1 Legal framework
1.1 Does the law in your jurisdiction distinguish between ‘cybersecurity', ‘data protection' and ‘cybercrime' (jointly referred to as ‘cyber')? If so, how are they distinguished or defined?
Yes, there are differences between ‘cybersecurity', ‘data protection' and ‘cybercrime' under Thai law, as follows:
- ‘Cybersecurity' is defined as any measure or procedure established to prevent, address or mitigate the risk of cyber threats, originating inside or outside Thailand, that may affect national security, economic security, military security or public order. A ‘cyber threat' in this regard is any unlawful act that uses a computer, a computer network or an offensive (malicious) program to cause, or threaten to cause, an adverse impact on a computer, a computer network or data.
- ‘Data protection' refers to the protection of an individual's privacy and personal information from unauthorised processing. ‘Personal information' in this regard refers to any data of a living person that may be used to directly or indirectly identify that person.
- ‘Cybercrime', as addressed by the Computer Crime Act, covers the import into, dissemination from or forwarding within a computer system of illegal data, electronic data, statements, instructions or output that can be processed by a computer system. ‘Illegal data' in this regard includes data relating to pornography, gambling, lèse-majesté (ie, insulting the monarchy), infringement of intellectual property or national security.
1.2 What are the key statutory and regulatory provisions that address cyber in your jurisdiction?
The key statutes that address cyber in Thailand are:
- the Cybersecurity Act BE 2562 (2019);
- the Personal Data Protection Act BE 2562 (2019); and
- the Computer Crime Act BE 2550 (2007), as amended by the Computer Crime Act (No 2) BE 2560 (2017).
1.3 Do special cyber statutes or regulations apply to: (a) Certain sectors, businesses or industries (eg, critical infrastructure, national security, financial services, healthcare)? (b) Certain types of information (personal data, health information, financial information, classified information)?
(a) Certain sectors, businesses or industries (eg, critical infrastructure, national security, financial services, healthcare)?
Yes, under the Cybersecurity Act. The Cybersecurity Act applies to both public and private sector entities that:
- own information and communication infrastructure that is integral to the maintenance of vital societal functions, known as critical information infrastructure (CII); and
- are engaged in any of the following services:
- national security;
- material public service;
- banking and finance;
- information technology and telecommunications;
- transportation and logistics;
- energy and public utilities;
- public health; or
- other areas that may be further prescribed by the relevant cybersecurity authority.
(b) Certain types of information (personal data, health information, financial information, classified information)?
Yes, under the Personal Data Protection Act, which governs the processing of personal data generally and imposes stricter conditions on sensitive personal data, such as health information.
1.4 Do any cyber statutes or regulations have extraterritorial reach? If so, how do they apply extraterritorially and what are the factors or criteria for such application?
Yes, the Personal Data Protection Act and the Computer Crime Act both have extraterritorial reach, although the criteria differ. The Personal Data Protection Act applies to data controllers and data processors outside Thailand if they process the personal data of data subjects who are in Thailand in connection with offering goods or services to, or monitoring the behaviour of, those data subjects; the test is the data subject's presence in Thailand, not his or her nationality. The Computer Crime Act reaches offences committed outside Thailand by reference to the nationality of the offender and of the injured party, where the injured party or the relevant government requests that the offender be punished.
1.5 Do any bilateral or multilateral instruments related to cyber have effect in your jurisdiction?
As of the date of writing, no bilateral or multilateral instruments relating to cyber have effect in Thailand.
1.6 What are the criminal penalties for cybercrime (eg, hacking, theft of trade secrets)?
The criminal penalties vary with the seriousness of the offence under the Computer Crime Act. At the top of the scale, imprisonment for up to 20 years and/or a fine not exceeding THB 400,000 may be imposed.
Hacking, in the sense of unauthorised access to computer data, and the resulting theft of data such as trade secrets attract imprisonment for up to two years and/or a fine not exceeding THB 40,000.
2 Enforcement
2.1 Which governmental entities are responsible for enforcing cyber statutes and regulations? What powers do they have? Can they impose civil and criminal penalties? On whom can penalties be imposed (eg, companies, directors, officers, employees)? Do those entities have extraterritorial reach, and if so what?
The Ministry of Digital Economy and Society (MDES) is the ministry responsible for the cyber statutes and regulations. Each cyber statute establishes a committee that regulates and enforces it, and civil and/or criminal penalties may be imposed under those statutes.
Penalties may be imposed on:
- an individual offender;
- a company, including an authorised director (where the offence is caused by the actions of such director); and
- officers and employees (in the event of breach of the scope of their duties).
