Legal experts baulk at draft of cyber bill
The cybersecurity draft bill proposed by the National Reforming Steering Assembly (NRSA) gives too much authority to the government to gain access to the computer systems of both private organisations and individuals without a court order in cases of emergency or urgency, legal experts say.
The bill is an amendment to the original version drafted by the Ministry of Digital Economy and Society (DE) and endorsed last year by the cabinet.
There is a provision under Section 44 of the current cybersecurity draft bill that grants authority to officials in cases of emergency that would create “significant damages” without immediate action.
In such cases, the officials have the authority to gain access to information on communications, either by post, telephone, fax, computer, any tool or instrument for electronic media communication or telecommunications, or take any measures for the maintenance of cybersecurity with the approval of the National Cybersecurity Committee (NCSC), and then report the action to the courts.
“The definition of ‘significant damages’ in the draft is too broad and subject to interpretation,” said Dhiraphol Suwanprateep, a partner in the intellectual property practice at Baker McKenzie.
Since the NCSC will have to be changed when its term ends, the standard for significant damages may be inconsistent, depending on the policy of the parties who form the government at the time, he said.
This is markedly different from court systems, Mr Dhiraphol said, where there is a consistent standard that the court has to follow, even when judges change.
Therefore, there should judicial review in every case, even cases that could create “significant damages”. Excluding courts from the process could decrease confidence and trust of the private sector or the opposition.
In emergencies courts are also capable of granting immediate orders.
Mr Dhiraphol said Section 44 also prescribes a penalty for private sector actors who do not comply with official orders.
In case of non-compliance, officials should present the possible infractions for the NCSC to bring to the attention of the appropriate regulators to determine the punishment to the party concerned in accordance with existing laws, notifications or regulations.
“We view that linking of penalty to other regulations is unfair since the companies involved have already complied with relevant regulations,” Mr Dhiraphol said.
When such businesses were established they complied with all the existing regulations in force at that time, including obtaining the relevant licences, which is already a complex and time consuming process.
The government wants to introduce penalties which could result in the revocation of licences obtained following due procedures in the past.
Mr Dhiraphol also said the priority of the NCSC to do is to lay down a defence policy for all government agencies as they are vulnerable to cyberattacks.
Moreover, he said this bill should include protective measures for whistleblowers. People who provide information to the NCSC (for example, notifying them of any suspected cyberattacks) should be protected from repercussions under this bill, such as being fired from the company where illegal conduct is found.
Paiboon Amonpinyokeat, the founder and legal counsellor of P&P Law Firm, said the UK and the US, where there are cybersecurity bills, require court orders before accessing systems.
Cybersecurity drafts should clarify “emergency cases” more clearly, with the inclusion of cyberterrorism, for instance, rather than rely on state judgment without court orders.
Most importantly, Mr Paiboon, who is also a legal expert, said NCSC should be accountable under the balance of powers.