Thai­land’s Dig­i­tal Law Land­scape and What We Can Ex­pect from the New Dig­i­tal Econ­omy Laws

Thai-American Business (T-AB) Magazine - - Content - Writ­ten by: John Fo­tiadis and Pana­gi­o­tis Fo­tiadis

There is a to­tal of eight new draft laws ( the Dig­i­tal Laws 4.0) in­tro­duced as part of the Thai Gov­ern­ment’s new Dig­i­tal Econ­omy pol­icy plat­form also known as Thai­land 4.0. These in­clude the newly drafted Per­sonal Data Pri­vacy Act to­gether with re­vi­sions to the Com­puter Crimes Act ( CCA), the Na­tional Broad­cast­ing and Telecom­mu­ni­ca­tions Busi­ness Act ( NBTA), and the Elec­tronic Trans­ac­tions Act. These pro­posed laws are still in vary­ing stages of progress as they pro­ceed through public hear­ings and ex­pected en­act­ment through the early part of this year.

Our re­view cov­ers the cur­rent state of Thai­land’s dig­i­tal laws and con­sid­ers the changes to be im­ple­mented by the draft bills and newly en­acted laws as part of the Thai­land 4.0 Dig­i­tal Econ­omy pol­icy. ( Note: our dis­cus­sion of any bills not yet en­acted will be based on cur­rent drafts avail­able).


The Min­istry of In­for­ma­tion and Com­mu­ni­ca­tion Tech­nol­ogy ( MICT) was formed in 2002 to cen­tral­ize over­sight and pol­icy lead­er­ship over sev­eral gov­ern­ment agen­cies in­clud­ing na­tional sta­tis­tics, soft­ware pro­mo­tion, elec­tronic trans­ac­tions and e- com­merce, postal ser­vices, and state- owned tele­coms with the in­tent of pro­vid­ing an av­enue for uni­form, co­op­er­a­tive and ex­pe­dited im­ple­men­ta­tion of new dig­i­tal eco­nomic pol­icy across var­i­ous in­dus­tries which can ben­e­fit from new dig­i­tal tech­nolo­gies.

The gov­ern­ment launched Thai­land 4.0 by en­act­ing the Dig­i­tal Econ­omy Pro­mo­tion Act which took ef­fect in Jan­uary 2017. This act closed the MICT and re- placed it with the Min­istry of Dig­i­tal Econ­omy and So­ci­ety ( MDES). This new MDES will have the same purview of gov­ern­ment agen­cies as did the MICT, but with an ex­panded pol­icy edict: to ad­dress not only “in­for­ma­tion tech­nol­ogy im­ple­men­ta­tion,” but also cover the de­vel­op­ment of eco­nomic and so­cial as­pects of dig­i­tal tech­nolo­gies. The MDES will also in­clude over­sight of the new Dig­i­tal Econ­omy and So­ci­ety Com­mit­tee tasked with set­ting new pol­icy and guide­lines un­der Thai­land 4.0, as well as the newly- formed Gov­ern­ment Com­mit­tee for Cy­ber- Se­cu­rity un­der the pro­posed Cy­ber­se­cu­rity Act and the newly- re­vised Com­puter Crimes Act, both com­mit­tees to be chaired by the Prime Min­is­ter.


Thai­land has al­ready passed sev­eral laws gov­ern­ing e- Com­merce and the se­cu­rity of elec­tronic trans­ac­tions.

Thai­land en­acted the Elec­tronic Trans­ac­tions Act in 2001 which rec­og­nized elec­tronic data mes­sages ( such as e- mail) as legally bind­ing for pur­poses rang­ing from con­trac­tual va­lid­ity to court­room ev­i­dence. In 2007, the Royal De­cree on E- Gov­ern­ment Trans­ac­tions was en­acted pro­vid­ing that all gov­ern­ment agen­cies must have se­cu­rity and pri­vacy poli­cies in place to cover all as­pects of their elec­tronic ser­vices. This was fol­lowed by the Royal De­cree Gov­ern­ing Con­trol and Su-

