Cambodia - Data Protection Overview

September 2021

1. Governing Texts

Cambodia has not yet enacted any comprehensive data protection legislation.

The latest update on a comprehensive personal data protection law was announced by the Ministry of Post and Telecommunications ('MPTC') on 19 February 2021, which stated that the MPTC intended to prepare a draft personal data protection law after finalising its draft cybercrime law ('the Draft Cybercrime Law').

The most recently enacted piece of legislation impacting the country's data protection landscape has come in the form of the E-Commerce Law (only available in Khmer), which contains provisions for the protection of consumer data that has been gathered over the course of electronic communication. The E-Commerce Law is thereby restricted in scope to virtual and/or digital data protection.

Other matters pertaining to data protection typically fall under the right to privacy, which is protected in broad terms under the Constitution of the Kingdom of Cambodia 2010 ('the Constitution'), the Civil Code of the Kingdom of Cambodia 2007 ('the Civil Code'), the Criminal Code of the Kingdom of Cambodia 2009 ('the Penal Code'), and the Code of Criminal Procedure of the Kingdom of Cambodia ('CCP').

In addition, for specific industries, there are other laws of general application that involve data protection issues.

1.1. Key acts, regulations, directives, bills

Draft Cybercrime Law

Cambodia is currently working on reviewing and updating the Draft Cybercrime Law, which contains specific data protection clauses that address the preservation of data during criminal investigations, the search and seizure of computer data for use as evidence, and potential safeguards for suspects to prevent data privacy abuses.

Suggested fines and/or terms of imprisonment have been outlined in the Draft Cybercrime Law for potential cybercrime offences, which include accessing a computer system without a legal right and engaging in data espionage, illegal interception of non-public computer transmissions, and data interference, among others.

The Draft Cybercrime Law, originally drafted in 2016, is still pending final approval. As of mid-2021, the Draft Cybercrime Law is still being reviewed and revised by the Ministry of Interior ('MOI').

The Constitution

The Constitution generally recognises its citizens' right to privacy. Article 40 of the Constitution provides that all Cambodian citizens have the right to privacy of residence and to the confidentiality of correspondences by mail, telegram, fax, telex, and telephone. However, Cambodia does not yet have any specific laws elaborating on the meaning or scope of Article 40 of the Constitution or providing any implementing measures on this constitutional right to privacy.

Under Article 31 of the Constitution, rights described in the Charter of the United Nations and the Universal Declaration of Human Rights ('UDHR') have been recognised and ratified, and thereby carry legal force in Cambodia. The UDHR prohibits 'arbitrary interference with privacy, family, home, or correspondence' and asserts that individuals have the right to legal protection against such interference or attacks (Article 12 of the UDHR). The legal force of the UDHR further enforces the Constitution's recognition of a fundamental right to privacy set forth in Article 40 of the Constitution. Even so, legal remedies for interference in individuals' privacy are not always explicitly stated in the law. 

The E-Commerce Law

The E-Commerce Law, which was enacted on 2 November 2019 and entered into effect on 23 May 2020, imposes basic disclosure and data protection requirements for consumers engaged in transactions via electronic systems. The E-Commerce Law broadly applies to all commercial and civil acts, documents, and transactions executed via an electronic system, except those that are related to powers of attorney, wills and successions, and real estate.

It is possible that authorities will issue regulations in the near future to clarify the data protection provisions outlined in the E-Commerce Law. Although plans to do so have not yet been announced, implementing such regulations is a relatively common practice in Cambodia.

Protecting personal data

The E-Commerce Law also makes a blanket prohibition on certain forms of cybercrime, including interference with any electronic system for the purpose of accessing, downloading, copying, extracting, leaking, deleting, or otherwise modifying any stored data in bad faith or without authorised permission.

The Civil Code

Although Cambodia has not enacted any comprehensive data protection legislation, an individual's personal data may be protected under the Civil Code as part of their 'personal rights.'

Article 10 of the Civil Code provides that individuals are entitled to their personal rights. Article 10 further provides that personal rights include the right to privacy and other personal benefits and interests, along with other rights, such as the rights to life, personal safety, health, freedom, identity, and dignity. This legal provision may be interpreted as protecting individual personal data as part of the right to privacy.

Article 11 of the Civil Code provides a person with the right to an injunction where there is a danger that an infringement of that person's personal rights may occur or there is a danger that a past unlawful infringement will continue or occur again. If personal data constitutes personal rights, the owner of the right may seek a court order to stop any unlawful infringement of his or her personal data (e.g. data collection without consent) on the basis of Article 13 of the Civil Code.

