Tuesday, August 6, 2019

Upcoming Digital Laws Thailand: Cybersecurity & Personal Data Protection







John P. Formichella

On 28 February 2019, a Personal Data Protection Bill and Cybersecurity Bill were approved by the National Legislative Assembly. Subject to final approval by the King of Thailand, both bills will then be published in the Government Gazette before being enacted as effective law, which is expected to be within 2019. Owing to Thailand’s rapidly growing digital economy and society, the proposed bills aim to pave the way for the country to enforce legal safeguards to ensure national security in cyberspace, covering both private and public sector databases as well as the privacy of individuals’ personal data. According to legislative intent, a strong cybersecurity stance is believed to be a key defense against cyber threats and unauthorized exploitation of networks, systems and technologies, which are mostly caused by human mistakes or behavior. John Formichella, partner, Naytiwut Jamallsawat, senior associate, and Artima Brikshasri, associate of Blumenthal Richter & Sumet, discuss herein the approach to, and the controversial issues surrounding, both the Cyber Security Bill and the Personal Data Protection Bill.

The balance of power under cybersecurity law     

The operations of several public and private sectors are driven by computer systems and such organizations in Thailand are digitizing such systems. The information and communications over such computer systems, especially those of critical infrastructure entities (e.g. material public service, national security, transportation, information technology, telecommunications, public health, financial institutions, etc.) affect the maintenance of vital social functions, health, safety, security, and economy. The disruption to such information or communication systems shall be considered as “cyber threats” that may have serious consequences to its citizens as well as Thailand’s national security and economic systems.

The Cybersecurity Bill sets out obligations to both government agencies and critical infrastructure entities to draft and implement internal cybersecurity guidelines according to policy and action plans issued by the National Cyber Security Committee (NCSC), including a cybersecurity risk assessment plan, and obligation to notify the NCSC of any cyber threats. The Cybersecurity Bill defines “cyber threat” as any illegal actions that use computers, network systems, or programs to cause an adverse impact to a computer, a computer network or data.

The Cybersecurity Bill further provides a broader definition and coverage of “cyber threat” by categorizing cyber threats into the following three levels. The definitions in this regard seem to focus mainly on the impact arising from the threat and its result, rather than the method or source of the action, which may come in any form, such as malware, phishing, or system hacking:

(i) Non-critical – any threat that may negatively impact the performance of a government computer system;

Impacting “performance” is not yet defined given the bill has not yet been implemented but will likely be understood as a non-critical service level failure such as a reduction of processing speeds, which can be rectified by a standard maintenance action.

(ii) Critical – any threat to a government computer system relating to national infrastructure, national security, the economy, healthcare, international relations, the functions of government, etc., which may cause damage and/or impair a government computer system; and

(iii) Crisis – any threat greater than a Critical level event, which may have widespread impact such as causing the government to lose control of a computer system, or an immediate threat to public order or national security that could lead to mass destruction, terrorism, war, the overthrow of the government and/or the monarchy.

If an official believes that there is a Critical level threat, then such official is empowered, subject to judicial permission, to access information and facilities of private entities including seizure of computer systems, data, and related equipment to prevent such cyber threats. On the other hand, in case of a Crisis level, which in the opinion of a competent official requires an immediate response, such official shall be empowered to perform any act warranted as necessary to prevent or mitigate such threat without judicial permission. For example, an official is authorized to order a computer owner, possessor, or users relating to a cyber threat to rectify a cyber threat, terminate the use of a computer or computer system, or even enter private entities’ property and access data systems without having to obtain a court order. This Crisis level authority is at the center of debate amongst privacy advocates and there is suspicion of authoritative overreach.

Although such concerns are not without merit, it would be remiss for any government to ignore the increasing sophistication of machine learning, IoT botnets, etc. as challenges to cyber security. With the rapid advances in technologies, governments cannot be idle in protection measures of cyberspace. According to an article dated 10 May 2019 in the Bangkok Post[1], a Thai cyber-security expert warned that Thailand “is at now at considerable risk of seeing people’s personal data pilfered”.

To temper such concerns, the Cybersecurity Bill does require an official to report all information regarding his/her actions immediately to a relevant court. In practice, being able to act without judicial permission at Crisis level, which requires an immediate response, seems reasonable in order to prevent an unexpected impact from such a high-level threat. Yet, the freedom to act without judicial permission justifies privacy and legal due process concerns. As we will discuss herein, the process for reporting to the judiciary, although a form of oversight, is questionable in terms of its adequacy.

