Laos’ law on electronic data protection No. 25/NA

The Lao People’s Democratic Republic (Lao PDR) has established a legal framework to safeguard personal data, primarily through the law on electronic data protection No. 25/NA, enacted on 12 May 2017. This legislation outlines the principles and requirements for the collection, processing, and protection of electronic data within the country.

Key provisions of the law on electronic data protection

  • Scope and application: The law applies to individuals, organisations, and legal entities, both domestic and international, that handle electronic data within Lao PDR (Article 3, Section 12). It also extends to foreign entities without a physical presence in Laos but engaged in activities subject to the law’s provisions.
  • Data classification: Electronic data is categorised into two main types:
    • General data: Information related to individuals, legal entities, or organisations that can be accessed, used, and disclosed upon proper identification by the relevant controller or processor.
    • Personal data: Information that can identify an individual, including names, addresses, and contact details.
  • Data controller responsibilities: Entities responsible for managing electronic data must ensure:
    • Legality and transparency: Data collection and processing must have a legitimate basis, such as consent or legal obligation, and individuals should be informed about how their data will be used.
    • Data security: Implementation of appropriate technical and organisational measures to protect data from unauthorised access, alteration, or disclosure.
    • Data accuracy: Maintaining accurate and up-to-date data, with mechanisms for individuals to request corrections.
    • Data retention and deletion: Personal data should be retained only as long as necessary for its intended purpose and securely deleted thereafter.
  • Cross-border data transfer: Transferring personal or official data outside of Lao PDR requires consent from the Data Administrator and must not contravene national interests.

Enforcement and penalties

Non-compliance with the law can result in:

  • Warnings and re-education: For minor infractions, entities may receive warnings and be required to undergo re-education on data protection practices.
  • Disciplinary actions: Government officials violating the law may face disciplinary measures.
  • Legal sanctions: Serious violations can lead to penalties under the Penal Code No. 26/NA dated 17 May 2017.

Individual rights

Under Lao data protection laws, individuals have the right to:

  • Access personal data: Request information about the data held by organisations.
  • Rectification: Seek corrections to inaccurate or outdated data.
  • Deletion: Request the removal of data that is no longer necessary for its original purpose.
  • Objection: Oppose data processing based on legitimate interests, such as direct marketing.

Regulatory authority

The Ministry of Technology and Communications (MTC), formerly the Ministry of Post and Telecommunications, is the primary authority overseeing electronic data protection in Lao PDR. The MTC operates through its provincial departments and is supported by the Lao Computer Emergency Response Team (LaoCERT), which handles cybersecurity incidents and enforces data protection regulations.