Data Privacy

Cambodian law contains general principles that address privacy rights or the protection of personal information collected from individuals in Cambodia.

Cambodian Constitution Article 31

Article 31 recognizes and respects human rights as stipulated in the United Nations Charter, the Universal Declaration of Human Rights, and the Covenants and Conventions related to human rights, women’s rights and children’s rights. Article 12 of the Universal Declaration of Human Rights 1948 and Article 17 of the United Nations International Covenant on Civil and Political Rights of 1966, ratified by Cambodia in 1992 prohibits the arbitrary or unlawful interference with privacy, family, home or correspondence, or unlawful attacks on the honor and reputation of people.

Cambodian Constitution – Article 40

Although there is no specific personal data protection or personal data privacy law in effect (and none under draft, to the best of our knowledge), the right to privacy enshrined in Article 40 of the Constitution.

Article 40 states: The right to privacy of residence and to the confidentiality of correspondence by mail, telegram, fax, telex and telephone, is guaranteed.

What this “right of privacy” means in practice is to be determined by further implementing laws and regulations as well as by the interpretation and application by Cambodian courts.

The Civil Code – Article 10 (Concept of Personal Rights)

Article 10 states: Personal rights include the rights to life, personal safety, health, freedom, identity, dignity, privacy, and other personal benefits or interests.

While we are not aware of any specific legal sanctions available to an individual claiming infringement of personal rights under the Civil Code, an aggrieved party would, in principle, still have legal recourse to the courts to request an injunction, a right to demand to eliminate the effect of an infringing act, as well as a right to damages for any harm suffered from infringement of a personal right. (Articles 11, 12, & 13 of Civil Code.


The Criminal Code – Article 317 (Breaches of Correspondence)

Article 317 states: Maliciously opening, destroying, delaying, or diverting correspondence sent to a third party, shall be punishable by imprisonment from one month to one year and a fine from one hundred thousand to two million Riels. The same penalty shall apply to the malicious interception of correspondence sent to a third party.

As we understand, the personal emails of the employee are stored in the employee’s personal account hosted by Yahoo! and accessible on a company-owned computer. The issue here is whether the employer maliciously opened the employee’s personal emails saved on the company-owned computer. The Criminal Code does not define the word “malice” or “maliciously”.

Since it is the employer’s standard operating procedure that employees are not allowed to store personal data on company-owned equipment and assuming that the employee was made aware of this operating procedure, the employer would have a defense to a possible claim by the employee that the opening and viewing of emails stored on company property was done maliciously.



While the above listed articles of Cambodian law do not specifically mention the protection of personal email correspondence, both the Constitution and the Civil Code recognize a fundamental right to privacy which may be invoked by individuals to support a claim that his/her right has been violated. However, to the best of our knowledge, we are not aware of any penalty having been imposed by a court due to such a constitutional/civil code violation. Provisions of the Constitution and the Civil Code generally serve as guiding principles which are usually supplemented by more specific implementing legislation.

Although, in principle, a claim by an employee could be made with respect to infringement of the right to privacy due to the opening and viewing of personal email correspondence stored on the company-owned computer, as a practical matter, such a claim would be unlikely to succeed given that the employee had been advised that the equipment was not to be used to store personal data and the employee’s emails were accessible on the computer without the malicious intent of the employer (the employer was merely reviewing its returned property when it accessed the emails).