
Data Protection in Cambodia
Data protection laws in Cambodia
The Ministry of Post and Telecommunications (MPTC) announced on 19 February 2021 their intention to prepare a comprehensive personal data protection law after finalizing the draft cybersecurity law.
On 22 December 2021, the Royal Government of Cambodia issued Sub-Decree No. 252 on the Management, Use, and Protection of Personal Identification Data (only available in Khmer) (Sub-Decree 252) in order to promote broad policy objectives, such as:
- ensuring the protection of peace and order;
- serving the public interest; and
- promoting national development by improving the provision of services.
However, Sub-Decree 252 only applies to "personal identification data" owned by the Ministry of Interior (MOI) and does not apply to personal identification data used by other entities.
In September 2023, the MPTC made available to select private organizations and companies a Draft Law on Personal Data Protection for their review and comment. However, it has not been made available to the public as of writing. Therefore, the information provided regarding the data protection law should be used as a reference and not considered final, as the draft law has not been officially released to the public. The Draft Law on Personal Data Protection establishes rules, principles, and mechanisms to govern the collection, use, and disclosure of personal data. Its main objective is to safeguard the privacy rights of individuals and encourage the lawful and responsible use of personal data.
The E-Commerce Law contains provisions for the protection of consumer data that has been gathered over the course of electronic communications. The E-Commerce Law is thereby restricted in scope to virtual and / or digital data protection.
Other matters pertaining to data protection typically fall under the right to privacy, which is protected in broad terms under the Constitution of the Kingdom of Cambodia 2010, the Civil Code of the Kingdom of Cambodia 2007, the Criminal Code of the Kingdom of Cambodia 2009, the Code of Criminal Procedure of the Kingdom of Cambodia 2010, and other specific laws such as the Banking Law.
Definitions in Cambodia
Definition of Personal Data
Cambodian law does not specifically define the term "personal data," or discuss what specific information constitutes personal data.
The E-commerce Law defines the term "data" as "a group of numbers, characters, symbols, messages, images, sounds, videos, information or electronic programs that are prepared in a form suitable for use in a database or an electronic system".
According to the Draft Law on Personal Data Protection, personal data is defined as information pertaining to an individual that can directly or indirectly identify them. This information includes, but is not limited to, names, identification numbers, location data, and online identifiers. As the Law on Personal Data Protection has not yet been implemented, this definition should not be regarded as official.
Therefore, due to the absence of a definition of "personal data", it remains plausible that any data of a data subject may be viewed by the regulatory and enforcement authorities as personal data of that data subject. As such, conventional data, such as full names, national identification numbers, passport numbers, photographs, video, images, phone numbers, personal email addresses, biometric data, IP addresses, and other network identifiers, may arguably constitute personal data.
Definition of Sensitive Personal Data
There is no express definition of what constitutes sensitive personal data. That said, based on laws applicable to persons and entities in other sectors (such as healthcare and banking), the types of data below are generally considered to be of a more sensitive nature, and thus should be handled with more stringent data protection mechanisms:
- medical data;
- financial data;
- personal data of children; and
- personal identifiers (e.g. national identification cards and passport details).
As there is no clear limit as to the scope of what may be considered sensitive data, any data of a data subject should be prudently treated as sensitive data to the greatest extent possible.
National data protection authority in Cambodia
Since Cambodia does not have any dedicated laws on data protection, there are no regulatory or enforcement authorities that are specifically tasked with handling, overseeing or implementing personal data protection matters in Cambodia.
That said, the following governmental bodies may have substantial powers over data protection matters:
- the Ministry of Commerce (“MOC”);
- the Ministry of Post and Telecommunications (“MPTC”); and
- the Ministry of Interior (“MOI”).
Registration in Cambodia
Since Cambodia does not have any dedicated laws on data protection, there are no specific registration requirements for data controllers, data processors, or data processing activities.
Data protection officers in Cambodia
Since Cambodia does not have any dedicated laws on data protection, there are no specific requirements in Cambodia to appoint data protection officers who are specifically tasked with handling, overseeing or implementing data protection matters in Cambodia.
Collection and processing in Cambodia
As Cambodia has not enacted any dedicated or comprehensive data protection laws, there are no laws or regulations in Cambodia that explicitly and specifically discuss the concept of collection and processing of data. Under current practice, matters pertaining to data protection and privacy generally fall under the right to privacy that is protected in broad terms under Cambodia’s Constitution, specific legal provisions under the Civil Code, the Criminal Code, and other specific laws such as the Banking Law and the E-Commerce Law. However, none of these laws mentions a consent requirement.
Under the Draft Law on Personal Data Protection, which is subject to further revisions, the term “data controller” is defined as a natural person, private legal entity, public establishment of administrative character, or public entity that determines the purpose and means of collecting, using, or disclosing personal data. On the other hand, a “data processor” is defined as a natural person, private legal entity, public establishment of administrative character, or public entity that processes personal data on behalf of a data controller or public authority.
