Cyber Security in Thailand

Is it unlawful in this jurisdiction to access third party data without authorisation? Is it unlawful to store data which has been accessed without authority?

It is illegal in Thailand to access third party computer data without authorisation according to the Act on Commission Offences Relating to Computer B.E. 2550 (2007) (the “Computer Crime Act”), provided that there is a specific access prevention measure in place. The penalty is imprisonment and/or a fine.

The Thai government has recently initiated a digital economy plan in order to promote IT business and the digital environment in Thailand. One of the draft Bills under the digital economy plan is the Computer Crime Amendment Bill. It makes certain revisions to the Computer Crime Act, e.g. if the computer data which is accessed without authorisation relates to national security, public security, national economic stability, or public service, the punishment is more severe. Nonetheless, as the Bill was recently approved in principle by the Cabinet in January 2015 and is currently under the consideration of the Council of State, it is subject to change. Therefore, it remains to be seen whether the Bill will be passed in this form.

Currently, there is no specific regulation under the Computer Crime Act prohibiting the storing of computer data which has been accessed without authority per se. Nonetheless, the storing of such data will be deemed as having in your possession an article which has been obtained through illegal means. The data is then subject to search, seizure, and/or detention by the competent officials under court order. Please see further details of the legal search, seizure, and/or detention mechanism in the following section.

Is there a legal mechanism whereby you can seek access to or retrieve the copy of data which has been accessed without authority? Is there a legal mechanism that enables you to find out information about who may have accessed your data without authority and/or how it was used?

If data owners can identify who accessed their data without authority and/or illegally, it is possible to apply for a search, seizure, and/or detention warrant under Thai law. However, there are criteria which must be met in order to apply for a search, seizure, and/or detention warrant. Nonetheless, the final decision whether to grant a search, seizure, and/or detention warrant rests with the court. Practically, there must be a strong prima facie case against the defendant(s) in order for the court to issue a search, seizure, and/or detention warrant.

For the benefit of an investigation, in the event that there are reasonable grounds to believe that an offence under the Computer Crime Act has been perpetrated (e.g. unauthorised access of computer data with a specific access prevention measure in place), the competent official under the Act shall have certain authority, among others, only as necessary to identify the person who has committed the offence and/or how the data was used, for example, to inspect or access computer data which may be used as evidence on a necessity basis.

Is there any restriction on the use that can be made of the information or documentation obtained regarding a data breach incident using a legal process?

In the event that a data breach incident is identified and the applicant asks for an investigation to be conducted by the competent officials under the Computer Crime Act, there are certain restrictions on the use of the information or documentation obtained from the investigation. For example, the competent officials are obliged by the law not to disclose or deliver to others the computer data, computer traffic data or data of the users acquired under the investigation.

Is it possible to maintain confidentiality in relation to the legal steps necessary to get access to the data or information?

The investigation and gathering of evidence by the competent officials under the Computer Crime Act (e.g. getting access to the data or confidential information) is generally confidential. There is no public statement announcing such investigations. The competent officials are also obliged by the law not to disclose or deliver to others the computer data, computer traffic data or data of the users acquired under the investigation. Also, if any person happens to obtain such data from the relevant competent official, he/she is prohibited by law from disclosing such data to others.

If it is later determined that proceedings should be commenced in another jurisdiction (for example, the perpetrator is found to reside there), can you stop the proceedings in this jurisdiction in such a way that you are not prevented from commencing proceedings on the same issue as a result of the application of res judicata, double jeopardy or some other similar principle?

It is possible to stop the proceedings in Thailand on the basis that the proceedings are not yet final. This will not prevent the plaintiff from commencing proceedings on the same issue in another jurisdiction. Nonetheless, it will also depend on the law of that other jurisdiction whether the case which has already been conducted in Thailand, even though it is not yet final, will be able to be tried again in that jurisdiction.

Is there an obligation in your jurisdiction to hold personal information securely?

Yes. There are certain security regulations and obligations in Thailand to protect personal information from misuse, interference and loss and from unauthorised access, modification and disclosure. For example, telecommunications operators must provide security measures for personal information, both technically and within the organisation of the telecommunications operators. Also, the security measure obligations are more stringent if such personal information is sensitive, e.g. certain personal information as provided in banking and financial institution regulations.

Does the law in your jurisdiction restrict or place conditions on the transfer of personal or other information to other foreign jurisdictions?

Yes. There are certain sector specific regulations restricting the transfer of information overseas. For example, the credit bureau is prohibited from transferring credit data to foreign jurisdictions. Also, the Personal Data Protection Bill, which was one of the Bills approved in principle by the Cabinet in January 2015 under the government’s digital economy plan, specifies certain restrictions on the transfer of personal data overseas. That is, the transfer shall be in accordance with the rules prescribed by the Personal Data Protection Committee regarding the protection of personal data sent or transferred abroad, unless certain exceptions apply. Nonetheless, as the Bill is currently under the consideration of the Council of State, it is subject to change. Therefore, it remains to be seen whether the Bill will be passed in this form.

Is there a generally applicable obligation to notify data subjects of a data breach in your jurisdiction?

While there is currently no consolidated general data protection law in Thailand requiring notification of data subjects of a data breach, there are certain sector specific regulations imposing such obligations. For example, telecommunications operators must notify data subjects of the breach without delay. Also, the Personal Data Protection Bill contains an obligation to notify data subjects immediately of any breach of personal data and the remedial plan for the damage arising from such breach of personal data. Again, as the Bill is currently under the consideration of the Council of State, it is subject to change. Therefore, it remains to be seen whether the Bill will be passed in this form.

Is there a generally applicable obligation to notify the authorities of a data breach in your jurisdiction?

While there is currently no consolidated general data protection law in Thailand requiring notification of the authorities of a data breach, the Personal Data Protection Bill contains an obligation to notify the Personal Data Protection Committee of certain details of such a breach, in the event that the breach affects a number of people exceeding that prescribed by the Personal Data Protection Committee. Nonetheless, it remains to be seen whether the Bill will be passed in this form.

Are there sector specific mandatory data breach notification obligations in your jurisdiction?

Yes. As mentioned above, there are certain sector specific mandatory data breach notification obligations in Thailand in connection with electronic payment service providers, telecommunications operators, and the credit bureau.