Morocco: Processing in jurisdiction

The Moroccan data protection law (Law no. 09-08) extends its applicability to processing activities that occur within Morocco's territory, even when the data controller is not established in the country. This provision is designed to ensure that the law covers situations where foreign entities process personal data within Morocco's borders.

The law specifically states that it applies when a data controller "is not established on Moroccan territory" but "uses automated or non-automated means, located on Moroccan territory" for processing personal data. This language is broad and encompasses both digital and physical processing methods, as long as they are located within Morocco.

However, the law provides an important exception: it does not apply to processing activities that are "used solely for transit within the national territory" or through a country with equivalent data protection legislation. This exception likely aims to facilitate international data flows and avoid imposing unnecessary burdens on data controllers who are merely routing data through Morocco without engaging in substantive processing activities.

Implications

This provision has significant implications for businesses and organizations processing personal data in Morocco:

  1. Foreign companies: Entities without a legal presence in Morocco are still subject to the law if they use processing means located in the country. This could include using local servers, data centers, or even paper-based filing systems.
  2. Cloud services: Companies using cloud services with data centers in Morocco may fall under the law's jurisdiction, even if they have no other presence in the country.
  3. Data localization: The provision might encourage some organizations to locate their data processing activities outside of Morocco to avoid falling under the law's scope.
  4. Compliance requirements: Foreign entities processing data in Morocco need to appoint a local representative, as specified in Article 2(2) of the law, to ensure compliance with Moroccan data protection regulations.
  5. Transit exception: Organizations involved in data transfer operations that only pass through Morocco without further processing may be exempt from the law's requirements, potentially facilitating international data flows.

This factor extends the territorial scope of Morocco's data protection law beyond its borders, ensuring that foreign entities cannot circumvent data protection obligations simply by not having a legal establishment in the country while still processing data within its territory.

