The interplay between Data Privacy Law and Cybersecurity Laws – Thailand
1. Legal framework
There are differences between ‘cybersecurity,’ ‘data protection,’ and ‘cybercrime’ under Thai law, as follows:
- ‘Cybersecurity’ is defined as any measure or procedure established to prevent, address, or mitigate the risk of cyber threats from inside and outside Thailand, which may affect national security, economic security, martial security, or public order. ‘Cyber threats’ in this regard refers to any illegal actions that use computers, network systems, or offensive programs to cause or threaten to harm a computer, computer network, or data.
- ‘Data protection’ refers to protecting an individual’s privacy and personal information from unauthorized processing. ‘Personal information’ refers to any data of a living person that may be used to identify that person directly or indirectly.
- ‘Cybercrime’ is importing, disseminating, or forwarding any illegal data, electronic data, statements, instructions, or output that may be processed by a computer system in or from a computer system. ‘Illegal data’ in this regard include pornography, gambling, lèse-majesté (i.e., insulting the monarchy), and infringement of intellectual property or national security.
The key statutes that address cyber in Thailand are:
- the Cybersecurity Act BE 2562 (2019),
- the Personal Data Protection Act BE 2562 (2019), and
- the Computer Crime Act BE 2550 (2007), as amended in 2017.
The Cybersecurity Act applies to both public and private sector entities that:
- Own information and communication infrastructure, which is integral to the maintenance of vital societal functions, otherwise known as critical information infrastructure (CII), and
- Are engaged in the following services:
  - National security.
  - Material public service.
  - Banking and finance.
  - Information technology and telecommunications.
  - Transportation and logistics.
  - Energy and public utilities.
  - Public health, or
  - Other areas that the relevant cybersecurity authority may further prescribe.
2. Proactive cyber compliance
Over time, some industries have developed best practices or standards for proactive cyber compliance. However, any business responsible for information critical to national security and the public interest – such as banking, information technology, telecommunications, and transportation – is considered a critical information infrastructure (CII) entity. A CII entity is subject to cybersecurity measure requirements under the new Cybersecurity Act, published in 2019.
Under the Cybersecurity Act, each CII entity – including government entities and competent regulators – must have in place a code of practice that at least covers the following:
- Cybersecurity risk identification and assessment, performed by either an internal or external independent auditor at least annually (which must be reported to the relevant authority within 30 days); and
- A cyber threat response plan.
In addition to the Cybersecurity Act, a service provider – subject to its obligations under the Computer Crime Act – must use demonstrable ‘best efforts’ to ensure that illegal computer data is not imported, disseminated, or forwarded on its system or network. Furthermore, a service provider may develop and enforce user-protective industry measures. For example, a service provider may set a written policy to which users must agree (like a click agreement), confirming that they will not import, store, or transmit any content that may be regarded as illegal computer data under the Computer Crime Act. If a service provider finds such data on its computer systems or networks, it reserves the right to block, delete or remove such content accordingly. A service provider can also make a complaint form or takedown notice to ensure it is exempt from liabilities for cybercrime offenses that may be committed on its system or network.
Also, if a service provider is considered a data controller, it must have in place appropriate security measures to prevent the unauthorized or unlawful loss, access, use, revision, or disclosure of customers’ personal data on its system or network. Such measures must comply with the minimum standard stipulated by the Personal Data Protection Committee (which still needs to be published). In addition, such measures must be reviewed when necessary or when technology changes to efficiently maintain appropriate security and safety.
As of the date of this writing, governmental entities still need to issue voluntary guidance or similar instruments on the issue of proactive cyber compliance.
Corporate officers and directors have no direct or personal legal duties concerning proactive cyber compliance. However, upon request, such officers and directors must follow the order(s) of, and cooperate with, the relevant authority to benefit cybersecurity and prevent cybercrime and data breaches.
The authorities have vast discretion in considering whether there is a basis to suspect the commission of an offense, as any activity that may cause damage to national security, the economy, or public infrastructure may constitute grounds for the commission of cyber-related crimes.
Companies must ensure that sharing details of actual or potential cybersecurity threats or cyber-intelligence information (relevant to personal data) with other industries or stakeholders is based on either the data subject’s consent or the legal grounds set out below.
