Tuesday, August 6, 2019

Upcoming Digital Laws Thailand: Cybersecurity & Personal Data Protection
John P. Formichella

On 28 February 2019, a Personal Data Protection Bill and Cybersecurity Bill were approved by the National Legislative Assembly. Subject to final approval by the King of Thailand, both bills will then be published in the Government Gazette before being enacted as effective law, which is expected to be within 2019. Owing to Thailand’s rapidly growing digital economy and society, the proposed bills aim to pave the way for the country to enforce legal safeguards for national security in cyberspace, covering both private and public sector databases as well as the privacy of individuals’ personal data. According to the legislative intent, a strong cybersecurity stance is believed to be a key defense against cyber threats and unauthorized exploitation of networks, systems and technologies, most of which are caused by human error or behavior. John Formichella, partner, Naytiwut Jamallsawat, senior associate, and Artima Brikshasri, associate of Blumenthal Richter & Sumet, discuss herein the approach and the controversial issues surrounding both the Cyber Security Bill and the Personal Data Protection Bill.

The balance of power under cybersecurity law

The operations of many public and private sector organizations are driven by computer systems, and such organizations in Thailand are continuing to digitize those systems. The information and communications carried over such computer systems, especially those of critical infrastructure entities (e.g. material public services, national security, transportation, information technology, telecommunications, public health, financial institutions, etc.), affect the maintenance of vital social functions, health, safety, security, and the economy. Disruption to such information or communication systems is considered a “cyber threat” that may have serious consequences for citizens as well as for Thailand’s national security and economic systems.

The Cybersecurity Bill sets out obligations for both government agencies and critical infrastructure entities to draft and implement internal cybersecurity guidelines according to the policy and action plans issued by the National Cyber Security Committee (NCSC), including a cybersecurity risk assessment plan, together with an obligation to notify the NCSC of any cyber threats. The Cybersecurity Bill defines a “cyber threat” as any illegal action that uses computers, network systems, or programs to cause an adverse impact on a computer, a computer network or data.

The Cybersecurity Bill further provides a broader definition and coverage of “cyber threat” by categorizing cyber threats into the following three levels. The definitions in this regard mainly focus on the impact arising from the threat and its result, rather than on the method or source of the action, which may come in any form, such as malware, phishing, or system hacking, etc.:

(i) Non-critical – any threat that may negatively impact the performance of a government computer system;

What constitutes an impact on “performance” is not yet defined, as the bill has not yet been implemented, but it will likely be understood as a non-critical service level failure, such as a reduction in processing speed, which can be rectified by a standard maintenance action.

(ii) Critical – any threat to a government computer system relating to national infrastructure, national security, the economy, healthcare, international relations, the functions of government, etc., which may cause damage to and/or impair a government computer system; and

(iii) Crisis – any threat greater than a Critical level event, which may have widespread impact, such as causing the government to lose control of a computer system, or an immediate threat to public order or national security that could lead to mass destruction, terrorism, war, or the overthrow of the government and/or the monarchy.

If an official believes that there is a Critical level threat, then such official is empowered, subject to judicial permission, to access the information and facilities of private entities, including seizure of computer systems, data, and related equipment, in order to prevent such cyber threats. On the other hand, in the case of a Crisis level threat which, in the opinion of a competent official, requires an immediate response, such official is empowered to perform any act deemed necessary to prevent or mitigate the threat without judicial permission. For example, an official is authorized to order a computer owner, possessor, or user connected with a cyber threat to rectify the threat, to terminate the use of a computer or computer system, or even to enter a private entity’s property and access its data systems, all without having to obtain a court order. This Crisis level authority is at the center of the debate amongst privacy advocates, and there is suspicion of overreach of authority.

Although such concerns are not without merit, it would be remiss for any government to ignore the increasing sophistication of machine learning, IoT botnets, etc. as challenges to cybersecurity. With the rapid advances in technology, governments cannot be idle in their measures to protect cyberspace. According to an article dated 10 May 2019 in the Bangkok Post[1], a Thai cybersecurity expert warned that Thailand “is now at considerable risk of seeing people’s personal data pilfered”.

To temper such concerns, the Cybersecurity Bill does require an official to report all information regarding his/her actions immediately to the relevant court. In practice, being able to act without judicial permission at Crisis level, which by definition requires an immediate response, seems reasonable in order to prevent the unexpected impact of such a high level threat. Yet the freedom to act without judicial permission gives rise to legitimate privacy and legal due process concerns. As we discuss below, the process for reporting to the judiciary, although a form of oversight, is questionable in terms of its adequacy.

