Q4 has shown active developments in regulations around cyberspace and data, with three major pieces of legislation moving forward: the Cybersecurity Bill, Personal Data Protection Bill, and the National Digital Identification Bill. The government is also moving to amend the revenue code to better capture e-commerce taxation. These legislations demonstrate the high priority Thailand places on the digital economy, and their efforts to achieve the vision Thailand 4.0, especially as digital innovation is a key theme for Thailand’s 2019 ASEAN Chairmanship Year. These legislations will require companies to be vigilant in compliance regarding new obligations and rules around data, critical information infrastructure and cybersecurity.
1. National Council for Peace and Order (NCPO) Officially Lifts Ban on Political Parties
In another sign that the much-anticipated and oft-delayed elections could be underway in 2019, the National Council for Peace and Order (NCPO) has lifted its ban on political parties on December 11. The Bangkok Post reports that the NCPO will lift nine key orders restricting political activities, and that it proposed the February 24 election date at a December 7 meeting with political party members, representatives of the National Legislative Assembly (NLA), the Election Commission (EC) and the Constitution Drafting Committee. Two major parties – the Democrats and Pheu Thai – opted out of the meeting.
The February 24 election date must still be officially announced by the EC, which is likely to happen on January 4, two days after a royal decree to hold an election is granted. Though the lifted ban will allow for political campaigning to commence, it remains unclear how freely parties may be able to campaign, particularly if the ban on the gathering of more than 5 people for political purposes remains intact.
2. Cybersecurity Bill
Thailand's Draft Cybersecurity Bill was revised following a public hearing period that ended in October. A first version of the revised bill was released on November 16, 2018, shortly followed by the latest revised version, which was released on December 5, 2018.
The October version of the Draft Cybersecurity Bill drew criticism from several stakeholders, including state agencies, domestic business and foreign businesses operating in Thailand, who shared concerns about the Bill’s potential to create opportunities for abuse of power and data privacy breaches. Criticism of previous drafts of the Cybersecurity Bill included questions of its potential to silence public opinion ahead of the upcoming elections, risks to confidential information and concerns that the Cyber Security Agency (CSA) created by the Cybersecurity Bill would have far-reaching powers. Thailand’s National Cybersecurity Committee and Thailand Information Security Association (TISA) cited concerns that it could have a potentially negative impact on business and privacy. In principle, the Bill is intended to strengthen Thailand’s cybersecurity and protect users and critical information infrastructure (CII). In response to widespread outcry, Prime Minister Prayut Chan-o-cha called for a review of the Bill, which led to the revisions that were released in November and December.
The December revised version does not differ vastly from the October and November versions. While revisions were made to the section on the National Cybersecurity Committee (NCSC), it maintains a powerful NCSC, with slightly reduced capabilities but still with heavy-handed penalties for non-compliance and relatively vague language. Adjustments have been made allowing agencies to appeal requests for information if they are unable to provide information for contractual or legal reasons, and requiring that the secretary-general must file a request in a court of jurisdiction to access data in the case of preventing a cyberattack at the "significant" level of impact. The December version of the Bill is likely to be the final version, as MDES has made it a priority to have the Bill passed by the end of the 2018. It will be key for stakeholders to engage with MDES on the implementation of the Bill to ensure that concerns are addressed.
3. Personal Data Protection Bill
On September 3, the Ministry of Digital Economy and Society (MDES) published a revised version of the Personal Data Protection Bill (PDPB). The Bill regulates cross-border data flows, and addresses disclosure and collection of personal information by data controllers. Revisions from previous versions included added consent exemptions for performing contractual obligations or fulfilling data owner requests before entering into contracts. Several components of the Bill, including revised provisions and entirely new provisions, still limit the ability of data controllers to provide services that meet consumer expectations of timeliness, efficiency, and cost.
On October 30, the Council, in partnership with AsiaDPO, hosted a technical workshop with the MDES and the Electronic Transactions Development Agency (ETDA) within MDES, to discuss the implementation of the revised PDPB. The workshop directly followed a public hearing period for the PDPB, for which the Council submitted joint industry comments for on October 2. The Council also submitted comments on September 28 on a version of the Personal Data Protection Bill released by the Government of on September 3 following a public hearing period on the previous version that ended in May. The Council will continue to follow up with MDES on the implementation of the Bill to ensure that industry concerns are addressed.