per­vi­sion of Elec­tronic Pay­ment Ser­vice Busi­ness ( Elec­tronic Pay­ment Ser­vices De­cree or EPSD) which went into ef­fect in 2009. The EPSD in­tro­duced over­sight of the elec­tronic debit ser­vice busi­ness which, prior to this Royal De­cree, was not ad­dressed by any of the fi­nan­cial, credit card, or bank­ing reg­u­la­tions that al­ready ex­isted. In 2010, a new Royal De­cree on Se­cu­rity in Elec­tronic Trans­ac­tions was also en­acted. This new law es­tab­lished three lev­els of se­cu­rity ( High, In­ter­me­di­ate, and Ba­sic) with vary­ing se­cu­rity pro­to­cols that must be met by op­er­a­tors ac­cord­ing to each level. The new Royal De­cree also iden­ti­fies dif­fer­ent busi­ness cat­e­gories and ad­dresses the se­cu­rity level ap­pli­ca­ble to each group for pur­poses of com­pli­ance with suf­fi­cient se­cu­rity pro­to­cols in elec­tronic trans­ac­tions.

New in 2017 are amend­ments to the Elec­tronic Trans­ac­tions Act which ex­pand the bind­ing ef­fect of dig­i­tal com­mu­ni­ca­tions in trans­ac­tions and as ev­i­dence, par­tic­u­larly to in­clude “au­to­mated” elec­tronic com­mu­ni­ca­tions as bind­ing notwith­stand- ing the ab­sence of hu­man in­volve­ment – even in the case of two au­to­mated sys­tems com­mu­ni­cat­ing with each other. It also fur­ther clar­i­fies cer­tain as­pects of the meth­ods re­quired for ver­i­fy­ing elec­tronic com­mu­ni­ca­tions. Fi­nally, it expands the au­thor­ity of the Elec­tronic Trans­ac­tion De­vel­op­ment Agency ( ETDA) to ini­ti­ate pol­icy and over­see im­ple­men­ta­tion of the law with ex­tended pow­ers of in­ves­ti­ga­tion, but sub­ject to the con­tin­u­ing over­sight of the Elec­tronic Trans­ac­tions Com­mis­sion ( ETC).

Also of in­ter­est, the amended law grants ex­press au­thor­ity for the ETC to con­duct its meet­ings elec­tron­i­cally.


Presently, Thai­land has no de­fin­i­tive law gov­ern­ing cryp­tocur­rency such as Bitcoin. For the time be­ing, the gov­ern­ment has been obliged to ap­ply the 70- year- old Ex­change Con­trol Act ( ECA) to govern this new crypto- cur­rency tech­nol­ogy. The ECA de­fines “cur­rency” sim­ply as “le­gal ten­der.” “For­eign cur­rency” is even more in­ter­est­ingly de­fined as “le­gal ten­der in any coun­try other than Thai­land” which is seem­ingly in­ap­pli­ca­ble to Bitcoin since it is not as­so­ci­ated with any sin­gle coun­try. It can be treated as both do­mes­tic and for­eign ten­der or nei­ther, de­pend­ing on the def­i­ni­tion and its in­ter­pre­ta­tion.

On De­cem­ber 12, 2013, the Bank of Thai­land ( BOT) is­sued a for­mal state­ment con­clud­ing that bitcoin op­er­a­tions would not fall un­der the ECA pro­vided that ( a) for­eign cur­rency is not re­ceived by any Thai op­er­a­tor in ex­change for bit­coins ( re­gard­less of whether the for­eign cur­rency is re­ceived within or with­out Thai­land); ( b) bit­coins that are sold can­not be ex­changed for for­eign cur­rency, ei­ther in Thai­land or out­side of Thai­land; and ( c) Thai op­er­a­tors must not con­duct any ac­tiv­ity which will in­volve the ex­change of for­eign cur­rency in any way.

The BOT state­ment refers only to is­sues on for­eign cur­rency ex­change un­der the ECA-- other as­pects of bitcoin use and de­vel­op­ment such as bitcoin min­ing and elec­tronic pay­ment pro­cess­ing are ex­cluded from the state­ment’s purview.

How­ever, the BOT also warned that to the ex­tent bitcoin op­er­a­tions do fall within the ECA’S ju­ris­dic­tion, a li­cense would be re­quired-- but that no reg­u­la­tory process ex­isted for grant­ing such a li­cense.

So, the BOT has im­plic­itly taken the po­si­tion that un­til the ECA is re­vised to add “bitcoin or crypto- cur­rency” to its list of “for­eign ex­change”, bitcoin will not in and of it­self be treated as a for­eign means of pay­ment.

