Questioning the answers

The contentious bills on data protection and cybersecurity have sparked fears of concentrated power and conflicts of interest

The ETDA says the Cybersecurity Act will be submitted for cabinet consideration by the end of this month. Thanarak Khunton

Two proposed tech-related laws on data protection and cybersecurity are to be endorsed soon and have raised concerns about power being concentrated in an agency and a secretary.

The data protection bill has been revised to replicate many concepts and obligations that are common across global data protection laws, in particular the EU's General Data Protection Regulation (GDPR).

A public hearing on Sept 11 aired concerns that the data protection bill fails to meet GDPR standards and could cause Thailand not to be classified as a "white list country".

Sutee Tuvirat, a committee member of the Thailand Information Security Association (TISA), said his group has doubts about good governance in the regulations and enforcement mechanisms of the Data Protection Agency.

The bill states that the agency is a government body acting as juristic person, not a public agency. It would monopolise data protection operations and handle policymaking, training courses, monitoring and assessment of operations (Section 43).

The Data Protection Agency can hold a stake in or form joint ventures with private-sector actors (Section 44), and the agency can keep revenue without contributing it to the state (Section 45).

Section 88, meanwhile, states that the authority of administrative penalties belongs to the secretary, who also has discretion to issue warnings.

"That means the Data Protection Agency and the secretary become a superpower and monopolise all the data protection operations in Thailand, including making policy, issuing the law, promoting, supporting, as well as enforcing the law," Mr Sutee said.

Importantly, revenue earned by administrative penalties is considered revenue of the agency that need not be contributed to the Finance Ministry.

According to the bill, the Data Protection Committee encompasses a chairman, a vice-chairman (the permanent secretary of the Digital Economy and Society (DE) Ministry) and 14 committee members.

In the temporary provision of the bill, it states that the director of the Electronic Transactions Development Agency (ETDA) acts on behalf of the committee.

Section 90 also states that while the Data Protection Agency is assembled, the ETDA can be a temporary agency. Section 91 states that if the secretary of the Data Protection Agency has yet to be appointed, the ETDA director can act as temporary secretary.

Submission to NLA

After the draft bill was approved by the Council of State, it was forwarded to the cabinet and then to the National Legislative Assembly (NLA) for approval.

Prinya Hom-anek, a cybersecurity expert and chief executive of ACIS Professional Center, said the law is not practical in a real situation, noting that the Data Protection Committee and its agency serve as enforcers rather than regulators.

He said the data protection law should not impose jail sentences as criminal penalties in the event that a hacker attacks a service provider and data is leaked or stolen, provided the service provider made its best effort at protection under limited resources and capabilities.

In the case of an insider threat, whereby a former employee uses malicious code to steal data for sale to rival firms, criminal charges are appropriate, Mr Prinya said.

He said data protection is a new area and enforcement should have more of a grace period. As the ETDA prepares to establish the Data Protection Agency, it should have a time frame for transfer of authority.

Dhiraphol Suwanprateep, a partner at Baker McKenzie, said various sections of the bill adopt concepts from the EU's GDPR.

The bill should help align Thailand with certain international standards and ensure better protection of personal data, which is currently misused by some service providers, he said.

Thai businesses thus have a lot more to process and learn as compared with their EU counterparts. Furthermore, certain concepts, when put into practice, may be seen to create too big a burden for data controllers (e.g., in the case of data portability, as data controllers need to be able to transfer personal data to other data controllers, including their competitors).

Under the Thai bill, representatives of data controllers who are not established in Thailand will be subject to unlimited liability, which is not in alignment with GDPR concepts. Overseas data controllers will have a hard time locating representatives in Thailand.

Mr Dhiraphol said punitive damages have been introduced. The court is entitled to specify punitive damages of up to twice the amount of actual damages.

Penalties also include imprisonment. The magnitude of these penalties, particularly when considered in connection with class-action law and extraterritorial application, could bar investment for data analytics business in Thailand and undermine Thailand's digital economy policy.

A few months after the bill becomes effective, business executives could be subject to criminal penalties.

It is advisable for businesses to immediately familiarise themselves with the GDPR and case studies from the EU. This should help to prepare businesses for the Thai bill.

A grace period of 180 days does not give businesses ample time to comply with requirements under the bill, Mr Dhiraphol said, so it is imperative that businesses take as many proactive steps as possible to plan for compliance before the bill's enactment.

Paiboon Amornpinyokiat, founder of the P&P law firm, said 90% of the Data Protection Committee comes from appointments by the prime minister.

The penalties for violating the data protection law range from 1 million to 5 million baht, compared with 200,000 baht for attackers under the Computer Crime Act. The bill also applies "strict liability" rather than "proof of intention" to the defendant.

Abuse concerns

Mr Paiboon said no country in the world lets a single entity oversee digital identity, data protection and cybersecurity all together. His worry is that the Electronic Transactions Development Agency will become too powerful.

"All the new laws need a separation and balance of powers and consistency with each other for practical execution," Mr Paiboon said.

Mr Prinya said the cybersecurity bill as drafted lets the National Cybersecurity Agency serve as a juristic person earning service fees and revenue.

"It is very much a conflict of interest," he said. "How can a regulator be a service operator?"

Moreover, the law would let the National Cybersecurity Agency access other systems in the event of a national security emergency without a court warrant.

Mr Dhiraphol said any cybersecurity law should avoid adopting provisions that would empower officials to access the information and facilities of private agencies without a court order, even in emergency situations, as this would permit such officials to abuse their powers.

DE Minister Pichet Durongkaveroj has said the government will not allow the regulator to be an operator, as this would obviously represent a conflict of interest. The plan is for the ETDA to help establish the National Cybersecurity Agency within 180 days, after which time authority will be transferred to the new agency.

Permanent secretary Ajarin Pattanapanchai said the DE Ministry will open a public hearing on the cybersecurity bill after vetting by the Council of State and the NLA.

The bill is to be submitted for cabinet consideration by the end of this month, said ETDA chief executive Surangkana Wayuparb.

Critics say the Data Protection Bill fails to meet GDPR standards established by the EU. APICHIT JINAKUL
