The case of the missing data privacy law | Bangkok Post: tech

OPEN Thought

The problem with the computer crime law is not the law itself, but the fact that it was designed as a pair of laws and the thrust of criticism levelled at the law today is really a reflection of the missing data privacy law that was drafted alongside it - the yin to the cyber crime law's yang.

Back in February 2007, I interviewed Nectec deputy director Dr Chadamas Thuvasethakul, who back then had been working on these laws for over 12 years. Back in 1995, the National IT committee set up a committee to draft a series of IT laws. Nectec was the secretariat. By 1998, the committee had identified six urgent cyber laws which were put to the Cabinet of Ministers.

These were electronic transaction law, electronic signatures, data privacy, electronic funds protection, national IT infrastructure and computer crime.

Dr Chadamas said that the intention was to enact a balance of laws to help promote the use of ICT and enable e-Commerce and at the same time enact laws to prevent cyber crime.

The first law to be passed was the electronic transaction law in December 2001.

However, things got bogged down in 2002 when the government decided to focus on civil service reform and, among other things, set up the Ministry of ICT.

My own opinion was that the establishment of the MICT meant the jockey in the driver's seat who had been working on the laws seven years suddenly changed, from Nectec to MICT, and the new hosts had neither the technical knowledge nor conviction to get the laws passed in the way they originally envisioned. There was a lot of tinkering and debate, but it lacked the original Nectec vision.

Later, Dr Rom Hiranpruk, then director of Software Park Thailand, also pointed out the analogy that the Computer Misuse Act was the weapon, but it was the long-forgotten data privacy law that was the shield to protect innocents that was designed along with it.

Back in 2007, the data privacy law was stuck on structural matters. The government could not decide whether the Data Privacy Office, the agency that would oversee the data privacy law, should be an autonomous agency, a part of MICT or a body reporting to the Prime Minister's Office.

Three years later, everyone seems to have forgotten about the data privacy law.

Last week, my piece was on censorship versus freedom of speech in commiseration of the third anniversary of the Computer Misuse Act. What felt painfully obvious to me, but not to any of the distinguished speakers that day, was that many, if not all, of the concerns raised that day could have and should have been addressed in the missing laws to differing degrees.

Many speakers said that the way social media turns idle gossip into publications that are shared all over the world and thus repressing the Internet of ideas becomes an act of repressing freedom of speech. What was freedom of speech, what was libel and slander on the Internet? These questions were being asked, but ultimately, it was a question of what was public and what was private.

A law designed to protect private data would have to set out the definitions of what types of data are out there first. Such a definition - a data dictionary of sorts - would have helped the conversation speed along.

Indeed, would many of the prosecutions currently under way under the Computer Misuse Act be possible if we had a law controlling the capture of screenshots and logs by third parties to whistleblow in the name of, well, that two-letter acronym that had better be left unsaid.

Many complained that the Computer Misuse Act was only used by politicians to persecute those of differing views and was not used to protect. Well, perhaps if we had a Data Privacy Office, we would have a Data Privacy Commission who would be the ones filing lawsuits to protect infringements of privacy and theft of information.

Or take another more recent example, the line of thought that the BlackBerry is a threat to national security because of its watertight encryption and routing of data through data centres in Canada, safely out of Thai jurisdiction.

On the one hand, we have the MICT trying to repress IT contriving with an NTC, which seems to be playing a strangely illogical patriotic tune. But where is the Data Privacy Commissioner to argue that privacy is a right, that encryption is not a crime and perhaps even setting guidelines on anonymity as a right (which would relate to BlackBerry, Skype and other overseas-hosted communication networks).

But perhaps the best example of how this unfinished business is hurting the country is the continued saga of TOT and CAT. Is the role of these state enterprises to be back haul? To invest in and provide unlit fibre infrastructure and passive? Or can they fully compete with the private sector right up to wholesale (and even retail) and bring in a lot of money to the state?

Another related question is the proposed rule to have 3G operators provide free broadband to schools. Where is the holistic picture on how we are going to get schools connected? On the one hand, forcing 3G bidders to give it might sound nice, but do not forget that the 2.6GHz WiMAX or TD-LTE bid will also focus schools in its initial push. Forcing it out of the 3G operators almost immediately destroys the raison d'etre of the mobile wireless broadband reverse auction.

The answer to both those questions would be the missing national information infrastructure law. Having a law and a commission associated with it to define the information infrastructure needs of the country would see the commission help decide on what the role of CAT and ToT should be in the big scheme of things. A clear roadmap and an agency charged with making the roadmap into reality would also help the convoluted concession conversion roadmap that is proving a big headache for 2G operators today.

In too many ways, Thailand has failed to move on from the mid-90s. The merry-go-round at the MICT has not helped.

Some say Thailand is lost. I say we had a pretty good vision by the NITC and a decent draft map laid out back in 1997 by Nectec. The country is lost only because nobody bothered to complete the masterplan and fill in the details in the decade and a half since.