Clause 7 of the Inter-ministerial Prakas No. 170 requires all Internet Service Providers (ISPs) operating in Cambodia to install software programs and equip themselves with Internet surveillance tools to easily filter and block any social media accounts or pages that run their business activities and/or publicise illegal activities. In addition, Clause 6 establishes that the Ministry of Information should manage information published through electronic systems, including all news content, written messages, audio, photos, videos, and/or other means, on websites and social media using the internet in the Kingdom of Cambodia.

According to Section 7 of Inter-ministerial Prakas No. 170, the Ministry of Posts and Telecommunications (MPTC) may block or close websites and social media pages that disseminate content deemed illegal, including that which incites unrest or threatens national security, public interest, or social order. However, these grounds are not clearly defined. Similarly, Art. 7 of the Law on Telecommunications authorises the MPTC or other ministries to instruct telecom operators to take unspecified necessary measures in cases of "force majeure", without defining such circumstances or actions. Both provisions have been criticised for their broad scope and potential for misuse, including the restriction of internet-based services.
Moreover, news and other websites have reportedly been blocked by the Cambodian government. In April 2020, two websites owned by TVFB were reportedly blocked by the Cambodian Telecommunication Regulator (TRC) and remain inactive. In February 2023, the TRC instructed internet service providers to block access to VOD’s news sites in both English and Khmer, following the revocation of its parent organisation’s licence. In the lead-up to the July 2023 general election, access to independent outlets such as Radio Free Asia (RFA), the Cambodia Daily, and Kamnotra was also blocked, with restrictions remaining in place until the end of 2024.

Art. 27.2 of the Law on Consumer Protection mandates that any advertising must be in Khmer. Furthermore, Art. 9 of Sub-Decree No. 232 requires all commercial advertising of products and services, by any channel, to use Khmer as the primary language. If foreign-language text is used in advertisements, it must comply with the Sub-Decree rules on placement and font size to ensure the Khmer text retains its prominence. It is reported that the Khmer language requirement can be an onerous obligation for some businesses.

Art. 15 of the Law on Telecommunications provides that a license from the Telecommunication Regulator of Cambodia (TRC) and the Ministry of Posts and Telecommunications (MPTC) is required for the provision of VoIP and Internet café services.

It is reported that the Telecommunication Regulator of Cambodia (TRC), the executive authority for the supervision and administration of services in the telecommunications sector, is independent from the government in the decision-making process.

Art. 99 of the Law on Telecommunications introduces sentences of six months to two years imprisonment and heavy financial penalties for “any act of producing, installing or distributing software or hidden audio recorders for recording dialogue” without approval from the authorities. It is reported that this unclear provision, which seems to require government approval for any software that can record sound, could potentially criminalise the basic use, sharing, or development of software such as smartphone apps. Additionally, the range of sound-recording hardware concerned with this provision is unclear.

Pursuant to Art. 109 of the Law on Commercial Enterprises, a company is required to prepare and maintain at its registered office in the Kingdom of Cambodia the following corporate records: the articles of incorporation and by-laws, together with any amendments thereto; minutes of meetings and resolutions of shareholders; copies of all notices mandated by law to be issued or filed; and a register of securities. In addition, in accordance with Art. 113, a company must also prepare and retain adequate accounting records for a minimum period of ten years following the conclusion of the financial year to which such records pertain. In instances where these accounting records are maintained outside Cambodia, duplicate copies must be preserved at the company’s registered office within the country.

Art. 51 of the Law on Customs stipulates that all individuals or entities engaged in the import or export of goods must maintain accurate documentation, including books, records, and other information, in both digital and traditional formats. These records must be retained for a minimum of 10 years at the business premises in Cambodia. This obligation extends to importers, exporters, customs brokers, operators of customs temporary storage facilities and customs bonded warehouses, transportation operators, and other relevant parties.

Art. 6 of Sub-Decree No. 287 stipulates that ministries and governmental institutions intending to utilise the national domain name designated for such entities must store their data within the Kingdom of Cambodia. The Ministry of Post and Telecommunications is responsible for hosting and storing the data of all ministries and governmental institutions using national domain names, either in the national data centre or in a government-operated data centre.

