal data in Morocco.

Duration: 0:18:27

Visit https://www.wecyberyou.com for more cyber security education, resources and awareness content like this. 

Thank you for listening. 
WeCyberYou! Team

Like and follow us to be notified when a new episode is released on this channel.

SPEAKER_00

Welcome, everyone, to the WeCyberYou! Unlocked podcast. We are absolutely thrilled to have you sitting in with us today.

SPEAKER_01

So glad you're here with us.

SPEAKER_00

Yeah. Before we jump right into today's deep dive, I want to ask a quick favor. Make sure you hit that follow button on whatever platform you're listening on right now.

SPEAKER_01

Definitely do that.

SPEAKER_00

And uh, please take a moment later to visit WeCyberYou.com for more incredible content just like this. You really aren't going to want to miss the resources we have waiting for you over there.

SPEAKER_01

It's always great to have you joining our conversation. And um, our mission today is, well, it's an incredibly important one.

SPEAKER_00

It really is.

SPEAKER_01

We've got a stack of legal texts, uh, regulatory briefs, implementation notes in front of us, and we're using them to explore a crucial set of rules governing digital lives in North Africa. We are digging deep into Morocco's Law No. 09-08.

SPEAKER_00

That's right. Law No. 09-08 on personal data protection. It's the primary data privacy framework in Morocco. And for anyone operating in, building tech for, or even just interacting with the digital space in that region, understanding this isn't optional. It's the foundational framework for how your digital identity is treated by the organizations that collect it.

SPEAKER_01

To give it its formal title from our sources, um, we are looking at Law No. 09-08 relating to the protection of individuals with regard to the processing of personal data.

SPEAKER_00

It's quite a mouthful.

SPEAKER_01

It is a mouthful, yeah. But the real mission of our deep dive today is to understand exactly how this legal framework balances the responsibility of organizations with your empowerment as an individual. Ultimately, everything we're going to discuss today is about building and enforcing trust in online services.

SPEAKER_00

Okay, let's unpack this. Let's start with the actual blueprint of this digital trust. What is the core purpose of Law 09-08? Because regulatory frameworks like this, they don't just materialize out of thin air.

SPEAKER_01

No, they don't.

SPEAKER_00

They're engineered to solve a specific set of problems in the digital economy.

SPEAKER_01

They're built to establish boundaries, where, frankly, none previously existed. When we look at the source material, the purpose of the law is broken down into four main objectives. First, it aims to protect the privacy of individuals. That's the bedrock.

SPEAKER_00

Right.

SPEAKER_01

Second, it regulates how organizations handle personal data. It takes what historically might have been a bit of a wild west of corporate data hoarding, and it puts up very strict fences and signposts.

SPEAKER_00

And before we go further, we should probably define what the law actually means by handling or processing data, right? Because that's a term that gets thrown around a lot in tech.

SPEAKER_01

It does.

SPEAKER_00

Processing isn't just a tech company running complex algorithms on a server somewhere. Under these kinds of frameworks, processing includes the initial collection of the data. It's recording it, organizing it, storing it, altering it.

SPEAKER_01

Even the eventual deletion of it.

SPEAKER_00

Exactly. If an organization touches your data in any capacity, they are processing it.

SPEAKER_01

That's a vital distinction. Which leads us to the third goal: preventing the misuse or unlawful processing of that personal information. This addresses the inherent friction in the modern internet.

SPEAKER_00

Yeah, that friction of you hand over your information to use a service, but there's always that lingering fear of what they're actually doing with it behind closed doors.

SPEAKER_01

Right. This law is designed to illuminate that dark space.

SPEAKER_00

And that leads directly into the fourth goal, which is promoting trust in digital systems and online services. The logic here is pretty straightforward. If you, as the user, don't trust that your information is safe from misuse, you aren't going to use the online service.

SPEAKER_01

You just won't.

SPEAKER_00

You won't adopt digital banking, you won't use e-commerce, and you definitely won't engage with digital government services. The entire digital economy relies on that foundational trust.

SPEAKER_01

So if the goal is to build a trusted digital economy, the scope of the law has to reflect that massive ambition. The sources state it applies to organizations, businesses, institutions, and individuals that process personal data in Morocco.

SPEAKER_00

Which is huge. That covers practically everyone touching a keyboard.

