Cambodia - Data Protection Overview
1. Governing Texts
Cambodia has not yet enacted any comprehensive data protection legislation.
The latest update on a comprehensive personal data protection law was announced by the Ministry of Post and Telecommunications ('MPTC') on 19 February 2021, which stated that the MPTC intended to prepare a draft personal data protection law after finalising its draft cybersecurity law ('the Draft Cybersecurity Law'). As of mid-2022, neither legislation is available.
Cybercrime law and cybersecurity law differ in that cybersecurity law aims to protect networks, software, or hardware, while cybercrime law focuses on crimes against people or their data. In Cambodia, cybercrime legislation is drafted by the Ministry of Interior ('MOI'), while cybersecurity legislation is drafted by the MPTC.
On 22 December 2021, the Royal Government of Cambodia issued Sub-Decree No. 252 on the management, use, and protection of personal identification data (only available in Khmer) ('the Sub-Decree') in order to promote broad policy objectives, such as:
- to ensure the protection of peace and order;
- in furtherance of the public interest; and
- to promote national development by improving the provision of services.
However, the Sub-Decree only applies to 'personal identification data' owned by the MOI and does not apply to personal identification data used by other entities.
Prior to that, legislation impacting the country's data protection landscape came in the form of the E-Commerce Law of 2 November 2019 (only available in Khmer), which contains provisions for the protection of consumer data that has been gathered over the course of electronic communication. The E-Commerce Law is thereby restricted in scope to virtual and/or digital data protection.
Other matters pertaining to data protection typically fall under the right to privacy, which is protected in broad terms under the Constitution of the Kingdom of Cambodia 2010 ('the Constitution'), the Civil Code of the Kingdom of Cambodia 2007 ('the Civil Code'), the Criminal Code of the Kingdom of Cambodia 2009 ('the Penal Code'), and the Code of Criminal Procedure of the Kingdom of Cambodia ('CCP').
In addition, for specific industries, there are other laws of general application that involve data protection issues.
The Constitution generally recognises its citizens' right to privacy. Article 40 of the Constitution provides that all Cambodian citizens have the right to privacy of residence and to the confidentiality of correspondences by mail, telegram, fax, telex, and telephone. However, Cambodia does not yet have any specific laws elaborating on the meaning or scope of Article 40 of the Constitution or providing any implementing measures on this constitutional right to privacy.
Under Article 31 of the Constitution, rights described in the Charter of the United Nations and the Universal Declaration of Human Rights ('UDHR') have been recognised and ratified, and thereby carry legal force in Cambodia. The UDHR prohibits 'arbitrary interference with privacy, family, home, or correspondence' and asserts that individuals have the right to legal protection against such interference or attacks (Article 12 of the UDHR). The legal force of the UDHR further enforces the Constitution's recognition of a fundamental right to privacy set forth in Article 40 of the Constitution. Even so, legal remedies for interference in individuals' privacy are not always explicitly stated in the law.
The E-Commerce Law
The E-Commerce Law, which was enacted on 2 November 2019 and entered into effect on 23 May 2020, imposes basic disclosure and data protection requirements for consumers engaged in transactions via electronic systems. The E-Commerce Law broadly applies to all commercial and civil acts, documents, and transactions executed via an electronic system, except those that are related to powers of attorney, wills and successions, and real estate.
It is possible that authorities will issue regulations in the near future to clarify the data protection provisions outlined in the E-Commerce Law. Although plans to do so have not yet been announced, implementing such regulations is a relatively common practice in Cambodia.
Protecting personal data
The E-Commerce Law also makes a blanket prohibition on certain forms of cybercrime, including interference with any electronic system for the purpose of accessing, downloading, copying, extracting, leaking, deleting, or otherwise modifying any stored data in bad faith or without authorised permission.
The Civil Code
Although Cambodia has not enacted any comprehensive data protection legislation, an individual's personal data may be protected under the Civil Code as part of their 'personal rights'.
Article 10 of the Civil Code provides that individuals are entitled to their personal rights. Article 10 further provides that personal rights include the right to privacy and other personal benefits and interests, along with other rights, such as the rights to life, personal safety, health, freedom, identity, and dignity. This legal provision may be interpreted as protecting individual personal data as part of the right to privacy.
Article 11 of the Civil Code provides a person with the right to an injunction where there is a danger that an infringement of that person's personal rights may occur or there is a danger that a past unlawful infringement will continue or occur again. If personal data constitutes personal rights, the owner of the right may seek a court order to stop any unlawful infringement of his or her personal data (e.g. data collection without consent) on the basis of Article 13 of the Civil Code.
