|
|
| • EXCH RATES |
|
Baht/$ 33.60/68 (Bid/Ask)
|
GOLD |
13,350
+ 300
|
|
CORPORATE COUNSELLOR
TILLEKE & GIBBINS
On July 19, 2007, Thailand's new Computer Crimes Act (CCA) took effect. CCA Section 26 made data retention mandatory for all service providers, who would be required to keep records of their users' e-mail, chat, internet usage and personal identification for a minimum of 90 days. The details of this mandatory data retention were left to the Information and Communication Technology (ICT) Ministry.
On Aug 23, 2007, the ICT Ministry issued a Notification detailing the data records to be retained as well as explaining which service providers are affected. The requirements will become universally effective on Aug 24, 2008.
Under the CCA, Section 3 and the Notification, a service provider is defined as either (a) a person who provides internet access or computer communications to other persons, or (b) a person who provides data storage services to another person.
At first blush, the definition of service provider appears intended to apply to operators of internet or e-mail services to third parties. However, the ministry is taking a very broad interpretation of the phrase "other persons" to include services rendered by an operator to its own staff/representatives.
Based on such interpretation, the ministry is stating that all entities within Thailand that offer internet access, computer communication, or data storage to their staff fall within the CCA's data retention requirements. This is to say that nearly any party that uses a computer is required to log all data traffic and maintain personal data identifying users for 90 days or be subject to a criminal fine of up to 500,000 baht. Yet there is no similar requirement under Thai law for private operators to maintain logs of telephone or facsimile usage.
Due to the ministry's expanded interpretation of service providers, many people may still believe that the data retention requirements apply only to public service providers. This may prove to be a costly error.
Section 29 of the Constitution requires that any newly enacted laws that restrict the rights and liberties of persons must be of general application and contain a reference to the relevant provision of the Constitution. By way of example, the recently enacted Life Insurance Act No. 2 (2008) clearly provides in its introduction that it limits personal rights and freedoms allowed by Sections 29, 34, 41, 43 and 45 of the Constitution of Thailand. The CCA has no such provision.
In the Constitution Court Ruling No. 13-14/2541 (1998), a proposed draft of the State Enterprises Labour Relations Act was determined to be invalid because it failed to provide a similar reference in limiting personal rights protected by the Constitution. Here, a legal question exists whether the CCA also limits the privacy rights of persons under the Constitution. However, the broad interpretation assigned to it by the ICT Ministry makes the potential intrusion into personal privacy significant and thus more likely to be subject to allegations of being unconstitutional.
Under US, UK and EU laws, there is no enforcement of data retention to the extent suggested by the ICT Ministry's new Notification. Current US law only provides for data preservation as opposed to data retention. This means that ISPs need only preserve data once they have been formally requested to do so by government enforcement authorities in a particular investigation. The US has no universal requirement for all operators to maintain such records. Attempts to introduce mandatory data retention laws in the US have been opposed by public advocates who fear government invasion of privacy.
Even under EU and UK laws where data retention is mandated, such laws are limited to public service providers only, i.e. entities that provide services to the general public, and not to every entity that uses the internet or provides e-mail in its business operations.
It is also noteworthy that the CCA provides expressly in Section 17 that the law has extraterritorial application to (a) any Thai citizen operating outside Thailand, and (b) any non-Thai citizen who operates outside of Thailand but whose conduct affects either the Thai government or any person within Thailand. By implication therefore, even foreign operators that are subject to the CCA by virtue of its extraterritorial application are equally liable to the ICT Ministry's expansive data retention requirements.
In sum, if the ministry enforces the data retention requirements as it intends, Thailand will have one of the most expansive mandatory data retention requirements in the entire world.
Written by John Fotiadis, Consultant, and Yingyong Karnchanapayap, Attorney, Commercial Department, Tilleke & Gibbins International Ltd. Please send comments or suggestions to Marilyn Tinnakul at marilyn.t@tillekeandgibbins.com
Prev
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
Next