Furthermore, Article 12 of the Civil Code states that when the effects of an infringement of a personal right continue to exist, the owner of the right may seek the elimination of such effects. In the data privacy context, this legal provision potentially means that a person can seek an order to remove, for example, any storage of his or her personal data collected unlawfully.

Lastly, Article 13 of the Civil Code allows a person to seek compensation for any damage suffered from an infringement of their personal rights.

Contractual agreements on personal data

If personal data is protected as part of an individual's personal rights, accessing, obtaining, processing, or otherwise commercialising personal data must be contractual, and thus requires the data owner's consent in a valid agreement.

Under Article 336 of the Civil Code, the conformation of an offer and an acceptance is a requirement for an agreement to be valid. This means that express consent must be obtained from the data owner for the purposes of the data usage. This potentially creates proper disclosure obligations for obtaining the data owner's consent.

Article 345 of the Civil Code allows a person to rescind an agreement if the declaration of his or her consent to the agreement is made:

  • as a result of a mistake/misunderstanding (arguably applies to misleading material terms to obtain a user's consent);
  • as a result of the other party's fraud (arguably applies to intentionally providing false information to obtain a user's consent);
  • as a result of the other party's misrepresentation (arguably applies to unintentionally providing false information or withholding material information to obtain a user's consent); or
  • as a result of the other party's act that aims to obtain excessive profits and exploits the surrounding situation (arguably applies to failure to explain technical provisions to obtain a user's consent).

The Penal Code 

Recording private conversations and images

Articles 301 and 302 of the Penal Code generally prohibit people from intercepting or recording private conversations, or recording a person's image in a private location, without his/her consent. Consent is presumed to be given if the concerned person does not object to the notification of the interception or recording. The aforementioned articles do not apply to interception or recording of private conversations and images authorised by law.

Violations of these clauses are punishable by imprisonment of between one month and one year and a fine of KHR 100,000 (approx. €20) to KHR 2 million (approx. €413).

Breaches of professional secrecy

Article 314 of the Penal Code prohibits unauthorised breaches of professional secrecy by any person who holds, by reason of his/her position, profession, function, or mission, information of a confidential nature. Similar to Articles 301 and 302 of the Penal Code, Article 314 does not apply to the disclosure of information required or authorised by law, or information of mistreatment of a child under 15, to governmental authorities.

Violations of this clause are punishable by imprisonment of between one month and one year and a fine of KHR 100,000 (approx. €20) to KHR 2 million (approx. €413).

Secrecy of correspondences and telephone conversations

Article 318 of the Penal Code prohibits the malicious opening, destroying, delaying, diverting, or intercepting of correspondence sent to a third party, while Article 319 of the Penal Code prohibits malicious intercepting or jamming of telephone communications or any telecommunications messages.

Violations of these clauses are punishable by imprisonment of between one month and one year and a fine of KHR 100,000 (approx. €20) to KHR 2 million (approx. €413).

IT crimes

Article 427 of the Penal Code subjects any person who fraudulently accesses or maintains access to an automated data processing system to imprisonment of between one month and one year and a fine of KHR 100,000 (approx. €20) to KHR 2 million (approx. €413).

Article 427 of the Penal Code imposes penalties of imprisonment of between one year and two years and a fine of KHR 2 million (approx. €413) to KHR 4 million (approx. €827) for the following acts:

  • fraudulently accessing or remaining connected to an automated data processing system that causes destruction or alteration to data in that system, or causes damage to the function of that system;
  • obstructing the functioning of an automated data processing system;
  • fraudulently introducing data into, deleting, or modifying data in an automated data processing system; and
  • participating in a group conducting or planning to conduct any of these IT crimes.

The Code of Criminal Procedure

The CCP, which outlines procedures to be followed in criminal investigations, provides a basic privacy framework for searches of suspects involved in criminal proceedings.

According to Article 83 of the CCP, all information gathered over the course of an investigation, including technical data gathered on the individual(s) being investigated, must be kept confidential.

The CCP also provides parameters for the conducting of 'searches' in Article 91, which arguably includes searches of private data. Article 91 of the CCP states that authorisation must be sought prior to a search, and that the search should take place during specified hours, in front of the owner, and/or in front of witnesses. Evidence gathered during a search deemed to be in violation of Article 91 of the CCP is inadmissible in court (in keeping with Article 109 of the CCP).

1.2. Guidelines

Since Cambodia does not have any dedicated laws on data protection, there are no regulatory or enforcement authorities that are specifically tasked with handling, overseeing, or implementing personal data protection matters in Cambodia.

