Data Protection in Laos, New Regulations for Privacy

Law on Electronic Data Protection No. 25/NA dated 12 May 2017 is a data protection law that was recently passed in Lao People’s Democratic Republic or Laos for short in 2017. The Law on Electronic Data Protection No. 25/NA dated 12 May 2017 establishes the basis upon which personal data may be legally collected and processed within Laos, as well as the punishments that may be imposed against data controllers and processors operating within the country to violate the provisions set out in the law. Moreover, the law also provides a variety of personal data protection rights to Laotian citizens, for the purposes of ensuring that their personal privacy is protected.

What is the scope and application?

In terms of the scope and application of Law on Electronic Data Protection No. 25/NA dated 12 May 2017, the personal scope of the law is applicable to individuals, organizations, and legal entities, whether they be domestic or international. Conversely, the territorial scope of the law applies to the collection and processing of personal data within Laos, as well as “foreign entities without a physical presence in Lao PDR, but who engage in activities that are subject to the application of its provisions”, albeit under certain circumstances. Furthermore, the material scope of the law applies to all general data that is collected or processed within Laos, defined as “data which may be accessed, used, and disclosed upon correct identification of the source by the relevant controller or processer.”

What are the requirements of data controllers and processors under the Law?

Under the Law on Electronic Data Protection No. 25/NA dated 12 May 2017, the term data processor is not defined, as the obligations under the law apply strictly to data controllers. To this point, the law defines a data controller as “individuals, legal entities, or organizations that are responsible for managing electronic data, such as ministry, internet data centre, telecommunication service provider, internet service provider, and banking.” As such, data controllers have the following responsibilities under the Law on Electronic Data Protection No. 25/NA dated 12 May 2017:

• Data controllers are required to comply with all “policy, laws, strategic plans, and the national socio-economic development plan.”
• Ensuring that all personal data that is collected or processed is done so in accordance with the national security, stability, and social order of Laos.
• Ensuring that all personal data that is collected or processed is done so in accordance with the principles of confidentiality and safety as it relates to government, individual, legal entity, or organizational data.
• Ensuring that the rights and interests of data subjects are protected at all times.
• Maintaining “compliance to treaties and international agreements which the Lao PDR is a party to.”
• Creating and updating a “database system, database backup system, secured system, automatic data searching system, data restoring system, among others.”
• Complying with all other requirements or responsibilities as set forth by other Lao PDR laws.

What are the rights of data subjects under the Law?

Under the Law on Electronic Data Protection No. 25/NA dated 12 May 2017, Laotian citizens have the following rights as it relates to the protection of their personal data:

• The right to be informed.
• The right to access.
• The right to rectification.
• The right to erasure.
• The right to object/opt-out.
• The right to “propose to the data controller and other relevant sectors to access, use, disclose, provide, update, terminate, or delete their data.”
• The right to “inform the data controller and other relevant sectors to secure their electronic data when the data has been damaged or is at risk.”
• The right to “complain to the relevant organizations when receiving no benefit from electronic data protection.”
• Various other rights as prescribed other Lao PDR laws.

What are the penalties for violating the provisions established by the Law?

In terms of sanctions with respect to non-compliance, the Law on Electronic Data Protection No. 25/NA dated 12 May 2017 is enforced through the Penal Code No. 26/NA dated 17 May 2017, or the Penal Code for short. As such, penalties that can be imposed against data controllers with Loas who fail to comply with the law include:

• Warnings and re-education.
• Disciplinary action in instances where government officials violate the law.
  Fines of LAK 15 million ($1,399) in case of engagement in a prohibited action which does not constitute a criminal offense.
• The application of criminal sanctions based on the seriousness of the wrongful act.

As has been with the case with other data privacy laws passed within the region of Southeast Asia in recent years, such as Thailand’s Personal Data Protection Act of PDPA and China’s Personal Information Security Specification, the Law on Electronic Data Protection No. 25/NA dated 12 May 2017 guarantees the protection of the personal data of Laotian citizens. As the law provides said citizens with a multitude of rights as it relates to personal privacy, individuals residing in Laos can have the assurance that their personal data is being protected at all times whenever it is collected or processed.