Failure of the private sector to comply with certain obligations to report cyber threats to the NCSC, or to provide information/documents requested for a cyber threat investigation, may result in a fine and/or imprisonment. For a juristic person offender, its directors, managers, or any person responsible for the operation may also face civil and/or criminal penalties. One point to keep in mind is that information discovered by an official under such circumstances may be shared with other government agencies for prosecution under any applicable laws such as banking, telecommunications, criminal, labour, the Computer Crimes Act, etc. Clearly there is an argument for advocates of due process and privacy that the Cybersecurity Bill does not adequately address issues of privacy and warranted search and seizure.

A clear issue with respect to due process is that although judicial review is required, the action of an official under Critical level and Crisis level is not subject to adverse hearing. In other words, an official need only report that his/her actions are justifiable, without an opportunity for a counterparty to challenge such claims.

Thus in our opinion, a clearer definition to Crisis level threat, as well as procedural guidelines, is fundamental to balance the interests between national security, privacy, and due process.  

Clarity of privacy rights under new personal data protection law  

Privacy rights have become more significant in the digital age. Each person accepts to hand over his/her personal data, either willingly or unwillingly, to other persons or government agencies for several purposes including convenience, access to platforms, etc. In this regard, Thailand currently provides legal protection to certain types of personal data in specific areas such as confidentiality under the National Health Act and Financial Institution Business Act. However, such limited protection is not sufficient in the view of Thai authorities as personal data is spread through various channels, devices, and platforms. Therefore, the new Personal Data Protection Bill has been drawn up to directly govern the collection, storage, or use/processing of personal data, as part of the right to privacy prescribed under the Constitution of the Kingdom of Thailand.

Provisions under the bill mostly replicate the EU General Data Protection Regulation. According to the bill, the definition of personal data includes any data pertaining to a person, which enables the identification of such person. The basis of personal data protection is the “consent” of a data owner. In this regard, a data controller is required to have consent from the data owner to gather, use, disclose or alter any personal data, either in writing or via electronic system, unless otherwise permitted by express law. Such consent on the use of personal data may be withdrawn at any time unless there is a restriction on withdrawal specified by law or by any contract which is beneficial to a data owner. Examples of a benefit to a data owner would be bank statements (so a data owner knows its financial information on its bank account), debt payment reminders (so late payment and additional interest won’t occur), etc.

However, there are exemptions to the consent requirement under certain circumstances. Examples include data that needs to be collected in order to evaluate the data owner’s work credentials (such as an academic certificate) or to provide services (such as a medical license), and financial information of employees (salary), which an employer is required to submit to the Social Security Office in order for employees to receive Social Security benefits. At this point, it remains to be seen how extensively the authorities will interpret those exemption circumstances, but we believe the above examples will be put into practice.

In addition, a data owner must be adequately informed of the purposes of personal data collection as a condition to a data owner providing consent. Nevertheless, a data controller does not need to inform a data owner of the details and purposes of data collection for his/her consent if he/she already knew the details and purposes of such data collection. The burden of proof in this regard is on the data controller. It follows that such collected personal data can be used or disclosed for approved purposes only. Non-compliance with such obligation will result in an administrative fine of up to THB 1 million. Therefore, a data controller should adopt a cautious approach and take measures to inform a data owner as to the purpose(s) of data collection under any circumstances.

Further, a data owner can request access to his/her personal data retained by a data controller, subject to the rules of access, which will be later prescribed by regulation. Any rejection of such a request is allowed only upon legitimate purposes or for the protection of third party rights. The request for such access may affect personal data of third parties that is retained on the same platform, and also create a burden on a data controller. Therefore, the scope of “access” should not be too broad or too narrow so as to balance a data owner’s privacy rights, a data controller’s obligations, and the protection of other third parties’ personal data.

Implementation of new digital laws

The Cyber Security Bill and Personal Data Protection Bill are quite new in Thailand. Subordinate regulations are also in the pipeline to supplement the implementation of such bills. Therefore, a grace period prior to the promulgation will be provided for both business operators and government agencies to consider and implement internal systems and controls for compliance purposes.

The contents herein are for informational purposes only and should not be relied upon as legal advice. For more information please contact John Formichella at john@fosrlaw.com

25 Comments:

At November 11, 2019 at 5:20 AM , Anonymous Anonymous said...

