Thailand: New laws in cybersecurity & personal data protection
The Personal Data Protection Act (2019) ('the PDPA') and the Cybersecurity Act (2019) ('the Act') were approved by the National Assembly of Thailand on 28 February 2019. Following this development, both the PDPA and the Act were approved by the King of Thailand, and entered into force with their publication in the Government Gazette on 26 May 2019. John Paul Formichella, Naytiwut Jamallsawat, and Artima Brikshasri, of Blumenthal Richter & Sumet, discuss the key provisions of the PDPA and the Act, and the issues that may arise for entities in terms of compliance with the same.
As Thailand's digital economy and society are rapidly growing, the Act and the PDPA aim to pave the way for enforcing legal safeguards. In order to ensure national security in cyberspace, the Act and the PDPA cover both private and public sector databases, as well as the privacy of individuals' personal data. According to the legislative intent, a strong cybersecurity stance is believed to be a key defence against cyber threats and the unauthorised exploitation of networks, systems and technologies, which are often caused by human mistakes or behaviour.
The balance of power under the Act
The operations of many public and private sector organisations are driven by computer systems, and organisations in Thailand are digitising these operations. The information transferred and the communications conducted over such computer systems, especially those of critical infrastructure entities (e.g. public services, national security, transportation, information technology, telecommunications, public health, financial institutions, etc.), affect the maintenance of vital social functions, health, safety, security, and the economy. Disruptions to such information or communication systems shall be considered 'cyber threats' that may have serious consequences for citizens, as well as for Thailand's national security and economy.
The Act sets out obligations on both Government agencies and critical infrastructure entities to draft and implement internal cybersecurity guidelines, according to the policy and action plans issued by the National Cybersecurity Committee ('NCSC'), including a cybersecurity risk assessment plan, and an obligation to notify the NCSC of any cyber threats. The Act defines 'cyber threat' as any illegal action that uses computers, network systems, or programmes to cause an adverse impact to a computer, a computer network, or data.
The Act further defines and extends the coverage of 'cyber threat' by broadly categorising cyber threats into the following three levels:
- Non-critical: Any threat that may negatively impact the performance of a Government computer system. Impacting 'performance' is not yet defined, but it will likely be understood as a non-critical service level failure, such as a reduction of processing speeds which can be rectified by a standard maintenance action.
- Critical: Any threat to a Government computer system relating to national infrastructure, national security, the economy, healthcare, international relations, and the functions of the Government, etc., which may cause damage and/or impair a Government computer system.
- Crisis: Any threat greater than a 'critical' level event which may have a widespread impact, such as causing the Government to lose control of a computer system, or an immediate threat to public order, or national security, that could lead to mass destruction, terrorism, war, the overthrow of the Government and/or the monarchy.
The definitions in this regard seem to mainly focus on the impact arising from the threat and its result, rather than the method or source of the action, which may come in any form, such as malware, phishing, or system hacking, etc.
If an official believes that there is a 'critical' level threat, then they would be empowered, subject to judicial permission, to access the information and facilities of private entities, including the seizure of computer systems, data, and related equipment to prevent further such cyber threats. On the other hand, in the case of a 'crisis' level threat, which in the opinion of a competent official requires an immediate response, they would be empowered to perform any act deemed necessary to prevent or mitigate such a threat, without judicial permission. For example, an official is authorised to order the owner, possessor, or users of a computer connected with a cyber threat to rectify the cyber threat, to terminate the use of a computer or computer system, or even to enter private entities' property and access data systems, without having to obtain a court order. This 'crisis' level authority is at the centre of debate amongst privacy advocates, and there is suspicion that it could amount to an overreach of authority.
Although such concerns are not without merit, it would be remiss for any government to ignore, for example, the increasing sophistication of machine learning and of Internet of Things botnets as challenges to cybersecurity. With the rapid advances in technology, governments cannot be idle in their measures to protect cyberspace. According to an article dated 10 May 2019 in the Bangkok Post, a Thai cybersecurity expert warned that Thailand is 'now at considerable risk of seeing people's personal data pilfered.'