1.3. Case law

Cambodia is a civil law system, and the courts are not bound by previous decisions. In addition, the records and decisions of a Cambodian court are not available to the public as they do not report their decisions. Therefore, we are not aware of any case law applicable in Cambodia.

2. Scope of Application

2.1. Personal scope

Cambodia's data protection laws do not limit their scope of application because they are laws of general application. Therefore, any natural person or private/public organisation that collects, uses, or discloses personal data in Cambodia is generally captured under Cambodia's data protection laws.

2.2. Territorial scope

As discussed above, Cambodia's data protection laws do not limit their scope of application because they are laws of general application. Therefore, any natural person or private/public organisation that collects, uses, or discloses personal data in Cambodia is generally captured under Cambodia's data protection laws.

In addition, as the purpose of the E-Commerce Law is to manage e-commerce in Cambodia and with other countries, businesses interacting with Cambodian consumers would be captured by the data protection related provisions of the E-Commerce Law.

2.3. Material scope

The E-Commerce Law defines the term 'data' as 'a group of numbers, characters, symbols, messages, images, sounds, videos, information, or electronic programs that are prepared in a form suitable for use in a database or an electronic system.'

It is plausible that any data gathered in the course of an online transaction may be viewed by regulatory authorities as 'personal data.' Therefore, conventional data, such as full names, national identification numbers, passport numbers, photographs, images, phone numbers, personal email addresses, IP addresses, and other network identifiers may arguably constitute personal data under the E-Commerce Law.

Since Cambodia does not have any dedicated laws on data protection, we recommend that data processors adhere to the general principles set out in the section on principles below.

3. Data Protection Authority | Regulatory Authority

3.1. Main regulator for data protection

Since Cambodia does not have any dedicated laws on data protection, there are no regulatory or enforcement authorities that are specifically tasked with the handling, overseeing or implementing personal data protection matters in Cambodia.

That said, the following governmental bodies may have substantial powers over data protection matters:

3.2. Main powers, duties and responsibilities

Please see the section on main regulator for data protection above.

4. Key Definitions

Data controller: As Cambodia has not enacted any dedicated or comprehensive data protection laws, there are no laws that explicitly define or list data protection obligations for data controllers. 

Data processor: As Cambodia has not enacted any dedicated or comprehensive data protection laws, there are no laws that explicitly define or list data protection obligations for data processors, and no laws that distinguish the obligations of data controllers and data processors. 

Personal data: Cambodian law fails to specifically define the term 'personal data,' or discuss what specific information constitutes personal data. The E-Commerce Law defines the term 'data' as 'a group of numbers, characters, symbols, messages, images, sounds, videos, information, or electronic programs that are prepared in a form suitable for use in a database or an electronic system.' Due to the absence of a definition of 'personal data,' it remains plausible that any data of a data subject may be viewed by the regulatory and enforcement authorities as personal data of that data subject. Therefore, conventional data, such as full names, national identification numbers, passport numbers, photographs, video, images, phone numbers, personal email addresses, biometric data, IP addresses, and other network identifiers, may arguably constitute personal data.

Sensitive data: Cambodian law does not make a distinction between 'sensitive personal data' and personal data. As such, there is no express definition of what constitutes sensitive personal data. Also, there is no formal guidance from the regulatory and enforcement authorities on what may constitute sensitive data. That said, based on the laws applicable to persons and entities in other sectors (such as health and banking), the types of data below are generally considered to be of a more sensitive nature, and thus should be handled with more stringent data protection mechanisms than other personal data:

  • medical data;
  • financial data;
  • personal data of children; and
  • personal identifiers (e.g. government issued IDs, such as national ID cards and passports, and ID card and passport details).

Health data: While the term 'health data' is not specifically defined under Cambodian law, there are separate Codes of Ethics for Health Professionals (physicians, midwives, nurses, pharmacists and dentists), which address confidentiality between health care providers and patients. 

Biometric data: Under Cambodian law, the term 'biometric data' is not used or defined.

Pseudonymisation: Under Cambodian law, the phrase 'pseudonymisation' is not used or defined.

Data subject: Under Cambodian law, the term 'data subject' is not used or defined.

5. Legal Bases

5.1. Consent

Consent should be obtained from an individual before collecting, using, or disclosing his or her personal data for a purpose. An individual who previously gave consent should be permitted to withdraw his or her consent. This obligation is implied under Cambodia's existing legal framework.

There is a general obligation to obtain consent prior to gathering and storing personal data from consumers as well. This consent, in practice, is often obtained via an acceptance of online terms and conditions and can also be obtained through use of e-signatures. According to Article 7 of the E-Commerce Law, e-signatures are legally allowable when it is possible to identify the signatory and the signature is collected via 'reliable' means.