Cambodia has not joined any agreement with binding commitments to open transfers of data across borders. Art. 12.15 of the Regional Comprehensive Economic Partnership (RCEP) recognises that each party may maintain its own regulatory requirements governing cross‑border transfers of information by electronic means and stipulates that such transfers shall not be restricted when undertaken for the conduct of business by a covered person; however, the article simultaneously allows parties to adopt or maintain any measures they themselves deem necessary to achieve a legitimate public policy objective, as well as any measures necessary to protect essential security interests, with the parties expressly affirming that the determination of such necessity lies solely with the implementing party and that such measures shall not be subject to dispute. It is reported that this formulation enables the parties to preserve their domestic data‑control regime under the rubric of national security without risking inter‑state disputes, and that the relative weakness of Chapter 12 renders its provisions largely ineffectual in facilitating the liberalisation of cross‑border data flows, particularly because the clause entrusting necessity assessments to the implementing party effectively permits any measure to be characterised as legitimate at that party’s discretion.

There is currently no comprehensive data protection regime in Cambodia. However, certain general privacy provisions exist in the 2010 Constitution of the Kingdom of Cambodia (Art. 40), the 2007 Civil Code (Art. 10), the 2009 Penal Code (Arts. 301, 302, 314, 318, and 427), and the Telecommunications Law (Art. 56). In addition, the Law on Electronic Commerce includes some measures to protect consumer data collected through electronic communication; notably, Art. 32 prohibits interference with, or unauthorised access to, data held by others. Sub-Decree No. 252 on the Management, Use, and Protection of Personally Identifiable Data further applies to data in the custody of the Ministry of Interior (MOI). It is reported that the Ministry of Posts and Telecommunications (MPTC) has already circulated a draft Personal Data Protection Law to selected companies for comment and held a consultative workshop on the draft in December 2024. However, as of 2025, this law has not yet been enacted.

Art. 14 of Sub-Decree No. 23 imposes an obligation on National Internet Gateway (NIG) operators to retain traffic data for a year. The National Internet Gateway is the gateway through which all Internet services must be connected, both nationally and internationally. Traffic refers to the amount of data that passes through a network in one second (Annex 1). NIG operators shall maintain technical records, IP address allocation table, and route identification of traffic transiting through NIG for the last 12 months. It is reported that Art. 14 means the operator(s) of the NIG can track the activities of all internet users in Cambodia, including a user’s browser history and unencrypted search history for up to 12 months. Art. 13 imposes an obligation on NIG operators to report and monitor traffic data and submit monthly, quarterly, semi-annual, third-quarterly, and annual traffic reports within seven days after the end of each month, quarter, semester, third-quarter and year to both the Telecommunication Regulator of Cambodia (TRC) and the Ministry of Posts and Telecommunications (MPTC). It is reported that, although the law is in force, it has not yet been implemented in practice.

Art. 6 of the Law on Telecommunications requires that all telecommunications operators and persons involved with the telecommunications sector shall provide "telecommunications information and communication technology service data" to the Ministry of Post and Telecommunications. In practice, this gives the Ministry unfettered rights to demand that all telecommunications service providers provide data on their service users. This could serve as an obligation for companies to surrender data without the requirement of a judicial warrant or other safeguards protecting privacy rights.
Art. 97 of the law permits the secret surveillance of any telecommunications where it is conducted with the approval of a “legitimate authority.” There is no definition of what constitutes a “legitimate authority”. This appears to create a power to secretly eavesdrop without any public accountability or safeguards to protect individuals’ right to privacy.

It is reported that some articles of Sub-Decree No. 23 may require the government to have direct access to personal data collected. Art. 14 establishes that the Ministry of Post and Telecommunications (MPTC) and Telecommunication Regulator of Cambodia (TRC) can monitor the infrastructure, connections, and equipment of the National Internet Gateway (NIG). NIG refers to the gateway through which all Internet services must be connected, both nationally and internationally (Annex 1). NIG operators shall:
- Prepare and maintain technical records, IP Address allocation table, and route identification of traffic transiting through NIG;
- Compile and maintain reports and relevant documents concerning the connections and all Internet traffic;
- Provide other information as required by the MPTC and TRC.
It is reported that, although the law is in force, it has not yet been implemented in practice.

Cambodia does not yet have a specific law on trade secrets, and no comprehensive framework is in place to ensure their effective protection. However, there are limited measures that address some related issues. Under the Contract Law of 1998, non-disclosure agreements may be used and enforced to protect confidential information within employment or other contractual relationships. In addition, the Ministry of Commerce is drafting a Law on Trade Secrets and Undisclosed Information.