Legal Update - 25 January 2017
Data Protection and Cyber Security law in Thailand
Thailand has been in the spotlight over recent years in the areas of data protection and cyber security. It is perceived that Thailand does not have adequate protection covering this very fast developing environment. On a platform where social media and e-commerce is developing fast in Thailand, the lack of any legal platform covering this area is a rising concern.
In other parts of this region, it is seen that the legal framework concerning data protection and cyber security is developing in a very speedy manner; thus, Thailand has been under pressure to keep up with these developments. The Thai Government has taken steps to pave the way for the enactment of bills to address these areas.
There has been much focus on computer crimes and internet frauds committed in or against Thailand, which poses serious cyber security risks. One such incident that caused great havoc in Bangkok and in several other provinces across Thailand was the hacking of over 20 ATMs, resulting of over Baht 12 million being stolen. This is clear evidence of security flaws that have been exploited by criminals.
The year 2016 was quite a roller coaster in terms of getting bills/acts passed by the Government as there has been a lot of criticism in terms of who would actually benefit from these bills/acts: would it be the Government or the people of Thailand?
Thailand has experienced serious cyber attacks and internet security breaches in the past. It is commonly known that both Government and private websites have been hacked, and that hackers frequently use Thailand as their base for launching local and global cyber attacks.
There is thus an urgent need to have adequate protection. The Government is indeed aware of this and has been active in developing adequate laws to safeguard public interests. This is evidenced in the drafting of the Personal Data Protection Bill, which unfortunately raised severe criticism from the general public and is currently still under consideration, and approval by the National Legislative Assembly (“NLA”).
It is anticipated that the draft bill will be amended and will eventually be passed by the NLA as this has been pending with the NLA for quite some time now. It is anticipated that there will be some developments relating to this by the end of the second quarter of this year.
The pending approval of said bill does not mean that it should be considered that Thailand does not have any protection for personal data protection. On the contrary, there are various elements within the current working system which provide safeguards to individuals.
Although there is no specific law directly concerning data protection, there are quite a few existing provisions within the legal framework which are sufficient to take care of the privacy of individuals with regard to personal data.
One fundamental platform is the Constitution of the Kingdom of Thailand, which provides the protection for the right of privacy, which is in line with personal data protection; under which a person’s personal data is protected from any unlawful act against the person.
Another area where it can be seen that the personal data of a person is protected from any wrongful act is in the Thai Civil and Commercial Code (CCC). It is quite clear in the CCC that a wrongful act would amount to any person who wilfully, negligently or unlawfully injures the life, body, health, liberty, property or any right of another person. In this context, "disclosure" or "transfer" of data may be considered a wrongful act if it causes damage to the data owner.
On a different level, the Computer Crime Act (2007) plays an extremely important role in protecting the public against internet spam, hackers and identity theft by imposing heavy fines and imprisonment on perpetrators if found guilty of such crimes. Although the amendments of said Act late last year sparked some concerns as to the vague definitions of certain terms in the Act, another act also came into force last year, the Cyber Security Act, which gives wider power to the authorities.
Furthermore, there is the Official Information Act, which extends to cover the protection of personal information of Thai people and foreigners who have residence in Thailand. This Act defines personal data quite broadly, which gives a wider protection to any person. In this Act, personal data includes ‘any’ information relating to the person.
State enterprises which provide the services electronically are required to ensure that data collected from persons in the course of provided the services are properly stored, secured and not disclosed by virtue of the Notification of the Electronic Transaction Committee on the Policy and Practice relating to the Personal Data Protection of the State Enterprises of B.E. 2553 (A.D. 2010).
The Financial Institution Act, the National Health Service Act and other specific businesses have set out additional criteria to ensure that data collected from persons in the course of trading are not disclosed, and are adequately protected. These restrictions are in place to ensure that the data is kept within a business and only used for the purpose of its own business operation. In addition to this, there are also requirements in some businesses that the business should have proper security mechanisms put in place to ensure that the data in their possession is safe and adequately protected. Obtaining consent from an individual prior to the release of personal data of the individual is also something that is typically built into a contract with various businesses.
There are rarely any exceptions to these requirements, except for instances where it relates to the national security of the Kingdom of Thailand.
When the said Personal Data Protection Bill, which is still pending approval from the NLA, comes into force, it would no doubt provide a comprehensive regulatory structure for personal data which can be enforced across the board in all sectors.
If the year 2016 was seen as a year that introduced several important legislations addressing the issues relating to data protection and cyber security; 2017 is expected to be a year when these legislations actually come into force, thus giving some protection in these areas.
The first step would be the approval of the pending bills by the NLA. It is expected that this would be a starting/trigger point for the development and the growth of a comprehensive legal regime, and one that would be in-sync with the developments within these areas globally.
This article is not to be treated as a legal opinion but rather only as a guide to data protection under Thai Law.
This article is prepared by Rajen Ramiah
Telephone: +66 2 676 6667
Telephone: +66 2 676 6667
SCL Law Group