Monday, June 1, 2020

Thailand to Postpone Data Privacy Law

Thailand Postpones Effective Date of Data Privacy Law

By Attorneys Naytiwut Jamallsawat & John Formichella


Background

On May 19, 2020, the Thai Cabinet approved a Royal Decree on Organizations and Businesses which shall be exempted from compliance with the Personal Data Protection Act B.E. 2562 (2019) ("Royal Decree") in order to delay the enforcement date of the Personal Data Protection Act B.E. 2562 (2019) ("PDPA"). The Royal Decree was published in the Royal Gazette on May 21, 2020, and will be effective from May 27, 2020 to May 31, 2021. It exempts the data controllers listed in the Royal Decree from certain chapters and sections of the PDPA, which include:

- Chapter 2 (data controllers' obligations relating to the use, collection, and disclosure of personal data, privacy notices, consent requirements, exemptions and cross-border data transfers);
- Chapter 3 (data subject rights, data protection officer and record of processing);
- Chapter 5 (complaints and administrative punishments);
- Chapter 6 (civil penalties and punitive damages);
- Chapter 7 (criminal liabilities and administrative punishments); and
- Section 95 (transitional matter).

The data controllers exempted under the Royal Decree are as follows:

1) Government authorities;
2) Foreign public authorities and international organizations;
3) Foundations, associations, religious organizations, and non-profit organizations;
4) Agricultural businesses;
5) Industrial businesses;
6) Commercial businesses;
7) Medical and public health businesses;
8) Energy, steam, water and waste disposal businesses, including their related businesses;
9) Construction businesses;
10) Repair and maintenance businesses;
11) Transportation, logistics, and warehouse businesses;
12) Tourism businesses;
13) Communication, telecommunication, computer, and digital businesses;
14) Financial, banking and insurance businesses;
15) Real estate businesses;
16) Professional businesses;
17) Management and support services businesses;
18) Scientific and technological, academic, social welfare and artistic businesses;
19) Educational businesses;
20) Entertainment and recreational businesses;
21) Security businesses; and
22) Household and community enterprise businesses whose activities cannot be clearly classified.

If there is any question as to whether a particular organization or business falls under the above list, the Personal Data Protection Committee (PDPC) shall consider the matter and render its final decision at its sole discretion.

The main reason specified in the Royal Decree is to provide more time for business operators, which are regarded as data controllers under the PDPA, to prepare themselves to be fully compliant with the PDPA. The Royal Decree further states that business operators, in both the private and government sectors, are not yet ready to comply with the PDPA. This was mainly due to requests filed with the government by the private sector, citing problems with the economy and within their organizations, such as the economic impact and other restrictions arising from the Covid-19 situation.

The extension should not be interpreted as the Government of Thailand relaxing its commitment to implement the PDPA. An essential action already taken by the Thai government is the appointment of the PDPC, which will start the process of formulating regulations and an enforcement culture surrounding the PDPA. The list of PDPC members approved by the Cabinet, as announced on 19 May 2020, is as follows (note that this list is not official until published in the Government Gazette):

1) The Chairman: Mr. Thienchai Na Nakorn
Professor, Faculty of Law, Sukhothai Thammathirat Open University;
Former member of the Constitution Drafting Committee (CDC);
Former senior member of various committees (e.g. the Official Information Commission, the Committee of the National Institute of Educational Testing Service (NIETS)) and former secretary-general of the Political Development Council.

2) Senior committee member (personal data protection): Mr. Nawanan Theera-Ampornpunt
Technocrat in health informatics;
Deputy dean (practitioner level), Faculty of Medicine, Ramathibodi Hospital.

3) Senior committee member (consumer protection): Pol. Lt. Col. Thienrath Vichiensan
Senior member of the Official Information Commission;
Former chief inspector of the Prime Minister's Office;
Director of the Official Information Commission.

4) Senior committee member (information and communication technology): Mr. Pansak Siriruchatapong
Former Vice Minister of the Ministry of Digital Economy and Society;
Former director of the National Electronics and Computer Technology Center (NECTEC).