4. Draft Digital Identification Bill
On September 11, Thailand’s Cabinet approved a Digital Identification Bill in principle, which would set up a National Digital ID (NDID) platform. Drafters expect the Bill to be passed by the National Assembly quickly and take effect by the middle of 2019. The NDID system under the Bill is intended to facilitate online transactions and enhance stakeholder security, although concerns have been raised about the system’s risks.
For banks, the NDID system under the bill would enable faster customer identify verification by drawing together three parties: an ID provider (IDP), Authoritative Source (AS) and relaying party (RP) to corroborate identification of an end-user. For example, according to the Bangkok Post, a first bank (as the RP) could rely on a second bank (as the IDP) that has already conducted an e-KYC (Know Your Customer) procedure and verified the end-user with backing from a trusted source like the Credit Bureau (as the AS) to release information about the end-user to the first bank for further use. The effect of a faster system under this design would foster growth in digital loans and overall customer bases.
The 12-person working committee that designed the NDID expects the system to benefit public and private stakeholders. According to The Nation, Bill drafter Bhume Bhumiratana stated that as the Bill intends to lower costs for identification authentication, the public may feel more secure in opening accounts and engaging in online transactions, which will also enable the public to collect names, make inquiries or lodge complaints.
However, some have raised questions about the system’s potential for privacy breaches and questions of cybersecurity. As the sole operator, the NDID would face consolidated risk of cybersecurity attack or data breach. Prinya Hom-anek, Secretary-General of the Thailand Information Security Association, said that a single NDID is “not ready to be used on the global level,” and that public services need a high standard of reliable and secure services. Somwang Luangphaiboonsri of the Thailand E-Payment Trade Association said the system should have a trusted global auditor to verify the system and ensure the NDID platform has standards of good governance, transparency and protection of privacy.
The Draft Bill has not been shared with the private sector for public consultation, which is concerning given that most concerns are coming from industry associations.
5. New Revenue Code Amendment to Require E-Payments Disclosures
On December 4, the National Legislative Assembly (NLA) approved a bill amending the Revenue Code Amendment aimed at reducing fraud, investigating tax obligations and effectively capturing tax from e-commerce businesses. Under the new amendment, any financial institution must disclose information to the Revenue Department for customer accounts with over 3000 deposits and money transfers annually of any annual amount, or accounts with more than 400 deposits and money transfers totaling over 2 million THB (roughly US$61,087) annually.
The Revenue Department has developed the amendment to better capture taxes on e-payments, as it previously lacked the necessary information to do so. The Revenue Department currently reports data showing that only 65% of juristic enterprises file tax returns, and that a large number of self-employed individuals do not pay taxes. Deputy Minister of Finance Wisudhi Sripuphan said that the bill amending the Revenue Code is intended to create more sustainable tax collection, and is not solely intended to target online traders. The Deputy Minister also noted that 2.4 million people are not in the tax system.
E-payments organizations in Thailand have expressed concern that the new tax policy could prevent widespread adoption of e-commerce payments and discourage the beneficial transition towards a more cashless society. Merchants who previously only needed to report a summary will now be required to disclose more detailed information to the Revenue Department, which will introduce additional burden. Thus, to avoid this disclosure burden, smaller merchants may prefer to use cash instead of e-payments. This reporting burden also drew comments from within the NLA, with some members stating that their own accounts would require reporting of transactions from meeting allowances and donations to Buddhist temples.
Although the Revenue Code amendment is intended to ensure fair competition and create more convenient and effective tax collection, its effect on e-commerce and e-payments may affect Thailand’s vision to become a cashless society. Thailand has emphasized the benefits of e-payments and has prioritized its goal of becoming a cashless society in its National e-Payments Master Plan and through its PromptPay e-payments system established through public-private partnership. PromptPay services began in 2017 and the service currently has 42.6 million registrants. According to the Bangkok Post, the Bank of Thailand reported 375 trillion THB (about US$ 11.4 trillion) in online transactions in June 2018, which was an increase from 250 trillion THB (US$7.6 trillion) in June 2017.
6. Fintech Law
Thailand’s Fintech Act is on track to be enacted by the end of the year according to industry groups that have been involved in drafting. The Fintech Act, which the Council first covered in 2017 in this update, will include measures on electronic transactions, know-your-customer rules, and due diligence. It will also require the government to provide open data sources to entrepreneurs to support innovation. This work to build the regulatory infrastructure of a digital financial services system will be critical to building a thriving and modern financial ecosystem, which has lately been a priority of the Thai government and especially the Bank of Thailand.