With regard to extraterritorial reach, please see question 1.4.
2.2 Do private parties have a right of action? If so, what type of relief or remedy is available? Is any relief or remedy available against individuals (eg, directors, officers, employees)?
Yes, under the Personal Data Protection Act, private parties have a right of action for a breach of their personal information. As a first step, private parties may file a complaint with the Personal Data Protection Committee (PDPC) about a breach of their personal information and/or non-compliance with the legal obligations of data controllers and data processors (whether individuals or corporate entities), including officers and employees who act on behalf of data controllers or data processors. The PDPC has the power to settle the dispute amicably and/or to order the offender to rectify the matter within a specified timeframe.
In addition, private parties, as data subjects, have the right to claim for compensation if the data controller and/or data processor either intentionally or through negligence fails to comply with its obligations to protect their privacy – for example, by failing to provide them with details of the purpose of the data collection, the retention period and appropriate security measures. Compensation in this regard includes all necessary expenses incurred by the data subject for the prevention of damages likely to occur, or which were incurred to address damages that have already occurred. The competent court has the authority and discretion to increase the amount of compensation by up to twice the actual damages, as punitive damages.
In addition, such relief or remedy is personally available against individuals (eg, directors, officers and employees) who have directly caused the damage and/or performed any action beyond the scope of their duties that has adversely affected the data subject.
2.3 What defences are available to companies in response to governmental or private enforcement?
Data controllers or data processors seeking to defend themselves against governmental or private enforcement relating to personal information must provide sufficient evidence to prove that the damage to the data subject's personal information resulted from:
- force majeure or the data subject's own acts or omissions; or
- the action being taken in compliance with the order of a government official.
In addition, service providers may be liable under the Computer Crime Act for allowing the import, dissemination or forwarding of illegal computer data (eg, pornography, gambling, lèse-majesté, infringement of intellectual property or national security) in or from a computer system on their platforms. ‘Service providers' in this regard include providers of the following services:
- intermediary, routing or transitory communication services;
- system caching;
- storage of computer data on users' systems or networks;
- information location tools; and
- internet access or any other communication through a computer system, whether on their own behalf or for the benefit of others.
To avoid such liability, a service provider must be able to show that it used best efforts to prevent the import, dissemination or forwarding of illegal computer data in or from its computer system; otherwise, it is liable to the same penalty as the person who posted the data.
‘Best efforts' can be demonstrated by making available to users a complaint form or takedown notice that captures specific details (eg, the contact details of the service provider and the complainant, and particulars of the offence), so that users can notify the service provider when they discover unlawful data circulating on its service. On receipt of a complaint, together with supporting documents or evidence, the service provider must remove or revise the unlawful data and block its dissemination within the following timeframes:
- within seven days of the date of such notice in the case of forged or deceptive data that may cause damage to the public, and where the offence does not involve defamation under the Thai Criminal Code;
- within 24 hours of the date of such notice in the case of false data that may cause damage to the public (eg, public security, national economy or public infrastructure), or data relating to an offence concerning Thailand's security or terrorism under the Thai Criminal Code; and
- within three days of the date of such notice in the case of obscene data accessible to the public.
3 Landmark matters
3.1 Have there been any landmark cyber enforcement actions or judicial decisions in your jurisdiction? If so, what were they?
Yes, there have been landmark cyber enforcement actions in Thailand. For example, criticising the monarchy is a serious criminal offence in Thailand. In most cases, convictions of those charged with lèse-majesté result in harsh sentences. According to available sources, between 2014 and 2016 the Thai authorities charged at least 68 people with lèse-majesté, mostly for posting or sharing comments online.
3.2 Have there been any pivotal cyber incidents or events (eg, major data breaches, major cyber-related legislative activity, major cyber-related innovation or technology development) in your jurisdiction?
As of the date of writing, there have been no pivotal cyber incidents or events in Thailand.
4 Proactive cyber compliance
4.1 Have any industry best practices or industry standards in proactive cyber compliance developed over time in your jurisdiction? If so, please briefly describe.
Yes, best practices or standards on proactive cyber compliance have developed over time in certain industries. Any business responsible for information that is critical to national security and the public interest – for example in banking, information technology, telecommunications and transportation – is treated as a critical information infrastructure (CII) entity (please see question 1.3) and is subject to the cybersecurity requirements of the Cybersecurity Act, published in 2019.
Under the Cybersecurity Act, each CII entity – including government entities and competent regulators – must have in place a code of practice that at least covers:
- cybersecurity risk identification and assessment, performed by either an internal or external independent auditor at least annually (which must be reported to the relevant authority within 30 days); and
- a cyber threat response plan.
