The upgraded regulation for the required retention of computer traffic data or log files that reach out to social media has sparked concerns about freedom of expression as it can lead to the unveiling of the identity of users on the platforms.
However, the Digital Economy and Society (DES) Ministry, which enacted the regulation, indicated the move is needed as computer-related crimes have drastically changed over the past 10 years.
On Aug 13, the notification of the DES Ministry regarding criteria for the retention of computer traffic data by service providers was published in the Royal Gazette, effective the following day. It replaced the original notification that was issued in 2007.
The notification was formulated based on the Computer-Related Crime Act's Section 26, which concerns the obligations for service providers to keep computer traffic data. Any service providers who fail to comply with this section could face a fine not exceeding 500,000 baht.
This upgraded version adds two groups of operators who provide people with internet-based services that are obliged to keep log files.
The first group concerns computer software providers, artificial intelligence technology providers, communication-based apps and online app stores.
Examples of this group are App Store, Google Play, Clubhouse and Telegram, according to the notification.
Another group involves social media platforms, such as Facebook, YouTube, Instagram, LinkedIn, Line, MSN Messenger and WhatsApp, the notification indicates.
The original notification concerns only telecom and broadcast carriers, access service providers, hosting service providers and internet shops.
The new legislation is also applied to those who provide computer data retention services for others. They include content and application service providers, digital service providers and cloud service providers.
The notification obliges the service providers to have a proper identification verification system as well as a secure computer traffic data retention approach.
Service providers must keep computer traffic data for not less than 90 days from the date that data entered into computer system. If necessary, officials can order any service provider to maintain computer traffic data for another six months, which can be extendable for six months each time, up until two years.
The service providers are obliged to keep numerous kinds of computer traffic data, including ID of users, users' activities in the system, log-on and log-off, records of attempts to access the system as well as successful and unsuccessful data records, accessed files and kinds and transaction records done in apps.
FREEDOM OF EXPRESSION
Dhiraphol Suwanprateep, partner and head of technology, media and telecom industry group of law firm Baker & McKenzie, said this new regulation can help combat online fake news and misinformation as well as other illegal content such as defamation or hate speech.
This will make social media a safer place for the public in general, he said.
However, this new regulation may substantially diminish freedom of expression, he said.
"As this new regulation will enable the government authorities to identify the publisher and take action against them more easily, the public would be unable to freely express their opinion regarding the situation," said Mr Dhiraphol.
"The government may suppress the public expression by taking action against any person who posts online content that is deemed violating any laws including the Emergency Decree. This may include any news regarding the Covid-19 situation and the vaccination."
Additionally, this new regulation may affect the image of the platform business in Thailand as it will single out Thailand from most other countries.
"For foreign service providers, it is interesting to see whether they will fully comply with these obligations and some of these obligations may conflict with their current norms of practices," said Mr Dhiraphol.
CHANGE OF TECHNOLOGY
Putchapong Nodthaisong, deputy permanent secretary for the DES Ministry, defended the regulation.
"The move is done to handle the rapid change of technology development and covers more new types of service providers," he said.
The regulation is not intended to cause fear for opinion expression, he said.
"People can still criticise the government under the legal framework with fact as long as they do not defame or disseminate fake news," said Mr Putchapong.
Paiboon Amonpinyokeat, a legal expert on cyber laws, who also took part in the drafting of Computer-Related Crime Act, stressed the new regulation is not meant to enable abuse of power or unauthorised access to users' content or bypass the court order.
The regulation expands the scope of service providers who have to provide log files to authorities to track down computer criminals and support the government's digital tax scheme.
The regulation ensures the retention of log files from 90 days to two years that could be used to track down the suspects in the cases involving national security, terrorism and finance.
Additionally, service providers who outsource others to keep log files are required to copy these log files as well.
Morakot Kulthamyothin, president of the Thai Internet Service Provider Association, stressed the new regulation will not pose a major burden on existing internet service providers who have had to keep log files based on obligations in the Computer-Related Crime Act.
But they may have to keep the log files in some particular suspect cases for an extended period or up to two years. The data retention would enable officials to track down perpetrators easier.