Data protection & privacy laws in Laos (2026)

The law covers personal data exclusively in electronic/digital form; physical or paper-based records fall outside its scope. It applies to domestic and foreign individuals, organisations, and legal entities handling electronic data within Lao PDR.

The law distinguishes 'general data' (personal/organisational data accessible with proper identification) from 'specific data' (official and personal data requiring explicit owner or authority permission before access, use, or disclosure).

Individuals hold rights to be informed, to access, to rectification, to erasure, and to object/opt-out of processing. Consent from the data owner is required as a baseline for collection and processing.

Transferring personal or official electronic data outside Lao PDR requires consent from the designated Data Administrator and must not contravene national interests or security.

The Ministry of Technology and Communications (MTC) and its 17 provincial departments are the primary enforcement bodies. Penalties for violations range from 5 million to 50 million Lao Kip (approximately USD 250–2,500). Implementing regulations were issued in 2018.

The Bank of Lao PDR's Decree on Consumer Protection Concerning Financial Services No. 225/GOV (April 6, 2020) requires financial service providers to notify affected customers of data breaches and report significant incidents to the central bank, supplementing the general electronic data protection law.