None of the pro­posed Thai­land 4.0 laws ad­dress bitcoin or cryp­tocur­rency.


Thai­land has no spe­cific laws ad­dress­ing fi­nan­cial tech­nolo­gies (‘ fin­tech’) such as peer- to- peer lend­ing, crowd­fund­ing, etc. Both the Bank of Thai­land and the Thai Se­cu­ri­ties and Ex­change Com­mis­sion ( SEC) have ini­ti­ated a reg­u­la­tory ‘ sand­box’ for in­ter­ested op­er­a­tors. This af­fords op­er­a­tors a safe en­vi­ron­ment for test­ing fin­tech prod­ucts and ser­vices while co­op­er­at­ing with BOT and SEC to de­velop how fu­ture reg­u­la­tion may be im­ple­mented.

None of the pro­posed Thai­land 4.0 laws ad­dress any reg­u­la­tion of fin­tech.


Gov­ern­ment con­trol over Thai­land tele­com ser­vices have been con­sol­i­dated since 2001 un­der the Na­tional Broad­cast­ing and Telecom­mu­ni­ca­tions Busi­ness Act or NBTA, first un­der a loosely con­sti­tuted Na­tional Telecom­mu­ni­ca­tions Com­mis­sion ( NTC) and then in 2010 un­der a stronger in­de­pen­dent reg­u­la­tor re­named the Na­tional Broad­cast­ing and Telecom­mu­ni­ca­tions Com­mis­sion or NBTC.

As part of the Thai­land 4.0 laws, the NBTA is be­ing amended. It will con­sol­i­date the two NBTC boards ( one for Broad­cast­ing and one for Tele­com) into a sin­gle 7- per­son board. Nom­i­na­tions to the board will be screened by a com­mit­tee made up of the pres­i­dent of the Supreme Court, the pres­i­dent of the Ad­min­is­tra­tive Court, chair­man of the Na­tional An­ti­cor­rup­tion Com­mis­sion, the Au­di­tor Gen­eral, the chair­man of the Na­tional Hu­man Rights Com­mis­sion and the gov­er­nor of the Bank of Thai­land. Four­teen can­di­dates will then be passed to the new MDES for fi­nal se­lec­tion and then sub­mit­ted for ap­proval by the Na­tional Se­nate and the Prime Min­is­ter.

The new NBTA amend­ment also places the NBTC un­der the su­per­vi­sion of the MDES, once again cen­tral­iz­ing con­trol.

The NBTA amend­ment will also al­lo­cate fund­ing from tele­com auc­tions and li­cens­ing fees to a spe­cial fund from which the NBTC can draw to pro­mote its agenda. The in­ten­tion is to ex­pe­dite fu­ture spec­trum auc­tions by fi­nan­cially en­abling the NBTC to pay com­pen­sa­tion to ex­ist­ing li­censees in or­der for the NBTC to reac­quire fre­quen­cies. The NBTC con­tem­plates do­ing pre­cisely this in or­der to reac­quire 2600 MHZ spec­trum rights pre­vi­ously li­censed to MCOT so as to ex­pe­dite a 5G auc­tion in June, 2017 — mak­ing Thai­land the first ASEAN na­tion to adopt 5G.

Voice over IP ( VOIP)

The Na­tional Telecom­mu­ni­ca­tions Com­mis­sion is­sued two no­ti­fi­ca­tions gov­ern­ing VOIP ser­vices op­er­at­ing within Thai­land. The first in 2005 au­tho­rized all li­censed in­ter­net ser­vice providers ( ISPS) to of­fer VOIP ser­vices as part of their ISP li­cens­ing— ex­cept for VOIP ser­vices that re­quire new tele­phone num­bers to be as­signed. The only re­quire­ment was that the ISP no­tify the ap­pro­pri­ate gov­ern­ment au­thor­ity of in­ten­tion to of­fer such ser­vice. The sec­ond in 2007 ap­plied to VOIP us­ing newly- al­lo­cated tele­phone num­bers, plac­ing such ser­vices within the same ap­pli­ca­tion and li­cens­ing re­quire­ments as fixed line tele­phone ser­vices.

None of the pro­posed Thai­land 4.0 laws ad­dress any fur­ther reg­u­la­tion of VOIP ser­vices.