5) Senior committee member (social science): Asst. Prof. Tossapon Tassanakunlapan
Professor and researcher, Faculty of Law, Chiang Mai University.

6) Senior committee member (legal): Ms. Thitirat Thipsamritkul
Lecturer, Faculty of Law, Thammasat University.

7) Senior committee member (legal): Prof. Supalak Pinitpuvadol
Professor, Faculty of Law, Chulalongkorn University.

8) Senior committee member (health): Prof. Prasit Watanapa
Dean, Faculty of Medicine, Siriraj Hospital.

9) Senior committee member (finance): Ms. Ruenvadee Suwanmongkol
Secretary-general of the Securities and Exchange Commission.

10) Senior committee member (government information management): Mrs. Methinee Thepmanee
Former secretary-general, Office of the Civil Service Commission (OCSC);
Former permanent secretary, Ministry of Information and Communication Technology (ICT).

In addition to the abovementioned members, please note that the PDPA requires the PDPC to appoint the permanent secretary of the Ministry of Digital Economy and Society (MDES) as vice-president of the PDPC, together with five additional board members: (i) the permanent secretary of the Prime Minister's Office, (ii) the secretary-general of the Council of State (juridical council), (iii) the secretary-general of the Office of the Consumer Protection Board, (iv) the director-general of the Rights and Liberties Protection Department, and (v) the attorney-general. Please note that as of the writing of this article (27 May 2020), the official list of PDPC members has not yet been published in the Government Gazette.

The above is for general information purposes only and should not be relied upon as legal advice.

Monday, December 2, 2019

Cybersecurity Law/Thailand
Cybersecurity Law in Thailand

John P. Formichella, Naytiwut Jamallsawat and Artima Brikshasri

Thailand has rapidly grown its digital economy, and has made a concerted push towards technological innovation. As technology has evolved within the country, however, so has the threat of cybersecurity issues.
In order to tackle this looming threat, the government of Thailand released the Cybersecurity Act B.E. 2562 (2019) (“Cybersecurity Act”), which was published in the Government Gazette on 27 May 2019 and is now in effect. The Cybersecurity Act endeavors to enforce legal safeguards to ensure the security of cyberspace, and in particular, sets out a cybersecurity risk assessment plan to prevent and mitigate against cybersecurity threats that may affect the stability of national security and the public interest, including interests related to the economy, healthcare, international relations and other governmental functions, among other areas.
The Cybersecurity Act applies to both public and private sector entities that: i) own information and communication infrastructure which is integral to the maintenance of vital societal functions, otherwise known as Critical Information Infrastructure (“CII”); and ii) are engaged in the following services:
1. National security;
2. Material public service;
3. Banking and finance;
4. Information technology and telecommunications;
5. Transportation and logistics;
6. Energy and public utilities;
7. Public health; and
8. Other areas that may be further prescribed by the relevant cybersecurity authority.