Additional details and requirements of the Code of Practice – including the risk assessment and the cyber threat response plan – will be prescribed by the National Cybersecurity Committee (NCSC) in the future. CII entities must also establish mechanisms to monitor cyber threats and cybersecurity incidents affecting their CII, and must participate in cybersecurity exercises organised by the government to assess and ensure their readiness to respond to cyber threats.
In addition to the Cybersecurity Act, a service provider subject to the Computer Crime Act generally uses demonstrable ‘best efforts' to ensure that illegal computer data is not imported, disseminated and/or forwarded on its system or network, so as to avoid committing an offence under the cyber statutes. A service provider may develop and enforce protective measures for users. For example, it may adopt a written policy to which users must agree (similar to a click-through agreement), confirming that they will not import, store or transmit any content that may constitute illegal computer data under the Computer Crime Act and related laws such as the Thai Criminal Code; if the service provider finds such data on its computer systems or networks, it reserves the right to block, delete or remove the content. A service provider can also make available a complaint form or takedown notice, so as to secure the exemption from liability for cybercrime offences committed on its system or network (see question 2.3).
Also, if a service provider is a data controller, it must have in place appropriate security measures to prevent the unauthorised or unlawful loss, access, use, alteration or disclosure of customers' personal data on its system or network. These measures must meet the minimum standard to be stipulated by the Personal Data Protection Committee (not yet published as of the date of writing) and must be reviewed when necessary, or when the technology changes, so as to maintain an appropriate level of security.
4.2 Have any governmental entities issued voluntary guidance or similar documentation on the issue of proactive cyber compliance? If so, please briefly describe.
As of the date of writing, governmental entities have not yet issued voluntary guidance or similar instruments on the issue of proactive cyber compliance (as mentioned in question 4.1).
4.3 What legal duties, if any, do corporate officers and directors have with respect to proactive cyber compliance? Under what circumstances might they be considered in breach?
Corporate officers and directors have no direct or personal legal duties with respect to proactive cyber compliance. However, upon request, officers and directors must follow the orders of, and cooperate with, the relevant authority for the purposes of cybersecurity and the prevention of cybercrime and data breaches. For example, an authority may require the production of service user records and/or computer traffic data (from private entities or from their officers and directors) in order to gather evidence or identify an offender. Failure to comply with such an order may result in imprisonment and/or a fine under the cyber statutes.
The authorities have very broad discretion in considering whether there is a basis to suspect the commission of an offence, as any activity that may cause damage to national security, the economy or public infrastructure may constitute grounds for the commission of cyber-related offences.
4.4 Are there special rules, regulations or guidance in the proactive cyber compliance area that apply to public (eg, exchange-listed) entities?
Currently, there are no special rules, regulations or guidance in the proactive cyber compliance area that specifically apply to public entities.
4.5 Is there scope for companies to share details of actual or potential cybersecurity threats, or other cyber-intelligence information, with industry or other stakeholders?
Currently, there are no specific laws or regulations relating to sharing details of actual or potential cybersecurity threats or other cyber-intelligence information with industry or other stakeholders in Thailand. However, if such cybersecurity threats or cyber-intelligence information is relevant to personal data, then the Personal Data Protection Act must be taken into consideration.
Under the Personal Data Protection Act, the processing of personal data requires the explicit consent of the data subject, given prior to or at the time of collection, unless one of the following legal bases applies:
- preparation of historical documents or archives for the public interest, or research or statistical purposes, with appropriate safeguards in place;
- preventing or suppressing danger to the life, body or health of the data subject or a third party (vital interests);
- performance of a contract to which the data subject is a party, or taking steps at the data subject's request prior to entering into a contract;
- performance of a task carried out in the public interest or in the exercise of official authority vested in the data controller (usually in the case of public authorities);
- the legitimate interests of the data controller or a third party, except where those interests are overridden by the fundamental rights of the data subject; or
- compliance with a legal obligation of the data controller.
Therefore, companies must ensure that the sharing of details of actual or potential cybersecurity threats or cyber-intelligence information (that is relevant to personal data) to other industries or stakeholders is based on either the consent of the data subject or the above legal grounds.
5 Cyber-incident response
5.1 In your jurisdiction, do certain types of cyber incidents (eg, data breaches, unauthorised destruction, data leakage) trigger mandatory or voluntary notification requirements? How are such incidents defined? Are notification requirements dependent on the type of information affected? If so, what types?
Yes. The types of cyber incidents and affected information that are subject to notification requirements are varied, depending on the prescription of each cyber statute.
