I concluded my work in Cambodia by comparing what I've learned about Digital Human Rights with the current Cambodian laws. At the ICT Camp, a government official compared Cambodia's direction in cybercrime to that of the United States. American cyber and data law is fragmented when compared with the GDPR, Singapore's PDPA, or China's central management of its Internet. Cambodian Internet regulation, like American law, is currently sector-specific, with laws on e-commerce and domain names, but no overarching privacy law.
One of my conclusions from these more recent laws follows that of Phin Sovath's article for the Konrad Adenauer Foundation, "Privacy and Data Protection in the Digital Age: A Holistic Approach to Privacy and Data Protection in Cambodia." Current Cambodian laws could in theory form a foundation for privacy law in lieu of a GDPR-style regulation. As with much of U.S. law, this would be a form of tort-based deterrent, with questionable incentives for consumers to hold companies accountable, and problems of legal access. Moreover, the biggest consequences of data privacy are not always direct, proximately caused effects, which the legal system is best positioned to handle, but second-, third-, and fourth-order effects, as the story behind China's PIPL demonstrates. The effects of irresponsible data handling or of a data breach may not be felt until years later. This makes ex-ante regulation attractive, and is possibly the reason why the GDPR is seen as a 'gold standard', though this, too, has room for improvement in a fast-changing digital landscape.
I have enjoyed my time in Cambodia, particularly in excursions to the Siem Reap and Ratanakiri provinces. The Open Development Cambodia team was welcoming and hardworking, and they never missed an opportunity to demonstrate their kindness and show off their culture to a foreigner. This was a memorable first trip to Southeast Asia, and I look forward to returning both as a professional and as a tourist!