Furthermore, Article 12 of the Civil Code states that when the effects of an infringement of a personal right continue to exist, the owner of the right may seek the elimination of such effects. In the data privacy context, this legal provision potentially means that a person can seek an order to remove, for example, any storage of his or her personal data collected unlawfully.
Lastly, Article 13 of the Civil Code allows a person to seek compensation for any damage suffered from an infringement of their personal rights.
Contractual agreements on personal data
If personal data is protected as part of an individual's personal rights, accessing, obtaining, processing, or otherwise commercialising personal data must be contractual, and thus requires the data owner's consent in a valid agreement.
Under Article 336 of the Civil Code, the conformity of an offer and an acceptance is a requirement for an agreement to be valid. This means that express consent must be obtained from the data owner for the purposes of the data usage. This potentially creates proper disclosure obligations for obtaining the data owner's consent.
Article 345 of the Civil Code allows a person to rescind an agreement if the declaration of his or her consent to the agreement is made:
- as a result of a mistake/misunderstanding (arguably applies to misleading material terms to obtain a user's consent);
- as a result of the other party's fraud (arguably applies to intentionally providing false information to obtain a user's consent);
- as a result of the other party's misrepresentation (arguably applies to unintentionally providing false information or withholding material information to obtain a user's consent); or
- as a result of the other party's act that aims to obtain excessive profits and exploits the surrounding situation (arguably applies to failure to explain technical provisions to obtain a user's consent).
The Penal Code
Recording private conversations and images
Articles 301 and 302 of the Penal Code generally prohibit people from intercepting or recording private conversations, or recording a person's image in a private location, without his/her consent. Consent is presumed to be given if the concerned person does not object to the notification of the interception or recording. The aforementioned articles do not apply to interception or recording of private conversations and images authorised by law.
Violations of these clauses are punishable by imprisonment of between one month and one year and a fine ranging from KHR 100,000 (approx. €25) to KHR 2 million (approx. €504).
Breaches of professional secrecy
Article 314 of the Penal Code prohibits unauthorised breaches of professional secrecy by any person who holds, by reason of his/her position, profession, function, or mission, information of a confidential nature. Similar to Articles 301 and 302 of the Penal Code, Article 314 does not apply to the disclosure of information required or authorised by law, or information of mistreatment of a child under 15, to governmental authorities.
Violations of this clause are punishable by imprisonment of between one month and one year and a fine ranging from KHR 100,000 (approx. €25) to KHR 2 million (approx. €504).
Secrecy of correspondences and telephone conversations
Article 318 of the Penal Code prohibits the malicious opening, destroying, delaying, diverting, or intercepting of correspondence sent to a third party, while Article 319 of the Penal Code prohibits malicious intercepting or jamming of telephone communications or any telecommunications messages.
Violations of these clauses are punishable by imprisonment of between one month and one year and a fine ranging from KHR 100,000 (approx. €25) to KHR 2 million (approx. €504).
Article 427 of the Penal Code subjects any person who fraudulently accesses or maintains access to an automated data processing system to imprisonment of between one month and one year and a fine ranging from KHR 100,000 (approx. €25) to KHR 2 million (approx. €504).
Article 427 of the Penal Code imposes penalties of imprisonment of between one year and two years and a fine ranging from KHR 2 million (approx. €504) to KHR 4 million (approx. €1,010) for the following acts:
- fraudulently accessing or remaining connected to an automated data processing system that causes destruction or alteration to data in that system, or causes damage to the function of that system;
- obstructing the functioning of an automated data processing system;
- fraudulently introducing data into, deleting, or modifying data in an automated data processing system; and
- participating in a group conducting or planning to conduct any of these IT crimes.
The Code of Criminal Procedure
The CCP, which outlines procedures to be followed in criminal investigations, provides a basic privacy framework for searches of suspects involved in criminal proceedings.
According to Article 83 of the CCP, all information gathered over the course of an investigation, including technical data gathered on the individual(s) being investigated, must be kept confidential.
The CCP also provides parameters for the conducting of 'searches' in Article 91, which arguably includes searches of private data. Article 91 of the CCP states that authorisation must be sought prior to a search, and that the search should take place during specified hours, in front of the owner, and/or in front of witnesses. Evidence gathered during a search deemed to be in violation of Article 91 of the CCP is inadmissible in court (in keeping with Article 109 of the CCP).
As mentioned in the section on governing texts, the Sub-Decree only applies to 'personal identification data' owned by the MOI.
