Update: 10 October 2023 – On October 5, the spokesperson of the Ministry of Post and Telecommunications responded to the joint letter, stating the draft law was “crafted with the intent of safeguarding vital information infrastructure and essential public services.” A statement by the ministry further highlighted that the draft law aligned with the “Cambodia Digital Economy and Society Policy Framework and the digital government policy” towards “promoting development and mitigating risks in the digital sector.”
These statements do not adequately respond to or alleviate the substantial human rights risks which will emerge should the draft law come into force. Access Now acknowledges the official response, but continues to call for the withdrawal or a substantial amendment to the Draft Law on Cybersecurity. Access Now remains available and willing to engage with authorities to ensure the necessary amendments are made.
Today, 2 October 2023, Access Now and the International Commission of Jurists (ICJ) sent a joint letter to Cambodia’s Ministry of Post and Telecommunications and Ministry of Justice, calling for the withdrawal or substantial amendment of its Draft Law on Cybersecurity to bring its provisions in line with international human rights standards.
The draft law, if adopted, would likely undermine the rights to privacy and freedom of expression, while also risking personal security and exposing people to increased cyber threats.
The Draft Law would require government licenses of cybersecurity services — an excessive provision that would hamper the ability of people and businesses in Cambodia from being able to secure themselves against intrusion into their networks and safeguard their data. Cambodia wants this draft law to deal with malicious cyber activities but in its current form, it will only create a new problem of having a cybersecurity landscape that imposes unreasonable administrative burdens to organizations, including small and medium enterprises and civil society.Golda Benjamin, Asia Pacific Campaigner at Access Now
In the legal analysis attached to the joint letter, Access Now and the ICJ point out that the vaguely worded and sweeping provisions in the Draft Law may be abused to allow government cybersecurity inspectors overbroad access to private data. It fails to provide for safeguards, but instead would grant a newly created body of cybersecurity inspectors immense power to investigate, observe, monitor, prevent, and respond to cybersecurity threats and incidents. The Draft Law also fails to make provision to ensure that cybersecurity inspectors are properly qualified.
These proposed arrangements are a recipe for executive abuse, especially given that the bill fails to provide for any independent or effective oversight or remedial mechanism to serve as a check on governmental conduct and safeguard against any potential overreach. If this legislation is put forward for adoption, it needs to be amended to correct these deficiencies and comply with Cambodia’s international legal obligations and rule of law principles.Ian Seiderman, Legal and Policy Director at the ICJ
Access Now and the ICJ urge Cambodia to strengthen its cybersecurity landscape to deal with malicious cyber activities and ensure that any law, policy, or practice to implement this goal complies with the country’s international human rights obligations. Effective cybersecurity requires a human-centric and human rights-respecting approach.