Thailand’s Digital Law Landscape and What We Can Expect from the New Digital Economy Laws
There is a total of eight new draft laws ( the Digital Laws 4.0) introduced as part of the Thai Government’s new Digital Economy policy platform also known as Thailand 4.0. These include the newly drafted Personal Data Privacy Act together with revisions to the Computer Crimes Act ( CCA), the National Broadcasting and Telecommunications Business Act ( NBTA), and the Electronic Transactions Act. These proposed laws are still in varying stages of progress as they proceed through public hearings and expected enactment through the early part of this year.
Our review covers the current state of Thailand’s digital laws and considers the changes to be implemented by the draft bills and newly enacted laws as part of the Thailand 4.0 Digital Economy policy. ( Note: our discussion of any bills not yet enacted will be based on current drafts available).
The Ministry of Information and Communication Technology ( MICT) was formed in 2002 to centralize oversight and policy leadership over several government agencies including national statistics, software promotion, electronic transactions and e- commerce, postal services, and state- owned telecoms with the intent of providing an avenue for uniform, cooperative and expedited implementation of new digital economic policy across various industries which can benefit from new digital technologies.
The government launched Thailand 4.0 by enacting the Digital Economy Promotion Act which took effect in January 2017. This act closed the MICT and re- placed it with the Ministry of Digital Economy and Society ( MDES). This new MDES will have the same purview of government agencies as did the MICT, but with an expanded policy edict: to address not only “information technology implementation,” but also cover the development of economic and social aspects of digital technologies. The MDES will also include oversight of the new Digital Economy and Society Committee tasked with setting new policy and guidelines under Thailand 4.0, as well as the newly- formed Government Committee for Cyber- Security under the proposed Cybersecurity Act and the newly- revised Computer Crimes Act, both committees to be chaired by the Prime Minister.
Thailand has already passed several laws governing e- Commerce and the security of electronic transactions.
Thailand enacted the Electronic Transactions Act in 2001 which recognized electronic data messages ( such as e- mail) as legally binding for purposes ranging from contractual validity to courtroom evidence. In 2007, the Royal Decree on E- Government Transactions was enacted providing that all government agencies must have security and privacy policies in place to cover all aspects of their electronic services. This was followed by the Royal Decree Governing Control and Su-
pervision of Electronic Payment Service Business ( Electronic Payment Services Decree or EPSD) which went into effect in 2009. The EPSD introduced oversight of the electronic debit service business which, prior to this Royal Decree, was not addressed by any of the financial, credit card, or banking regulations that already existed. In 2010, a new Royal Decree on Security in Electronic Transactions was also enacted. This new law established three levels of security ( High, Intermediate, and Basic) with varying security protocols that must be met by operators according to each level. The new Royal Decree also identifies different business categories and addresses the security level applicable to each group for purposes of compliance with sufficient security protocols in electronic transactions.
New in 2017 are amendments to the Electronic Transactions Act which expand the binding effect of digital communications in transactions and as evidence, particularly to include “automated” electronic communications as binding notwithstand- ing the absence of human involvement – even in the case of two automated systems communicating with each other. It also further clarifies certain aspects of the methods required for verifying electronic communications. Finally, it expands the authority of the Electronic Transaction Development Agency ( ETDA) to initiate policy and oversee implementation of the law with extended powers of investigation, but subject to the continuing oversight of the Electronic Transactions Commission ( ETC).
Also of interest, the amended law grants express authority for the ETC to conduct its meetings electronically.
Presently, Thailand has no definitive law governing cryptocurrency such as Bitcoin. For the time being, the government has been obliged to apply the 70- year- old Exchange Control Act ( ECA) to govern this new crypto- currency technology. The ECA defines “currency” simply as “legal tender.” “Foreign currency” is even more interestingly defined as “legal tender in any country other than Thailand” which is seemingly inapplicable to Bitcoin since it is not associated with any single country. It can be treated as both domestic and foreign tender or neither, depending on the definition and its interpretation.
On December 12, 2013, the Bank of Thailand ( BOT) issued a formal statement concluding that bitcoin operations would not fall under the ECA provided that ( a) foreign currency is not received by any Thai operator in exchange for bitcoins ( regardless of whether the foreign currency is received within or without Thailand); ( b) bitcoins that are sold cannot be exchanged for foreign currency, either in Thailand or outside of Thailand; and ( c) Thai operators must not conduct any activity which will involve the exchange of foreign currency in any way.