The MOI is authorised to collect, compile, keep, manage, and protect the security of personal identification data that is under the authority of the MOI, including the registration of birth certificates, ID cards, statistics and management of residency, passport, nationality, and other registrations. If private entities wish to gain access to personal identification data owned by the MOI for the purpose of advancing the provision of their services, they can request permission by signing a Memorandum of Understanding between a representative of the MOI and a representative of the entity. Further forms and procedures will be set out in future internal regulations by the MOI.
The Sub-Decree also provides definitions of the term 'personal identification data' and 'personal private information', but not the term 'personal data'.
Draft Cybercrime Law
Cambodia is currently working on reviewing and updating its Draft Cybercrime Law, which contains specific data protection clauses that address the preservation of data during criminal investigations, the search and seizure of computer data for use as evidence, and potential safeguards for suspects to prevent data privacy abuses.
Suggested fines and/or terms of imprisonment have been outlined in the Draft Cybercrime Law for potential cybercrime offences, which include accessing a computer system without a legal right and engaging in data espionage, illegal interception of non-public computer transmissions, and data interference, among others.
The Draft Cybercrime Law, which was originally drafted in 2016, is still pending final approval. As of mid-2022, the Draft Cybercrime Law is still being reviewed and revised by the MOI.
Since Cambodia does not have any dedicated laws on data protection, there are no regulatory or enforcement authorities that are specifically tasked with handling, overseeing, or implementing personal data protection matters in Cambodia.
1.3. Case law
Cambodia is a civil law system, and the courts are not bound by previous decisions. In addition, the records and decisions of Cambodian courts are not available to the public, as the courts do not report their decisions. Therefore, we are not aware of any case law applicable in Cambodia.
2. Scope of Application
Cambodia's data protection laws do not limit their scope of application because they are laws of general application. Therefore, any natural person or private/public organisation that collects, uses, or discloses personal data in Cambodia is generally captured under Cambodia's data protection laws.
In addition, as the purpose of the E-Commerce Law is to manage e-commerce in Cambodia and with other countries, businesses interacting with Cambodian consumers would be captured by the data protection related provisions of the E-Commerce Law.
The E-Commerce Law defines the term 'data' as 'a group of numbers, characters, symbols, messages, images, sounds, videos, information, or electronic programs that are prepared in a form suitable for use in a database or an electronic system.'
It is plausible that any data gathered in the course of an online transaction may be viewed by regulatory authorities as 'personal data.' Therefore, conventional data, such as full names, national identification numbers, passport numbers, photographs, images, phone numbers, personal email addresses, IP addresses, and other network identifiers may arguably constitute personal data under the E-Commerce Law.
The terms 'personal identification data' and 'personal private information' are defined under the Sub-Decree. Please see the section on key definitions below.
Since Cambodia does not have any dedicated laws on data protection, we recommend that
3.1. Main regulator for data protection
Since Cambodia does not have any dedicated laws on data protection, there are no regulatory or enforcement authorities that are specifically tasked with the handling, overseeing or implementing of personal data protection matters in Cambodia.
That said, the following governmental bodies may have substantial powers over data protection matters:
- the Ministry of Commerce ('the MOC');
- the MPTC; and
- the MOI.
3.2. Main powers, duties and responsibilities
Please see the section on main regulator for data protection above.
4. Key Definitions
Data processor: As Cambodia has not enacted any dedicated or comprehensive data protection laws, there are no laws that explicitly define or list data protection obligations for data processors, and no laws that distinguish the obligations of data controllers and data processors.
Personal data: Cambodian law fails to specifically define the term 'personal data', or discuss what specific information constitutes personal data. The E-Commerce Law defines the term 'data' as 'a group of numbers, characters, symbols, messages, images, sounds, videos, information, or electronic programs that are prepared in a form suitable for use in a database or an electronic system'. Separately, the term 'personal identification data' is defined under the Sub-Decree as 'all information that can identify the identity of a person. It can be data about name, gender, date of birth, place of birth, current residential address, citizenship, nationality, as well as biometric data or other data that relates to the identity of a person'. The Sub-Decree also defines 'personal private information' as a combination of data that can give information about a person's private life or secrets. These definitions are likely to influence the MOC, the MPTC, and the MOI in terms of how they understand personal data.
However, due to the absence of a definition of 'personal data', it remains plausible that any data of a data subject may be viewed by the regulatory and enforcement authorities as personal data of that data subject. Therefore, conventional data, such as full names, national identification numbers, passport numbers, photographs, video, images, phone numbers, personal email addresses, biometric data, IP addresses, and other network identifiers, may arguably constitute personal data.
