Upcoming Digital Laws Thailand: Cybersecurity & Personal Data Protection
John P. Formichella
On 28 February 2019, a Personal Data Protection Bill and a Cybersecurity Bill
were approved by the National Legislative Assembly. Subject to final approval
by the King of Thailand, both bills will then be published in the Government
Gazette before being enacted as effective law, which is expected to happen
within 2019. Owing to Thailand’s rapidly growing digital economy and society,
the proposed bills aim to pave the way for the country to enforce legal
safeguards that ensure national security in cyberspace, covering both private and
public sector databases as well as the privacy of individuals’ personal data. According
to the legislative intent, a strong cybersecurity stance is believed to be a key
defense against cyber threats and the unauthorized exploitation of networks,
systems and technologies, most of which are caused by human mistake or
behavior. John Formichella, partner, Naytiwut Jamallsawat, senior
associate, and Artima Brikshasri, associate, of Blumenthal Richter & Sumet discuss herein the approach taken by, and the controversial issues surrounding, both the
Cybersecurity Bill and the Personal Data Protection Bill.
The balance of power under cybersecurity law
The operations of many public and private sector organizations are driven by computer
systems, and such organizations in Thailand are increasingly digitizing those systems. The
information held on, and communications carried over, such computer systems, especially those of critical
infrastructure entities (e.g. essential public services, national security, transportation,
information technology, telecommunications, public health, financial
institutions, etc.), affect the maintenance of vital social functions, health,
safety, security, and the economy. Disruption to such information or
communication systems is to be considered a “cyber threat” that may have
serious consequences for Thailand’s citizens as well as for its national security
and economic systems.
The Cybersecurity Bill imposes obligations on both government agencies and
critical infrastructure entities to draft and implement internal cybersecurity
guidelines in accordance with the policy and action plans issued by the National Cyber
Security Committee (NCSC), including a cybersecurity risk assessment plan, together with an
obligation to notify the NCSC of any cyber threats. The Cybersecurity Bill defines a
“cyber threat” as any illegal action that uses computers, network systems, or
programs to cause an adverse impact on a computer, a computer network or data.
The Cybersecurity Bill further broadens the definition and coverage of
“cyber threat” by categorizing cyber threats into the following three
levels. The definitions in this regard focus mainly on the impact
arising from the threat and its result, rather than on the method or source of the
action, which may come in any form, such as malware, phishing, or system hacking,
etc.:
(i) Non-critical – any threat that may negatively impact
the performance of a government computer system.
Impacting “performance” is not yet defined, given that the bill
has not yet been implemented, but it will likely be understood as a non-critical
service level failure, such as a reduction of processing speeds, which can be
rectified by a standard maintenance action.
(ii) Critical – any threat to a government computer
system relating to national infrastructure, national security, the economy,
healthcare, international relations, the functions of government, etc., which may
cause damage to and/or impair a government computer system; and
(iii) Crisis – any threat greater
than a Critical level event, which may have widespread impact, such
as causing the government to lose control of a computer system, or an
immediate threat to public order or national security that could lead to
mass destruction, terrorism, war, or the overthrow of the government and/or the
monarchy.
If an official believes that there is a Critical level
threat, then such official is empowered, subject to judicial permission, to
access the information and facilities of private entities, including seizure of
computer systems, data, and related equipment, in order to prevent such cyber threats. On
the other hand, in the case of a Crisis level threat, which in the opinion of a
competent official requires an immediate response, such official is
empowered to perform any act deemed necessary to prevent or mitigate the
threat without judicial permission. For example, an official is authorized to
order a computer owner, possessor, or user connected to a cyber threat to
rectify the cyber threat, to terminate the use of a computer or computer system, or
even to enter private entities’ property and access data systems, all without having to
obtain a court order. This Crisis level authority is at the center of
debate amongst privacy advocates, and there is suspicion of government
overreach.
Although such concerns are not without merit, it would be
remiss for any government to ignore the increasing sophistication of machine
learning, IoT botnets, etc. as challenges to cybersecurity. With the rapid
advances in technology, governments cannot be idle in their measures to protect
cyberspace. According to an article dated 10 May 2019 in the Bangkok Post[1], a
Thai cybersecurity expert warned that Thailand “is now at considerable risk of seeing people’s personal
data pilfered”.
To temper such concerns, the Cybersecurity Bill does require an official to
report all information regarding his/her actions immediately to the relevant
court. In practice, being able to act without judicial permission at the Crisis
level, which requires an immediate response, seems reasonable in order to
prevent an unexpected impact from such a high level threat. Yet the freedom to
act without judicial permission gives legitimate grounds for privacy and legal due process concerns.
