The new Computer Crime Act (CCA) could create a financial burden for small and medium-sized companies because the specific requirement for a longer period of online data storage will increase operating expenses, say law experts and leading internet service providers.
The law may also impede foreign investment in data centres and cloud-based services, due to stiffer punishments for breaking the law.
"We urge the new digital economy and society minister to remove the negative effects of the specific detail asking companies to keep a data log for online communications for up to two years," said Dhiraphol Suwanprateep, a partner in the intellectual property practice group of Baker & McKenzie.
He raised doubts about Section 26 of the CCA, which requires service providers to keep a data log for at least 180 days and, where necessary, up to two years.
If the notification under the section applies to small companies, it could create an onerous burden, Mr Dhiraphol said. Large service providers would be less affected because they have bigger and better data storage infrastructure.
Section 15 of the CCA also asks service providers to assume responsibility in instances where they fail to remove inappropriate content within a specified time after receiving a notice from the courts.
In addition, data centres and cloud service providers could also face criminal charges under the CCA, he said.
"If there is this kind of legal restriction, it will block foreign service providers from doing business in Thailand and have a negative impact on Thailand's digital economy and the government's goal to promote the Kingdom as an IT hub in Asean," Mr Dhiraphol said.
Anant Kaewruamvong, president of the Thai Internet Service Provider Association, said his group is less worried about the bill, as the two-year data storage requirement will be imposed on a case-by-case basis, not in general.
Regarding people's privacy and rights concerning personal information, he said a computer data screening committee will be established, comprising nine qualified persons to investigate inappropriate content before submitting the details to the court.
Under the previous bill, state officials and the Ministry of Information and Communication Technology (which has been replaced by the Digital Economy and Society Ministry) were responsible for content blocking before submitting details to the court, without middlemen involved.
"Having outsiders will create a more transparent work process," Mr Anant said.
Somkiat Tangkitvanich, president of the Thailand Development Research Institute, said the bill contained better conditions than the previous one in terms of broader protection for internet users with respect to cyberthreats and spam emails.
But there are concerns about Section 20 in terms of the nine-member committee that will be set up to screen computer information even if it does not violate any law but is considered a breach of public morals.
Mr Somkiat said the "public morals" wording is too broad and should be cut from the draft bill to make it more acceptable and encourage freedom of expression.
Paiboon Amornpinyokeat, an adviser to the CCA committee under the National Legislative Assembly, said the real intention of Section 26 of the draft bill asking service providers to keep data traffic logs for two years is specifically to manage the data traffic of international service providers such as Facebook and Line, which store their data traffic logs outside Thailand.
But the CCA is a Thai law and therefore will be difficult to enforce with international firms, he said.