Human Rights Watch (HRW) has said the Cambodian government should immediately scrap its draft cybercrime law, which the rights group says threatens increased surveillance of internet users, privacy rights, and free speech online.
The rights group said that it obtained the third known draft, dated Aug. 4. In a statement HRW said that the Cambodian government has received private advice from the United States, but it had not shared the draft with the public or consulted with civil society organizations or experts.
“Prime Minister Hun Sen has long bragged about listening in on phone calls and intercepting emails, and the proposed cybercrime law would give him further legal cover to do so,” said Brad Adams, HRW’s Asia director. “The draft cybercrime law’s terms are incredibly broad and vague and would give an already authoritarian government even more power to arbitrarily prosecute critics and political opponents,” Adams said.
HRW said that Article 45 calls for up to three years in prison for intentional false statements that have an “adverse effect” on national security; public health, public safety, or public finances; relations with other countries; the results of a national election; that incite racial hostility, hatred or discrimination; or cause a loss of public confidence in the government or state institutions.
The rights group pointed out that Article 40 prohibits acts that vaguely constitute “disturbing, frightening, threatening, violating, persecuting or verbally abusing others by means of computer.”
The bill does not define any of these terms, such as “adverse effect,” “national security,” “public safety,” or “loss of confidence.” It also does not specify which authority would decide when the terms of the law have been violated, HRW said.
Articles 32 and 33 on “unauthorized access” to a computer system, or transferring data from a system without authorization, face up to 10 years in prison. The provisions could be used to prosecute whistleblowers and investigative journalists who use leaked materials in their work.
Chapter 3 of the draft law mentions the obligations of “service providers,” but fails to clarify whether its application is limited to internet and mobile service providers, or also includes internet cafes or other places, including company offices, that provide internet access to staff.
Articles 8 and 12 require service providers to store internet traffic data for at least 180 days upon request by the authorities. Failure to preserve data or to cooperate with the authorities are punishable by fines and prison sentences.
The draft states that its purpose is “to ensure probity in the use and the management of computer systems and computer data and to protect security and public order.”
HRW said that the most recent draft follows earlier versions in 2014 and 2015 that were sharply criticized by civil society and media groups for restricting the rights to privacy and free expression. The groups expressed concerns that the drafting process lacked inclusivity, transparency, and public participation.
The Cambodian government has already enacted several repressive laws that allow for increased governmental control over information and communications technologies, HRW said.
The Cambodian government has a long record of targeting critics of the government. Cambodia now has more than 50 political prisoners. The authorities also have arrested 30 people for peacefully expressing their views on social media related to COVID-19.
“Cambodia lacks a data protection law with safeguards to ensure that official requests for data are necessary and proportionate,” said Adams. “But this bill grants the authorities the power to conduct fishing expeditions for data without independent oversight. Governments should call for the Cambodian government to start over and draft a law that ensures protection for online speech and privacy rights.”