Under the Cybersecurity Act, these companies must put in place internal guidelines for managing cybersecurity issues, and these guidelines must be in accordance with the national cybersecurity master plan.
In addition to the Cybersecurity Act, cybersecurity matters are addressed in the Computer Crimes Act B.E. 2550 (2007) (“CCA”) which stipulates that any import, dissemination or forwarding of data through a computer system that may cause damage to the public (i.e., public security, the national economy, public infrastructure, etc.) shall be considered as an offense under the CCA.
Regulatory Authority
There are two main cybersecurity regulatory authorities, as follows:
a) National Cyber Security Committee
The National Cyber Security Committee (“NCSC”) is comprised of the Prime Minister of Thailand as the chairman, and directors from the government and the private sector that hail from areas that are of benefit to cybersecurity such as engineering, law and information technology. The NCSC sets out general cybersecurity policies and action plans as well as minimum standards for computer systems used in both government agencies and CII entities, in accordance with the national cybersecurity master plan.
The NCSC also has the authority to determine the levels of cybersecurity threats under the Cybersecurity Act (i.e., non-critical, critical and crisis) as well as the preventive and mitigative measures that should be in place for each of these levels. To enable this, the NCSC is empowered to request information and documents from, and access the facilities of, private entities, subject to the owner’s consent, in order to analyze and evaluate the impact of a critical cyber threat, determine the cybersecurity threat level and identify appropriate preventive and mitigative measures.
b) Cyber Security Regulatory Committee
The Cyber Security Regulatory Committee (“CSRC”) consists of the Minister of the Ministry of Digital Economy and Society as the chairman, and similar to the NCSC, has directors from the government and the private sector from areas that benefit cybersecurity. The role of the CSRC is to set out codes of practice and minimum standards for cybersecurity in the public and private sectors relating to CII, including risk assessment and mitigation plans against cyber threats. In addition, the CSRC may order public and private sector entities to prevent, mitigate and/or re-evaluate cyber threats in line with prescribed cybersecurity minimum standards.
If a critical level threat is discovered, the CSRC is empowered to perform any action to prevent or mitigate such threat. For example, the CSRC may order an owner or user of a computer that is the subject of a cyber threat to fix defects or eliminate undesirable programs. Furthermore, if judicial permission is granted, the CSRC may access information and/or seize computer systems, data and related equipment for a maximum of 30 days to prevent and mitigate cyber threats.
In the case of a crisis-level threat, the National Security Council shall take charge and carry out its duties. For any crisis-level threat which requires an immediate response, however, the CSRC is authorized to perform any act warranted as necessary without judicial permission.
In addition to the two main regulatory authorities above, there are two other relevant authorities: the Computer Security Coordination Center and the competent regulators, which are responsible for monitoring and taking action against cyber threats as well as regulating cybersecurity minimum requirements for CII entities under their supervision.
Regulatory Authority Guidance
The guidance on cybersecurity under the Cybersecurity Act relates to the development of security mechanisms to safeguard CII and enhance the prevention and mitigation of national cyber threats. The guidance also emphasizes the importance of cooperation between public and private sectors as well as international organizations in order to cope with cyber threats. Development of cybersecurity research and local expertise, including effective cybersecurity related laws and regulations are also considered as key factors in enforcing cybersecurity. The NCSC’s policies and plans on cybersecurity measures must be formulated in line with this general guidance.
Scope of Application
There are a number of main concepts in cybersecurity that are addressed or have been adopted under the Cybersecurity Act, as follows:
a) Network and Information Systems
Network and information systems may be similar to CII under the Cybersecurity Act, which again refers to information and communication infrastructure such as a computer system of either public or private entities that is essential for the maintenance of core societal functions including national security, public safety, or public utility infrastructure. A computer system in this context is considered to be a network and have information that is critical to national security and the public interest, and therefore must be protected from cyber threats by implementing cybersecurity standards issued by regulatory authorities.
b) CII Operators
Under Section 3 of the Cybersecurity Act, CII operators refer to any public or private entity responsible for information which is critical to national security and the public interest, such as banking, information technology, telecommunications, and transportation. CII operators are required to have cybersecurity measures that comply with the standards specified by their local regulators, the code of practice and other relevant authorities such as the NCSC and CSRC.
c) Operator of Essential Services
An operator of essential services is similar to a CII operator. Any public or private entity that provides a service that is essential for the maintenance of vital societal functions must have standard cybersecurity measures in place in order to cope with cybersecurity incidents.
d) Cloud Computing Services
Cloud computing services are not specifically defined in the Cybersecurity Act. These services, however, can be subject to the Cybersecurity Act as they can be categorized as information technology and telecommunications services, which are services relating to CII and therefore subject to the Cybersecurity Act.
e) Digital service providers
Digital service providers are not specifically defined in the Cybersecurity Act; however, similar to cloud computing services, these providers can be considered CII operators, as digital services fall within the classification of CII, and would therefore be subject to the Cybersecurity Act.
f) Other