As we discuss herein, the process for reporting to the judiciary, although
a form of oversight, is questionable in terms of its adequacy.
Failure by the private sector to comply with certain obligations to report cyber
threats to the NCSC, or to provide information/documents requested for a cyber threat
investigation, may result in a fine and/or imprisonment. Where the offender is a juristic person,
its directors, managers, or any person responsible for its operations
may also face civil and/or criminal penalties. One point to keep in mind is
that information discovered by an official under such circumstances may be
shared with other government agencies for prosecution under any applicable
laws, such as banking, telecommunications, criminal and labour laws, the Computer
Crimes Act, etc. Clearly there is an argument for advocates of due process and
privacy that the Cybersecurity Bill does not adequately address issues of
privacy and warranted search and seizure.
A clear issue with respect to due process is that, although judicial review
is required, the actions of an official at the Critical and Crisis
levels are not subject to an adversarial hearing. In other words, an official
need only report that his/her actions are justifiable, without any opportunity for a
counterparty to challenge such claims.
Thus, in our opinion, a clearer definition of a Crisis level threat, as
well as procedural guidelines, is fundamental to balancing the interests of
national security, privacy, and due process.
Clarity of privacy rights under new personal data protection law
Privacy rights have become more significant in the digital age. Each person hands
over his/her personal data, either willingly or unwillingly, to other persons or to
government agencies for various purposes, including convenience, access to
platforms, etc. In this regard, Thailand currently provides legal protection for
certain types of personal data in specific areas, such as confidentiality under
the National Health Act and the Financial Institution Business Act. However, such
limited protection is not considered sufficient by the Thai authorities, as
personal data is spread across various channels, devices, and platforms.
Therefore, the new Personal Data Protection Bill has been drawn up to directly govern
the collection, storage, and use/processing of personal data, as part of the
right to privacy prescribed under the Constitution of the Kingdom of Thailand.
The provisions of the bill largely replicate the EU General Data Protection Regulation.
According to the bill, the definition of personal data includes any data
pertaining to a person that enables the identification of that person. The
basis of personal data protection is the “consent” of the data owner. In this regard,
a data controller is required to obtain the data owner’s consent, either in writing or via an electronic
system, to collect, use, disclose or alter any personal data, unless otherwise permitted by express law. Such consent to the use of
personal data may be withdrawn at any time unless there is a restriction on
withdrawal specified by law or by a contract that is beneficial to the data
owner. Examples of a benefit to a data owner would be bank statements (so that a
data owner knows the financial information on his/her bank account), debt payment
reminders (so that late payment and additional interest do not occur), etc.
However, there are exemptions from the consent requirement under certain circumstances. For
example, data may be collected without consent where it is needed to evaluate the data owner’s
work credentials (such as an academic certificate), to provide services (such
as verifying a medical license), or as financial information of employees (salary) that an
employer is required to submit to the Social Security Office in order for
employees to receive Social Security benefits. At this point, it remains to
be seen how extensively the authorities will interpret those exemption
circumstances, but we believe the above examples will be put into practice.
In addition, a data owner must be adequately informed of the purposes of personal data
collection as a condition of the data owner providing consent. Nevertheless, a
data controller does not need to inform the data owner of the details and purposes of data collection
when obtaining consent if the data owner already knows the details and
purposes of such data collection. The burden of proof in this regard is on the
data controller. It follows that such collected personal data can be used or
disclosed for the approved purposes only. Non-compliance with this obligation will
result in an administrative fine of up to THB 1 million. Therefore,
a data controller should adopt a cautious approach and take measures to inform the
data owner of the purpose(s) of data collection in all circumstances.
Further, a data owner can request access to his/her personal data retained by a data
controller, subject to rules of access that will later be prescribed by regulation.
Rejection of such a request is permitted only on legitimate grounds or for
the protection of third party rights. A request for access may affect the
personal data of third parties retained on the same platform, and may also
create a burden for the data controller. Therefore, the scope of “access” should
be neither too broad nor too narrow, so as to strike a balance between the data owner’s
privacy rights, the data controller’s obligations, and the protection of
third parties’ personal data.
Implementation of new digital laws
The Cybersecurity Bill and the Personal Data Protection Bill are quite new in Thailand.
Subordinate regulations are also in the pipeline to supplement the
implementation of these bills. Therefore, a grace period prior to promulgation will
be provided for both business operators and government agencies to consider and
implement internal systems and controls for compliance purposes.