SPEAKER_01

It really does.

SPEAKER_00

Whether it's a massive multinational corporation setting up a regional headquarters in Casablanca, a local hospital digitizing its patient records, a small e-commerce startup, or even just an individual running a consulting business from their laptop. If they're processing personal data within Morocco, this legal framework applies to them. Which brings us to a really critical question. We keep saying personal data, but what actually qualifies as your personal data under this digital blueprint?

SPEAKER_01

The definition provided in the framework is extremely comprehensive. Under Law 09-08, personal data includes absolutely any information that can identify a person. And the crucial part of that definition is the phrase "directly or indirectly."

SPEAKER_00

That indirectly part is doing a massive amount of heavy lifting.

SPEAKER_01

Oh, absolutely.

SPEAKER_00

Let's look at the specific examples the law provides to make this tangible for you, the listener. The direct identifiers, they're obvious. It's your name, your physical address, your phone number, your email address. If I have those, I know exactly who you are.

SPEAKER_01

But the framework goes much deeper to account for how modern data systems actually work. It also includes national identification numbers and financial information. And perhaps the most vital inclusion for the modern web is online identifiers.

SPEAKER_00

Let's spend a second on that because online identifiers is where privacy laws truly intersect with modern technology. We aren't just talking about a username. We're talking about IP addresses, browser fingerprinting, cross-site tracking cookies, advertising profiles.

SPEAKER_01

Spot on. An online identifier might not have your legal name attached to it. It might just be a randomized string of alphanumeric characters in a database somewhere.

SPEAKER_00

Right.

SPEAKER_01

But if an ad network or a tech company can use that string of characters to track your behavior across the internet, build a profile on your habits, and indirectly figure out who you are, or even just single you out from a crowd to target you, it counts as personal data.

SPEAKER_00

So companies can't use the old excuse of, "Well, we don't know your actual name, so it's not personal data."

SPEAKER_01

They can't.

SPEAKER_00

The law ensures your entire digital footprint is thoroughly covered. It's basically saying if you can connect the dots back to a real human being, it's personal data and you have to protect it.

SPEAKER_01

What's fascinating here is how the law then takes that broad definition of data and applies four very strict principles to how organizations are allowed to handle it. They completely change the default corporate setting from collect everything, just in case we need it later, to collect only what you're strictly allowed to for a specific, justified reason.

SPEAKER_00

I love that framing. Let's call them the four pillars of processing. The first pillar is consent. And the rule is very straightforward. Personal data generally cannot be collected or processed without the individual's consent.

SPEAKER_01

Meaning you have to say yes.

SPEAKER_00

You have to say yes. You have to agree to it. Organizations can't just harvest your information in the shadows by scraping it or buying it from a data broker without your knowledge.

SPEAKER_01

And that consent ties directly to the second pillar, which is purpose limitation. Even if an organization gets your consent, data collection isn't a free-for-all. They can't just ask for your data and then do whatever they want with it in perpetuity. The law states data must be collected for a specific and legitimate purpose.

SPEAKER_00

Meaning if an organization collects your email address to send you a weekly security newsletter, that is the specific and legitimate purpose. Yes. They can't suddenly decide six months later to package that email address and sell it to a third-party marketing firm. That would completely violate the purpose limitation. They would need to come back to you and get an entirely new layer of consent for that new purpose.

SPEAKER_01

To reinforce that further, we have the third pillar, data minimization. And this is where a lot of traditional tech companies run into major friction with these types of privacy laws.

SPEAKER_00

It's a massive shift in mindset. Let's use a relatable technology to explain this concept to you. Think about downloading a simple flashlight app on your phone. All that app needs to function is access to your phone's camera LED. That's it.

SPEAKER_01

That's all it needs.

SPEAKER_00

But suddenly the app is demanding access to your GPS location, your microphone, and your entire contact list. That is a massive overreach. The principle of data minimization says organizations should only collect the strictly necessary amount of personal data to achieve their stated purpose, nothing more.

SPEAKER_01

So if an e-commerce site is delivering a package to your house, they need your address and a contact number. That is the strictly necessary amount of data. They don't need to know your gender, your exact date of birth, or your marital status to drop a box on your porch. Data minimization prevents organizations from hoarding your information just because they want to build a more lucrative profile on you.

