Cambodia moves to enact comprehensive data privacy law

What is the objective of the LPDP?

The LPDP borrows much of its architecture from the European Union’s General Data Protection Regulation (“GDPR”), and aims to establish principles, rules and mechanisms of processing personal data transparently, responsibly, and ethically. It aims to achieve this by introducing rules, empowering guidelines and supporting various mechanisms for processing private information in Cambodia.

Who are covered by the LPDP?

The LPDP targets both domestic and foreign entities involved in the processing of personal data. Specifically, it covers data controllers and data processors located within the Kingdom of Cambodia, as well as foreign entities based outside Cambodia if they offer goods or services to individuals residing in Cambodia.

The law also specifically exempts “natural persons” acting in a personal capacity, and “public authorities” performing functions within their jurisdiction.

What type of data is covered?

The LPDP defines personal data as “information relating to a natural person who identifies or can be identified by that natural person”.

Within this broad umbrella, the LPDP also defines “sensitive personal data” to include biometric data, genetic data, health status, racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, and data concerning a person's sex life or sexual orientation. 

Whilst similar definitions are also found in the GDPR, the LPDP is not as specific in its definitions. For instance, the definition of “genetic data” in the GDPR spells out specific ways in which the data can be obtained, and particularly relates to one’s health and physiology.¹In contrast, the Cambodian LPDP covers all genetic data, so long as it relates to one’s identity or characteristics. 

What rights and responsibilities are covered by the LPDP?

1. Data subject rights

The LPDP establishes substantially the same rights for data subjects as the GDPR, including:

• The right to information
• The right to access
• The right to rectification
• The right to erasure
• The right to restriction
• The right to personal data portability
• The right to object
• The right to remedy 
• The right to request human intervention in automated decision-making.

2. Data controllers/processors

The LPDP closely mirrors the GDPR  with regards to the distinction between and obligations imposed on data controllers and processors respectively.

These include requirements to:

• Establish a lawful basis for processing personal data. The list of legal bases recognised in the LPDP are largely similar to those in the GDPR, including consent, legitimate interests, contractual necessity, and legal obligation, among others.
• Implement appropriate security measures, including technical and organisational measures.
• Maintain records of their data processing activities.
• Conduct a data protection impact assessment for high-risk processing
• Transfer personal data outside Cambodia.
• Notify the regulator and data subjects of an eligible data breach.

However, the LPDP appears to adopt a more stringent stance compared to the GDPR, in mandating the appointment of a certified² data protection officer for all controllers and processors, regardless of the scale of personal data processing or risk.³ Such data protection officer’s name and information must also be reported to the Ministry of Post and Telecommunications within thirty working days from his or her appointment. Where there is a change in such appointment the update must be notified to the Ministry within fifteen working days. This is unlike the GDPR, which only applies the requirements in certain specified high-risk contexts.⁴

3. Foreign entities

Foreign entities that are data controllers or involved in data processing are also subject to Cambodia’s LPDP, if their activities are related to the offering of goods or services to individuals living in Cambodia, or monitor the behaviour of individuals within the country. These entities will then be required to appoint a representative and provide their details with the Cambodian authorities. The guidelines on the appointment of such a representative are currently to be determined.

What are the repercussions of non-compliance?

Any non-compliance with the LPDP could trigger both administrative and criminal sanctions. Administrative fines can reach up to approximately 150,000 USD (600,000,000 Riels) and 10% of annual turnover for businesses and legal persons, and up to 15,000 USD (60,000,000 Riels) for each natural person involved. Criminal liabilities set forth by the LPDP (imprisonment and fines) also distinguishes it from the GDPR’s purely regulatory nature.

Conclusion

The draft LPDP represents a significant step in aligning Cambodia with international data privacy standards, and is another example of the “Brussels effect” insofar as its provisions are so closely aligned with that in the GDPR.

With that said, there are certain local nuances and requirements that entities operating in or targeting Cambodia should be aware of, particularly as this new law imposes criminal liabilities.

To this end, early compliance planning is recommended, and one should keep a keen eye out for any clarifications, guidelines and other refinements that may be in the pipeline.

Should you need support in coming into compliance with this new law, or to understand how it might impact your business, feel free to reach out to the authors or your usual Hogan Lovells contact.

Authored by Charmian Aw and Ciara O’Leary.