In the digital era, personal data has become a critical asset, routinely collected and utilized in various transactions. Recognizing the need for robust data protection, Cambodia is taking significant steps towards a comprehensive legal framework with the introduction of the Draft Law on Personal Data Protection, the Draft Law on Cybersecurity, and the Draft Law on Cyber Crimes. These initiatives align with Cambodia’s existing policies aimed at enhancing digital governance and security.
The Cambodian government has emphasized the importance of safeguarding digital information and infrastructures through initiatives such as the “Policy on Digital Government 2022-2035” and the “Policy on Digital Economy and Society 2021-2035.” Both policies highlight the necessity of robust data protection and cybersecurity measures to support the country’s digital transformation. These frameworks underscore the need for secure digital environments to facilitate economic growth and societal development.
Moreover, existing laws such as the “Telecommunications Law” and the “E-Commerce Law” provide foundational elements for regulating digital activities. However, the emerging complexities of data privacy and cyber threats necessitate more specific and comprehensive legal frameworks. The new draft laws, along with existing general and sector-specific regulations, collectively address personal data and privacy protection, ensuring a secure digital environment in Cambodia.
A. Current Legal Framework
General Laws
The Cambodian Constitution provides the foundational legal basis for privacy rights, particularly through Article 40, which guarantees the privacy of residence and the confidentiality of communications via mail, telegram, fax, telex, and telephone. These provisions establish a constitutional framework for safeguarding personal data.
Complementing the constitutional provisions, the Civil Code of Cambodia, specifically Articles 10-13, outlines the right to personality. This broad concept includes rights to life, personal safety, health, freedom, identity, dignity, and privacy. The protection of personal data can be inferred under these broad personality rights, offering a civil law basis for privacy protection.
The Criminal Code addresses breaches of privacy through various provisions. For instance, Articles 301 and 302 penalize the unauthorized recording of private conversations and images, while Article 314 deals with breaches of professional secrecy. Additionally, Article 318 ensures the confidentiality of correspondence and telephone conversations, collectively providing criminal sanctions against privacy infringements.
Sector-Specific Laws
Several sector-specific laws impose professional secrecy obligations, providing targeted protections for personal data. In the banking sector, Article 47 of the Law on Banking and Financial Institutions prohibits the disclosure of confidential customer information without consent. Similarly, the Law on Negotiable Instruments mandates banks to maintain the secrecy of account information, barring disclosure without customer consent or legal mandate. In the health sector, laws and codes of ethics require the confidentiality of patient information, supported by the Health Profession Law. The insurance sector is governed by Article 106 of the Law on Insurance, which mandates the confidentiality of insurance-related information. For legal professionals, Article 58 of the Law on the Bar and the Lawyer’s Code of Ethics require absolute confidentiality of client information. The Labor Law, specifically Article 239, includes confidentiality obligations for employee health records, ensuring personal data protection within employment contexts.
Additionally, the Law on Telecommunications, through Article 65(b), provides a key principle of consumer right to privacy, stating that subscribers have the right to privacy, security, and safety when using telecommunications services. However, the law does not provide a detailed definition of these terms, leaving some ambiguity in their application to data protection.
The Law on E-Commerce, introduced in 2019, marks a significant development in Cambodia’s legal landscape. Article 32 of this law mandates the protection of electronic records containing personal information, ensuring they are safeguarded against unauthorized access, use, or disclosure. However, the Law on Consumer Protection, while broadly aiming to protect consumer rights, lacks explicit provisions on data protection, leaving a potential gap that could be addressed through implementing regulations.
B. Draft Laws on Data Protection, Cybersecurity, and Cyber Crimes
The Draft Law on Personal Data Protection aims to provide a comprehensive framework for the protection of personal data in Cambodia. This draft law introduces key principles such as data minimization, purpose limitation, and data security. It establishes the rights of data subjects, including the right to access, correct, and delete their personal data. The draft law also outlines the obligations of data controllers and processors, ensuring that personal data is handled with care and responsibility.
The Draft Law on Cybersecurity seeks to enhance the security of digital infrastructure and protect against cyber threats. It introduces measures to safeguard critical information infrastructure, mandates cybersecurity standards, and establishes mechanisms for incident response. This law is crucial for creating a secure environment for personal data processing and protecting the integrity and confidentiality of data.
The Draft Law on Cyber Crimes addresses various cyber-related offenses, including hacking, identity theft, and data breaches. This law provides legal tools to combat cybercrime and ensure that perpetrators are held accountable. By criminalizing activities that compromise personal data, the draft law strengthens the overall framework for data protection in Cambodia.
C. Legal Challenges and Gaps
One of the primary challenges in Cambodia’s legal framework is the need for a unified interpretation of privacy and personality rights across various laws. Consistency is crucial to avoid conflicts and ensure comprehensive data protection. The introduction of the Draft Law on Personal Data Protection, along with the Draft Laws on Cybersecurity and Cyber Crimes, aims to address these challenges by providing clear and cohesive legal standards.
The absence of a specific data protection law necessitates reliance on implied rights and sector-specific regulations, which can lead to fragmented and inconsistent protections. The Draft Law on Personal Data Protection aims to unify these principles and provide clear guidelines on data processing, subject rights, and enforcement mechanisms, ensuring a coherent approach to personal data protection.
Additionally, existing rules on professional secrecy need to be reconciled with data protection principles. This reconciliation is essential to balance confidentiality obligations and the rights of data subjects, ensuring that professional secrecy does not hinder individuals’ access to and control over their personal data.
D. Future Directions
To address the gaps in the current framework, the Draft Law on Personal Data Protection, covering all aspects of data protection from data collection to deletion, is needed. Adopting and Implementing the Draft Laws on Cybersecurity and Cyber Crimes will further strengthen the legal framework, providing robust protection against cyber threats and ensuring accountability for cyber offenses.
Public awareness and capacity building are also critical for the effective implementation and enforcement of these laws. Increasing public awareness about data protection rights and responsibilities, coupled with building the technical, financial, and institutional capacity to enforce these measures, is essential for fostering a culture of data protection in Cambodia.
E. Conclusion
Cambodia’s legal framework for personal data and privacy protection is advancing with the introduction of the Draft Law on Personal Data Protection, the Draft Law on Cybersecurity, and the Draft Law on Cyber Crimes. These draft laws, in conjunction with existing regulations, aim to create a comprehensive and cohesive system for data protection. By addressing current challenges and implementing these new laws, Cambodia can establish a robust data protection regime that effectively safeguards personal information in the digital age, ensuring the security and privacy of its citizens while supporting the country’s digital growth and transformation.
