Cambodia has not yet enacted comprehensive cybersecurity and data protection legislation, although the Ministry of Post and Telecommunication (MPTC) announced in 2021 that it would be drafting the Personal Data Protection Law after finalizing the draft Cybersecurity Law. In November 2022, the MPTC announced that it had completed the first draft of the draft Personal Data Protection Law and planned to hold internal discussions. The MPTC's draft Cybersecurity Law is also still being discussed and refined.
Under current practices, matters pertaining to data protection and privacy fall broadly under the right to privacy as addressed in Cambodia's constitution and certain provisions under the Civil Code, the Penal Code, and other specific laws, such as the Law on Electronic Commerce (E-commerce Law) and the Law on Banking and Financial Institutions. These laws generally protect the right to privacy, which could cover personal data.
Constitution
Cambodia's constitution generally recognizes citizens' right to privacy in broad terms. It provides that all Cambodian citizens have the right to privacy of residence, and to the secrecy of correspondence by mail, telegram, fax, telex, and telephone. However, Cambodia does not yet have any specific laws elaborating on the meaning or scope of this provision or providing any implementing measures.
Civil Code
An individual's personal data may be protected under the Civil Code, dated December 3, 2007, as part of "personal rights," which include the right to privacy and other personal benefits and interests, as well as the rights to life, personal safety, health, freedom, identity, and dignity. This right to privacy may be interpreted as including the protection of individual personal data.
The Civil Code gives a person the right to an injunction where an infringement of that person's personal rights may occur (or continue). Assuming that personal data constitutes personal rights, an owner may seek a court order to stop any unlawful infringement of his or her personal data (e.g., data collection without consent).
Further, the Civil Code states that a rights owner may seek the elimination of effects stemming from an infringement. In the context of data privacy, this potentially means that a person can seek an order to remove, for example, storage of his or her personal data collected unlawfully.
Finally, a person is allowed to seek compensation for damage suffered from an infringement of his or her personal rights.
Penal Code
The Penal Code criminalizes the following activities relevant to the collection of personal data:
- Intercepting or recording private conversations and images without consent (unless otherwise authorized by law). Consent is presumed to be given if the concerned person does not object to the notification of the interception or recording.
- Unauthorized breaches of professional secrecy. This does not apply to the disclosure of confidential information required or authorized by law, or to sharing information on mistreatment of a child under 15 with governmental authorities.
- Violating the secrecy of correspondence and telephone conversations
- Fraudulent access or connection to an automated data processing system.
The above violations may incur imprisonment for between one month and one year and a fine of KHR 100,000–2 million (approx. USD 25–500). For the violations below, imprisonment may be increased to between one and two years and a fine of KHR 2–4 million (approx. USD 500–1,000):
- Fraudulent access or connection to an automated data processing system that damages or alters data in that system or the functioning of the system itself.
- Obstruction of the functioning of an automated data processing system.
- Fraudulent introduction, deletion, or modification of data in an automated data processing system. Participation in (or helping to plan) any of these information technology crimes.
Law on Electronic Commerce 2019 (E-commerce Law)
On November 2, 2019, Cambodia adopted the E-commerce Law to govern all commercial and civil acts, documents, and transactions executed via an electronic system, except those related to powers of attorney, wills and succession, and real estate. The law came into force on May 23, 2020. In addition to providing legal certainty for electronic transactions, the E-commerce Law regulates domestic and cross-border ecommerce activities in Cambodia and enacts important protections for consumers, including the protection of consumer data.
The provision in the E-commerce Law that mentions data protection broadly requires any person who stores electronic data to establish all necessary measures to ensure that the data is reasonably protected from loss, unauthorized access, use, alteration, leaks, or disclosure. In addition, people who mistakenly enter the wrong details into an automated system must be allowed to correct or delete the data, unless they have benefited or caused damage to others by inputting the inaccurate information.
The E-commerce Law also prohibits the following actions:
- Electronically accessing, downloading, copying, obtaining, leaking, deleting, or altering data possessed by another person, maliciously or without consent;
- Encrypting electronic communications data or electronic evidence related to an offense or accusation thereof;
- Using another person's data for any reason with malicious intent or without authorization;
- Creating, enabling, or sharing malicious codes; and
- Creating electronic systems for purposes of falsification or causing confusion in order to obtain benefits or to attract users or transactions, and causing damage to others;
To strengthen the security of electronic transfers and payments, the E-commerce Law prohibits payment service providers from issuing a payment instrument to a consumer unless another has or needs to be replaced, or the consumer requests one
Customers must notify service providers of any unauthorized transactions or errors in their accounts. Consumers must also notify their payment service providers electronically or in writing within two days of becoming aware of any loss or theft of electronic fund transfer instruments (or data for using them).
Additionally, payment service providers must identify consumers and verify the correctness of electronic fund transfer transactions before processing them. Unless it is a case of force majeure or there is sufficient evidence proving that the customer is at fault, payment service providers must be responsible for unauthorized transactions, fraudulent activity after a customer's notification (see above), or otherwise failing to comply with customers' orders, as well as some other technical irregularities or misuse. If payment service providers are liable in any of these circumstances, they must pay damages to customers within 30 days of receiving a consumer's notification.
The E-commerce Law also sets conditions for recognizing the security of electronic records and electronic signatures. It is legally assumed a secured electronic record is unaltered, and a secured e-signature belongs to the signatory unless proven otherwise. The E-commerce Law empowers the Ministry of Posts and Telecommunications as the competent authority to govern the security procedures for electronic records and e-signatures.
Failing to comply with the E-commerce Law is punishable by imprisonment for 1 month to 3 years and a fine from KHR 100,000 to KHR 10 million (approx. USD 25–2,500). Other disciplinary sanctions may also apply.
To view the full article click here
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.