Under the Cybersecurity Act, any cyber incident involving information that is critical to national security and the public interest – for example in banking, information technology, telecommunications and transportation (ie, critical information infrastructure (CII) information) – is subject to the notification requirement. A ‘cyber incident' in this regard includes any unlawful act that uses a computer, a computer network or an offensive program to cause, or threaten to cause, an adverse impact on a computer, a computer network or data. Cyber threats are categorised into three levels, as follows:
- Non-critical: Any threat that may negatively affect the performance of a CII entity's computer system or of services provided by government entities;
- Critical: Any threat whose severity has significantly increased and that is intended to attack CII relating to national infrastructure, national security, the economy, healthcare, international relations, governmental functions or similar, such that the provision of CII-related services would be impaired; and
- Crisis: Any threat greater than a critical-level event that may have a widespread impact, such as causing the government to lose control of a computer system, or any threat that may lead to mass destruction, terrorism or the overthrow of the government.
Further details of the above levels, as well as the preventive and mitigating measures applicable to each level, will be determined by the National Cybersecurity Committee (NCSC).
Personal data breach incidents are subject to the notification requirement under the Personal Data Protection Act. A ‘personal data breach incident' in this regard refers to the unauthorised or unlawful processing (eg, use, collection, revision, deletion or disclosure) of personal data of any person without his or her consent or a legal basis (please see question 4.5).
5.2 What are the mandatory or voluntary cyber-incident notification requirements? For example, to whom must notification be sent (eg, individuals, regulators, public filings)? Is there a required form or format? What is the timeframe for notification? Is the organisation that suffered the cyber-incident obliged to provide services, compensation or specific information to individuals who were affected? What are the exceptions/safe harbours that would allow organisations to avoid or not make notifications (eg, no risk of harm; information accessed was encrypted)?
The Cybersecurity Act prescribes that any actual or potential cyber threat to CII (at any level) under the responsibility of a public or private entity (a ‘CII entity') must be promptly notified to the NCSC and the competent regulators, with no exceptions or safe harbour. No specific format or timeframe for notification is currently prescribed under the Cybersecurity Act. CII entities that suffer a cyber incident are not obliged to provide services, compensation or specific information to affected individuals. Failure by a CII entity to report a cyber incident to the NCSC and the competent regulators without reasonable cause carries a maximum fine of THB 200,000.
In the case of a cyber incident involving a breach of an individual's personal data, the data controller must notify the Office of the Personal Data Protection Committee without undue delay and, where feasible, within 72 hours of becoming aware of the breach, unless the breach is unlikely to result in a risk to the rights and freedoms of individuals. In addition, if the breach is likely to result in a high risk to the rights and freedoms of data subjects, the data subjects must be informed of the breach, and of the remedial measures taken, without undue delay. Further details of the notification requirement and its exemptions will be issued by the Personal Data Protection Committee (PDPC) in the future. Where a data processor processes personal data on behalf of a data controller, the Personal Data Protection Act requires only that the data processor notify the data controller of any breach of an individual's personal data.
5.3 What steps are companies legally required to take in response to cyber incidents?
Given the relative infancy of the Thai cyber statutes, the requirements for companies to respond to cyber incidents have not yet been clearly specified under the Cybersecurity Act and the Personal Data Protection Act. Details of such requirements are subject to the sub-ordinances that will be issued by the relevant authorities in the future.
Subject to the Cybersecurity Act, upon the discovery of actual or potential cyber threats, CII entities must examine all of their information, computer data, computer systems and surrounding circumstances to assess the level of the cyber threat. After conducting this examination, CII entities must respond to and mitigate discovered cyber threats in compliance with the Code of Practice, and inform the NCSC and the competent regulators accordingly. Further details and requirements of the Code of Practice, including the risk assessment and cyber threat response plan, have not yet been published as of the date of writing (see question 4.1).
Companies that are data controllers must respond to cyber incidents (eg, unauthorised or unlawful loss, access, use, alteration or disclosure of personal data) in accordance with their appropriate security measures, which must meet the minimum standards to be stipulated by the PDPC (not yet published as of the date of writing).
Under the Computer Crime Act, a company that is a service provider must remove or revise any unlawful data (eg, pornography, gambling, lèse-majesté, infringement of intellectual property or national security) on its platform or system, and block its circulation, within the specified timeframe after receiving a complaint from a user (see question 2.3). In addition, a service provider must delete or block access to unlawful computer data or websites where a court so orders on the application of a competent official under the Computer Crime Act.
5.4 What legal duties, if any, do corporate officers and directors have with respect to cyber-incident response? Under what circumstances might they be considered in breach?
