Cambodia’s draft data privacy law: Too much is left to delegated prakas

The draft law is limited only to the private sector and does not have extra-territorial scope. By Graham Greenleaf, Honorary Professor at Macquarie University, Australia.

Cambodia is one of the last four of the 11 ASEAN countries that has not enacted a data privacy law.(1) Cambodia’s Ministry of Posts and Telecommunications (MPTC) released for consultation a draft Law on Personal Data Protection (LPDP) on 25 July 2023, but the draft Law is not known to have progressed any further toward enactment.

The key limitation on the draft Law is that its scope is limited to the private sector, plus a few aspects of what could be regarded as the public sector. It does not apply to the “collection, use, and disclosure of personal data by Public Authorities”, which the Law says “are governed by other legal instruments” (art. 2). “Public authorities” are defined as “not including public establishment of administrative character and public enterprises” (Appendix to the Law). Limitation to the private sector is also found in the data privacy laws of Malaysia and Singapore, although expressed differently, but not in the more recent laws of Thailand and Indonesia. It is therefore essential to consider the extent to which Cambodian authorities can obtain access to personal data held by the private sector, and the limitations placed on their use of this data.

Continue Reading

International Report subscribers, please login to access the full article

LOGIN

If you wish to subscribe, please see our subscription information.

Subscribe