The term “cyber threat” is a key definition in the implementation of the Cybersecurity Act, and refers to any illegal actions that use computers, network systems or offensive programs to cause or that are likely to cause an adverse impact on a computer, a computer network or data.
The Cybersecurity Act further elaborates on “cyber threat” by categorizing it into three levels, as follows:
(i) Non-critical – any threat that may negatively impact the performance of a CII Operator’s computer system or services provided by government entities;
(ii) Critical – any threat to a computer system or computer data that has significantly increased, with the intention of attacking CII relating to national infrastructure, national security, the economy, healthcare, international relations, governmental functions, etc., where such an attack would impair the provision of CII-related services; and
(iii) Crisis – any threat greater than a critical-level event, which may have a widespread impact such as causing the government to lose control of a computer system, or any threat that may lead to mass destruction, terrorism or an overthrow of the government.
Details of cyber threats as well as the preventive and mitigative measures employed for each level of cyber threat shall be further determined by the NCSC.
Requirements
a) Security Measures
Under Sections 44 and 56 of the Cybersecurity Act, each government entity, competent regulator and CII entity must have in place a code of practice, organizational measures and a cybersecurity framework that complies with prescribed cybersecurity minimum standards. The code of practice must at least cover cybersecurity risk identification and assessment performed by either an internal or external independent auditor at least once a year (which must be reported to the NCSC office within 30 days) and a cyber threat response plan.
CII entities must further provide monitoring mechanisms for cyber threats and cybersecurity incidents that threaten their CII according to standards as prescribed by the NCSC or CSRC. CII entities must also participate in cybersecurity testing organized by the NCSC in order to assess and ensure their readiness in responding to cyber threats.
b) Notification of Cybersecurity Incidents
There is an obligation to notify the competent regulatory authority in the event of a cybersecurity incident.
In the event of a cybersecurity incident involving the CII of either public or private entities, these entities must investigate all of their information, computer data and computer systems, including any circumstances related to the incident, in order to evaluate the cyber threat; respond to and mitigate the cyber threat following the measures under the code of practice and cybersecurity standards; and notify the NCSC office and the competent regulator of each entity involved in the cybersecurity incident.
A specific timeline for the notification is not addressed under the Cybersecurity Act. It does, however, include details on process and requirements, and a timeline for the notification may be prescribed by the CSRC in the future.
c) Registration with Regulatory Authority
There is no requirement to register with a regulatory authority. Under the Cybersecurity Act, the NCSC shall be responsible for designating entities which have services relating to CII, to be deemed as CII Operators, which shall be subject to obligations under the Cybersecurity Act. The criteria for making such designations shall be published in the Royal Gazette, which may be periodically revised as deemed necessary.
d) Appointment of a Security Officer
There is an obligation to appoint a security officer as prescribed under Section 46 of the Cybersecurity Act. Each government entity, competent regulator and CII entity must notify the names of its personnel at both management level and practitioner level to the NCSC office to coordinate cybersecurity matters. If there is a change of responsible personnel, this change must be notified to the NCSC office. However, no specific timeline for the notification is stipulated in the Cybersecurity Act.
e) Other Requirements
Under Section 52 of the Cybersecurity Act, for coordination purposes, CII operators are required to notify the names and contact details of owners, possessors and administrators of their computers and computer systems that have management-level control over the entity to the NCSC office, the competent regulator and the Computer Security Coordination Center within 30 days from the date the NCSC publishes criteria designating entities which have services relating to CII in the Royal Gazette. In the event of a change of owner, possessor or administrator, the notice must be sent to each responsible authority at least seven days prior to the change.
Penalties
CII operators that fail to report cybersecurity incidents to the NCSC office and their competent regulator, without reasonable cause, shall be subject to a maximum fine of THB 200,000.
Any person who refuses to provide information and documents required for the assessment of a cyber threat and its impacts, without reasonable cause, shall be subject to a maximum fine of THB 100,000.
During a critical-level threat, any owner, possessor, user or administrator of a computer or computer system who fails to monitor and/or verify the computer or computer system to search for defects or assess impacts from cyber threats as ordered by a competent officer shall be subject to a maximum fine of THB 300,000 and an additional daily fine of up to THB 10,000 until the order is complied with.
In addition, a failure to fix defects and/or eliminate undesirable programs, retain any computer or computer system for forensic purposes or access any computer or computer system to prevent a cyber threat as ordered by a competent officer shall be subject to imprisonment of up to one year and/or a maximum fine of THB 20,000.
During a critical-level threat, any person who obstructs or refuses a competent official access to information or premises and/or the seizure of computer systems, data and related equipment endeavoring to prevent and mitigate a cyber threat, without reasonable cause, shall be subject to imprisonment of up to three years and/or a maximum fine of THB 60,000.
Where the offender is a juristic person, any authorized person of that juristic person who is involved in the offense, either by performing unlawful actions or by failing to perform certain actions such that the juristic person commits an offense, shall also be subject to the above penalties.
The contents herein are for informational purposes only and should not be relied upon as legal advice. For more information, please contact John P. Formichella at john@fosrlaw.com.