Data pri­vacy in Thai­land had al­ways been im­ple­mented through a patch­work of le­gal pro­vi­sions in­cor­po­rated into the laws for var­i­ous sec­tors— e. g. fi­nan­cial, health, gov­ern­ment, e- com­merce, tele­com, etc. The only gen­eral law pro­vid­ing for data pri­vacy ap­peared in the Con­sti­tu­tion.

The new 2017 Con­sti­tu­tion does not change this— in­cor­po­rat­ing at Sec­tion 32 per­sonal data pri­vacy pro­tec­tion ef­fec­tively iden­ti­cal to what ex­isted in Sec­tion 35 of the 2007 Con­sti­tu­tion. The 2017 Con­sti­tu­tion also pro­vides the same in­di­vid­ual right to en­force­ment of pri­vacy rights un­der Sec­tion 25 as had ex­isted in Sec­tion 28 of the 2007 Con­sti­tu­tion.

Draft Per­sonal Data Pro­tec­tion Act

The newly pro­posed Per­sonal Data Pro­tec­tion Act ( PDPA) is sched­uled for en­act­ment in the next month, to be­come legally ef­fec­tive by the be­gin­ning of 2018. This would be the first gen­eral law ap­pli­ca­ble to the pro­tec­tion of “per­sonal data” — de­fined as data which di­rectly or in­di­rectly iden­ti­fies a par­tic­u­lar per­son.

The new PDPA pro­vides much stricter no­tice and con­sent re­quire­ments, se­cu­rity pro­to­cols, and re­stric­tions on the col­lec­tion, use and dis­clo­sure of per­sonal data. The draft law also pro­vides for fines as high as Baht 2 mil­lion and pos­si­ble im­pris­on­ment up to 3 years for vi­o­la­tions of the law. The new law is mod­eled af­ter sim­i­lar Euro­pean laws, and of­fers greater clar­ity as to what is re­quired for proper le­gal con­sent as well as spec­i­fy­ing the rights of data own­ers to re­view, and po­ten­tially with­draw their con­sent for con­tin­u­ing use of their per­sonal data. Tied in with the changes to the Com­puter Crimes Act re­lat­ing to spam, this new law will greatly re­duce the use of per­sonal data for un­in­vited mar­ket­ing.

Fi­nally, the new PDPA does ex­pressly au­tho­rize the trans­fer of per­sonal data across bor­ders with­out any spe­cial con­sent pro­vided it is nec­es­sary to ac­com­plish­ing the ap­proved pur­pose, and is to a coun­try with equal or bet­ter data pro­tec­tion laws.


The Com­puter Crimes Act en­acted in 2007 ( CCA) sought to ad­dress var­i­ous un­law­ful con­duct within the dig­i­tal world from hack­ing to spam and ap­ply rules for In­ter­net Ser­vice Provider ( ISP) li­a­bil­ity in cases of vi­o­la­tions of law oc­cur­ring on the in­ter­net. The CCA has al­ready been amended as part of the Thai­land 4.0 laws; the changes be­come ef­fec­tive on May 24, 2017. Fines and penal­ties un­der the new law re­main the same ex­cept for an in­creased fine for spam.

Changes in ISP Li­a­bil­ity

The CCA de­fines an ISP as ( 1) one who pro­vides in­ter­net ac­cess or com­puter com­mu­ni­ca­tion ser­vices; or ( 2) one who pro­vides com­puter data stor­age.

MICT No­ti­fi­ca­tion ( 2007) ex­panded the def­i­ni­tion of ISP to in­clude ba­si­cally ev­ery­one:

All en­ti­ties within Thai­land which of­fer in­ter­net ac­cess, com­puter com­mu­ni­ca­tion, or data stor­age to their staff ( whether through their own servers or through third party ser­vices).

CCA Sec­tion 15 fur­ther pre­scribes that any ser­vice provider who “in­ten­tion­ally sup­ports or gives con­sent” to the com­mis­sion of the of­fences through com­puter sys­tems un­der his con­trol shall be li­able to the same penalty as the of­fender. How­ever, the MICT never pro­vided guid­ance as to how “in­ten­tional sup­port or con­sent” would be in­ter­preted. This was a prob­lem for com­mer­cial ISPS and public chat fo­rums who could not eas­ily track and/ or quickly re­move un­law­ful con­tent posted by users.

