Skip to content
World Watch/Cambodia/Data & Privacy

Data & Privacy ยท Cambodia

Data protection & privacy law in Cambodia (2026)

ProposedDraft Law on Personal Data Protection (LPDP, July 2025), not yet enacted; existing regime relies on Sub-Decree No. 252 (2021), the E-Commerce Law, and general constitutional/civil/criminal-code privacy provisions. Designated supervisory authority (under draft): Ministry of Post and Telecommunications (MPTC).Country index 64 ยท C+

Cambodia shaded by its data & privacy status

Data protection in Cambodia: proposed, under Draft Law on Personal Data Protection (LPDP, July 2025), not yet enacted; existing regime relies on Sub-Decree No. 252 (2021), the E-Commerce Law, and general constitutional/civil/criminal-code privacy provisions. Designated supervisory authority (under draft): Ministry of Post and Telecommunications (MPTC)..

Cambodia does not yet have a comprehensive, in-force personal data protection law. A final draft LPDP modelled closely on the EU GDPR was released on 23 July 2025 and was still pending parliamentary promulgation as of May 2026. In the interim, personal data is covered only by fragmented sectoral rules, chiefly Sub-Decree 252 (Ministry of Interior identification data), limited E-Commerce Law provisions, and broad constitutional privacy guarantees.

Key points

Draft LPDP (2025)

Cambodia's Ministry of Post and Telecommunications published a final English-language draft of the Law on Personal Data Protection on 23 June/July 2025. The draft adopts GDPR-style principles, lawful basis, data-subject rights, data-breach notification, and cross-border transfer controls, but had not been promulgated into law as of May 2026.

Sub-Decree No. 252 (2021), narrow scope

Sub-Decree No. 252 of 22 December 2021 on the Management, Use, and Security Protection of Personal Identification Data applies only to personal identification data held by the Ministry of Interior (national ID system); it does not extend to private-sector data processing.

Sectoral and general-law privacy protections

Outside Sub-Decree 252, privacy is protected in broad terms under the Constitution, Civil Code (2007), Criminal Code (2009), and specific sectoral laws such as the E-Commerce Law (limited to virtual/digital consumer-data contexts) and the Banking Law. No single comprehensive statute governs private-sector data controllers.

Designated supervisory authority (MPTC)

The draft LPDP designates the Ministry of Post and Telecommunications (MPTC) as the primary data-protection supervisory authority, with powers to issue regulations (Prakas), conduct audits, receive complaints, mediate disputes, and manage cross-border transfer approvals. Critics note the draft delegates substantial rule-making to ministerial Prakas, limiting legal certainty.

Extraterritorial scope in the draft

The LPDP draft targets both Cambodian-based and foreign entities that offer goods or services to individuals residing in Cambodia, mirroring GDPR's territorial reach. Sensitive categories (biometrics, health, race/ethnicity, political opinion, religion, sexual orientation) attract heightened protection.

Implementation timeline

Once promulgated, the LPDP is expected to enter force after a two-year transitional/implementation period, giving organisations time to comply. As of May 2026 the law had not yet been signed or tabled before the National Assembly, and no official promulgation date had been announced.

Timeline - major decisions & events

Apr 3, 2026law
Senate Gives Final Approval to Law on Anti-Technology Fraud

All 55 senators unanimously adopted Cambodia's first dedicated cybercrime statute without amendment, completing the legislative process and sending the bill to King Norodom Sihamoni for royal promulgation. Gang leaders of scam operations face 15-30 years in prison; life imprisonment applies where victims die, and organisers face fines up to $250,000.

Xinhua News Agency โ†—
Mar 30, 2026law
National Assembly Unanimously Passes Anti-Technology Fraud Bill

All 112 members of Cambodia's National Assembly voted in favour of the country's first standalone cybercrime law, targeting online scam compounds with 2-5 year sentences and fines up to $125,000 for individual offenders. The passage followed intense international pressure and sanctions over Cambodia's role as a hub for cyber-fraud operations.