Tuesday, August 6, 2019

Upcoming Digital Laws Thailand: Cybersecurity & Personal Data Protection

John P. Formichella

On 28 February 2019, a Personal Data Protection Bill and a Cybersecurity Bill were approved by the National Legislative Assembly. Subject to final approval by the King of Thailand, both bills will then be published in the Government Gazette before coming into effect as law, which is expected to happen within 2019. Owing to Thailand’s rapidly growing digital economy and society, the proposed bills aim to pave the way for the country to enforce legal safeguards that ensure national security in cyberspace, covering both private and public sector databases as well as the privacy of individuals’ personal data. According to the legislative intent, a strong cybersecurity stance is believed to be a key defense against cyber threats and unauthorized exploitation of networks, systems and technologies, which are mostly caused by human mistake or behavior. John Formichella, partner, Naytiwut Jamallsawat, senior associate, and Artima Brikshasri, associate, of Blumenthal Richter & Sumet, discuss herein the approach taken by, and the controversial issues surrounding, both the Cyber Security Bill and the Personal Data Protection Bill.

The balance of power under cybersecurity law

The operations of several public and private sectors are driven by computer systems and such organizations in Thailand are digitizing such systems. The information and communications over such computer systems, especially those of critical infrastructure entities (e.g. material public service, national security, transportation, information technology, telecommunications, public health, financial institutions, etc.) affect the maintenance of vital social functions, health, safety, security, and economy. The disruption to such information or communication systems shall be considered as “cyber threats” that may have serious consequences to its citizens as well as Thailand’s national security and economic systems.

The Cybersecurity Bill sets out obligations to both government agencies and critical infrastructure entities to draft and implement internal cybersecurity guidelines according to policy and action plans issued by the National Cyber Security Committee (NCSC), including a cybersecurity risk assessment plan, and obligation to notify the NCSC of any cyber threats. The Cybersecurity Bill defines “cyber threat” as any illegal actions that use computers, network systems, or programs to cause an adverse impact to a computer, a computer network or data.

The Cybersecurity Bill further broadens the definition and coverage of “cyber threat” by categorizing cyber threats into the following three levels. The definitions in this regard seem to focus mainly on the impact arising from the threat and its result, rather than the method or source of the action, which may come in any form, such as malware, phishing, or system hacking, etc.:

(i) Non-critical – any threat that may negatively impact the performance of a government computer system;

Impacting “performance” is not yet defined, given that the bill has not yet been implemented, but will likely be understood as a non-critical service level failure, such as a reduction in processing speed, which can be rectified by a standard maintenance action.

(ii) Critical – any threat to a government computer system relating to national infrastructure, national security, the economy, healthcare, international relations, the functions of government, etc., which may cause damage to and/or impair a government computer system; and

(iii) Crisis – any threat greater than a Critical level event, which may have widespread impact such as causing the government to lose control of a computer system, or an immediate threat to public order or national security that could lead to mass destruction, terrorism, war, or the overthrow of the government and/or the monarchy.

