The Cambodian government defends its proposed restrictions on the free transfer of data across international borders
The question of unobstructed transfer of data across international borders is at the heart of a dispute over Cambodia’s pending cybersecurity Draft Law.
The Asia Internet Coalition (AIC), a consortium of technology companies, maintains that limiting data transfer – as proposed in the new law – would negatively impact international companies doing business in Cambodia. The group is supported in its objections by the International Commission of Jurists (ICJ) and Access Now.
But the Ministry of Post and Telecommunications (MPTC), responding to the criticisms, insists the goal of the law is “to fortify consumer interests and protect the safety of individuals utilising critical information infrastructure services, by offering them technical support,” according to spokesman Liv Sophanarith.
“The free movement of data across borders is vital to Cambodia’s economy and supports the best outcomes for Cambodian businesses and citizens,” the AIC asserts in its statement. “Enabling cross-border data transfers protects consumers by allowing businesses to implement best practices for data privacy and security.”
These practices, the AIC said, include decentralised cloud data storage and shared systems resilient to outages from malfunctions or natural disasters.
“Cross-border data transfers will also lower barriers to international trade and investment in the Cambodian economy by reducing compliance costs,” the AIC statement adds.
The World Bank supports this view, emphasising the importance of open data flows for developing countries and warning against data localization’s negative impact on GDP, jobs and investments.
Research from the Information Technology and Innovation Foundation also suggests that each point of cross-border data flow restriction reduces trade output by 7%, lowers productivity by 2.9%, and increases downstream prices by 1.5%.
Other agencies claim the pending Law falls short of Cambodia’s human rights commitments – that it would impede the ability of citizens and businesses to protect themselves from intrusions into their networks and to safeguard their private data. The ICJ and Access Now made these statements in a joint letter and accompanying legal analysis to the MPTC on 2 October.
“There are no provisions in the proposed law that compromise human rights,” Sophanarith said in a statement issued on 5 October in response to the joint letter.
Among other issues that the NGOs found in the draft’s provisions are draconian fines and imprisonment, no independent oversight body, restrictions on access to private cybersecurity tools, executive overreach, and vague provisions that could encourage self-censorship.
The Draft Law, now nearly one year into legislative review, has received criticism in the past for harnessing expanded censorship powers. Yet, the closed-door policy-making approach to the Draft Law has experts asserting that no real revisions have been made since its onset – despite continued advocacy for substantial amendments or a withdrawal. As Cambodia adopts the cybersecurity legislative trends in the region – often driven to expand government or military power – the country’s actual capacity to even implement the infrastructure is also in question.
In November 2022, the MPTC prepared the Draft Law, which aims to “determine principles, rules and mechanisms to manage and maintain cybersecurity of Critical Information Infrastructures (CIIs) for the purpose of safely and sustainably ensuring essential national services”.
The Draft Law has not undergone any significant changes since 2022. That is in spite of Access Now’s conversations with Cambodian activists, who suggested the government was willing to collaborate with the private sector and civil society. “It’s a bit disappointing that the law has not really evolved to a place where it’s now a safe law with good framing,” said Golda Benjamin, Access Now’s campaigner for Asia-Pacific.
“Cambodia is pressured internally and externally to have a law because ASEAN already has a strategy on cybersecurity. That’s one context,” said Benjamin. “The second context is that Cambodia is trying to grow its economy and diversify.”
The ASEAN strategy is to satisfy United Nations-advised measures in the hope of gaining international cooperation in the event of cyber attacks.
While Cambodia is well known as a hub for garments and manufacturing, it is now starting to expand financial services to offshore and outsourcing services. Hence, the government needs a framework that sends the message that they are cyber resilient and data custodians, Benjamin mentioned.
But she said the Draft Law does little to assuage malicious cyber activities symptomatic of Cambodia’s “scamdemic”.
“We are concerned that the Draft Law would actually expose people instead to increased cyber threats, by requiring government licences of cybersecurity services and imposing unreasonable administrative burdens on organisations who may lack the capacity to meet them,” said Daron Tan, an associate international legal adviser at the ICJ.
As of now, the MPTC has yet to amend or withdraw the Draft Law. Instead, the agency asserts that the draft abides by human rights obligations and bolsters consumers’ interest.
The MPTC has not responded to an email from Focus-Cambodia about revisions to the Draft Law.