Under the Personal Data Protection Act, the processing of personal data requires the explicit consent of the data subject before or at the time of data collection, unless otherwise permitted, based on the following grounds:
- Archiving historical research or statistical purposes (with appropriate security measures).
- Preventing or suppressing damage to the data subject’s life, body, or health or a third party (vital interests).
- Performing a contract to which the data subject is a party or responding to a data subject’s request before entering into a contract.
- Performing a task carried out in the public interest or the exercise of an official right vested in the data controller (usually in the case of public authorities).
- Acting per the legitimate interests of the data controller or other third parties, but only to the extent that such interests do not override the data subject’s fundamental rights; or
- Complying with a data controller’s legal obligations.
3. Cyber-incident response
Under the Cybersecurity Act, any cyber incident involving information critical to national security and the public interest – such as banking, information technology, telecommunications, and transportation (i.e., critical information infrastructure (CII) information) – is subject to the notification requirement. A ‘cyber incident’ in this regard includes any illegal activity that uses computers, network systems, or offensive programs to cause or threaten to harm a computer, computer network, or data, which may be categorized into three levels of threat, as follows:
- Non-critical: Any threat that may negatively impact the performance of a CII entity’s computer system or services provided by government entities.
- Critical: Any threat to a computer system or computer data that is significantly increased to attack CII relating to national infrastructure, national security, the economy, healthcare, international relations, governmental functions, or similar, where such an attack would impair the provision of CII-related services; and
- Crisis: Any threat more significant than a critical-level event that may have a widespread impact, such as causing the government to lose control of a computer system; or any threat that may lead to mass destruction, terrorism, or the overthrow of the government.
Further details of the above incidents and the preventive and mitigative measures employed for each level of incident will be determined by the National Cyber Security Committee (NCSC).
Personal data breach incidents are subject to the notification requirement under the Personal Data Protection Act. A ‘personal data breach incident’ refers to the unauthorized or unlawful processing (e.g., use, collection, revision, deletion, or disclosure) of personal data of any person without their consent or a legal basis (please see question 4.5).
The Cybersecurity Act prescribes that any actual or potential cyber threats to CII (at any level) under the responsibility of either public or private entities (‘CII entities’) must be promptly notified to the NCSC and the competent regulators, with no exceptions or safe harbor provided. No specific format and timeframe for notification are prescribed under the Cybersecurity Act. CII entities that suffer from a cyber incident are not obliged to provide services, compensation, or specific information to individuals who are subsequently affected. Any failure of CII entities to report cyber incidents to the NCSC and the competent regulators without reasonable cause shall result in a maximum fine of THB 200,000.
In the case of a cyber incident relating to a breach of an individual’s personal data, the data controller must notify the incident to the Personal Data Protection Office without undue delay and, where feasible, within 72 hours of learning of the breach. In addition, if the incident is considered a severe breach that results in a significant risk to the data subject’s rights, then the data subject must also be informed of the incident and any remedial measures without delay. Further details of the notification requirement and its exemption will be issued by the Personal Data Protection Committee (PDPC). Where a data processor processes personal data on behalf of a data controller, the Personal Data Protection Act requires only that such data processors inform the data controller of any breach of an individual’s personal data.
Given the relative infancy of the Thai cyber statutes, the requirements for companies to respond to cyber incidents have yet to be specified under the Cybersecurity Act and the Personal Data Protection Act. Therefore, details of such conditions are subject to the subordinate regulations that the relevant authorities will issue in the future.
Subject to the Cybersecurity Act, upon discovering actual or potential cyber threats, CII entities must examine all their information, computer data, computer systems, and surrounding circumstances to assess the level of the cyber threat. After conducting this examination, CII entities must respond to and mitigate discovered cyber threats in compliance with the Code of Practice and inform the NCSC and the competent regulators accordingly. However, further details and requirements of the Code of Practice, including the risk assessment and cyber threat response plan, have yet to be published as of the date of writing (see question 4.1).
