|ICT Analytical Update | June 13, 2019
Authors: Riley Smith, Ella Duangkaew, Chase Blazek
Thailand's Cybersecurity and Personal Data Protection Acts Published in Government Gazette
On May 27, Thailand published two key pieces of legislation, the Personal Data Protection Act (“PDPA”) and the Cybersecurity Act in the Government Gazette. According to Baker McKenzie, the PDPA defines “personal data” as any data that could be used to directly or indirectly identify a person who is alive, and any use of personal data will require either direct (written) consent or an exemption in line with legitimate interest or legal obligations. Data controllers and data processors which handle personal data will be treated differently, though it is unclear yet to what degree. Extraterritoriality has been held over from previous drafts, so data controllers and data processors which are located outside Thailand will also be subject to PDPA obligations and may be required to designate representatives and data protection officers based in Thailand. Data controllers are also obliged to guarantee the data rights of their users, rights which are delineated here. Compliance will be enforced starting one year from the release data for both PDPA and the Act, which is May 27, 2020. Those firms not in compliance with the PDPA as of May 27, 2020 could be subject to a wide array of punishments, including administrative and criminal penalties, punitive damages, and class action lawsuits.
Also according to Baker McKenzie, the Cybersecurity Act (“the Act”) contains most of the same provisions as the March 11 draft (discussed in the Council’s March 14 Update), including the establishment of a National Cybersecurity Committee (NCSC). There are two cases in which private entities will fall under the Act’s obligations: cases of cyber threats and cases where firms classify as Critical Information Infrastructure Organizations (CII Organizations). Firms must allow authorities to address cyber threats by providing them with access to relevant data and computer systems, permitting them to test these systems or seize digital assets, and permitting them to monitor effected systems and data assets. Authorities don't require court orders for such operations in cases where cyber threats are deemed “critical,” the highest of three threat classification levels, though all investigations are supposed to be limited to directly addressing cyber threats.
CII Organizations include those companies that deal with a wide range of services, including public health, material public services, public utilities and energy providers, telecommunications and information technologies, finance and banking, transportation and logistics, national security, and any other services deemed sensitive by the NCSC. Those companies which qualify as CII Organizations must comply with a minimum set of cybersecurity standards and notify authorities of all cyber threats, as well as provide employee contact information. Similar to PDPA, noncompliance with the Act could result in fines or imprisonment. What’s more, firms regulated by the Act will also be subject to future sub-regulations as dictated by the NCSC. NCSC sub-regulations are projected to be completed within two years of the Act’s publishing date, or May 27, 2021.
The Cybersecurity Act and PDPA are two of the six digital bills designed to implement the Government’s Thailand 4.0 vision – described in the Council’s Febuary 27 Update. However, portions of both bills fall short of this vision. PDPA’s broad definition of “personal data” would apply to a large majority of firms that handle personal data, without accounting for digital context. Moreover, firms which encrypt, anonymize, or pseudonymize personal data will not be exempt from this definition. Extraterritorial jurisdiction for the Personal Data Protection Committee (PDPC) could place onerous financial and logistical burdens on data controllers and data processors which have no physical presence in Thailand. Foreign SMEs may lack the resources and capacity to hire on-the-ground representatives in Thailand, while Thai SMEs (which make up a majority of the Thai market) may struggle to comply with PDPA's extensive regulatory requirements. Though the transition period of one year is longer than was mentioned in previous drafts, it may still be insufficient for firms to make the technological, budgetary, administrative, and human resource changes necessary to comply with the new regulations. And the steep penalties for non-compliance may discourage market entry or encourage market exit for firms with limited resources or those unwilling to risk heavy punishment.
The Cybersecurity Act also includes provisions which may impede the Thailand 4.0 Vision. The criteria for identifying CII Organizations are still too open-ended; it is hard to find an organization that does not offer services in any of these categories – especially the far-reaching “information technology” category – while the prerogative given to NCSC to add categories may exacerbate this predicament. A more manageable classification might include only those entities involved with national infrastructures or directly impacting national security. The prospect of being investigated without a court order could decrease the willingness of businesses to locate proprietary data or computer systems in Thailand. To that end, a clearer definition of what qualifies as a “cyber threat” would make reporting incidents and planning for Government investigations more manageable. The definition of “cybersecurity incident” laid out by the United States’ National Institute of Standards and Technology (NIST) could provide a model for future amendments or sub-regulations of the Act.
These two acts, though intended to protect consumer privacy and improve national data security standards, could actually impede business development and dampen innovation led economic growth, which could hinder Thailand’s attempts to grow beyond middle-income status. Though previously unprotected data will now be protected by law, there are fears that the broad categories and loose requirements on investigative authorities laid out in these acts may allow businesses to be targeted for reasons other than direct cybersecurity concerns. Meanwhile, the lack of clarity on which cyber threats count as “not severe”, “severe”, and “critical” will leave businesses unsure of their compliance obligations and legal standing going forward.