Upcoming Digital Laws Thailand: Cybersecurity & Personal Data Protection
John P. Formichella
On 28 February 2019, a Personal Data Protection Bill and Cybersecurity Bill
were approved by the National Legislative Assembly. Subject to final approval
by the King of Thailand, both bills will then be published in the Government
Gazette before being enacted into effective law, which is expected to be
within 2019. Owing to Thailand’s rapidly growing digital economy and society,
the proposed bills aim to pave the way for the country to enforce legal
safeguards to ensure national security in cyberspace, covering both private and
public sector databases as well as the privacy of individuals’ personal data. According
to legislative intent, a strong cybersecurity stance is believed to be a key
defense against cyber threats and unauthorized exploitation of networks,
systems and technologies, which are mostly caused by human mistake or
behavior. John Formichella, partner, Naytiwut Jamallsawat, senior
associate, and Artima Brikshasri, associate, of Blumenthal Richter & Sumet, discuss herein the approach to, and the controversial issues surrounding, both the
Cybersecurity Bill and the Personal Data Protection Bill.
The balance of power under cybersecurity law
The operations of several public and private sector organizations are driven by
computer systems, and such organizations in Thailand are digitizing those systems. The
information and communications over such computer systems, especially those of critical
infrastructure entities (e.g. material public service, national security, transportation,
information technology, telecommunications, public health, financial
institutions, etc.) affect the maintenance of vital social functions, health,
safety, security, and economy. The disruption of such information or
communication systems is considered a “cyber threat” that may have
serious consequences for Thailand’s citizens as well as its national security
and economic systems.
The Cybersecurity Bill imposes obligations on both government agencies and
critical infrastructure entities to draft and implement internal cybersecurity
guidelines according to policy and action plans issued by the National Cyber
Security Committee (NCSC), including a cybersecurity risk assessment plan, and an
obligation to notify the NCSC of any cyber threats. The Cybersecurity Bill defines
“cyber threat” as any illegal actions that use computers, network systems, or
programs to cause an adverse impact to a computer, a computer network or data.
The Cybersecurity Bill further provides a broader definition and coverage of
“cyber threat” by broadly categorizing cyber threats into the following three
levels. The definitions in this regard seem to mainly focus on the impact
arising from the threat and its result, rather than the method or source of the
action, which may come in any form, such as malware, phishing, or system
hacking:
(i) Non-critical – any threat that may negatively impact
the performance of a government computer system;
Impacting “performance” is not yet defined given the bill
has not yet been implemented but will likely be understood as a non-critical
service level failure such as a reduction of processing speeds, which can be
rectified by a standard maintenance action.
(ii) Critical – any threat to a government computer
system relating to national infrastructure, national security, the economy,
healthcare, international relations, the functions of government, etc., which may
cause damage and/or impair a government computer system; and
(iii) Crisis – any threat greater
than a Critical level event, which may have widespread impact such
as causing the government to lose control of a computer system, or an
immediate threat to public order or national security that could lead to
mass destruction, terrorism, war, the overthrow of the government and/or the
monarchy.
If an official believes that there is a Critical level
threat, then such official is empowered, subject to judicial permission, to
access information and facilities of private entities, including seizure of
computer systems, data, and related equipment, to prevent such cyber threats. On
the other hand, in the case of a Crisis level threat, which in the opinion of a
competent official requires an immediate response, such official shall be
empowered to perform any act warranted as necessary to prevent or mitigate such
threat without judicial permission. For example, an official is authorized to
order a computer owner, possessor, or user relating to a cyber threat to
rectify a cyber threat, terminate the use of a computer or computer system, or
even enter private entities’ property and access data systems without having to
obtain a court order. This Crisis level authority is at the center of
debate amongst privacy advocates, and there is suspicion of overreach by the
authorities.
Although such concerns are not without merit, it would be
remiss for any government to ignore the increasing sophistication of machine
learning, IoT botnets, etc. as challenges to cybersecurity. With the rapid
advances in technologies, governments cannot be idle in taking measures to protect
cyberspace. According to an article dated 10 May 2019 in the Bangkok Post[1], a
Thai cybersecurity expert warned that Thailand “is now at considerable risk of seeing people’s personal
data pilfered”.
To temper such concerns, the Cybersecurity Bill does require an official to
report all information regarding his/her actions immediately to a relevant
court. In practice, being able to act without judicial permission at the Crisis
level, which requires an immediate response, seems reasonable in order to
prevent an unexpected impact from such a high-level threat. Yet, the freedom to
act without judicial permission justifies privacy and legal due process concerns.