Companies considered data controllers must respond to cyber incidents (e.g., unauthorized or unlawful loss, access, use, revision, or disclosure of personal data) in compliance with the appropriate security measures. The security measures in this regard must comply with the minimum standards stipulated by the PDPC (which still need to be published).
Under the Computer Crime Act, a service provider company must remove or revise any unlawful data (e.g., pornography, gambling, lèse-majesté, infringement of intellectual property, or national security) on its platform or system. A service provider must block its circulation within a specified timeframe upon receiving a user complaint. In addition, a service provider must delete or block the dissemination of unlawful computer data or websites as requested by the PDPC.
4. Trends and predictions
As Thailand’s digital economy and society grow, cyber statutes have recently been published and updated to introduce and enforce new legal safeguards. These safeguards aim to ensure national security in cyberspace and cover private and public sector databases and individuals’ personal data privacy. In addition, the cyber statutes highlight the importance of a robust cybersecurity stance as a critical defense against cyber threats and the unauthorized exploitation of networks, systems, and technologies, mainly caused by human actions.
As the Thai cyber statutes are relatively new, however, further rules and procedures for their implementation have yet to be prescribed; for the time being, this has mainly been left to the discretion of the responsible authorities. Nevertheless, subordinate regulations are in the pipeline to supplement the implementation of cyber statutes. For example, subject to the Personal Data Protection Act, guidelines on the minimum security measures that a data controller must implement in its business – including a requirement on cross-border data transfers – will be further published by the Personal Data Protection Committee. In addition, in the case of the Cybersecurity Act, the scope of cyber threat levels and the response plan of critical information infrastructure entities for each level will be prescribed by the National Cyber Security Committee in the future.
As the requirements of responsible authorities will likely affect the operations in several sectors (e.g., banking, information technology, telecommunications, transportation), affected companies would be well advised to follow up regularly to ensure compliance with legal requirements and avoid the imposition of penalties.
5. What to watch out for
We believe that Thailand’s top three cyber-related problems or challenges are as follows:
Implementation of the Personal Data Protection Act: Companies must spend time and effort monitoring forthcoming privacy requirements, which will be further prescribed under the Personal Data Protection Act in the future (although no specific timelines have been indicated in this regard). Therefore, privacy policies that have been adopted will be subject to further revision as and when such requirements are updated. It is a time-consuming and cost-intensive process that may affect their business operation. In addition, failure to comply with such requirements (either intentionally or through negligence) may result in penalties such as imprisonment or fines.
In implementing the Personal Data Protection Act, companies should regularly follow up on all future requirements introduced concerning personal data protection. In addition, a preliminary meeting with the Personal Data Protection Committee at the Ministry of Digital Economy and Society should be considered to better understand the implementation of the act and guidelines.
Lack of security awareness: The introduction of new technology (e.g., smart devices, electronic payment systems, robots, embedded Internet of Things technology, big data, analytics) in businesses within a short timeframe may present significant cybersecurity challenges, especially for small companies. Companies may need more security measures and skilled professionals to handle their new technologies. In addition, they may need to be more aware of the risk of being targeted by cyber-attacks due to the size of their businesses. According to the Electronic Transactions Development Agency, about 87% of companies in 2015 experienced data or monetary loss due to cyber-attacks, which can debilitate companies’ business security and erode customer trust.
Companies should consider cybersecurity at all stages of their organizational planning, software design, and network set-up. But, first, companies and their responsible personnel must identify and examine potential cyber incidents that may affect their businesses. Appropriate and effective security measures – specified either by the companies themselves or by the cyber statutes – must then be implemented to prevent and mitigate such incidents and support the technological transformation of such businesses.
Cloud computing attacks: The increased use of cloud computing results in increased involvement of national and international third-party software and services vendors. In this regard, company data – including that of their customers – may be at risk of unauthorized use, access, and disclosure.
Companies should address this issue by strengthening their internal security and authentication procedures. In addition, the number of personnel who can access data should be limited. Finally, in the case of agreements with third-party vendors, companies must ensure that the security measures of such vendors meet the minimum requirements as generally implemented within their business, including any legal requirements.
The material herein is for general purposes only and should not be relied upon as legal advice.
© Formichella & Sritawat