Bangkok city skyline downtown and clouds at sunset showing impact of new Thailand cybersecurity law
Does the New Thailand Cybersecurity Law Go Too Far?

Does the New Thailand Cybersecurity Law Go Too Far?

A new Thailand cybersecurity law went into effect recently, and is controversial more for what it doesn’t specify than what it does. As it is worded, it appears to give the Thai government very broad powers to monitor internet use, censor content and even seize property without court orders. Declaring a “national emergency” is considered enough due process to do these things according to this cybersecurity bill.

The new law follows a pattern of highly restrictive internet policies across the countries of Southeast Asia. The wording of the Cyber Security Act initially appears more reactive than the aggressive political censorship policies of neighbors such as Vietnam and Malaysia, with few specific off-limits subjects or activities named. The government’s established history in this area gives critics reason to believe that the new Thailand cybersecurity law could end up being used as a tool of repression, however.

Unique Thai law

The foreign perception of Thailand has typically been that it is a friendly and welcoming place with an established tradition of democratic government. However, the country has had some of the world’s strongest (and most vigorously enforced) “lèse majesté” laws on its books since 1908. Though the Thai monarchy has played only a symbolic role in governance for decades, any criticism of it can bring years of imprisonment.

The country has typically experienced “scope creep” of these laws to cover subjects tangentially related to the monarchy at times, and even to government figures that are not part of the monarchy. The Thai courts have established that a claim of defamation is sufficient for sentencing without having to prove intent.

At the moment, Thailand is ruled by a military junta that took power in a 2014 coup through the National Legislative Assembly. Elections are currently slated for March 24, but have been scheduled and then postponed by the junta several times previously. The junta has been unusually harsh about prosecuting lèse majesté cases, allowing them to be handled by a military court and conducting some in secret trials. Device seizure has also been common in these cases, with the government claiming they need to be searched for evidence. And in 2017 the junta decreed that simply viewing materials critical of the monarchy is a crime, and banners in the cities warn that “liking” or sharing a social media story is grounds for imprisonment.

Troubling precedents

The Thai government takes these defamation cases seriously, sometimes to the point of absurdity. An “Office of Prevention and Suppression of Information Technology Crimes” maintains a “war room” appointed to continually monitor online traffic for any potentially relevant disparaging comments, and blocks access to tens of thousands of sites. This extends beyond national borders – the country has shown a willingness to blacklist foreigners and ambush them with arrests and lengthy prison sentences upon arrival.

Such was the case of Harry Nicolaides, an Australian citizen who self-published a novel in 2005 that contained a single paragraph discussing the romantic life of a fictional Thai prince. Though the novel sold a mere seven copies, the Thai government was waiting for Nicolaides when he arrived at Bangkok’s airport in 2008 on a transfer to a flight to Australia. He was sentenced to the minimum of three years in prison, though was pardoned after serving one month. Amnesty International considers anyone being held due to Thai lèse majesté law violations to be a political prisoner.

News reporting on factual matters that cast the Thai government in a negative light have also gotten journalists in trouble in the country a number of times. For example, ABC’s entire Bangkok bureau was banned from the country in 2010 for reporting on military crackdowns on protests that resulted in deaths.

Public response to the Thailand cybersecurity law

Given all of this, there is legitimate basis for concern about how this vaguely-worded Thailand cybersecurity law will be applied. Much will depend on the elections going forward as planned in March and their results. However, as long as the military junta holds power this supposed cybersecurity act would appear to be a means to simply further consolidate that power and crack down on dissidents under the ruse of national security concerns.

Concerns about the new Thailand cybersecurity law extend beyond political and freedom of speech issues. Companies have legitimate reason to worry that the government will have unfettered sweeping access to any data stored in or passing through the country. The Asia Internet Coalition, a regional lobbying group composed of tech heavyweights such as Apple and Google, released a statement to this effect criticizing the controversial cybersecurity policy.

The new Thailand cybersecurity law also gives the Secretary-General of the National Cybersecurity Committee the power to enter premises and seize hardware from any company without a court order simply by declaring that there is a “severe cyber threat.” Companies that have a physical presence in Thailand could thus face unexpected and rather sudden disruptions. Management and ownership figures are also subject to potential jail time for non-compliance.

Companies doing business in Thailand may now be facing a regulatory and compliance nightmare similar to the ones seen in China, under its similarly broad and vaguely-worded Cyber Security Law that was passed in 2017. Common issues there include intrusive on-site inspections, government seizure of sensitive customer data and intellectual property, and continual screening of data and company materials to ensure they do not run afoul of the government’s censorship policies. Some companies also face potential public relations issues outside of Thailand for willingly complying with such onerous and politically charged laws.

The new Thailand cybersecurity law also has a component called the Personal Data Protection Act, which is something of a GDPR-lite measure. This will go into effect in March of 2020 and will not require companies doing business in Thailand to store customer data locally, but will subject all such data to similar personal information handling and security regulations.

Moving forward

Right now, concern about the application of the new Thailand cybersecurity law is speculative. There is very good reason for concerned speculation, however, judging by both recent Thai government history and patterns across Southeast Asia as a whole. Companies doing business in the country will at minimum need to account for the new data protection terms coming online in 2020, but may also face significant and immediate added compliance costs and public relations challenges.