Data Protection by Default

Strategic Insight: Data Protection by Default represents a paradigm shift from reactive privacy management to proactive data minimization, establishing automatic safeguards that protect data subjects without requiring their active intervention or technical expertise.

Cambodia's Draft Law on Personal Data Protection, version of 23rd June 2025, introduces a comprehensive framework for data protection that aligns with international standards and is modelled in particular on the General Data Protection Regulation (GDPR). Article 15 of the Draft Law establishes mandatory requirements for "Personal Data Protection by Design and by Default", marking a significant shift in how organizations must approach personal data processing from the outset of their operations.


This provision represents a proactive approach to data protection, requiring data controllers to embed protective measures into their systems and processes rather than treating data protection as an afterthought.

What does Data Protection by Default mean?

Data Protection by Default refers to an approach that requires the data controller to automatically configure settings in devices or systems so that it is easier for data subjects to control their privacy when using or receiving services electronically.

Additionally, Article 15(2) of the Draft mandates that the data controller shall implement data protection measures by default in the processing of personal data, ensuring that only personal data necessary for a specific purpose is processed. These measures shall be applied by determining the amount of personal data collected, the scope of the processing, the period of storage and the accessibility of the personal data.

Key Legal Requirement: Article 15(2) establishes four critical parameters that data controllers must evaluate and minimize by default: data collection amount, processing scope, storage periods, and data accessibility.

How does a data controller implement Data Protection by Default?

The implementation of Data Protection by Default requires the data controller to adopt three interconnected strategies that work together to minimize privacy risk:

1. Optimization

Optimization involves analyzing processing operations to minimize the amount of data collected, reduce processing extent, limit storage periods, and restrict accessibility. This requires breaking down processing activities into phases and evaluating the necessity of each operation within those phases.

2. Configurability

Configurability ensures that processing systems can be adjusted to accommodate different levels of data processing based on specific use cases. The data controller must establish configuration options that allow for varying degrees of data collection and processing, with parameters that can be modified either by the data controller or, where appropriate, by the data subject.

3. Restriction

Restriction guarantees that the default configuration is set to the most data-protective option available. When a data subject first interacts with a system or device, the settings must automatically limit data processing to the minimum necessary for basic functionality.

Regulatory Compliance Implications

Data Protection by Default represents a fundamental shift in how organizations must approach personal data processing under Cambodia's new legal framework. Rather than treating privacy as an optional add-on, the law requires that protective measures be embedded as the starting point for all processing operations. This approach recognizes that many data subjects lack the knowledge, time, or technical capability to actively manage their privacy settings, making default protection essential.

Disclaimer: This legal insight is provided for general information purposes only and should not be construed as legal or professional advice on any particular matter, nor create a Privacy Iuris-client relationship. Before you take any action that may have legal implications, please inquire with your contact at Privacy Iuris.
