Under the 2014 decision by the Telecommunications Authority (ANRT), purchasers of SIM cards must register their names and national identity numbers with telecommunications operators.

Morocco has a safe harbour regime in place for intermediaries for copyright infringements (Law No. 34-05). A service provider is defined according to Part IV-bis as an operator of facilities for online services or for access to networks with no alteration of the content between the points specified by the user and of his choice. Under Law 34-05, a service provider is not liable for information transmitted or stored on its network if it does not modify the content of the material, or does not directly enjoy financial gain attributable to the activity of infringing copyright or related rights, under circumstances in which it has the right and ability to control that activity. However, a service provider is expected to act without delay to withdraw the material hosted on its system or network or to disable access to that material on becoming aware of an infringement of copyright or related rights, or of facts or circumstances that indicate that copyright or related rights have been infringed, as a result of formal notice of allegations of infringement of copyright.

A basic legal framework on intermediary liability beyond copyright infringement is absent in Morocco's law and jurisprudence.

Art. 64 of Law No. 77-03 Relating to Audiovisual Communication mandates audiovisual operators to record each audiovisual program in its entirety and keep it for at least one year. In the event that the said program or one of its elements is the subject of a right of reply or a complaint concerning compliance with the laws and regulations in force, the recording shall be kept for as long as it is likely to serve as evidence. It is reported that it is not clear whether the law applies to online content.

Decision No. D-188-2020 governing the data protection impact assessment requires the data controllers or processors to carry out DPIAs when necessary, and to present the Data Protection Impact Assessments (DPIA) to the data protection authority (CNDP) in the event of a control. Situations that warrant DPIA relate mainly to processing operations presumed to involve a risk of breaching the protection of privacy and personal data, which fall into one or more of the following categories:
- Processing which violates the provisions of Art. 11 of the Law, regarding the neutrality of effects and which allow decisions to be taken on the basis of automated processing of personal data;
- Large scale processing of sensitive data which, according to Article 1 of the Law, reveal racial or ethnic origin, political opinions, political opinions, religious or philosophical convictions, or the data subject's union membership, or relating to his/her health, including his/her genetic data;
- Processing operations which allow systematic surveillance of the data subjects; and
- Processing carried out in the context of the use of innovative technological or organisational solutions.

According to Art. 7 of Law No. 43-05 relating to the fight against money laundering, institutions in finance and insurance services are obliged to keep the documents relating to the transactions carried out by their clients, as well as documents relating to the identity of their customers for 10 years.

Morocco has not joined any agreement with binding commitments to open transfers of data across borders.

Law No. 09-08 on the Protection of Individuals with Regard to the Processing of Personal Data and its implementation Decree No. 2-09-165 of 21 May 2009 provide a comprehensive regime of data protection in Morocco.

According to Art. 43 of the Law No. 09-08 on the Protection of Individuals with Regard to the Processing of Personal Data, the transfer of personal data to a foreign country is only allowed if the country offers an adequate level of protection of the privacy and fundamental rights and freedoms of individuals. In the Decision No. 236-2015 of 18 December 2015, the Moroccan data protection authority (CNDP) recognised the following countries as offering an adequate level of data protection: Austria, Belgium, Bulgaria, Canada, Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Iceland, Ireland, Italy, Latvia, Liechtenstein, Lithuania, Luxembourg, Malta, Netherlands, Norway, Poland, Portugal, Romania, Slovakia, Slovenia, Spain, Sweden, Switzerland, and the United Kingdom.
The transfer of personal data to a country that does not provide an adequate level of data protection is only allowed subject to the certain conditions including the express consent of the data subject or if the transfer is necessary to safeguard the data subject's life, to safeguard the public interest, to comply with judicial obligations, for the performance of a contract between the controller and the data subject or pre-contractual measures taken at the request of the latter. Personal data may also be transferred if the transfer is carried out pursuant to a bilateral or multilateral agreement to which Morocco is a party, or with the express and reasoned authorization of the CNDP when the personal data processing guarantees a sufficient level of protection of privacy and of the fundamental rights and freedoms of individuals, in particular, because of the contractual clauses or internal rules to which it is subject.

It is reported that the National Agency of Telecommunications Regulation (ANRT), the executive authority for the supervision and administration of services in the telecommunications sector, is independent from the government in the decision-making process.

According to Art. 9 of Decree No. 2-15-712, companies and organisations operating in sectors of vital importance and using data deemed sensitive must host their infrastructure and digital databases on Moroccan territory. The concerned entities are defined as those that undertake activities related to the production or distribution of "goods and services essential to the satisfaction of the basic needs for the life of the populations or to the maintenance of the security capacities of the country". It is reported that a detailed list of sensitive infrastructure is kept secret by the government and its content reviewed at least once a year.

Morocco has appended the World Trade Organization (WTO) Telecom Reference Paper to its schedule of commitments.

The government has stakes in all three telecom operators, including 22% in Maroc Telecom, and 25.5% in Orange through a state-owned company called Caisse de Dépôt et Gestion (CDG). The third operator, Inwi, is 69% owned by Al Mada (formerly the Société Nationale d'Investissement (SNI)), the royal family’s holding company. The three telecom firms control a market share of 61%, 36%, and 3%, respectively.

It is reported that Morocco does not mandate functional separation for operators with significant market power (SMP) in the telecom market. However, there is an obligation of accounting separation.

It is reported that there is an obligation for passive infrastructure sharing in Morocco to deliver telecom services to end users. It is practiced in the mobile sector and in the fixed sector based on commercial agreements.