To temper such concerns, the Act does require an official to report all information regarding his or her actions immediately to the relevant court. In practice, being able to act without judicial permission at the 'crisis' level, which requires an immediate response, seems reasonable in order to prevent an unexpected impact from such a high-level threat. Yet the freedom to act without judicial permission gives rise to legitimate privacy and legal due process concerns. As discussed herein, the process for reporting to the judiciary, although a form of oversight, is questionable in terms of its adequacy.
Failure of the private sector to comply with certain obligations to report cyber threats to the NCSC, or to provide information or documents that have been specifically requested for a cyber threat investigation, may result in a fine and/or imprisonment. A corporate entity offender, and its directors, managers, or any person responsible for its operation, may also face civil and/or criminal penalties. One point to keep in mind is that information discovered by an official under such circumstances may be shared with other Government agencies for prosecution under any applicable laws in areas such as banking, telecommunications, criminal law, labour, or the Computer Crime Act (2017), etc. Clearly there is an argument, for advocates of due process and privacy, that the Act does not adequately address issues of privacy and warranted search and seizure.
A clear issue with respect to due process is that, although judicial review is required, the action of an official at the 'critical' and 'crisis' levels is not subject to an adversarial hearing. In other words, at such levels an official only needs to report his or her actions, and those actions are treated as justified without any opportunity for a counterparty to challenge them.
Thus, in our opinion, a clearer definition of a 'crisis' level threat, as well as procedural guidelines, is fundamental to balancing the interests of national security, privacy, and due process.
Clarity of privacy rights under the PDPA
Privacy rights have become more significant in the digital age. Each person hands over his or her personal data, either willingly or unwillingly, to other persons or government agencies for several purposes, including convenience, access to platforms, etc. In this regard, Thailand currently provides legal protection to certain types of personal data in specific areas, such as confidentiality under the National Health Act (2007) and the Financial Institution Business Act (2018). However, such limited protections are not sufficient in the view of Thailand's authorities, as personal data is spread through various channels, devices, and platforms. Therefore, the PDPA has been drawn up to directly govern the collection, storage, use and processing of personal data, as part of the right to privacy prescribed under the Constitution of the Kingdom of Thailand (2017).
The PDPA mostly replicates the EU's General Data Protection Regulation (Regulation (EU) 2016/679). According to the PDPA, the definition of personal data includes any data pertaining to a person which enables the identification of that person. The basis of personal data protection is the consent of the data owner. In this regard, a data controller is required to obtain consent from the data owner, either in writing or via an electronic system, to gather, use, disclose or alter any of the personal data, unless otherwise expressly permitted by law. Such consent to the use of personal data may be withdrawn at any time, unless there is a restriction on withdrawal specified by law, or by a contract which is beneficial to the data owner. Two examples of benefits to the data owner would be bank statements (so the data owner is aware of their financial information and the status of their bank account) and receiving a debt payment reminder (so late payment and additional interest will not occur).
However, there are exemptions to the consent requirement under certain circumstances. For example, data may need to be collected in order to evaluate the data owner's work credentials (such as an academic certificate) or services (such as a medical licence), or the financial information of employees (their salary), which an employer is required to submit to the Social Security Office in order for employees to receive social security benefits. At this point, it remains to be seen how broadly the authorities will interpret those exemption circumstances, but it is thought that the above examples will be put into practice.
In addition, data owners must be adequately informed of the purposes for which their personal data is collected as a condition of their providing consent. Nevertheless, a data controller does not need to inform the data owner of the details and purposes of data collection when seeking his or her consent if the data owner already knew those details and purposes. The burden of proof in this regard is on the data controller. It follows that such collected personal data can be used or disclosed for the approved purposes only. Non-compliance with this obligation would result in an administrative fine of up to THB 1 million (approx. €28,056). Therefore, data controllers should adopt a cautious approach and take measures to inform data owners of the purpose(s) of data collection under all circumstances.
Further, a data owner can request access to his or her personal data that has been retained by a data controller, subject to rules of access which will later be prescribed by further regulation. Rejection of such a request is allowed only for legitimate purposes, or for the protection of third party rights. A request for such access may affect the personal data of third parties that is retained on the same platform, and may also create a burden for the data controller. Therefore, the scope of access should be neither too broad nor too narrow, so as to balance the data owner's privacy rights against the data controller's obligations, as well as the protection of other third parties' personal data.
The Act and the PDPA are very new in Thailand. Subordinate regulations are also in the pipeline to supplement the implementation of the same.