Data law draft raises fears over user privacy | Bangkok Post: tech

Law experts have raised criticisms of Thailand's Data Protection Law draft, saying that there are several issues requiring amendment, especially concerns over abuse of power.

As it stands, the draft does not allow for citizens to sue the Government, and critics also contend that the data privacy committee should be an independent body, not comprised of members of Government authorities.

Thailand is in the final stages of consultation on its draft privacy legislation which has already approved by the Council of State and is being processed to the congress. Also, as an Asean member country, Thailand shares a commitment to harmonise its data protection laws by 2015.

Dhiraphol Suwanprateep, partner at Baker & McKenzie, said Section 5 (2) of the draft makes exception in cases that collect data for personal use, but there is a need to seek approval from data owners when collecting data and to inform them of the purpose of usage.

Furthermore, the law should ensure that data is collected in an appropriate manner, otherwise it would be inadmissible as evidence in court.

However, while there may still be some concerns over this law, it is still necessary as there are numerous data privacy threats in existence, such as the sale of personal information to businesses or criminals.

But the harmonisation of the law is essential for international business, as multinational companies would be unlikely to send transfer data if the destination country does not have equal privacy standards to their own. This would result in Thailand losing business opportunities in business process outsourcing.

Citizens versus Government

Paiboon Amonpinyokeat, founder of the Bangkok-based P&P Law Firm, said there are many concerns with this draft, especially as it does not allow citizens to sue the Government if their privacy is violated.

Paiboon compared this with the UK, US and EU laws, which allow citizens to take legal action if Governments use, reveal or amend their data without permission.

Section 5 of the draft indicates that the law does not cover the Government under the Official Information Act (OIA), which might cover inappropriate use of personal data. This, he said, is contrary to international standards.

In addition, the draft also indicates exceptions for individuals or commercial businesses to collect data for private use or internal business use only. This also contrasts with international principle. And there is no enforcement in the case that violate the Code of Ethics, which also differs from international law.

The law concept refers to other countries' laws, such as PIPEDA (Personal Information Protection and Electronic Document Act) from Canada.

Paiboon suggests that the Government should consider following the model of the UK's Data Protection Act of 1998 or The First Amendment of the USA.

The UK's model covers data privacy from all angles, ranging from daily life to business and Internet use, for example protection from spammers.

Call for independent committee

Paiboon continued that in principle, the data privacy committee should be independent and separate from Government control, as Section 7 of the draft allows the Prime Minister to regulate the committee.

Furthermore, it is suggested that committee members should comprise of law and judgement figures or members of the Office of the Attorney General, and representative from the Human Rights Commission contend this help to protect the abuse of power.

Dhiraphol added that the data privacy committee should be comprised of independent representatives to protect against government abuse of power and help them to use personal data more easily and legally.

This is similar to the view expressed by Sawatree Suksri, of the Criminal Information Law Faculty of Thammasat University, who hosted a seminar titled "Online Watching: What is Random, Who is at Risk?" in conjunction with iLaw and ThaiNetizen.

The concern is that a data privacy committee dominated by Government representatives would focus more on control than protection.

Paiboon continued that, according to Section 19 (4), there can be exceptions to the requirement to secure approval from the data owner to allow for the investigation of a crime. The same section (6), also empowers the data protection committee to announce exceptions in cases when a business cannot audit its data usage.

Section 25-30 relates to further exceptions but Paiboon warns against granting powers that are too broad to the data protection committee in case they are used in an inappropriate manner or result in abuse of power.

Moreover, the power of the data privacy committee in the enforcement of fines or other legal action, as in Section 53 , under normal practice would only be ruled by the court.

Paiboon also raised concerns over problems with the enforcement of this law, because normally other data privacy laws do not allow for the signing of contract agreements, but Section 16 of this draft makes exceptions to this.

Section 30 mentions a "wide range" for Cross Border Data Transfer, but under normal practice this range should be more clearly defined in terms of minimum measurements of data that can be revealed and what can be transmitted on the Internet.

Sniffer increases privacy awareness

Sawatree continued that the ICT ministry plans to use Sniffer to help reduce Internet piracy by identifying suspects through data-interception techniques; although this brings with it worries about the violation of Internet privacy for ordinary users.

There are already many existing threats to data privacy, such as cookies, web trackers, viruses, and so on.

"The important thing is that Thai people are still not aware of how important data privacy is, because when it is compromised, it is not a tangible event like when someone breaks into your house or opens the door without your permission."

Sawatree added that with current overwhelming amounts of data transfer, it is perhaps inevitable that users expose themselves to privacy risks. This can be difficult to control but users should never be complacent because there is a black market to sell personal data.

Unfortunately, Thailand still does not have a data privacy law which at the same time protects against Government abuse of power. A balance needs to be found between identifying threats and intervening against them, while at the same time continuing to protect data privacy.

Raise concerns with Human Rights

Sarinee Achavanuntakul, a Thai-Netizen committee member, said the group will co-ordinate with iLaw to discuss their concerns with National Human Rights Commission of Thailand about the data privacy act draft. Their aim is to create a more independent data privacy committee.

Sarinee says that if there is to be exceptions in this law for national security issues, the Government should clearly define its data-interception policy and clarify which Government agencies are allowed to intervene.

Thongchai Sangsiri, Director, Center for Computer Forensics at the Information Communication Technology ministry, said the in the same seminar that normally, the data privacy law will be issued before the Computer-related Crime Act.

However, in Thailand, the Computer-related Crime Act does not cover enforcement so as not to violate personal data online.

He added: "There is no concrete plan to use Sniffer right now. Only Internet service providers keep log files, as directed by the Computer-related Crime Act."

Surpasorn Rungrojwutikul, Legal Manager at True Corporation, said the National Telecommunication Commission (NTC) licence illustrates the role of the service provider in protecting personal data.

"Currently, when the Government needs us to co-operate in blocking or closing a website, or when it needs the IP address of a user, we will wait for a court order to take action,"she said.