The BOT statement refers only to issues on foreign currency exchange under the ECA-- other aspects of bitcoin use and development such as bitcoin mining and electronic payment processing are excluded from the statement’s purview.
However, the BOT also warned that to the extent bitcoin operations do fall within the ECA’S jurisdiction, a license would be required-- but that no regulatory process existed for granting such a license.
So, the BOT has implicitly taken the position that until the ECA is revised to add “bitcoin or crypto- currency” to its list of “foreign exchange”, bitcoin will not in and of itself be treated as a foreign means of payment.
None of the proposed Thailand 4.0 laws address bitcoin or cryptocurrency.
Thailand has no specific laws addressing financial technologies (‘ fintech’) such as peer- to- peer lending, crowdfunding, etc. Both the Bank of Thailand and the Thai Securities and Exchange Commission ( SEC) have initiated a regulatory ‘ sandbox’ for interested operators. This affords operators a safe environment for testing fintech products and services while cooperating with BOT and SEC to develop how future regulation may be implemented.
None of the proposed Thailand 4.0 laws address any regulation of fintech.
Government control over Thailand telecom services have been consolidated since 2001 under the National Broadcasting and Telecommunications Business Act or NBTA, first under a loosely constituted National Telecommunications Commission ( NTC) and then in 2010 under a stronger independent regulator renamed the National Broadcasting and Telecommunications Commission or NBTC.
As part of the Thailand 4.0 laws, the NBTA is being amended. It will consolidate the two NBTC boards ( one for Broadcasting and one for Telecom) into a single 7- person board. Nominations to the board will be screened by a committee made up of the president of the Supreme Court, the president of the Administrative Court, chairman of the National Anticorruption Commission, the Auditor General, the chairman of the National Human Rights Commission and the governor of the Bank of Thailand. Fourteen candidates will then be passed to the new MDES for final selection and then submitted for approval by the National Senate and the Prime Minister.
The new NBTA amendment also places the NBTC under the supervision of the MDES, once again centralizing control.
The NBTA amendment will also allocate funding from telecom auctions and licensing fees to a special fund from which the NBTC can draw to promote its agenda. The intention is to expedite future spectrum auctions by financially enabling the NBTC to pay compensation to existing licensees in order for the NBTC to reacquire frequencies. The NBTC contemplates doing precisely this in order to reacquire 2600 MHZ spectrum rights previously licensed to MCOT so as to expedite a 5G auction in June, 2017 — making Thailand the first ASEAN nation to adopt 5G.
Voice over IP ( VOIP)
The National Telecommunications Commission issued two notifications governing VOIP services operating within Thailand. The first in 2005 authorized all licensed internet service providers ( ISPS) to offer VOIP services as part of their ISP licensing— except for VOIP services that require new telephone numbers to be assigned. The only requirement was that the ISP notify the appropriate government authority of intention to offer such service. The second in 2007 applied to VOIP using newly- allocated telephone numbers, placing such services within the same application and licensing requirements as fixed line telephone services.
None of the proposed Thailand 4.0 laws address any further regulation of VOIP services.
Data privacy in Thailand had always been implemented through a patchwork of legal provisions incorporated into the laws for various sectors— e. g. financial, health, government, e- commerce, telecom, etc. The only general law providing for data privacy appeared in the Constitution.
The new 2017 Constitution does not change this— incorporating at Section 32 personal data privacy protection effectively identical to what existed in Section 35 of the 2007 Constitution. The 2017 Constitution also provides the same individual right to enforcement of privacy rights under Section 25 as had existed in Section 28 of the 2007 Constitution.
Draft Personal Data Protection Act
The newly proposed Personal Data Protection Act ( PDPA) is scheduled for enactment in the next month, to become legally effective by the beginning of 2018. This would be the first general law applicable to the protection of “personal data” — defined as data which directly or indirectly identifies a particular person.