Failure of the private sector to comply with certain obligations, such as reporting cyber threats to the NCSC or providing information/documents requested for a cyber threat investigation, may result in a fine and/or imprisonment. Where the offender is a juristic person, its directors, managers, or any person responsible for its operation may also face civil and/or criminal penalties. One point to keep in mind is that information discovered by an official under such circumstances may be shared with other government agencies for prosecution under any applicable law, such as banking, telecommunications, criminal or labour law, the Computer Crimes Act, etc. Clearly there is an argument, for advocates of due process and privacy, that the Cybersecurity Bill does not adequately address issues of privacy and warranted search and seizure.

A clear issue with respect to due process is that, although judicial review is required, the actions of an official at Critical level and Crisis level are not subject to an adversarial hearing. In other words, an official need only report that his/her actions are justifiable, without any opportunity for a counterparty to challenge such claims.

Thus, in our opinion, a clearer definition of a Crisis level threat, as well as procedural guidelines, is fundamental to balancing the interests of national security, privacy, and due process.

Clarity of privacy rights under new personal data protection law

Privacy rights have become more significant in the digital age. Each person hands over his/her personal data, either willingly or unwillingly, to other persons or government agencies for a variety of purposes, including convenience, access to platforms, etc. In this regard, Thailand currently provides legal protection to certain types of personal data in specific areas, such as confidentiality under the National Health Act and the Financial Institution Business Act. However, such limited protection is not sufficient in the view of the Thai authorities, as personal data is spread across various channels, devices, and platforms. Therefore, the new Personal Data Protection Bill has been drawn up to directly govern the collection, storage, and use/processing of personal data, as part of the right to privacy prescribed under the Constitution of the Kingdom of Thailand.

Provisions under the bill mostly replicate the EU General Data Protection Regulation. According to the bill, the definition of personal data includes any data pertaining to a person which enables the identification of that person. The basis of personal data protection is the “consent” of the data owner. In this regard, a data controller is required to obtain consent from the data owner, either in writing or via an electronic system, before gathering, using, disclosing or altering any personal data, unless otherwise expressly permitted by law. Such consent to the use of personal data may be withdrawn at any time, unless a restriction on withdrawal is specified by law or by a contract which is beneficial to the data owner. Examples of a benefit to a data owner would be bank statements (so that the data owner knows the financial information on his/her bank account), debt payment reminders (so that late payment and additional interest do not occur), etc.

However, there are exemptions to the consent requirement under certain circumstances: for example, where data needs to be collected in order to evaluate the data owner’s work credentials (such as an academic certificate), or to provide services (such as a medical license), or where the financial information of employees (salary) must be submitted by an employer to the Social Security Office in order for employees to receive Social Security benefits. At this point, it remains to be seen how broadly the authorities will interpret those exemption circumstances, but we believe the above examples will be put into practice.

In addition, a data owner must be adequately informed of the purposes of personal data collection as a condition of the data owner providing consent. Nevertheless, a data controller does not need to inform a data owner of the details and purposes of data collection when seeking his/her consent if the data owner already knows those details and purposes. The burden of proof in this regard is on the data controller. It follows that such collected personal data can be used or disclosed for the approved purposes only. Non-compliance with this obligation will result in an administrative fine of up to THB 1 million. Therefore, a data controller should adopt a cautious approach and take measures to inform the data owner of the purpose(s) of data collection under all circumstances.

Further, a data owner can request access to his/her personal data retained by a data controller, subject to the rules of access, which will later be prescribed by regulation. Rejection of such a request is allowed only for legitimate purposes or for the protection of third party rights. A request for such access may affect the personal data of third parties that is retained on the same platform, and also creates a burden for the data controller. Therefore, the scope of “access” should be neither too broad nor too narrow, so as to balance the data owner’s privacy rights, the data controller’s obligations, and the protection of other third parties’ personal data.

Implementation of new digital laws

The Cyber Security Bill and Personal Data Protection Bill are quite new in Thailand. Subordinate regulations are also in the pipeline to supplement the implementation of both bills. Therefore, a grace period prior to promulgation will be provided for both business operators and government agencies to consider and implement internal systems and controls for compliance purposes.

The contents herein are for informational purposes only and should not be relied upon as legal advice. For more information please contact John Formichella at john@fosrlaw.com