If an official believes that there is a Critical level threat, then such official is empowered, subject to judicial permission, to access information and facilities of private entities including seizure of computer systems, data, and related equipment to prevent such cyber threats. On the other hand, in case of a Crisis level, which in the opinion of a competent official requires an immediate response, such official shall be empowered to perform any act warranted as necessary to prevent or mitigate such threat without judicial permission. For example, an official is authorized to order a computer owner, possessor, or users relating to a cyber threat to rectify a cyber threat, terminate the use of a computer or computer system, or even enter private entities’ property and access data systems without having to obtain a court order. This Crisis level authority is at the center of debate amongst privacy advocates and there is suspicion of authoritative overreach.

Although such concerns are not without merit, it would be remiss for any government to ignore the increasing sophistication of machine learning, IoT botnets, etc. as challenges to cyber security. With the rapid advances in technology, governments cannot be idle in protecting cyberspace. According to an article dated 10 May 2019 in the Bangkok Post[1], a Thai cyber-security expert warned that Thailand “is now at considerable risk of seeing people’s personal data pilfered”.

To temper such concerns, the Cybersecurity Bill does require an official to report all information regarding his/her actions immediately to a relevant court. In practice, being able to act without judicial permission under Crisis level, which requires an immediate response, seems reasonable in order to prevent an unexpected impact from such high level threat. Yet, the freedom to act without judicial permission justifies privacy and legal due process concerns. As we will discuss herein, the process for reporting to the judiciary, although a form of oversight, is questionable in terms of its adequacy.

Failure of the private sector to comply with certain obligations to report cyber threats to the NCSC, or to provide information/documents requested for a cyber threat investigation, may result in a fine and/or imprisonment. For a juristic person offender, its directors, managers, or any person responsible for its operation may also face civil and/or criminal penalties. One point to keep in mind is that information discovered by an official under such circumstances may be shared with other government agencies for prosecution under any applicable laws such as banking, telecommunications, criminal, labour, the Computer Crimes Act, etc. Clearly there is an argument for advocates of due process and privacy that the Cybersecurity Bill does not adequately address issues of privacy and warranted search and seizure.

A clear issue with respect to due process is that although judicial review is required, the actions of an official under the Critical and Crisis levels are not subject to an adversarial hearing. In other words, an official only needs to report that his/her actions are justifiable, without any opportunity for a counterparty to challenge such claims.

Thus, in our opinion, a clearer definition of a Crisis level threat, as well as procedural guidelines, is fundamental to balancing the interests of national security, privacy, and due process.

Clarity of privacy rights under new personal data protection law

Privacy rights have become more significant in the digital age. Each person accepts to hand over his/her personal data, either willingly or unwillingly, to other persons or government agencies for several purposes including convenience, access to platforms, etc. In this regard, Thailand currently provides legal protection to certain types of personal data in specific areas such as confidentiality under the National Health Act and Financial Institution Business Act. However, such limited protection is not sufficient in the view of Thai authorities as personal data is spread through various channels, devices, and platforms. Therefore, the new Personal Data Protection Bill has been drawn up to directly govern the collection, storage, or use/processing of personal data, as part of the right to privacy prescribed under the Constitution of the Kingdom of Thailand.

Provisions under the bill mostly replicate the EU General Data Protection Regulation. According to the bill, the definition of personal data includes any data pertaining to a person, which enables the identification of such person. The basis of personal data protection is “consent” of a data owner. In this regard, a data controller is required to have consent to gather, use, disclose or alter of any personal data from data owner, either in writing or via electronic system, unless otherwise permitted by express law. Such consent on the use of personal data may be withdrawn at any time unless there is a restriction on withdrawal specified by law or by any contract which is beneficial to a data owner. Examples of a benefit to a data owner would be bank statements (so a data owner knows its financial information on its bank account), debt payment reminder (so late payment and additional interest won’t occur), etc.