Sensitive data: Cambodian law does not make a distinction between 'sensitive personal data' and personal data. As such, there is no express definition of what constitutes sensitive personal data. Also, there is no formal guidance from the regulatory and enforcement authorities on what may constitute sensitive data. That said, based on the laws applicable to persons and entities in other sectors (such as health and banking), the types of data below are generally considered to be of a more sensitive nature, and thus should be handled with more stringent data protection mechanisms than other personal data:
- medical data;
- financial data;
- personal data of children; and
- personal identifiers (e.g. government-issued IDs, such as national ID cards and passports, and ID card and passport details).
Health data: While the term 'health data' is not specifically defined under Cambodian law, there are separate Codes of Ethics for Health Professionals (physicians, midwives, nurses, pharmacists and dentists), which address confidentiality between healthcare providers and patients.
Data subject: Under Cambodian law, the term 'data subject' is not used or defined.
5. Legal Bases
Consent should be obtained from an individual before collecting, using, or disclosing his or her personal data for a purpose. An individual who previously gave consent should be permitted to withdraw his or her consent. This obligation is implied under Cambodia's existing legal framework.
There is a general obligation to obtain consent prior to gathering and storing personal data from consumers as well. This consent, in practice, is often obtained via an acceptance of online terms and conditions and can also be obtained through use of e-signatures. According to Article 7 of the E-Commerce Law, e-signatures are legally allowable when it is possible to identify the signatory and the signature is collected via 'reliable' means.
As discussed above, the consent of the data subject should be obtained. While there is no express requirement for a contract, a data controller or data processor should maintain a record of the data subject's consent. Generally, consent can be either express consent or implied consent, and can be given either in writing or through verbal communications. Implied consent refers to any act that is generally recognised as consent under applicable trade practices. It is strongly advised, however, that express consent be obtained in writing from data subjects. There are some legal uncertainties with implied consent. Express consent in writing can serve as stronger evidence in demonstrating that a data subject has provided his or her consent.
There are no public interest exceptions expressly set out under Cambodia's data privacy framework.
The legitimate interests of the data controller are not expressly discussed under Cambodia's data privacy framework.
Under Cambodia's existing legal framework, the following obligations are implied or imposed:
- Consent obligation: Consent from an individual should be obtained before collecting, using, or disclosing his or her personal data for a purpose. An individual who previously gave consent should be allowed to withdraw his or her consent. This obligation is implied under Cambodia's existing legal framework;
- Purpose Limitation Obligation: The collection, use, or disclosure of personal data about an individual should only be for purposes that are reasonable and that have been disclosed/notified to the individual concerned. This obligation is implied under Cambodia's existing legal framework;
- Disclosure obligations: Individuals should be notified of the purpose(s) for which the personal data will be collected, used, or disclosed on or before such collection, use, or disclosure of the personal data. The purposes notified must be reasonable (see the Purpose Limitation Obligation). This obligation is implied under Cambodia's existing legal framework;
- Correction Obligation: Any incorrect or inaccurate personal data of a data subject that is in the possession or under the control of the data controller should be corrected upon request of the data subject. This obligation is imposed under the E-Commerce Law;
- Access Obligation: Data subjects should be permitted to access their personal data in the possession or under the control of the data controller for correcting the information under the Correction Obligation. This obligation is implied under the E-Commerce Law;
- Protection Obligation: Personal data in the data controller's possession or under its control should be protected by taking necessary measures to prevent loss, unauthorised access, use, alterations, leaks, disclosures, or otherwise. This obligation is imposed under the E-Commerce Law; and
- Retention Obligation: All personal data in the data controller's system that may give rise to civil and criminal liability should be retained. This obligation is imposed under the E-Commerce Law.
7. Controller and Processor Obligations
Cambodia has not yet enacted any comprehensive legislation on data protection or data privacy and there are no regulations or provisions that explicitly list the different obligations of data controllers and data processors or the differences thereof.
The E-Commerce Law imposes important data protection obligations on electronic commerce service providers and intermediaries alike. An 'electronic commerce service provider' is defined in the E-Commerce Law as 'any person using electronic means to sell goods or services, except for insurance companies,' while an 'intermediary' in the electronic commerce context is 'any person who provides sending, receiving, transmitting, or storing services, either on a temporary or permanent basis, of electronic communication or provides other services relating to the electronic communication.'
Moreover, service providers that electronically store consumers' private information must take all 'reasonable' security measures to avoid the loss, modification, leakage, and/or unauthorised disclosure of all consumer data (Article 32 of the E-Commerce Law). The E-Commerce Law notes, however, that disclosures are allowable with the consent of authorities, or with the consent of the person whose data is being disclosed.