As corporate officers and directors perform their duties for and on behalf of companies, no specific duties relating to cyber-incident response have been imposed on corporate officers and directors.
5.5 Do companies maintain cyber-incident insurance policies in your jurisdiction?
Thailand has no specific laws or regulations on cyber-incident insurance policies. Therefore, based on the current cyber statutes, companies are not required to maintain cyber-incident insurance policies.
6 Trends and predictions
6.1 How would you describe the current cyber landscape and prevailing trends in your jurisdiction? Are any new developments anticipated in the next 12 months, including any proposed legislative reforms?
As Thailand's digital economy and society are growing rapidly, cyber statutes have recently been published and updated to introduce and enforce new legal safeguards. These safeguards aim to ensure national security in cyberspace and cover both private and public sector databases, as well as the privacy of individuals' personal data. The cyber statutes highlight the importance of a strong cybersecurity stance as a key defence against cyber threats and the unauthorised exploitation of networks, systems and technologies, which are mostly caused by human actions.
As the Thai cyber statutes are relatively new, however, further rules and procedures on their implementation have not yet been clearly prescribed, so for the time being implementation has largely been left to the discretion of the responsible authorities. Subordinate regulations are in the pipeline to supplement the cyber statutes. For example, under the Personal Data Protection Act, guidelines on the minimum security measures that a data controller must implement in its business, as well as rules on cross-border data transfers, will be published by the Personal Data Protection Committee. Under the Cybersecurity Act, the scope of each cyber threat level and the response plan required of critical information infrastructure entities for each level will be prescribed by the National Cybersecurity Committee in the future.
As the prescriptions of the responsible authorities will likely affect the operation of businesses in several sectors (eg, banking, information technology, telecommunications, transportation), affected companies would be well advised to follow up regularly on the forthcoming prescriptions, in order to ensure compliance with legal requirements and avoid the imposition of penalties.
7 Tips and traps
7.1 What are the top three cyber-related problems or challenges that companies face in trying to secure their networks and data assets, and what are the best ways to address them?
We believe that the top three cyber-related problems or challenges in Thailand are as follows.
Implementation of the Personal Data Protection Act: Companies that are data controllers were given only a one-year grace period – from the date of first publication until the effective date of the Personal Data Protection Act, on 27 May 2020 – to establish or revise their privacy policies and internal systems to comply with the act's requirements. However, these requirements remain unclear, as no further details on the implementation of the cyber statutes have been issued. Companies must therefore spend time and effort monitoring forthcoming privacy requirements, which will be further prescribed under the Personal Data Protection Act in the future (although no specific timelines have been indicated in this regard). Therefore, any privacy policies and internal systems that have already been adopted will be subject to further revision as and when such requirements are updated – a process which will doubtless be time consuming and cost intensive, and which may affect the operation of their businesses. Failure to comply with such requirements (either intentionally or through negligence) may also result in the imposition of penalties such as imprisonment or fines under the act.
With regard to the implementation of the Personal Data Protection Act, therefore, companies should regularly follow up on all future requirements introduced in relation to personal data protection. A preliminary meeting with the Personal Data Protection Committee at the Ministry of Digital Economy and Society should also be considered, to gain a better understanding of the implementation of the act and guidelines.
Lack of security awareness: The introduction of new technology (eg, smart devices, electronic payment systems, robots, embedded Internet of Things technology, big data, analytics) in businesses within a short timeframe may present major cybersecurity challenges, especially for small companies. Such companies may lack the appropriate security measures and skilled professionals to handle their new technologies, and may underestimate the risk of being targeted by cyber-attacks due to the size of their businesses. According to the Electronic Transactions Development Agency, about 87% of companies in 2015 experienced data or monetary loss due to cyber-attacks, which can debilitate companies' business security and erode customer trust.
Companies should therefore take cybersecurity into consideration at all stages of their organisational planning, software design and network set-up. Companies, as well as their responsible personnel, must identify and examine potential cyber incidents that may affect their businesses. Appropriate and effective security measures – specified either by the companies themselves or by the cyber statutes – must then be implemented, to prevent and mitigate such incidents, and support the technology transformation of such businesses.
Cloud computing attacks: The increased use of cloud computing is resulting in the increased involvement of both national and international third-party vendors of software and services. In this regard, company data – including that of their customers – may be at risk of unauthorised use, access and disclosure.
Companies should address this risk by strengthening their internal security measures and authentication procedures, and by limiting the number of personnel who can access data. In agreements with third-party vendors, companies must ensure that the vendors' security measures meet at least the standards the company applies in its own business, including any applicable legal requirements.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.