Art. 15 of the Law on Telecommunications provides that a license from the Telecommunication Regulator of Cambodia (TRC) and the Ministry of Posts and Telecommunications (MPTC) is required for the provision of VOIP and Internet café services.

Cambodia has appended the World Trade Organization (WTO) Telecom Reference Paper to its schedule of commitments.

Art. 99 of the Law on Telecommunications introduces sentences of six months to two years imprisonment and heavy financial penalties for “any act of producing, installing or distributing software or hidden audio recorders for recording dialogue” without approval from the authorities. It is reported that this unclear provision, which seems to require government approval for any software that can record sound, could potentially criminalise the basic use, sharing, or development of software such as smartphone apps. Additionally, the range of sound-recording hardware concerned with this provision is unclear.

It is reported that although the Telecommunication Regulator of Cambodia (TRC), the executive authority for the supervision and administration of services in the telecommunications sector, proclaims itself to be an autonomous public entity independent from the government in the decision-making process, the Telecommunications Law significantly undermined its independence by granting the Ministry of Posts and Telecommunications (MPTC) ultimate authority over the regulator. The TRC’s lack of independence was reportedly demonstrated in 2017 when it followed the MPTC’s order to block access to the Cambodia Daily and other news sites in the run-up to the general election in July 2018.

In March 2012, the Cambodia Custom and Excise General Department announced a ban on the import of old computers and spare parts for occupational purposes, except for self-consumption and/or charity, in a minor amount.

Art. 51 of the Law on Customs stipulates that all individuals or entities engaged in the import or export of goods must maintain accurate documentation, including books, records, and other information, in both digital and traditional formats. These records must be retained for a minimum of ten years at the premises of the business in Cambodia. This obligation extends to importers, exporters, customs brokers, operators of customs temporary storage facilities and customs bonded warehouses, transportation operators, and other relevant parties.

Cambodia has not joined any agreement with binding commitments to open transfers of data across borders.

There is no comprehensive data protection regime in Cambodia, although there are some general provisions on privacy in the 2010 Constitution of the Kingdom of Cambodia (Art. 40), the 2007 Civil Code (Art. 10), the 2009 Penal Code (Arts. 301, 302, 314, 318 and 427) and the Telecommunications Law (Art. 56). Also, the Law on Electronic Commerce provides for some measures to protect consumer data collected in electronic communication. Art. 32 of the law prohibits the interference, access, retrieval, copying, extraction, filtering, deletion, or modification of data in the custody of another person without permission or in a malicious manner. Moreover, Sub-Decree No. 252 on the Management, Use, and Protection of Personally Identifiable Data applies to personally identifiable data belonging to the Ministry of Interior (MOI).

Art. 14 of Sub-Decree No. 23 imposes an obligation on National Internet Gateway (NIG) operators to retain traffic data for a year. National Internet Gateway refers to the gateway where all Internet services must be connected nationally and internationally, and traffic refers to the amount of data that passes through a network within one second of a certain time (Annex 1). NIG operators shall maintain technical records, IP address allocation table, and route identification of traffic transiting through NIG for the last 12 months. It is reported that Art. 14 means the operator(s) of the NIG can track the activities of all internet users in Cambodia, including a user’s browser as well as unencrypted search history for up to 12 months. Art. 13 imposes an obligation on NIG operators to report and monitor traffic data and submit monthly, quarterly, semesterly, third-quarterly, and annual traffic reports within seven days after the end of each month, quarter, semester, third-quarter and year to both Telecommunication Regulator of Cambodia (TRC) and the Ministry of Posts and Telecommunications (MPTC).

Art. 6 of the Law on Telecommunications requires that all telecommunications operators and persons involved with the telecommunications sector shall provide "telecommunications information and communication technology service data" to the Ministry of Post and Telecommunications. In practice, this gives the Ministry unfettered rights to demand that all telecommunications service providers provide data on their service users. This could operate as an obligation for companies to surrender data without the requirement of a judicial warrant or other safeguards protecting the right to privacy.
Art. 97 of the law permits the secret surveillance of any and all telecommunications where it is conducted with the approval of a “legitimate authority.” There is no definition of what constitutes a “legitimate authority”. This appears to create a power to secretly eavesdrop without any public accountability or safeguards to protect individuals’ right to privacy.

It is reported that some articles of Sub-Decree No. 23 could imply the requirement to provide the government with direct access to personal data collected. Art. 14 establishes that the Ministry of Post and Telecommunications (MPTC) and Telecommunication Regulator of Cambodia (TRC) can monitor the infrastructure, connections, and equipment of the National Internet Gateway (NIG). NIG refers to the gateway where all Internet services must be connected nationally and internationally (Annex 1). NIG operators shall:
- Prepare and maintain technical records, IP Address allocation table, and route identification of traffic transiting through NIG;
- Compile and maintain reports and relevant documents concerning the connections and all Internet traffic;
- Provide other information as required by the MPTC and TRC.

The E-commerce Law establishes a safe harbour regime for intermediaries for copyright infringements. According to Art. 24 of the law, internet intermediaries are not liable for unlawful third-party content on their online platforms. However, they must comply with certain mandatory content removal procedures upon becoming aware of such content (Art. 25). Additionally, pursuant to Art. 27, intermediaries are obligated to comply with an e-commerce code of conduct.

The E-commerce Law establishes a safe harbour regime for intermediaries beyond copyright infringements. According to Art. 24 of the law, internet intermediaries are not liable for unlawful third-party content on their online platforms. However, they must comply with certain mandatory content removal procedures upon becoming aware of such content (Art. 25). Additionally, pursuant to Art. 27, intermediaries are obligated to comply with an e-commerce code of conduct.

It is reported that Cambodia imposes an identity requirement for SIM registration. Anyone wanting to purchase a SIM card has to provide their national ID card or a passport in case of foreigners to activate a new prepaid SIM card.

Clause 7 of the Inter-ministerial Prakas No. 170 requires that all Internet Service Providers (ISPs) who operate in Cambodia have to install software programs and equip themselves with Internet surveillance tools to easily filter and block any social media accounts or pages that run their business activities and/or publicise illegally. In addition, Clause 6 establishes that the Ministry of Information should manage information published through electronic systems, including all news contents or written messages, audio, photos, videos, and/or other means on websites and social media by using the internet in the Kingdom of Cambodia.