Tilleke & Gibbins
The following law(s) specifically govern personal data / information:
Cambodia has not yet enacted any comprehensive data protection legislation.
The most recent update to the country's data protection landscape has come in the form of the Law on Electronic Commerce 2019 (E-Commerce Law), which contains provisions for the protection of consumer data that has been gathered over the course of electronic communication. The E-Commerce Law is thereby restricted in scope to virtual and/or digital data protection.
Other matters pertaining to data protection typically fall under the right to privacy, which is protected in broad terms under the Constitution of the Kingdom of Cambodia 2010 (“the Constitution”), the Civil Code of Cambodia 2007 (“the Civil Code”), and the Criminal Code of the Kingdom of Cambodia 2009 (“the Penal Code”).
The key data protection principles in this jurisdiction are:
As Cambodia has not enacted a specific data protection law, the below principles are implied under Cambodia's laws of general application.
- Lawfulness: The data must be processed lawfully and in a transparent manner.
- Specific Purpose: The data must be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes.
- Purpose Limitation: The data collected, processed or used must be relevant and limited to what is necessary in relation to the purposes for which they are processed. Please see the section on restrictions on international data transfers below for further information on processing personal data for a different purpose.
- Accurate: The data must be correct and accurate, and up to date. Every reasonable step must be taken to ensure that personal data that is inaccurate, having regard to the purposes for which it is processed, is corrected, or deleted without delay.
- Security and Confidentiality: The data must be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful accessing and processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.
The supervisory authority / regulator in charge of data protection is:
Since Cambodia does not have any dedicated laws on data protection, there are no regulatory or enforcement authorities that are specifically tasked with handling, overseeing or implementing personal data protection matters in Cambodia.
That said, the following governmental bodies may have substantial powers over data protection matters:
- the Ministry of Commerce (the “MOC”)
- the Ministry of Post and Telecommunications (the “MPTC”)
- the Ministry of Interior (the “MOI”).
Is there a requirement to register with a supervisory authority / regulator?
Is there a requirement to notify the supervisory authority / regulator?
This is generally not applicable. However, specialized guidelines exist for banking and financial institutions.
Is it possible to register with / notify the supervisory authority / regulator online?
The key data subject rights under the data protection laws of this jurisdiction are:
Data subjects have the right to correct (and potentially access) their personal data under the E-Commerce Law.
An organization is required to allow data subjects or their agents to correct or delete any incorrect or inaccurate personal data that they have input in the automated system of the organization. Data subjects should notify the organization of the error as soon as they have learned of the error, and indicate they have made such an error.
The E-Commerce Law does not explicitly provide a clear access right to data subjects. However, organizations must allow data subjects to access their information to the extent necessary for the data subjects to exercise their rights to correct or delete incorrect or inaccurate personal data.
Is there a requirement to appoint a data protection officer (or equivalent)?
Do data protection/ privacy impact assessments need to be carried out in certain circumstances?
Does this jurisdiction have any specific data breach notification requirements?
The following restrictions apply to the international transfer of personal data / information:
Cambodia does not specifically restrict the transfer of personal data out of the jurisdiction.
However, while Cambodian law does not explicitly prohibit an organization from disclosing or transferring the data to a third party whether such third party is based within Cambodia or not, Cambodian law implies a disclosure / notification obligation under its existing legal framework for data protection.
Personal data can only be collected, used, or disclosed for purposes that the individual understands and has given consent to at the time of giving initial consent or a new consent. Such purposes must be disclosed or notified to data subjects in a reasonable manner based on the circumstances.
Where the use and disclosure of the personal data is for a purpose different from that for which it was initially collected, the service provider using the data would need to notify the individual of the new purpose and obtain a new consent unless:
- the new purpose is within the scope of the original consent; or
- where implied consent can be established.
Implied consent refers to any act that is generally recognized as consent under applicable trade practices. However, express and written consent should be obtained if the service provider wishes to use or disclose personal data for a purpose different from that for which it was collected.
When a service provider is seeking consent from the data subject, the service provider must disclose or notify the data subject of the purpose(s) for which it intends to collect, use or disclose the data subject’s personal data before such collection, use or disclosure of the personal data.
Cambodia's data protection laws do not prescribe how an organization should notify individuals. Organizations must determine what would be the most appropriate form of notification.
The form of the disclosures / notifications to obtain each data subject’s consent should be as close to a formal contract as possible. Moreover, requirements such as clicking on the consent button, typing a full legal name for the signature, and/or scrolling through all terms of the disclosure / notification should be implemented. Furthermore, disclosures / notifications to the individuals regarding the purpose of the collection, use, and disclosure of personal data must not be too vague or broad in scope, i.e. an appropriate level of specificity should be provided.
If an organization wishes to disclose or transfer personal data to third parties, including those outside Cambodia, the organization should notify the individuals of such disclosure or transfer. Any consent provided by the individual without the purposes first being notified or disclosed to them would not be valid.
Do the data protection laws in this jurisdiction have “extra-territorial effect” (i.e. do they apply to organisations outside this jurisdiction)?
As Cambodia has not enacted any dedicated or comprehensive data protection laws, there are no laws or regulations that specifically discuss the extra-territorial effect of data protection laws.
