Issue Description
Good data protection and privacy are essential for the economic development of society because they create a climate of trust and confidence in which businesses can thrive. When people know that their personal data is safe and secure, they are more likely to participate in the digital economy, which can lead to increased innovation, investment, and economic growth. In addition, good data protection and privacy can help to protect consumers from fraud and abuse. When people know that their personal data is safe, they are more likely to trust businesses and share their data. This can lead to better products and services for consumers.
European countries have been at the forefront of designing detailed legal frameworks and regulations that introduce and promote several aspects of data protection and privacy for citizens. Below are some of the provisions contained in the EU’s General Data Protection Regulation (GDPR) and the Council of Europe’s Convention 108+ on Personal Protection in Automated Systems. Both the GDPR and Convention 108+ are designed to protect the privacy of individuals and to ensure that their personal data is processed in a fair and transparent manner. The GDPR is a more comprehensive and stringent set of rules, while Convention 108+ is a more general framework. Both regulations cover the following aspects that could be included in a strong data protection and privacy regulation:
- Consent: Both the GDPR and Convention 108+ require that individuals give their consent before their personal data can be collected or processed;
- Purpose limitation: Personal data must be collected and processed for specific, explicit, and legitimate purposes;
- Data minimisation: Only the minimum amount of personal data necessary for the intended purpose should be collected and processed;
- Storage limitation: Personal data should not be stored for longer than is necessary for the intended purpose;
- Data security: Personal data must be protected against unauthorised access, use, disclosure, alteration, or destruction;
- Data subject rights: Individuals have the right to access their personal data, to have their personal data corrected or deleted, and to object to the processing of their personal data.
The Royal Government of Cambodia (RGC) has committed itself to enhancing the regulatory framework to protect personal data and privacy. A recently published e-commerce law contains data protection provisions, which however apply only for data exchanged in commercial electronic transactions. Data protection falls under the right to privacy, which is protected in broad terms under the Constitution of the Kingdom of Cambodia 2010, the Civil Code of Cambodia 2007, the Criminal Code of the Kingdom of Cambodia 2009, and other specific laws such as the Banking Law. To date, however, there is no comprehensive data protection framework yet in Cambodia.
The Ministry of Post and Telecommunications (MPTC) announced in early 2021 that it intended to prepare a draft personal data protection law, in line with the RGC’s vision of a digital society laid out in the Cambodia Digital Economy and Social Policy Framework 2021-2035. However, such law has not yet been published.
Impact on business
New technologies are a significant contributor to the national development of Cambodia. However, without a robust legal framework governing the responsible use and storage of the data generated from new technology, including by third parties, the importance of data security can be overlooked and individuals, businesses or governments are potentially exposed to serious threats and instability.
The flow of data that enables digital economies to flourish is built on trust. If this trust is broken, confidence in the entity will be harmed and others will no longer trust that their information will be safe. This is a serious concern for businesses involved in the use and management of private data, as they will quickly become uncompetitive.
Furthermore, due to the growing concerns around how data is used, some countries are restricting the flow of data to countries with lax privacy and protection laws. Similarly, the laws governing the use of data are no longer bound by jurisdictions and are now being applied extraterritorially. For example, the European GDPR applies strict obligations on any business that processes the data of European citizens, regardless of a business’s physical location.
Therefore, without an effective regulatory framework that maintains progress with comparable markets, there is a risk that the competitiveness of Cambodia’s digital sector could diminish, which would increase the difficulty of attracting investment.
The absence of a personal data protection law in Cambodia also hinders the country’s regional digital integration in ASEAN, as it stifles the development of cross-border data flows. Businesses are unsure of whether the data exchanged across borders can be secured from breaches.
In conclusion, the lack of a robust legal framework governing data protection in Cambodia poses a serious threat to the country’s digital development.
Recommendation
- Prioritise the adoption of comprehensive data protection and privacy laws, taking inspiration from the EU GDPR and the Council of Europe’s Convention 108+ .
While we recognise that the pace of technology generally exceeds that of the legal framework that governs it, we respectfully recommend that the Ministry of Posts and Telecommunications prioritise the adoption of Cambodia’s data protection and privacy laws to ensure the responsible use and management of data, taking into account international best practices.
It is important that such regulations be formulated to focus on the management of risks to an acceptable level and balance the economic and social benefits that digital innovations can bring with ensuring protection from the adverse impact of the misuse of data.
Adopting such regulations would also strengthen Cambodia’s efforts to further integrate into the ASEAN Economic Community, as there is a particular focus to harmonise data protection legislation and commit to enhanced cooperation in the field of ICT, as demonstrated by the Master Plan on ASEAN Connectivity and the ASEAN Framework on Personal Data Protection.
By adopting a sound regulatory framework on privacy and data protection, Cambodian consumers and international businesses are more likely to have their data secured in the increasing number of digital transactions, in turn spurring the development of digital trade, e-commerce, and investment.
Royal government of Cambodia
Initiative from Eurocham: The EuroChan Digital & Technology Committee raised this concern in the 2024 Edition of the White Book (Recommendation No. 23).
The Ministry of Post and Telecommunications shared to EuroCham Cambodia a first draft of the Law on Data privacy for inputs from the Private Sector.
Initiative from Eurocham: EuroCham is grateful to the Ministry of Post and Telecommunications (MPTC) for sharing this first draft. The Digital & Technology Committee worked on it and provided inputs to the MPTC. EuroCham appreciate the solid basis provided by the law but looks forward for further developments, especially on the definition of certain concepts.
On 30th January 2024, at the occasion of the ‘Digital Future Forum: Building Tomorrow’s Digital Foundation’ hosted by EuroCham and its Digital & Technology Committee. H.E. Dr. Kong Phallack, Secretary of State to the MPTC, provided the latest update on the development of the data protection law. They collected feedbacks from all the stakeholders and acknowledged the comments provided by EuroCham Cambodia. The target to finalize the law is by end of 2025.
National Counterparts
Ministry of Posts and Telecommunications
Contributors
Christopher McCarthy
MANGOTANGO ASIA