The Draft Law on Personal Data Protection contains provisions on a consent requirement for collecting, using, or disclosing personal data and further stipulates that the principles of personal data protection include:
- lawfulness, fairness, and transparency;
- purpose limitation;
- accuracy of personal data;
- retention limitation;
- security safeguards; and
- accountability.
Transfer in Cambodia
There are no existing regulations or provisions on the restriction of the transfer of data, including international transfer, except for licensed banks and financial institutions licensed by the National Bank of Cambodia, which need to follow guidelines under the Technology Risk Management Guidelines. Those guidelines contain provisions that restrict the international transfer of data.
Security in Cambodia
Article 32 of the E-Commerce Law directly addresses matters of data protection in the course of electronic communication.
Service providers that electronically store consumers’ private information must take all reasonable security measures to avoid loss, modification, leakage, and / or unauthorized disclosure of all consumer data. The E-Commerce Law notes, however, that disclosures are allowable with the consent of authorities, or with the consent of the individual whose data is being disclosed. The E-Commerce Law does not provide specific guidelines as to how data must be protected or what mechanisms are required. Any measures may be used as long as they reasonably protect the data from loss and from unauthorized or illegal access, use, alteration, or disclosure.
The E-Commerce Law also prohibits any encryption of data that may be used as evidence for any accusation or offence. This obligation potentially allows governmental authorities to order the decryption of data implicated in an investigation.
The E-Commerce Law also makes a blanket prohibition on certain forms of cybercrime, including interference with any electronic system for the purpose of accessing, downloading, copying, extracting, leaking, deleting, or otherwise modifying any stored data in bad faith or without authorized permission.
Article 47 of the Banking Law prohibits those who participate in the administration, direction, management, internal control, or external audit of a covered entity, and employees of the latter from providing confidential information pertaining to statements, facts, acts, figures, or the contents of accounting or administrative documents of which they might have become aware through their functions. However, this professional secrecy obligation cannot be used as a ground for nondisclosure in relation to requests by supervisory authorities, auditors, provisional administrators, liquidators, or a court dealing with criminal proceedings.
In case the service provider is not under the scope of the E-Commerce Law or Banking Law, the obligations under the laws of general application that require protection of the right to privacy and the obligation to protect data from unauthorized access should apply when a service provider collects, uses, discloses and processes data of the subject.
Furthermore, the Draft Law on Personal Data Protection requires the data controller to protect personal data under its possession or control by setting up a security system to prevent unauthorised access, collection, use, disclosure, copying, modification or disposal, or similar risks; and the loss of any storage medium or device on which personal data is stored. The data processor must also take security measures to prevent loss or unauthorised or unlawful access, use, modification, or disclosure of personal data.
Breach notification in Cambodia
Currently, there is no breach notification requirement under Cambodian law. However, it is anticipated that the requirement for data controllers and data processors to notify the competent authority and the affected data subjects will be enforced once the Draft Law on Personal Data Protection comes into effect.
Enforcement in Cambodia
Since there are no regulatory or enforcement authorities that are specifically tasked with handling, overseeing or implementing personal data protection matters in Cambodia, enforcement of data protection would generally fall under the auspices of authorities across various sectors:
- the Ministry of Commerce;
- the Ministry of Post and Telecommunications; and
- the Ministry of Interior.
Electronic marketing in Cambodia
Since Cambodia does not have any dedicated laws on data protection, there are no special requirements when obtaining consent for marketing purposes. The E-commerce Law suggests that it is not necessary to obtain consent from the individual to send marketing communications as long as each marketing communication has clear and straightforward opt-out instructions and the individual has not previously exercised his / her opt-out right. Electronic marketing in Cambodia is subject to the general laws relating to digital marketing issues including:
- Law on Consumer Protection, which prohibits "unfair practices" in relation to consumer transactions. Unfair practices include unfair sales; bait advertising; unfair solicitation sales; demanding or accepting payments without intention to supply goods or services per the purchase order; making a false claim or representation of some business activity; coercion by force and mental threats; pyramid schemes; selling goods bearing a false trade description; and any other unfair practices.
- Law Concerning Marks, Tradenames and Acts of Unfair Competition, which is relevant to comparative advertising. The following acts are considered acts of unfair competition: all acts that create confusion with the establishment, the goods, or the industrial, commercial or service activities of a competitor; false allegations in the course of trade of such a nature as to discredit the establishment, the goods, or the industrial, commercial or service activities of a competitor; and indications or allegations of the use of marks which, in the course of trade, mislead the public as to the nature, manufacturing process, characteristics, suitability for their purpose, or quantity of the goods.
- Telecommunications Law, which prohibits all activities against the principles of fair, free, equal, and effective competition.
- Other regulations on the Management of Advertisement on Website, Social Network, Mass Media and Mobile Phone Operators.
Online privacy in Cambodia
As mentioned under the Collection and Processing and Transfer sections, the current regulations generally recognize the right to privacy and the obligation to protect data from unauthorized access. Those regulations do not specifically distinguish online privacy from privacy in general.