In the e-commerce context, Cambodia has recently enacted the E-Commerce Law and Sub-Decree on Classifications, Formalities and Procedures on the Issuance of Permits and Licenses to Intermediaries and Electronic Commerce Service Providers and Exemptions and amended tax regulations to clarify that companies engaged in e-commerce, which have a permanent establishment in Cambodia.
Though an offshore company is unlikely to be deemed “doing business” in Cambodia, it is likely that the offshore company would have a “permanent establishment” in Cambodia by virtue of engaging in e-commerce and deriving profits from supplying goods and services into Cambodia.
As such, Cambodian law would likely have extra-territorial effect. That said, there are growing pains with these new regulations, and we are not aware of the Cambodian government extending them, or other laws, to offshore providers of goods and services at this time, though the framework for a future extension is in place.
The following rules specifically deal with marketing:
There are no laws specifically dealing with marketing in Cambodia; the following (non-exhaustive) list of laws addresses marketing issues:
- The Consumer Law prohibits "unfair practices" in relation to consumer transactions. Unfair practices include:
  - unfair sales;
  - bait advertising;
  - unfair solicitation sales;
  - demanding or accepting payments without intention to supply goods or services per the purchase order;
  - making a false claim or representation of some business activity;
  - coercion by force and mental threats;
  - pyramid schemes;
  - selling goods bearing a false trade description; and
  - any other unfair practices.
- The Trademark Law is relevant to comparative advertising. The following acts are considered acts of unfair competition:
  - all acts that create confusion with the establishment, the goods, or the industrial, commercial or service activities of a competitor;
  - false allegations in the course of trade of such a nature as to discredit the establishment, the goods, or the industrial, commercial or service activities of a competitor; and
  - indications or allegations of the use of marks which, in the course of trade, misleads the public as to the nature, manufacturing process, characteristics, suitability for their purpose, or quantity of the goods.
- The Telecom Law prohibits all activities against the principles of fair, free, equal, and effective competition. The Telecom Law authorizes the Telecommunications Regulator of Cambodia (the “TRC”) to monitor, oversee and evaluate lawful and fair competition in the telecommunications market.
- Prakas 170 is applicable to website publications and any kind of social media networks on the internet in Cambodia. Prakas 170 prohibits all publications or news content sharing or written messages, audio, photos, videos, and/or other means intended to create turmoil leading to undermine national defence, national security, relation with other countries, national economy, public order, discrimination and national culture and tradition.
- Under Prakas 340, advertisements on mass media (radio, TV, cable TV, MMDS, newspaper, magazine, bulletin, poster, billboard, calendar, business sign posted in public place or on vehicle, broadcasting on mobile or fixed bullhorn) are allowed in Cambodia only when there is permission from the Ministry of Information.
- Letter 276 requires all mobile service operators to obtain approval from the TRC prior to carrying out any mobile phone advertisements.
If an organization wishes to send unsolicited marketing communications to an individual via any electronic media, intermediary or telecommunications service provider, the organization is obligated under the E-Commerce Law to provide clear and straightforward opt-out instructions. This obligation applies regardless of whether the individual resides in Cambodia. However, the E-Commerce Law suggests that it is not necessary to obtain consent from the individual to send marketing communications as long as each marketing communication has clear and straightforward opt-out instructions and the individual has not exercised his or her opt-out right previously.
Do different rules apply to business-to-business and business-to-consumer marketing?
The following rules specifically deal with electronic marketing (for example, by email, text message, WhatsApp message, online ads etc):
There are no laws specifically dealing with electronic marketing in Cambodia.
Electronic marketing in Cambodia is subject to the general laws discussed under our response to the question on marketing rules.
The following rules specifically deal with cookies:
The consequences of non-compliance with data protection laws (including marketing laws) are:
There are no specific penalties for violating the Constitution and no penalties for violating the Civil Code apart from the risk of potential civil claims by data subjects.
However, violating data protection obligations under the E-Commerce Law may result in the following penalties:
- Failure to provide clear and straightforward opt-out instructions for unsolicited marketing communications will subject the organization to: (1) a written warning; (2) suspension or revocation of business licenses and permits; and/or (3) disabling the means of marketing and communication to individuals.
- Failure to comply with the Consent, Purpose Limitation, Disclosure / Notification, and Protection Obligations will subject the organization to imprisonment from 1 to 2 years and a fine amounting to KHR 2 million to KHR 4 million (approx. USD 500 to USD 1,000).
- Failure to comply with the Retention Obligation will subject the organization to imprisonment from 1 month to 1 year and a fine amounting to KHR 100,000 to KHR 2 million (approx. USD 25 to USD 500).
The law is silent on failure to comply with the Correction and Access Obligations.
In broad terms, multinational organisations should be aware of the following key factors if they process personal data / information from individuals within this jurisdiction, without being located there:
As individual privacy rights are broadly protected under Cambodian laws of general application, we recommend that multinationals obtain consent from each individual before processing their personal data, even if the multinational is not registered in Cambodia.
MCI establishes that clauses of standard form contracts shall be deemed null and void unless the consumer is offered the possibility of choosing Brazilian courts to resolve disputes arising from services provided in Brazil.
Multinational organisations should be aware of the following upcoming data protection developments:
The Cambodian government has been preparing a draft anti-cyber crime law, and if this law is enacted, it would implicate data privacy and data protection issues.