SPEAKER_00

But let me play devil's advocate here for a second, because we're living in an era where data is considered the new oil. Companies are building massive AI-driven predictive models. How does a strict data minimization rule, only collecting the bare minimum, actually survive contact with a modern tech landscape where business models rely on ingesting massive, unstructured data sets?

SPEAKER_01

It creates intentional friction, and that's the point. It forces companies to engineer privacy into their systems from day one. If an AI company wants to train a model, they have to figure out how to do it using anonymized data, or they have to be incredibly transparent and get explicit consent for that specific purpose.

SPEAKER_00

They have to do the work.

SPEAKER_01

They can no longer just vacuum up data and figure out how to monetize it later. The law acts as a hard boundary against that kind of corporate overreach.

SPEAKER_00

Which brings us to the fourth pillar: data security. Once they have your consent for a specific purpose and they've only collected the bare minimum, they have a legal obligation to keep it safe.

SPEAKER_01

And the law is explicit about what keeping it safe actually entails. Organizations must implement both technical and organizational safeguards. Technical safeguards are the things we usually think of: strong encryption protocols, secure servers, multi-factor authentication, robust firewalls.

SPEAKER_00

But the organizational safeguards are just as important, if not more so, because the best encryption in the world doesn't matter if an employee falls for a phishing scam or leaves an unlocked laptop on a train.

SPEAKER_01

Exactly.

SPEAKER_00

Organizational safeguards mean restricting which employees even have access to the database in the first place, implementing strict data handling policies, and conducting regular security training. They must protect your personal data from unauthorized access, accidental loss, destruction, unauthorized disclosure, or misuse.

SPEAKER_01

If we connect this to the bigger picture, you can see how these four pillars, consent, purpose limitation, data minimization, and security, build a protective wall around your digital identity. But a wall is only part of the equation.

SPEAKER_00

Here's where it gets really interesting, because the law doesn't just put the burden of compliance on the organizations, it actively hands power back to you. Law 09-08 equips you with four distinct rights over your own data. This is essentially your listener toolkit for taking back control of your digital footprint.

SPEAKER_01

These rights are genuinely transformative. They take you from being a passive data subject, someone who just has things happen to their data in the background, and turn you into an active controller of your digital identity. The first is your right to access your personal data.

SPEAKER_00

Meaning you can knock on a company's digital door and demand, "Show me exactly what information you are holding about me." You're no longer in the dark about what a platform knows about you.

SPEAKER_01

And once you see that information, you might realize it's flawed. That brings us to the second right: the right to correct inaccurate information. If a financial institution has the wrong credit profile, or a healthcare provider has outdated medical history, you have the legal right to force them to fix it.

SPEAKER_00

Which is incredibly empowering because inaccurate data can lead to massive real-world problems. Imagine being denied a loan or a job or a vital service because a company's algorithm flagged an error in your profile, and previously you had no mechanism to force them to correct it.

SPEAKER_01

The third right addresses ongoing processing. It's the right to object to certain types of processing. Even if an organization obtained your data legally initially, there might be specific ways they're using it now that you don't agree with, like using your data for direct marketing or automated profiling.

SPEAKER_00

Yeah.

SPEAKER_01

The law gives you a formal mechanism to raise your hand and say, "Stop doing that."

SPEAKER_00

And the final tool in your toolkit is the right to request deletion of data in some situations, often referred to as the right to be forgotten in other frameworks. If an organization no longer needs your data for the original purpose, or if you simply withdraw your consent, you can ask them to wipe the slate clean. You aren't forced to leave copies of your digital identity sitting on their servers forever.

SPEAKER_01

When you look at these four rights together, the right to access, correct, object, and request deletion, you see a very clear philosophy taking shape in the legal text. Your data belongs to you. Organizations are merely borrowing it under very strict conditions, and you have the right to revoke that privilege.

SPEAKER_00

So, what does this all mean? We have these great principles outlining how companies should act, and we have these empowering rights for the individual. But we all know that a law is just ink on paper without a robust mechanism to actually enforce it. Who is the watchdog making sure organizations actually follow Law 09-08?

SPEAKER_01

That massive responsibility falls to a dedicated authority created specifically by this legislative framework. It's called the National Commission for the Control of Personal Data Protection, or the CNDP.

