Clause 7 of the Inter-ministerial Prakas No. 170 requires that all Internet Service Providers who operate in Cambodia, have to install software programs and equip themselves with internet surveillance tools to easily filter and block any social media accounts or pages that run their business activities and/or publicize illegally. In addition, Clause 6 establishes that the Ministry of Information should manage information published through electronic system including all news contents or written messages, audios, photos, videos, and/or other means on website and social media by using internet in the Kingdom of Cambodia.

According to Clause 7 of the Inter-ministerial Prakas No. 170, the Ministry of Posts and Telecommunication can “block or close the websites and/or social media page which (...) publicize illegally which considered as incitement, breaking solidarity, discrimination, create turmoil by will, leading to undermine national security, and public interests and social order”. Some of the grounds, notably on "national economy", “public interest” and “national security” are not specifically defined and thus could be interpreted broadly, including to discriminate foreign websites and content providers. It is reported that such strict surveillance of social media and the internet has caused online users to stop posting and sharing content.

It is reported that news and other websites are periodically blocked in Cambodia. In the wake of the COVID-19 pandemic, the Cambodian government has reportedly blocked access to news sites. In March 2020, Monoroom.info, a Khmer-language news website based in France, was blocked after it published numerous articles on the impact of the coronavirus in Cambodia. The site was accessible as of April 2021. Also, the Telecommunication Regulator Cambodia (TRC) blocked two websites owned by news outlet TVFB in April 2020. The websites still appeared to be inactive in 2022.

Lastly, in July 2018, a number of independent news websites, including Radio Free Asia (RFA) and Voice of America (VOA), were blocked. The blocks were implemented two days before the general elections. Other blocked websites included Cnrp7.org, Khmer Political.com, Khmersharingnews.com, Camnews.com, Stubes.info, Pinterest.de, Vithyu.com, Freecambodia.org, Apkpure.com, and Imnsj.org.

Art. 7 of the Law on Telecommunications provides that in the event of “force majeure”, the Ministry of Post and Telecommunications or other relevant ministries may order private telecommunications operators to “take necessary measures.” The Law does not specify the force majeure circumstances compelling discretionary government powers to direct the operation of private companies, or what “necessary measures” may entail. This leaves this provision vulnerable to abuses, including shutting down social networks and other internet-based services.

Cambodia requires mobile operators to register the identities of consumers. SIM card dealers are being asked to make copies of client's’ national identity cards, passports, or any other valid identity document before activating the SIM card.

Art. 14 of Sub-Decree No. 23 imposes an obligation on National Internet Gateway (NIG) operators to retain traffic data for a year. National Internet Gateway refers to the gateway where all Internet services must be connected nationally and internationally, and traffic refers to the amount of data that passes through a network in one second of a certain time (Annex 1). It establishes that the Ministry of Post and Telecommunications (MPTC) and Telecommunication Regulator of Cambodia (TRC), if necessary, are mandated to monitor the infrastructure, connections, and equipment of the NIG. NIG operators shall:
- Prepare and maintain technical records, IP Address allocation table, and route identification of traffic transiting through NIG;
- Compile and maintain reports and relevant documents concerning the connections and all Internet traffic;
- Provide other information as required by the MPTC and TRC.
NIG operators shall maintain technical records, IP Address allocation table, and route identification of traffic transiting through NIG for the latest twelve months.

Art. 6 of the Law on Telecommunications requires that “all telecommunications operators and persons involved with the telecommunications sector shall provide to the Ministry of Post and Telecommunications the telecommunications information and communication technology service data”. In practice, this gives the Ministry unfettered rights to demand that all telecommunications service providers provide data on their service users. This could operate as an obligation for companies to surrender data without the requirement of a judicial warrant or other safeguards protecting the right to privacy.
Art. 97 of the law permits the secret surveillance of any and all telecommunications where it is conducted with the approval of a “legitimate authority.” There is no definition of what constitutes a “legitimate authority,” or the means by which such authority is competent to approve surveillance. This appears to create a power to secretly eavesdrop without any public accountability or safeguards to protect individuals’ right to privacy.