Enjoyed this post, Personal Data Protection is one of the most important topics nowadays.

recovery ransomware

 
At November 18, 2019 at 3:29 AM , Blogger immigration said...

Great article. I really appreciated.
Thanks for sharing.
Derivative Residence Card

 
At November 21, 2019 at 12:58 AM , Blogger Alina Smith said...

A confined space isn't defined by size, but instead the hazards related to the space, for instance, physical features of the space and kind of work being conducted. If you are curious to know more about online software, here you can get more information about it.

 
At December 18, 2019 at 12:07 AM , Blogger mrkdvsn said...

written content. I added new knowledge to my database for essay writing skill.digital agency bangkok

 
At January 7, 2020 at 9:28 PM , Blogger theloveandlightstore said...

Your blog is very informative. Eating mindfully has been very hard for people these days. It's all because of their busy schedules, work or lack of focus on themselves. As a student I must admit that I have not been eating mindfully but because of this I will start now. It could help me enjoy my food and time alone. Eating mindfully may help me be aware of healthy food and appreciating food.
Best surge protector

 
At February 12, 2020 at 12:35 AM , Blogger Helnoson Sherry said...

I would like to know more about these suggestive points. Give me little more brief and I think they can help me. Here the mentioned points are very useful and I am definitely going to adopt in my life.
Best power filter

 
At February 15, 2020 at 11:43 PM , Blogger Unknown said...

Cyber security is important to protect personal data and cyber security training center help to give professional training in cyber security.

 
At March 31, 2020 at 11:41 AM , Blogger Kristen Brown said...

Truly a fine approach to express and looking an exceptionally charming article with loaded with solid data. I am unquestionably going to enlighten in my class concerning this stage and the data shared here. Extremely elegantly composed. Elephant volunteers

 
At April 22, 2020 at 4:24 AM , Blogger shanewarner said...


The post is written in very a good manner and it contains many useful information for me.


gexton safety system

 
At April 23, 2020 at 3:20 PM , Blogger ICS Cyber Security said...

It is really important to have a best plan to fight against cyber attack. Cyber security training center help to respond quickly before damage done. Thanks

 
At July 1, 2020 at 11:12 PM , Blogger ITGOLD Solutions said...

I am happy to this blog site giving one-of-a-kind and also useful knowledge concerning this topic. antivirus protection brisbane

 
At August 24, 2020 at 5:11 AM , Blogger ITBMO said...

I read your blog now share great information here. ITFM

 
At December 18, 2020 at 2:28 AM , Blogger techperson said...

I appreciate the fact that you have the knowledge to fix the problems and deliver the best results. Excellent work!
pc system repair

 
At March 30, 2021 at 9:34 AM , Blogger Technology said...

Wow what a Great Information about World Day its very nice informative post. thanks for the post.
essay writer UK

 
At May 2, 2021 at 6:07 PM , Blogger seoexpert said...

Creative Web Studio - The Cyber Defense Company, as a certified company, offers solution-oriented and contemporary ICT services for SMEs. Main focus: cloud, IT security and IT. The Cyber Defense Company

 
At May 31, 2021 at 2:58 AM , Blogger seoexpert said...

This is a great inspiring article.I am pretty much pleased with your good work.You put really very helpful information...cyber security

 
At July 14, 2021 at 4:29 AM , Blogger britney said...

Will these laws affect the Penetration Test implementation as well?

 
At September 7, 2021 at 1:02 AM , Blogger SEO Services said...

You have a real ability for writing unique content. Eames Office Chair

 
At January 17, 2022 at 5:20 AM , Blogger jon said...

I have found that these are uncomfortable only when I roll them too close to my scalp. If I leave about an inch of hair from my scalp, I can easily adjust them if they start to feel uncomfortable when sleeping. I also wear a triangle mesh scarf, that you use with rollers when sitting underneath the dryer.Please Visit here:fuzzy beauty blender It helps keep the rollers in place, preventing them from moving too much, as well as allowing air flow if you have used product on your hair.

 
At January 24, 2022 at 1:38 AM , Blogger jon said...

Most local search directories have automatic filters that attempt to mitigate fake reviews from being posted on local business listings, however, some still seem to slip through the cracks. In these cases, you can flag the reviews in order to bring them to Google’s attention directly.Please Visit here:Remove Unfair Google Reviews To spot a fake review look for signs like overly generic reviews, ridiculous usernames, fake/non-human avatars, nearly identical reviews left by the same person for different businesses, or multiple reviews posted by the same reviewer in a short period of time.

 