SPEAKER_00

The CNDP. And looking at the source material, they aren't just an advisory board sitting around writing best practice white papers. They have some heavy operational responsibilities.

SPEAKER_01

They are the central nervous system for privacy enforcement in Morocco. Their responsibilities fall into four primary categories. First, they supervise compliance with the law. They are actively monitoring the digital landscape, conducting audits, and ensuring organizations are actually playing by the rules. Second, they are responsible for authorizing certain data processing activities.

SPEAKER_00

Let's clarify what that authorization means. They aren't rubber stamping every single newsletter sign-up. But if a company wants to process highly sensitive information, say a corporation wanting to use biometric data like fingerprints or facial recognition to track employee attendance, that's a massive privacy risk.

SPEAKER_01

Huge risk.

SPEAKER_00

Under this framework, they can't just deploy that tech. They have to go to the CNDP, explain their methodology, and get upfront explicit authorization before they even begin. It's a massive preventative measure.

SPEAKER_01

Spot on. But even with preventative measures, things go wrong. And that brings us to their third responsibility: investigating complaints. If you, the listener, feel that a company has violated your rights, maybe you exercised your right to access and they ignored you, or you discovered they sold your data without consent, you can take that complaint directly to the CNDP and they will launch a formal investigation.

SPEAKER_00

And what happens at the end of that investigation if the company is found guilty? Let's talk about the consequences, because it's worth noting they aren't messing around here. The source materials explicitly outline severe penalties for noncompliance. It starts with financial penalties, which can be significant enough to act as a real deterrent, hitting a noncompliant company right in their operating budget.

SPEAKER_01

But the enforcement power goes well beyond just fines. There are also legal sanctions that the CNDP can apply to forcibly stop unlawful processing in its tracks, shutting down a non-compliant system or database entirely until the organization fixes the issue.

SPEAKER_00

And then there's the ultimate deterrent. The law allows for possible criminal liability in the most serious cases involving the severe misuse of personal data. That means the executives or individuals actually responsible for massive data breaches or intentional misuse could face criminal charges. That elevates this from a minor compliance checklist item to a massive board level risk. It's very much in the same vein as the strictest European frameworks like the GDPR.

SPEAKER_01

It creates a business landscape where the cost of ignoring data privacy is vastly higher than the cost of implementing strong security and compliance measures. When organizations know that the CNDP is actively watching and that financial, legal, and even criminal consequences are legitimately on the table, it fundamentally shifts how the entire C-suite views the data they collect. It's no longer just a free resource to be exploited. It is a highly regulated asset that carries heavy operational liabilities.

SPEAKER_00

This has been an incredibly insightful breakdown of a very complex regulatory framework. To summarize everything we've covered today, Law No. 09-08 on personal data protection is Morocco's primary privacy law. It tightly regulates how organizations collect, use, and protect personal data by enforcing the core principles of consent, purpose limitation, data minimization, and data security. Yes. And most importantly, it gives you actionable rights to access, correct, object to, and delete your personal information. All of this is backed by the investigative authority of the CNDP and serious, tangible consequences for noncompliance.

SPEAKER_01

It serves as a comprehensive, enforceable shield for your digital identity in an increasingly data-driven world.

SPEAKER_00

It really does. Thank you so much for joining us for this deep dive. Before we sign off, I want to remind you once again that you have been listening to the WeCyberYou! Unlocked podcast. Please make sure to follow the channel to stay updated on all of our future discussions, and head over to WeCyberYou.com right now for more deep dives, articles, and resources. We've got so much more to share with you.

SPEAKER_01

This raises an important question to leave you with today. We talked a lot about the friction caused by the principle of data minimization, the strict rule that organizations should only collect the absolute minimum amount of personal data necessary. If strict data minimization principles, like those enforced in Morocco's Law 09-08, legally limit companies to collecting only what is strictly necessary for a transaction, how will this eventually force global tech giants to completely reinvent their data-hungry surveillance capitalism business models?

SPEAKER_00

Ooh, that's a massive puzzle for the tech industry, and definitely something for you to think about the next time you're asked to click "Accept" on a 50-page privacy policy. Thank you all for listening. Stay curious, stay secure, and we'll see you on the next deep dive. Goodbye.

SPEAKER_01

Goodbye, everyone. Keep your data safe.