7. Marijuana Bill
145 members of the National Legislative Assembly voted to advance the proposed Draft Marijuana Bill at the end of November. A committee has been formed to continue vetting the Bill and is expected to be deliberated over 60 days. The Draft Bill outlines medical and research use of cannabis in both public and private sectors. The Bill also proposes classifying the drug as Category 2 instead of Category 5.
8. Amendment to the Customs Act and New Export Controls for WMD Considered
At the end of September, Thailand held public hearings on a first tranche of amendments to the 2017 Customs Act. The consultation proposes 17 changes to the law, which can be found in the consultation document at this link. Most of these are small changes to processes for quarantine orders, certain goods seizures, freeze orders, clearance and payments of duties, bonded warehouses, transshipment, and violation penalties. More notably, it clearly defines the language on the duty assessment period in Section 19, which had previously seen varying interpretations.
9. Cabinet Proposes Repeal of Existing International and Regional Headquarters Schemes, Introduces International Business Center (IBC) Scheme
The Cabinet, on October 9, introduced the single International Business Center (IBC) scheme to replace the Regional Operating Headquarters (ROH) I and II, International Headquarters (IHQ) and Treasury Center (TC), and International Trading Center (ITC) regimes. A summary from EY reports that entities that have already been granted tax, customs and employment incentives under the existing regimes will remain eligible until the expiration of any current status, but ROH I status, will end at the end of accounting year 2020. ROH and IHQ/TC entities can convert to IBC. The new IBC scheme will have new conditions, with details expected to be released shortly, following its consideration by the Council of State and National Legislative Assembly.
An analysis from Baker Mackenzie found that the new IBC scheme may not be as beneficial overall in comparison to the existing IHQ scheme, but has several new tax incentives, including, but not limited to, reduced corporate income tax (CIT) rates and exemption on CIT for dividend received from affiliates. New applicants for the IBC scheme will also be subject to meeting a new criteria, which includes minimum expenditure of at least 60 million Baht in each accounting period, which existing ROHs and IHQs would be exempt from should they wish to covert to IBCs.
The proposed IBC scheme regime is part of Thailand’s 2017 commitment to the G20/Organisation for Economic Cooperation and Development’s (OECD) Inclusive Framework of Base Erosion and Profit Shifting (BEPS) standards. Reviewing harmful tax practices is part of Thailand’s commitment to the four minimum standards of the G20/OECD Inclusive Framework of BEPS (Action 5).
10. Evolving Outsourcing Regulations
On October 1, Thailand’s Capital Market Supervisory Board (CMSB) issued a new outsourcing regulation that greatly reduces regulatory burden for securities companies. Unlike the previous regulation, which requires securities companies to obtain approval from the Office of the Securities and Exchange Commission (Office of the SEC) prior to outsourcing, now companies only need to notify Office of the SEC within 15 days after they outsource business functions to external providers.
Under the new, more lenient regulation, a securities company may outsource any of its functions if they meet two requirements: (1) the company may not reduce itself to an empty shell and (2) if the outsourced function is a central utility function, the company may only outsource to a provider who has been approved by the Office of the SEC. There is no clear definition under this regulation as to what is considered a “central utility function.” However, the Office of the SEC commented in a public hearing document that fund service platform function and electronic payment for a settlement of securities and derivatives may constitute central utility function. The regulation also stipulates requisite provisions which an outsourcing agreement must contain. A sub-outsourcing arrangement is also permissible provided that the securities company consents to the arrangement and the arrangement contains the same requisite contents that was agreed upon between the securities company and the principal external provider. The SEC is authorized to issue further guidance on the regulation so clarification on some points may emerge in the future.
11. Cigarette Tax Considered
The Ministry of Public Health proposed a cigarette tax of 1-2 baht per packet that is intended to raise revenue for the Health Insurance Fund and to dissuade the purchase of cigarettes. However, in a public response to this proposal, the Ministry of Finance, which would oversee implementing the tax, said that it was not aware of the proposal prior to the Ministry of Public Health’s announcement, and that such a tax proposal might be inconsistent with Thailand’s tax laws. Given the above, the proposal still has a way to go if it were to be implemented.
According to the Bangkok Post, Minister of Finance Apisak Tantivorawong said he had not been notified of the proposed tax increase, and that “such a law cannot be drafted until it is assessed to be in accordance with the Fiscal Discipline Act.” Director General of the Excise Department Patchara Anuntasilpa also said that he was also not aware of the proposed cigarette tax increase. In addition, the Ministry of Public Health has thus far not been able to offer much clarity on the proposed tax increase, particularly its development and implementation timeline.