On November 2, 2019, Cambodia enacted the Law on Electronic Commerce (“E-commerce Law”). This development makes Cambodia the last member of the Association of Southeast Asian Nations (ASEAN)—one of the world's fastest-growing internet markets—to adopt a domestic e-commerce law. The E-commerce Law addresses electronic communications, signatures, records, and evidence, and serves to clarify the legal environment for e-commerce in Cambodia.
In the last decade, Cambodia has experienced rapid development in the financial technology sector, and financial services and products have become more accessible to Cambodians. This financial inclusion, coupled with the availability of smart devices connected to the internet, enables local e-commerce startups and encourages foreign e-commerce businesses to enter the market. To strengthen trust and security in the online realm, Cambodia's E-commerce Law regulates the activities of e-commerce service providers and intermediaries. The law also imposes consumer protection obligations, including data protection and cybersecurity obligations, on all e-commerce businesses.
The E-commerce Law aims to regulate domestic and cross-border activities in Cambodia. All commercial and civil acts, documents, and transactions executed via an electronic system are subject to the E-commerce Law unless they are related to powers of attorney, wills and successions, or real estate.
The E-Commerce Law will take effect in May 2020. During the six-month gap between the law’s passage and its implementation, companies should familiarize themselves with the new obligations under the law, while government agencies are expected to issue regulations to clarify and implement the law.
The provisions on electronic communications that are found in a portion of Cambodia’s E-commerce Law primarily derive from two influential works of the United Nations Commission on International Trade Law (UNCITRAL); the 1996 Model Law on Electronic Commerce (MLEC) and the 2005 United Nations Convention on the Use of Electronic Communications in International Contracts (the “Electronic Communications Convention” or ECC).
Cambodia’s E-commerce Law explicitly recognizes the validity, legal effect, admissibility, and enforceability of electronic communications and reconfirms that contracts can be made electronically. Furthermore, electronic communications may satisfy requirements imposed by outdated laws (e.g., “written,” “signed,” or “original” documents), if they fulfill certain conditions set out in the law.
The E-commerce Law generally considers an electronic communication to be sent when it leaves the originator’s information system and to be received when it becomes capable of being retrieved by the addressee. The places of business of the originator and addressee, respectively, are considered as the locations where an electronic communication is dispatched and received.
It should be noted that Cambodia’s E-commerce Law does not include comprehensive provisions on matters related to the attribution of electronic communications and acknowledgment of receipt, as suggested by the MLEC. For example, the MLEC clarifies that if an originator states that an email is conditional on receipt of its acknowledgment, that email would not be considered as sent until the originator receives the acknowledgment. The Cambodian legislation contains no such clarification.
Electronic Signatures, Electronic Records, and Electronic Evidence
The E-commerce Law sets conditions for electronic signatures, including digital and biometric signatures, and electronic records to be deemed secure. By meeting these statutory qualifications, secure electronic records are presumed to have not been altered, and secure electronic signatures are presumed to be of the signatories having the intent to sign.
In late 2017, prior to the enactment of the E-commerce Law, Cambodia introduced a sub-decree on digital signatures. This regulation provides legal recognition to digital signatures with a digital signature certificate issued by a licensed digital signature certification authority. However, the sub-decree has not been implemented yet as no license has been issued to any digital signature certification authority. Cambodia is likely to start implementing the regulation at the same time as the E-commerce Law. It will be important to observe how these two legal instruments correspond with each other in practice.
Cambodia’s E-commerce Law, with certain provisions similar to the Model Law on Electronic Evidence by the Commonwealth of Nations, also supports the admissibility of electronic records as evidence in legal proceedings. The mere fact that evidence is an electronic record cannot be used as grounds to render the evidence inadmissible.
The E-commerce Law also establishes rules on the validity, integrity, and authenticity of electronic evidence. The validity of electronic evidence relies on the integrity of the electronic system that stores or records the data in question. The E-commerce Law determines circumstances in which an electronic record satisfies the element of integrity unless proven otherwise. The party introducing the evidence has the burden to prove its authenticity, and to do so the E-commerce Law allows that party to present the court with an authenticity certificate issued by, for example, a competent authority or a court-appointed expert.
E-commerce Service Providers and Intermediaries, and Electronic Payment Systems
E-commerce service providers and intermediaries are now required under the E-commerce Law to obtain operating licenses from the Ministry of Commerce (MOC) and the Ministry of Post and Telecommunications (MPTC). However, the definitions of e-commerce service providers and intermediaries are crafted broadly, and it is unclear whether these licensing requirements also capture offshore e-commerce service providers and intermediaries operating without any local presence or permanent establishment in Cambodia. Since the E-commerce Law states that exceptions to this licensing regime will be clarified in the future, we hope Cambodia will issue implementing regulations that address this ambiguity before the law is implemented in May 2020.
The E-commerce Law creates a safe harbor rule for e-commerce service providers and intermediaries whereby they are not liable for unlawful third-party content on their online platforms; however, they must comply with certain mandatory content removal procedures upon becoming aware of such content. Additionally, they are obligated to comply with an e-commerce code of conduct.
The E-commerce Law also reaffirms that e-commerce service providers and intermediaries are subject to tax laws and incentives, just like brick-and-mortar businesses.
Payment service providers must also obtain authorization or a license from the National Bank of Cambodia (NBC) before commencing operations, such as operating a payment system, providing payment services, or issuing electronic payments. However, many existing banking and financial institutions in Cambodia have already been providing these payment services and have obtained necessary authorizations under various laws (e.g., the Prakas on Payment Service Providers and the Law on Banking and Financial Institutions). For that reason, it remains uncertain whether the E-commerce Law merely reiterates the existing licensing regime for payment service providers or establishes a new, separate one.
In addition, the E-commerce Law outlines situations where payment service providers must be liable for the damage caused to customers unless the damage is caused by force majeure or the customer's own fault. Consumer Protection and Data Protection
Besides obligations under the newly legislated Law on Consumer Protection, which are applicable to both online and offline businesses, the E-commerce Law imposes additional requirements to which e-commerce enterprises must adhere.
The E-commerce Law requires anyone selling goods or services using electronic communications, except insurance and security companies, to disclose information that is necessary for customers to decide whether to purchase the goods or services. The information must at least include names, addresses, contacts, costs of the products and services, and terms and conditions for payments, cancellation, refunds, and so on. Furthermore, it is strictly prohibited to send unsolicited communications without providing clear and straightforward opt-out instructions irrespective of the originator’s or recipient’s locations.
Data protection rules that apply to all sectors have also been set out for the first time in the E-commerce Law. Any business that electronically stores personal information is now obligated to establish all necessary measures to ensure that the data are reasonably protected from loss or unauthorized access, use, alteration, leaks, or disclosures. In addition, a person who enters information inaccurately to an automated system that does not allow any modification has the right to correct or delete the inaccurate information.
The E-commerce Law is much-welcomed by consumers, and is a positive step for the country’s digital environment. In addition, the harmonization that it brings with other countries should encourage cross-border transactions and paperless interactions among businesses and between businesses and governmental bodies.