After the Cybersecurity Bill (Bill) was approved "in principle" by the Cabinet in 2015, the Bill was revised by the Ministry of Digital Economy and Society (MDES) and presented for public hearing in March 2018. The Bill provides criteria for maintaining national security, military security, domestic peace, and economic security in the cyber environment, establishes the National Cybersecurity Committee (NCSC) to deal with cyber attacks in Thailand, and prescribes penalties for non-compliance.
In the absence of a cybersecurity law in Thailand, the Office of Prime Minister Regulation Regarding the National Cybersecurity Preparation Committee B.E. 2560 (2017) was issued to prepare the necessary infrastructure for the development of cybersecurity. Once the Bill becomes effective, this temporary regulation will be automatically repealed.
Key issues under the Bill include:
Broad definition of cybersecurity
Under this Bill, "cybersecurity" is defined as "measures and actions [that are implemented] to protect, prevent, promote in order to handle and solve any cyber attack incidents, particularly those which concern the provision of computer networking service, internet service, telecommunications networking service, satellite services, public infrastructure services, and other important public services, which are networks at national level, for the purpose of prevention of any impact to national security, military security, domestic peace, and economic security."
This definition is very broad. It could be interpreted to mean that any cyber attack against a computer network, computer system, or computer data deemed to affect national security, military security, domestic peace, and economic security (regardless of the scale of the attack or its level of impact) would be subject to this Bill. If this is the case, the Bill is likely to overlap with the Computer Crime Act B.E. 2550 (2007), which covers prohibited acts including hacking and cyber attacks. Therefore, the types or "levels" of cyber threats or attacks that will fall under the scope of the Bill remain unclear. The interpretation will also rely on the discretion of the relevant government authorities empowered under the Bill.
Any private organization is subject to the Bill
Under this Bill, a "private organization" is defined as "an organization established by an assembly of individuals or a juristic body to run a business, whether for-profit or non-profit, and whether registered as a juristic person/entity or not."
In short, every company, branch, or non-profit organization is subject to the Bill, regardless of whether such organization receives any revenue and irrespective of whether it is registered with the Thai government.
There are various scenarios in which authorities are empowered to order a private organization to take or refrain from any action, to access information and facilities of a private organization, to order a private organization to provide information, personnel assistance, or electronic equipment, to access communication data of a private organization, and/or to summon persons, documents, or evidence, with or without a court order, depending on the circumstances.
While revisions to earlier versions of the Bill have resulted in the inclusion of requirements to obtain a court order before government authorities can exercise their rights against the private sector, there are still circumstances in which the relevant government authorities are authorized under the Bill to exercise their powers without a court order. For example, no court order is needed: (1) to order a private organization to take any action to prevent, rectify, or mitigate damage that arose or may arise from a cyber attack which threatens national security; or (2) to access communication data of a private organization in the event of an emergency.
Non-compliance could result in criminal penalties under the Bill, as well as penalties under other laws
If a private organization fails to comply with the Bill, it could be subject to a fine, imprisonment, or both. Non-compliance with the Bill could also result in additional penalties prescribed by other laws under which such non-compliance also constitutes an offense.
The Bill empowers various authorities (i.e., the Minister of the MDES, the NCSC, the Office of the NCSC, the competent officer(s) specified in the Bill, and other relevant government authorities) to request the cooperation of, or give an order to, a private organization. This could create overlapping power and result in command conflicts in handling a cyber attack which requires a fast and solid response. The Bill should grant power to Thai authorities to act proportionately in response to a particular threat, and to act after having weighed the threat against the individual right to privacy.
After the public hearing process is complete, the Bill will be forwarded to the Cabinet for approval before its submission to the National Legislative Assembly (NLA) for further consideration. Once the NLA endorses the draft law, it will be sent to His Majesty the King for final approval before being published in the Government Gazette.