Al Jazeera โ†—
Jun 23, 2025guidance
MPTC Publishes Final Consultation Draft of Law on Personal Data Protection

The Ministry of Posts and Telecommunications released the substantially revised final draft of Cambodia's first comprehensive data-protection law (LPDP), modelled on the EU GDPR; it mandates lawful-basis processing, data-subject rights, mandatory DPO appointment for all controllers and processors, cross-border transfer rules, and administrative fines up to ~$150,000 (600 million KHR) plus 10% of annual turnover. A two-year grace period will follow royal promulgation.

Open Development Cambodia / MPTC โ†—
Jul 1, 2023guidance
MPTC Circulates First Draft Personal Data Protection Law for Industry Consultation

Cambodia's Ministry of Posts and Telecommunications distributed an initial draft Law on Personal Data Protection (LPDP) to selected companies and held workshops, the first formal step toward a standalone data-protection statute. Critics and industry groups noted the draft applied only to the private sector and delegated more than 20 key obligations to future ministerial decrees (prakas), leaving significant legal uncertainty.

Global Data Alliance (formal comments on draft) โ†—
Feb 16, 2021law
Sub-Decree on National Internet Gateway Signed, Mandating 12-Month Traffic Data Retention

Prime Minister Hun Sen signed Sub-Decree No. 23 requiring all domestic and international internet traffic to route through a government-controlled National Internet Gateway (NIG); ISPs must retain all traffic data for 12 months, block prohibited content, and report identifiable user activity to the Ministry of Posts and Telecommunications and the Telecommunications Regulator of Cambodia. Human-rights organisations condemned the measure as enabling mass surveillance incompatible with the right to privacy.

Human Rights Watch โ†—
Nov 2, 2019law
Law on Electronic Commerce Enacted, First Statutory Digital Data-Protection Obligations

Cambodia's e-commerce law imposed the country's first explicit statutory data-security duties: any business electronically storing personal information must implement reasonable measures against loss, unauthorised access, alteration, or disclosure. It also introduced consumer disclosure requirements and rights to correct inaccurate data, making it the primary enacted instrument governing personal data in digital transactions until a comprehensive law is passed.

Tilleke & Gibbins โ†—
Jan 1, 2009law
Criminal Code Enacted with First Cyber-Offense Provisions

Cambodia's comprehensive Criminal Code (promulgated 2009, in force 2010) introduced Articles 317-320 and 427-432 covering unauthorised computer access and related offences, the first cyber-specific criminal provisions in Cambodian law. The provisions were narrow, lacked a definition of cybercrime, and contained no data-privacy enforcement mechanism, driving subsequent calls for a standalone cybercrime statute that took 17 years to materialise.

Konrad-Adenauer-Stiftung Cambodia โ†—
Jan 1, 2007lawofficial
Civil Code Promulgated, Article 10 Recognises Privacy as a Personal Right

Cambodia's Civil Code formally listed privacy alongside life, identity, and dignity as a protected personal right under Article 10, giving individuals a civil-law basis to seek injunctions and damages for privacy violations. The provision is broadly drafted and lacks implementing regulations, so its practical scope has depended entirely on court interpretation.

FAO FAOLEX (UN Food and Agriculture Organisation) โ†—
Sep 21, 1993lawofficial
Constitution Adopted, Article 40 Enshrines Right to Privacy of Communications

Cambodia's post-UNTAC Constitution enshrined in Article 40 the rights to privacy of residence and to confidentiality of postal, telegraph, fax, telex, and telephone communications, the foundational constitutional basis for all subsequent data-protection claims. The provision predates the internet era and makes no reference to digital data, leaving a significant gap that modern legislation has been slow to fill.

OHCHR Cambodia (official constitutional text) โ†—

Cambodia - other topics

Data & Privacy in other countries

Last verified 5/24/2026 ยท Orientation, not legal advice - verify against the primary sources linked above. Methodology & how to cite ยท Explore the full world map โ†’