How is personal data protection and privacy law in Cambodia? What are the governing laws and regulations? And what can you expect as a company dealing with the privacy data?
More and more companies are collecting, storing and processing personal data of people in Cambodia. So, here’s what they should know (and maybe more cautious) about this.
Law and regulations governing personal data protection and privacy in Cambodia
There are only few laws and regulations currently that govern privacy and data protection including the Constitution, Civil Code, law on telecommunications and the press law. However, none of those law has anything substantial. Article 40 of the constitution (the only article), for example, only provides for the rights of privacy of residence:
The rights to privacy of residence, and to the secrecy of correspondence by mail, telegram, fax, telex and telephone shall be guaranteed.
The Law on Telecommunications (Article 65b) states:
Subscribers shall have the basic rights… to privacy, security and safety of using the telecommunications service, excepted otherwise determined by other specific law; …
The Press Law (Article 7) requires journalists to respect the right to privacy of individuals.
The Civil Code (Article 10) provides for the concept of personal rights, stating:
Personal rights include the rights to life, personal safety, health, freedom, identity, privacy, and other benefits and interests.
Again, none of these addresses (or is comprehensive enough to address) how privacy and personal data should be collected, stored and processed.
The draft law on consumer protection and e-commerce
On July 12, 2019, the Cambodian government has just adopted the consumer protection and e-commerce draft law. The laws will likely be passed by the parliament this year.
While I haven’t gotten a hold of the copy of the draft laws and while we cannot be sure how it will turn out to be after the passing by the parliament, I believe that they (especially the draft consumer protection law) will have a great influence on the practices of collecting, storing and processing privacy and personal data of the people in Cambodia.
What should companies in Cambodia do then?
Digital collection of personal data might require people’s explicit agreement. If you collect it online, you might have to also comply withe the law on digital signature.
And as a company, you should also carefully evaluate the security of your application and data model.
How about the EU’s GDPR?
The European Union’s Data Protection Regulations (GDPR) covers all EU residents. Companies in Cambodia dealing with privacy and personal data of an EU resident should review the rules. Whether your companies are local or international, European or non-European, my advice is to comply with the GDPR rules.