The new PDPA provides much stricter notice and consent requirements, security protocols, and restrictions on the collection, use and disclosure of personal data. The draft law also provides for fines as high as Baht 2 million and possible imprisonment up to 3 years for violations of the law. The new law is modeled after similar European laws, and offers greater clarity as to what is required for proper legal consent as well as specifying the rights of data owners to review, and potentially withdraw their consent for continuing use of their personal data. Tied in with the changes to the Computer Crimes Act relating to spam, this new law will greatly reduce the use of personal data for uninvited marketing.
Finally, the new PDPA does expressly authorize the transfer of personal data across borders without any special consent provided it is necessary to accomplishing the approved purpose, and is to a country with equal or better data protection laws.
The Computer Crimes Act enacted in 2007 ( CCA) sought to address various unlawful conduct within the digital world from hacking to spam and apply rules for Internet Service Provider ( ISP) liability in cases of violations of law occurring on the internet. The CCA has already been amended as part of the Thailand 4.0 laws; the changes become effective on May 24, 2017. Fines and penalties under the new law remain the same except for an increased fine for spam.
Changes in ISP Liability
The CCA defines an ISP as ( 1) one who provides internet access or computer communication services; or ( 2) one who provides computer data storage.
MICT Notification ( 2007) expanded the definition of ISP to include basically everyone:
All entities within Thailand which offer internet access, computer communication, or data storage to their staff ( whether through their own servers or through third party services).
CCA Section 15 further prescribes that any service provider who “intentionally supports or gives consent” to the commission of the offences through computer systems under his control shall be liable to the same penalty as the offender. However, the MICT never provided guidance as to how “intentional support or consent” would be interpreted. This was a problem for commercial ISPS and public chat forums who could not easily track and/ or quickly remove unlawful content posted by users.
Part of the Royal Thai Government’s vision of Digital Thailand
In the 2012 case of the Office of the Public Prosecutor vs. Chiranuch Premchaiporn, the webmaster for the Prachatai. com public discussion forum was found guilty for violating CCA Section 15- not for posting unlawful content herself, but for not removing unlawful content posted by others.
In its decision, the Court focused exclusively on one post ( Exhibit J. 32), which remained up for twenty days before finally being removed. The Court found that twenty days was beyond what it thought was a “reasonable” time for the webmaster to identify and remove the unlawful content in this case. However, recognizing that there were no official guidelines, the Court suspended Ms. Chiranuch’s sentence.
The CCA Amendment now seeks to avoid similar confusion by providing a ‘ safe harbor’ of guidelines for ISPS and webmasters to follow that will entitle them to avoid prosecution for content posted by others. The specific terms defining such ‘ safe harbor’ will be part of ministerial regulations to be issued in the near future. Until these guidelines are issued, the Chiranuch Court’s 20- day maximum for removing unlawful content remains as the only reference for ISPS and webmasters to avoid being treated as “intentionally supporting or consenting” to the unlawful content posted by users.
The CCA already provided for prosecution of persons digitally publishing false information. However, the CCA Amendment now requires “dishonest or deceitful” intent as an element in committing the crime of publishing false data that causes public injury.
The original CCA provided only limited protection against uninvited digital marketing or ‘ spam.’ Spam was unlawful only if sent anonymously.
The CCA Amendment has added further restrictions. Spam senders must afford recipients an “easy” means for opting out of future spam. If they don’t or if they ignore such notice to opt- out, then senders may be liable for a fine up to Baht 200,000. The law also refers to future ministerial regulations that will provide further detail as to what would be deemed “easy” opt- out mechanisms.
Note further that the CCA always con- tained an extraterritorial enforcement provision at Section 17, which authorizes enforcement on Thai citizens operating abroad as well as against foreign citizens/ entities whose operations abroad have impact on Thailand’s government or its people. Thus, foreign ISPS or foreign persons who violate the CCA are equally susceptible to criminal prosecution in Thailand.
This has not been changed in the CCA Amendment.
In sum, the Thailand 4.0 laws have taken some significant steps toward filling in several gaps and clarifying ambiguities in Thailand’s digital law landscapes. Other gaps remain unaddressed; however, this is to be expected as technology advances at a faster pace than the laws which govern it. For business operators in Thailand, the new laws will combine further restrictions with further clarity. This means work to update systems, but with a much clearer objective as to what needs to be done.
John Fotiadis is a senior member and Panagiotis Fotiadis is a research assistant at Atherton Co., Ltd. John can be contacted at Johnf@ athertonlegal. com.