5.2. Contract with the data subject

As discussed above, the consent of the data subject should be obtained. While there is no express requirement for a contract, a data controller or data processor should maintain a record of the data subject's consent. Generally, consent can be either express consent or implied consent, and can be given either in writing or through verbal communications. Implied consent refers to any act that is generally recognised as consent under applicable trade practices. It is strongly advised, however, that express consent be obtained in writing from data subjects. There are some legal uncertainties with implied consent. Express consent in writing can serve as stronger evidence in demonstrating that a data subject has provided his or her consent.

5.3. Legal obligations

Not applicable. 

5.4. Interests of the data subject

Not applicable. 

5.5. Public interest

There are no public interest exceptions expressly set out under Cambodia's data privacy framework.

5.6. Legitimate interests of the data controller

The legitimate interests of the data controller are not expressly discussed under Cambodia's data privacy framework.

5.7. Legal bases in other instances

Not applicable.

6. Principles

Under Cambodia's existing legal framework, the following obligations are implied or imposed:

  • Consent obligation: Consent from an individual should be obtained before collecting, using, or disclosing his or her personal data for a purpose. An individual who previously gave consent should be allowed to withdraw his or her consent. This obligation is implied under Cambodia's existing legal framework;
  • Purpose Limitation Obligation: The collection, use, or disclosure of personal data about an individual should only be for purposes that are reasonable and that have been disclosed / notified to the individual concerned. This obligation is implied under Cambodia's existing legal framework;
  • Disclosure obligations: Individuals should be notified of the purpose(s) for which the personal data will be collected, used or disclosed on or before such collection, use or disclosure of the personal data. The purposes notified must be reasonable (see the Purpose Limitation Obligation). This obligation is implied under Cambodia's existing legal framework;
  • Correction Obligation: Any incorrect or inaccurate personal data of a data subject that is in the possession or under the control of the data controller should be corrected upon request of the data subject. This obligation is imposed under the E-Commerce Law;
  • Access Obligation: Data subjects should be permitted to access their personal data in the possession or under the control of the data controller for correcting the information under the Correction Obligation. This obligation is implied under the E-Commerce Law;
  • Protection Obligation: Personal data in its possession or under its control should be protected by taking necessary measures to prevent loss, unauthorised access, use, alterations, leaks, disclosures, or otherwise. This obligation is imposed under the E-Commerce Law; and
  • Retention Obligation: All personal data in its system that may give rise to civil and criminal liability should be retained. This obligation is imposed under the E-Commerce Law.

7. Controller and Processor Obligations

The E-Commerce Law imposes important data protection obligations on electronic commerce service providers and intermediaries alike. An 'electronic commerce service provider' is defined in the E-Commerce Law as 'any person using electronic means to sell goods or services, except for insurance companies,' while an 'intermediary' in the electronic commerce context is 'any person who provides sending, receiving, transmitting, or storing services, either on a temporary or permanent basis, of electronic communication or provides other services relating to the electronic communication.'

Moreover, service providers that electronically store consumers' private information must take all 'reasonable' security measures to avoid the loss, modification, leakage, and/or unauthorised disclosure of all consumer data (Article 32 of the E-Commerce Law). The E-Commerce Law notes, however, that disclosures are allowable with the consent of authorities, or with the consent of the person whose data is being disclosed.

The E-Commerce Law also prohibits any encryption of data that may be used as evidence for any accusation or offence. This obligation potentially allows governmental authorities to order the decryption of data implicated in an investigation.

7.1. Data processing notification

There are no data processing registration requirements under Cambodian law.

7.2. Data transfers

There are currently no data localisation requirements under Cambodian law. Therefore, any foreign party that wishes to collect or process Cambodians' personal data is not required to establish local data storage facilities in Cambodia.

7.3. Data processing records

All personal data that may give rise to civil and criminal liability should be retained. This obligation is imposed under the E-Commerce Law.

7.4. Data protection impact assessment

There are no general data protection requirements to carry out a Data Protection Impact Assessment ('DPIA') under Cambodian law.

7.5. Data protection officer appointment

There is no requirement under Cambodian law to appoint a data protection officer.

7.6. Data breach notification

There are no data breach notification requirements under Cambodian law.

7.7. Data retention

The E-Commerce Law does not prescribe the minimum or the maximum period for the retention of personal data, or documents containing personal data. Where sectoral laws provide for specific retention periods, such as for tax records, they should be followed.

There is no maximum time limit set for the retention of personal data, and if an organisation has clearly notified its data subjects of its intended unlimited retention of personal data before obtaining data subjects' consent, then the retention is permissible by law.