The E-Commerce Law also prohibits any encryption of data that may be used as evidence for any accusation or offence. This obligation potentially allows governmental authorities to order the decryption of data implicated in an investigation.
There are no data processing registration requirements under Cambodian law.
There are currently no data localisation requirements under Cambodian law. Therefore, any foreign party that wishes to collect or process Cambodians' personal data is not required to establish local data storage facilities in Cambodia.
All personal data that may give rise to civil and criminal liability should be retained. This obligation is imposed under the E-Commerce Law.
There are no general data protection requirements to carry out a Data Protection Impact Assessment ('DPIA') under Cambodian law.
There is no requirement under Cambodian law to appoint a data protection officer ('DPO').
There are no data breach notification requirements under Cambodian law.
The E-Commerce Law does not prescribe the minimum or the maximum period for the retention of personal data, or documents containing personal data. Where sectoral laws provide for specific retention periods, such as for tax records, they should be followed.
There is no maximum time limit set for the retention of personal data, and if an organisation has clearly notified its data subjects of its intended unlimited retention of personal data before obtaining data subjects' consent, then the retention is permissible by law.
While the E-Commerce Law also does not set a minimum time limit requirement for data retention, it does specify that when an intermediary or service provider becomes aware that information on record may lead to civil or criminal liability, they are required by law to preserve this information as evidence (Article 25 of the E-Commerce Law). This retention obligation would suggest that service providers and intermediaries are expected to retain data collected for a reasonable amount of time.
Although the E-Commerce Law does not prescribe a minimum or maximum period for the retention of personal data or of documents containing personal data, other laws provide some basic guidelines for how long information should generally be retained across various sectors. Accounting records, tax invoices, and records of imports and exports should all be retained for at least ten years, for example, while payroll ledgers should be retained for at least three years.
There are no requirements for children's data, since Cambodia does not have any dedicated laws on data protection.
There are no requirements for special categories of personal data, since Cambodia does not have any dedicated laws on data protection.
There are no requirements for controller and processor contracts, since Cambodia does not have any dedicated laws on data protection.
8. Data Subject Rights
Individuals should be notified of the purpose(s) for which the personal data will be collected, used, or disclosed on or before such collection, use, or disclosure of the personal data. This obligation is implied under Cambodia's existing legal framework.
Prior to collecting personal data, the E-Commerce Law imposes a requirement that a base amount of information should be shared by all sellers with their potential consumers prior to engaging in commercial activity. Any person who uses electronic communications to sell goods must provide their legal name and corporate name, business address, contact phone number, a description of the types of goods being sold, and basic terms and conditions related to the transaction (Chapter 6, Article 29 of the E-Commerce Law).
Data subjects should be permitted to access their personal data in the possession or under the control of the data controller in order to rectify the information under the Correction Obligation. This obligation is implied under the E-Commerce Law.
Any incorrect or inaccurate personal data of a data subject that is in the possession or under the control of the data controller should be corrected upon request of the data subject. This obligation is imposed under the E-Commerce Law.
This right is not explicitly set out under Cambodian law.
Under the E-Commerce Law, all marketing communications must contain opt-out instructions.
There are currently no data portability requirements under Cambodian law.
This right is not provided under Cambodian law.
Violating data protection obligations under the E-Commerce Law will result in the following penalties:
- failure to provide clear and straightforward opt-out instructions for unsolicited marketing communications:
  - a written warning;
  - suspension or revocation of business licenses and permits; and/or
  - disabling the means of marketing and communication to individuals;
- failure to comply with the consent, purpose limitation, disclosure/notification, and protection obligations:
  - imprisonment from one to two years and a fine ranging from KHR 2 million to KHR 4 million (approx. €504 to €1,010);
- failure to comply with the retention obligation:
  - imprisonment from one month to one year and a fine ranging from KHR 100,000 to KHR 2 million (approx. €25 to €504); and
- failure to comply with the correction and access obligations:
  - no specific penalties apply.
In addition, the Civil Code provides the right for individuals who suffer loss or damage as a result of an organisation's breach of their personal rights to pursue civil claims. The forms of relief available are:
- injunction where there is a danger that the infringement may occur or re-occur (e.g. an injunction to stop the continuing collection of personal data without consent);
- elimination of the effects of the infringement (e.g. removal of any storage of personal data collected without consent); and
- compensation for any damage suffered from the infringement.
As the courts of Cambodia do not publish their decisions, we are not aware of any notable enforcement decisions.