However, there are exemptions to the consent requirement under certain circumstances. For example, if data needs to be collected in order to evaluate the data owner’s work credentials (such as an academic certificate), or provide services (such as a medical license), or financial information of employees (salary), which an employer is required to submit to the Social Security Office in order for employees to receive the Social Security benefits. At this point, it remains to be seen how extensive the authorities will interpret those exemption circumstances but believe the above examples will be put into practice.

In addition, a data owner must be adequately informed of the purposes of personal data collection as a condition to a data owner providing consent. Nevertheless, a data controller does not need to inform details and purposes of data collection to a data owner for his/her consent if he/she already knew the details and purposes of such data collection. The burden of proof in this regard is on the data controller. It follows that such collected personal data can be used or disclosed for approved purposes only. Non-compliance with such obligation will result with an administrative fine at the maximum of THB 1 million. Therefore, a data controller should adopt a cautious approach and take measures to inform a data owner as to the purposes(s) of data collection under any circumstances.     

Further, a data owner can request access to his/her personal data retained by a data controller, subject to the rules of access, which will later be prescribed by regulation. Any rejection of such a request is allowed only for legitimate purposes or for the protection of third party rights. A request for such access may affect personal data of third parties that is retained on the same platform, and also create a burden for the data controller. Therefore, the scope of “access” should be neither too broad nor too narrow, so as to strike a balance between a data owner’s privacy rights, a data controller’s obligations, and the protection of other third parties’ personal data.

Implementation of new digital laws

The Cyber Security Bill and Personal Data Protection Bill are quite new in Thailand. Subordinate regulations are also in the pipeline to supplement the implementation of these bills. Therefore, a grace period prior to promulgation will be provided for both business operators and government agencies to consider and implement internal systems and controls for compliance purposes.

The contents herein are for informational purposes only and should not be relied upon as legal advice. For more information please contact John Formichella at john@fosrlaw.com

Tuesday, July 30, 2019

Changes to the Thai Foreign Business Act with Certain Business Types Open to Foreign Operation

John P. Formichella
July 31, 2019

Naytiwut Jamallsawat contributed to the content of this article

According to the Thailand Foreign Business Act B.E. 2542 (FBA), there are 3 lists of business activities that govern foreign participation in Thai commerce:
List 1: Business Not Permitted to Foreigners
List 2: Business Permitted to Foreigners under Conditions
List 3: Business Not Yet Permitted to Foreigners

Lists 1, 2 and 3 of the Foreign Business Act in Thailand essentially cover nearly all economic sectors, with a few exceptions.
However, a recent Ministerial Regulation, issued on 13 June 2019, will open up certain types of services provided by foreign operators to their affiliates, which means that a Foreign Business License will not be required for a registered Thai company having majority foreign ownership.

Service businesses providing services to affiliates that do not require a Foreign Business License are as follows:

1. Providing Domestic Loan Services
2. Leasing Office Space with Utilities
3. Consulting Services in the following:

a. Administration
b. Marketing
c. Human Resources, or
d. Information Technology

Juristic persons with the following characteristics are regarded as “affiliates”:

1. juristic persons that have shareholder(s)/partner(s) who constitute more than half of the total number of shareholder(s)/partner(s) of each company transacting business together;

2. juristic persons that have shareholder(s)/partner(s) who own 25% or more of the share capital of one juristic person (Company A) and also own 25% or more of the share capital of another juristic person (Company B), where Company B is transacting business with Company A;

3. a juristic person that owns 25% or more of the share capital of another juristic person (again, assuming the juristic persons are engaging in a transaction with each other); or

4. juristic persons that have the same director(s)/partner(s) (who constitute a majority) with managerial authority. This would imply such persons have authorized director status under a Company Affidavit (for each company interacting in a transaction).

The regulation is relatively new, and it remains to be seen how it will be administered by the relevant authority, but it is to be expected that some creative structuring will result.

This article is for information purposes only and should not be relied upon as legal advice. For more information, please contact John P. Formichella at john@fosrlaw.com