Cyber norms operationalization in Cambodia and the ASEAN

Andrew Coccoli, a legal research intern at Open Development Cambodia (ODC), held an exciting and informative session on Cyber Norms Operationalization in Cambodia and the ASEAN  attended by 25 participants, 10 of which were women. Andrew’s presentation compared cyber law in Cambodia, Singapore, Vietnam, the EU, China, and the US. Discussing cyber norms in Cambodia, ASEAN, and the rest of the world is important because internet penetration indexes worldwide are growing rapidly. As of January 2022, 72% of the total population in Southeast Asia used the internet. In Eastern Asia and Oceania, 73% of the population were internet users, and in Cambodia, the percentage was 79%. In the United States and Western Europe, 92% and 94% of their population use the internet, respectively. Andrew started the session by asking the participants to compare cyber laws in the six countries covered in the presentation. In Cambodia, there are five main laws related to cyber law: The Law on Telecommunications (2015), the Inter-Ministerial Prakas (2018), the Law on E-commerce (2019), the National Internet Gateway (NIG) (2021), and Sub-Decree No. 252 (2021). The Ministry of Post and Telecommunications has jurisdiction over most cyber laws and collaborates with the Ministry of Information, Ministry of Interior, and Ministry of Commerce to share experiences in their respective fields of expertise. The areas for legal development in Cambodia focus on Cybercrime Law, data privacy (consumer protection), the National Policy on the Development of Digital Sector 2030, and the ASEAN Masterplan 2025. Currently, much of the debate has focused on analyzing the implementation of the national internet gateway (NIG), which threatens to impose a draconian system to monitor netizens’ online activity, strengthening the state’s role and empowering it to prosecute dissenting voices at its discretion.

In Singapore, there is the Personal Data Protection Act 2012 (PDPA), which is similar in many ways to the EU General Data Protection Regulation (GDPR). The areas of legal development center around interpretations of the PDPA by the Personal Data Protection Commission (PDPC) and the Singapore High Court. Andrew also stressed that the 2020 amendments narrowed the gap between the PDPA and GDPR in many ways, including mandatory data breach notifications, civil cause of action for damages, expanded definitions of “deemed consent,” and expanded enforcement and evidentiary powers for the PDPC.

The last ASEAN country Andrew covered was Vietnam. He claimed that its law is a little bit behind Cambodia’s. The Law on Cybersecurity (2018) ‘s most notable feature is a data localization requirement for all internet services that collect Vietnamese customers’ data. The areas for legal development of the cyber law in Vietnam include the level of enforcement of the localization requirement, guidelines and regulations on the actual implementation, the 2021 draft amendment, pressure by both the local and foreign business community, and definitions of illegal content.

EU law gravitates around the GDPR. The areas for legal development in EU law that Andrew focused on were the draft regulation on AI use by the European Data Protection Board and European Data Protection Supervisor (July 2021), the EU Declaration on Digital Rights and Principles for the Digital Decade (January 2022), and developments in cybersecurity during the armed conflict in Ukraine.

In the case of Chinese law, the Golden Shield Project and the Personal Information Protection Law (PIPL) of 2021 are of particular relevance. The Golden Shield involves the comprehensive state surveillance of citizens both online and offline, the use of data to analyze citizen behavior, a firewall to prevent access to specific sites, and the banning of VPNs. The PIPL seeks to limit the effects of deleterious corporate data practices on Chinese citizens, as data breaches had led to widespread cybercrime. Andrew also addressed several areas for legal development for Chinese law, such as theories of backroom policy by the Chinese government on the extraterritorial conduct of foreign corporations operating in China, the proposal of the Belt and Road Initiative, the influence of the Chinese ICT sector, and the potential disruption to the semiconductor industry by the conflict between China and Taiwan.

In the United States, cyber law is characterized by its common law jurisdiction, a market-centric approach to policy, and a decentralized legal framework following the federalist concept of government. Andrew identified areas for legal development under Congress (Art. 1), Executive (Art. 2), and Judiciary (Art. 3).

Aside from reviewing cyber laws in these six countries, Andrew also outlined international laws and initiatives, such as Budapest Convention on Cybercrime (2001), Internet Governance Forum, Civil Society digital constitutionalism, Jurisprudence by special rapporteurs, Tallinn Manual by NATO, continuing studies by the ICRC, and innumerable SDG initiatives incorporating data and internet access/use. The areas for legal development are digital human rights, data protection, tech ethics and AI development, and the Budapest convention. Andrew also talked about continuing General Assembly declarations, decreasing faith in international institutions and globalism and increasing nationalism and factionalism, identifying between the “cyber sovereignty” and “open, free, global, interoperable, reliable, and secure” internet, and having the question of the UN’s role in a tripolar model of cyber / data policy. 

Before ending the session, Andrew posed three questions to the participants to make them reflect on how cyber laws have affected relations between nations, whether laws should be harmonized globally, and, if that was the case, whether it would have an impact on country’s culture and sovereignty, and the potential benefits of various models of legislation.