By The Nation
Two crucial cyber-security and data-privacy bills approved by Cabinet earlier this year are all set for enactment by the National Legislative Assembly to ensure that Thailand has sufficient legal safeguards to support the country’s fast-growing digital economy and digital society.
However, the bills still have shortcomings that will pose challenges once they become laws that must be enforced by the authorities, especially with regard to national security and the protection of personal data owned millions of Thais.
For example, the powers of the government’s new data-privacy office to be set up under the proposed law, as well as its secretary-general, are too extensive in terms of forming judgement on criminal offenses punishable by jail terms. Part of the data-privacy bill is based on the European Union’s GDPR (General Data Protection Regulations), but several crucial elements have been watered down to minimise the impact on local businesses that must comply.
Regarding the cyber-security bill, some changes were already made to previous drafts to ensure there would be sufficient checks and balances on executive power when enforcing the proposed law on grounds of national security. In this context, the judiciary will play its role via judges whose opinions are required to endorse the government’s legal counters to threats to national security.
Yet the bill is necessary to ensure the country has preventive and suppressive measures in place to cope with cyber-attacks and other threats to national energy, banking, transportation, government and other public utility infrastructures.
However, there appears to be a less cautious approach in the data-privacy bill concerning the check-and-balance mechanism, even though violators under the proposed law are also subject to criminal punishment. As a result, government officials in charge of the data-privacy bill appear to have too much leeway to make judgements on offences, which could bode ill for the justice system. The shortcoming will likely lead to potential abuses and lack of transparency, since designated government officials are empowered to impose hefty fines on violators, not to mention related jail terms and other criminal punishment.
The data-privacy bill is also expected to help prepare Thai companies that have EU citizens as customers to comply with Europe’s GDPR. Under the GDPR, Thai airlines, hotel chains and other enterprises with EU customers are subject to heavy fines if they are found to have violated the EU law. However, the EU prescribes has no criminal punishment such as jail terms.
Individuals whose personal data are abused have the right under the proposed Thai law to seek compensation of up to Bt5 million from violators such as data controllers and data processors. In addition, violators are also subject to imprisonment for up to one year if convicted on criminal charges. According to the proposed legislation, individuals must give explicit consent before their personal data can be stored and used by data controllers and processors, who are also required to provide specific terms and conditions on data use, printed in reasonably large text. In addition, data owners have the right to be “forgotten” by requesting data controllers and processors to delete their personal data.