Some articles of Sub-Decree No. 23 could mean the existence of requirements to provide the government with direct access to personal data collected. Art. 14 establishes that the Ministry of Post and Telecommunications (MPTC) and Telecommunication Regulator of Cambodia (TRC), if necessary, are mandated to monitor the infrastructure, connections, and equipment of the National Internet Gateway (NIG). NIG refers to the gateway where all Internet services must be connected nationally and internationally (Annex 1). NIG operators shall:
- Prepare and maintain technical records, IP Address allocation table, and route identification of traffic transiting through NIG;
- Compile and maintain reports and relevant documents concerning the connections and all Internet traffic;
- Provide other information as required by the MPTC and TRC.

NIG operators shall maintain technical records, IP Address allocation table, and route identification of traffic transiting through NIG for the latest twelve months. Traffic refers to the amount of data that passes through a network in one second of a certain time (Annex 1). It is reported that Art. 14 means the operator(s) of the NIG can track the activities of all internet users in Cambodia, including a user’s browser as well as unencrypted search history for up to one year. On the other hand, Art. 13 imposes an obligation on NIG operators to report and monitor traffic data and submit monthly, quarterly, semesterly, third-quarterly, and annual traffic report within seven days after the end of each month, quarter, semester, third-quarter and year to both MPTC and TRC. It is reported that the Sub-Decree poses risks to data protection and data privacy, requiring gateway operators to retain and share metadata.

Cambodia has not joined any agreement with binding commitments to open transfers of data across borders.

There is no comprehensive data protection regime in Cambodia, although there are some general laws on privacy protection in the 2010 Constitution of the Kingdom of Cambodia (Art. 40), the 2007 Civil Code (Art. 10), the 2009 Penal Code (Arts. 301, 302, 314, 318 and 427) and the Telecommunications Law (Art. 56). Also, the Law on Electronic Commerce provides for some measures to protect consumer data collected in electronic communication. Art. 32 of this law prohibits the interference, access, retrieval, copying, extraction, filtering, deletion, or modification of data in the custody of another person without permission or in a malicious manner. Sub-Decree No. 252 on the Management, Use, and Protection of Personally Identifiable Data is the only legislation specifically addressing personal data protection in Cambodia. However, it is limited in scope as it only applies to personally identifiable data belonging to the Ministry of Interior (MOI), i.e., it does not cover all personally identifiable data.

Art. 51 of the Law on Customs states that traders and government agencies must keep accurate documents, records, and other information, including information in electronic format, pertaining to import and export of goods for a period of 10 years.

There is no requirement for functional or accounting separation for operators with significant market power.

The Law on Telecommunications sets the Telecommunication Regulator of Cambodia (TRC) to have autonomy in administrative and regulatory matters for the telecommunications sector and are in charge of licences to engage in telecommunications operator services. The Ministry of Posts and Telecommunications (MPTC) is responsible for networks and infrastructure supporting the telecommunication sector. Art. 17 of the Law on Telecommunications regulates a unified (multi-service) licenses by TRC for the followings: construction and/or providing services for utilization of telecommunications infrastructures and networks; providing telecommunications services; and other operation as defined by Prakas of MPTC based on the proposal of TRC.

A license is required from the TRC/MPTC for the provision of: mobile telecommunications services, fixed-line telecommunications services, VOIP services, Internet service provider (ISP), telecommunications-type approval form, national numbering plan, access code, public switched telephone network (PSTN), and Internet cafés. TRC/MPTC grant licenses and set the terms and conditions on a case-by-case basis, but there are some customary licensing terms and steps including: (i) license terms of between 10 to 30 years onward (with some renewability); (ii) license fees based on a combination of a percentage of gross revenue (the percentage usually increases throughout the license) plus a percentage of dividend sharing; and (iii) there may be inter-connection fees, an annual frequency charge fee, micro-wave license fees, etc., applicable on a case-by-case basis. The percentage of revenue and dividends to be shared increases incrementally and reaches around 10% over 10 years. Older licensees sometimes have to pay a higher revenue share. Licensees that have some fixed-network capability or carry international traffic may also be required to share up to 50% of their gross revenue with the MPTC or TRC.

Sub Decree No.111 ANK/BK stipulates that Cambodia permits full foreign ownership in the telecommunication sector. However, Art. 3 of Law on Public Enterprise states that the Cambodian government must directly or indirectly hold more than 51% of the capital or the right to vote in state-owned enterprises. Given that Telecom Cambodia, the principal telecom company in Cambodia, is fully state-owned, some restrictions apply.

Telecom Cambodia, the principal telecom company in Cambodia, is fully state-owned.