Part of the Royal Thai Gov­ern­ment’s vi­sion of Dig­i­tal Thai­land

In the 2012 case of the Of­fice of the Public Pros­e­cu­tor vs. Chi­ranuch Prem­chaiporn, the web­mas­ter for the Prachatai. com public dis­cus­sion fo­rum was found guilty for vi­o­lat­ing CCA Sec­tion 15- not for post­ing un­law­ful con­tent her­self, but for not re­mov­ing un­law­ful con­tent posted by oth­ers.

In its de­ci­sion, the Court fo­cused ex­clu­sively on one post ( Ex­hibit J. 32), which re­mained up for twenty days be­fore fi­nally be­ing re­moved. The Court found that twenty days was beyond what it thought was a “rea­son­able” time for the web­mas­ter to iden­tify and re­move the un­law­ful con­tent in this case. How­ever, rec­og­niz­ing that there were no of­fi­cial guide­lines, the Court sus­pended Ms. Chi­ranuch’s sen­tence.

The CCA Amend­ment now seeks to avoid sim­i­lar con­fu­sion by pro­vid­ing a ‘ safe har­bor’ of guide­lines for ISPS and web­mas­ters to fol­low that will en­ti­tle them to avoid pros­e­cu­tion for con­tent posted by oth­ers. The spe­cific terms defin­ing such ‘ safe har­bor’ will be part of min­is­te­rial reg­u­la­tions to be is­sued in the near fu­ture. Un­til these guide­lines are is­sued, the Chi­ranuch Court’s 20- day max­i­mum for re­mov­ing un­law­ful con­tent re­mains as the only ref­er­ence for ISPS and web­mas­ters to avoid be­ing treated as “in­ten­tion­ally sup­port­ing or con­sent­ing” to the un­law­ful con­tent posted by users.

False Pub­li­ca­tions

The CCA al­ready pro­vided for pros­e­cu­tion of per­sons dig­i­tally pub­lish­ing false in­for­ma­tion. How­ever, the CCA Amend­ment now re­quires “dis­hon­est or de­ceit­ful” in­tent as an el­e­ment in com­mit­ting the crime of pub­lish­ing false data that causes public in­jury.


The orig­i­nal CCA pro­vided only lim­ited pro­tec­tion against un­in­vited dig­i­tal mar­ket­ing or ‘ spam.’ Spam was un­law­ful only if sent anony­mously.

The CCA Amend­ment has added fur­ther re­stric­tions. Spam senders must af­ford re­cip­i­ents an “easy” means for opt­ing out of fu­ture spam. If they don’t or if they ig­nore such no­tice to opt- out, then senders may be li­able for a fine up to Baht 200,000. The law also refers to fu­ture min­is­te­rial reg­u­la­tions that will pro­vide fur­ther de­tail as to what would be deemed “easy” opt- out mech­a­nisms.


Note fur­ther that the CCA al­ways con- tained an ex­trater­ri­to­rial en­force­ment pro­vi­sion at Sec­tion 17, which au­tho­rizes en­force­ment on Thai cit­i­zens op­er­at­ing abroad as well as against for­eign cit­i­zens/ en­ti­ties whose op­er­a­tions abroad have im­pact on Thai­land’s gov­ern­ment or its peo­ple. Thus, for­eign ISPS or for­eign per­sons who vi­o­late the CCA are equally sus­cep­ti­ble to crim­i­nal pros­e­cu­tion in Thai­land.

This has not been changed in the CCA Amend­ment.


In sum, the Thai­land 4.0 laws have taken some sig­nif­i­cant steps to­ward fill­ing in sev­eral gaps and clar­i­fy­ing am­bi­gu­i­ties in Thai­land’s dig­i­tal law land­scapes. Other gaps re­main un­ad­dressed; how­ever, this is to be ex­pected as tech­nol­ogy ad­vances at a faster pace than the laws which govern it. For busi­ness op­er­a­tors in Thai­land, the new laws will com­bine fur­ther re­stric­tions with fur­ther clar­ity. This means work to up­date sys­tems, but with a much clearer ob­jec­tive as to what needs to be done.

John Fo­tiadis is a se­nior mem­ber and Pana­gi­o­tis Fo­tiadis is a re­search as­sis­tant at Ather­ton Co., Ltd. John can be con­tacted at Johnf@ ather­ton­le­gal. com.

Newspapers in English

Newspapers from Thailand

© PressReader. All rights reserved.