While the E-Commerce Law also does not set a minimum time limit requirement for data retention, it does specify that when an intermediary or service provider becomes aware that information on record may lead to civil or criminal liability, they are required by law to preserve this information as evidence (Article 25 of the E-Commerce Law). This retention obligation would suggest that service providers and intermediaries are expected to retain data collected for a reasonable amount of time.  

Although the E-Commerce Law does not prescribe a minimum or maximum period for the retention of personal data or of documents containing personal data, other laws provide some basic guidelines for how long information should generally be retained across various sectors. Accounting records, tax invoices, and records of imports and exports should all be retained for at least ten years, for example, while payroll ledgers should be retained for at least three years.

7.8. Children's data

No, since Cambodia does not have any dedicated laws on data protection.

7.9. Special categories of personal data

No, since Cambodia does not have any dedicated laws on data protection.

7.10. Controller and processor contracts

No, since Cambodia does not have any dedicated laws on data protection.

8. Data Subject Rights

8.1. Right to be informed

Individuals should be notified of the purpose(s) for which the personal data will be collected, used, or disclosed on or before such collection, use, or disclosure of the personal data. This obligation is implied under Cambodia's existing legal framework.

Prior to collecting personal data, the E-Commerce Law imposes a requirement that a base amount of information should be shared by all sellers with their potential consumers prior to engaging in commercial activity. Any person who uses electronic communications to sell goods must provide their legal name and corporate name, business address, contact phone number, a description of the types of goods being sold, and basic terms and conditions related to the transaction (Chapter 6, Article 29 of the E-Commerce Law).

8.2. Right to access

Data subjects should be permitted to access their personal data in the possession or under the control of the data controller in order to rectify the information under the Correction Obligation. This obligation is implied under the E-Commerce Law.

8.3. Right to rectification

Any incorrect or inaccurate personal data of a data subject that is in the possession or under the control of the data controller should be corrected upon request of the data subject. This obligation is imposed under the E-Commerce Law.

8.4. Right to erasure

This right is not explicitly set out under Cambodian law.

8.5. Right to object/opt-out

Under the E-Commerce Law, all marketing communications must contain opt-out instructions.

8.6. Right to data portability

There are currently no data portability requirements under Cambodian law.

8.7. Right not to be subject to automated decision-making

This right is not provided under Cambodian law.

8.8. Other rights

Not applicable.

9. Penalties

Violating the data protection obligations outlined below, as defined in Chapter 11 of the E-Commerce Law, may result in a range of penalties including revocation or suspension of relevant licenses, imprisonment from one month to three years, and/or fines ranging from KHR 100,000 to 10 million (approx. €20 to €2,070):

  • identity theft (in violation of Article 22);
  • failure by a service provider or intermediary to report data collected (in violation of Article 25);
  • failure by a service provider or intermediary to request authorisations or licences from appropriate authorities (in violation of Article 26);
  • fraudulently seeking data from a service provider or intermediary (in violation of Article 25);
  • failure by a service provider to provide minimum personal and business information before engaging in e-commerce (in violation of Article 29);
  • falsifying electronic systems or writing, distributing, or transmitting malicious code (in violation of Article 31); and/or
  • encrypting data that 'may lead to an accusation' (in violation of Article 43).

Violating data protection obligations under the E-Commerce Law will result in the following penalties:

  • failure to provide clear and straightforward opt-out instructions for unsolicited marketing communications:
    • a written warning;
    • suspension or revocation of business licenses and permits; and/or
    • disabling the means of marketing and communication to individuals;
  • failure to comply with the Consent, Purpose Limitation, Disclosure / Notification, and Protection Obligations:
    • imprisonment from one to two years and a fine amounting to KHR 2 million to KHR 4 million (approx. €414 to €829);
  • failure to comply with the Retention Obligation:
    • imprisonment from one month to one year and a fine amounting to KHR 100,000 to KHR 2 million (approx. €20 to €414); and
  • failure to comply with the Correction and Access Obligations:
    • no specific penalties apply.

In addition, the Civil Code provides the right for individuals who suffer loss or damage as a result of an organisation's breach of his or her personal rights to pursue civil claims. The forms of relief available are:

  • injunction where there is a danger that the infringement may occur or re-occur (e.g., an injunction to stop the continuing collection of personal data without consent);
  • elimination of the effects of the infringement (e.g., removal of any storage of personal data collected without consent); and
  • compensation for any damage suffered from the infringement.

9.1. Enforcement decisions

As the courts of Cambodia do not publish their decisions, we are not aware of any notable enforcement decisions.