As we will discuss herein, the process for reporting to the judiciary, although
a form of oversight, is questionable in terms of its adequacy.
Failure of the private sector to comply with certain obligations to report cyber
threats to the NCSC, or to provide information/documents requested for a cyber threat
investigation, may result in a fine and/or imprisonment. For a juristic person
offender, its directors, managers, or any person responsible for the operation
may also face civil and/or criminal penalties. One point to keep in mind is
that information discovered by an official under such circumstances may be
shared with other government agencies for prosecution under any applicable
laws such as banking, telecommunications, criminal, labour, the Computer
Crimes Act, etc. Clearly there is an argument for advocates of due process and
privacy that the Cybersecurity Bill does not adequately address issues of
privacy and warranted search and seizure.
A clear issue with respect to due process is that although judicial review
is required, the action of an official at the Critical level and Crisis
level is not subject to adverse hearing. In other words, an official need
only report that his/her actions are justifiable, without an opportunity for a
counterparty to challenge such claims.
Thus, in our opinion, a clearer definition of a Crisis level threat, as
well as procedural guidelines, is fundamental to balancing the interests of
national security, privacy, and due process.
Clarity of privacy rights under new personal data protection law
Privacy rights have become more significant in the digital age. Each person agrees to hand
over his/her personal data, either willingly or unwillingly, to other persons or
government agencies for several purposes including convenience, access to
platforms, etc. In this regard, Thailand currently provides legal protection to
certain types of personal data in specific areas such as confidentiality under
the National Health Act and Financial Institution Business Act. However, such
limited protection is not sufficient in the view of Thai authorities as
personal data is spread through various channels, devices, and platforms.
Therefore, the new Personal Data Protection Bill has been drawn up to directly govern
the collection, storage, or use/processing of personal data, as part of the
right to privacy prescribed under the Constitution of the Kingdom of Thailand.
Provisions under the bill mostly replicate the EU General Data Protection Regulation.
According to the bill, the definition of personal data includes any data
pertaining to a person, which enables the identification of such person. The
basis of personal data protection is the “consent” of a data owner. In this regard,
a data controller is required to have consent from a data owner to gather, use,
disclose or alter any personal data, either in writing or via an electronic
system, unless otherwise permitted by express law. Such consent to the use of
personal data may be withdrawn at any time unless there is a restriction on
withdrawal specified by law or by any contract which is beneficial to a data
owner. Examples of a benefit to a data owner would be bank statements (so a
data owner knows the financial information on its bank account), debt payment
reminders (so late payment and additional interest won’t occur), etc.
However, there are exemptions to the consent requirement under certain circumstances. For
example, consent is not required if data needs to be collected in order to evaluate the data owner’s
work credentials (such as an academic certificate), or provide services (such
as a medical license), or where the data is financial information of employees (salary), which an
employer is required to submit to the Social Security Office in order for
employees to receive Social Security benefits. At this point, it remains to
be seen how extensively the authorities will interpret those exemption
circumstances, but we believe the above examples will be put into practice.
In addition, a data owner must be adequately informed of the purposes of personal data
collection as a condition to a data owner providing consent. Nevertheless, a
data controller does not need to inform a data owner of the details and purposes
of data collection for his/her consent if he/she already knew the details and
purposes of such data collection. The burden of proof in this regard is on the
data controller. It follows that such collected personal data can be used or
disclosed for approved purposes only. Non-compliance with such obligation will
result in an administrative fine of up to THB 1 million. Therefore,
a data controller should adopt a cautious approach and take measures to inform a
data owner as to the purpose(s) of data collection under any circumstances.
Further, a data owner can request access to his/her personal data retained by a data
controller, subject to the rules of access, which will be later prescribed by regulation.
Any rejection of such a request is allowed only for legitimate purposes or for
the protection of third-party rights. The request for such access may affect
personal data of third parties that is retained on the same platform, and also
create a burden on a data controller. Therefore, the scope of “access” should
not be too broad or too narrow, so as to strike a balance between a data owner’s
privacy rights, a data controller’s obligations, and the protection of
other third parties’ personal data.
Implementation of new digital laws
The Cybersecurity Bill and Personal Data Protection Bill are quite new in Thailand.
Subordinate regulations are also in the pipeline to supplement the
implementation of such bills. Therefore, a grace period prior to the promulgation will
be provided for both business operators and government agencies to consider and
implement internal systems and controls for compliance purposes.
25 Comments:
Will these laws affect the Penetration Test implementation as well?