Thailand - Updates On The Thai Cybersecurity Bill, The Draft Amendment To The Electronic Transaction Act And The Digital ID Bill.
25 October, 2018
The Ministry of Digital Economy and Society (MDES) has been quite active throughout 2018, having already passed several laws under the digital economy initiatives. While much attention was focused on the Personal Data Protection Bill, MDES has been similarly committed to advancing other relevant draft laws.
We discuss below three relevant bills/amendments that are currently in the pipeline:
Cybersecurity Bill
As a recap, the Cybersecurity Bill was approved in principle by the Cabinet in 2015, then revised and presented for public hearing in March 2018. Having since been reviewed and revised by the Council of State, the Bill is now open for another public hearing which is scheduled from 27 September to 12 October 2018.
The current Bill introduces the following concepts:
1. Obligations on critical information infrastructure entities
Certain types of public or private organizations which undertake tasks or provide services in the following areas could be deemed a "critical information infrastructure entity," which would be subject to specific obligations under the Bill:
- National security;
- Material public service;
- Banking and finance;
- Information technology and telecommunications;
- Transportation and logistics;
- Energy and public utilities;
- Public health;
- Others as prescribed by the National Cybersecurity Committee (NCSC).
Obligations of a "critical information infrastructure entity" include providing a cybersecurity risk assessment plan, setting in place an internal cybersecurity guideline according to the policy and action plan issued by the NCSC, providing information regarding the design and configuration of its information infrastructure or any systems connected to such information infrastructure, providing information on infrastructure operations, providing any other information the NCSC deems necessary for the purpose of maintaining cybersecurity, and notifying the NCSC when any cyber threats occur.
2. Authorized request and access to information and facilities of private entities in the event of cyber threats
In the event of a "cyber threat" or potential occurrence of a "cyber threat" as defined under the Bill, private entities may be subject to the authority of authorized officials. For the purpose of gathering information, analyzing the situation, and assessing the effect of a cyber threat, such officials are authorized to issue a request for a person to provide relevant information, to request certain information, documents, or copies of information or documents which are in the possession of others, and to access premises with the permission of the property possessor. The person providing the information to authorized officials, if doing so in good faith, shall be protected and not be liable in tort or for breach of any contractual obligations.
In cases where a cyber threat is deemed "severe" in accordance with the criteria under the Bill, the Bill grants additional authority to the Secretary-General of the NCSC for the purpose of preventing or decreasing the risk of such threat. For example, the Secretary-General has the authority to order a computer owner, possessor, or user to take measures to rectify a cyber threat or to terminate the use of a computer or computer system. The Secretary-General also has the authority to command competent officials to enter premises, access and make copies of data systems, and confiscate any computers or any other devices for a period not exceeding 30 days without having to obtain a court order.
Non-compliance with certain obligations under the Bill may result in a fine or imprisonment, or both. The Bill also prescribes that directors, managers, or any person responsible for the operation of a juristic person which violates certain provisions may also face the same criminal penalty.
It should be highlighted that the judicial oversight requirements have been removed in this version of the Bill. The previously proposed requirement to obtain a court order in order to access the information and equipment of other persons has also been removed.
The defined terms under the Bill, such as "cybersecurity," "cyber threat," and "information asset" have very broad definitions. Private entities should carefully assess the scope of power and various obligations prescribed in the Bill.
Draft Amendment to the Electronic Transaction Act
Following the first public hearing held in July 2018, the Ministry of Digital Economy and Society (MDES) has further amended and published an updated Draft Amendment to the Electronic Transaction Act (ETA) (Draft Amendment), which has been reviewed by the Council of State. The public hearing for this Draft Amendment was held from 5 to 20 September 2018.
Key amendments under this Draft Amendment are as follows:
1. More flexible requirements for an e-signature
Under the current ETA, it is difficult in practice to prove the criteria for an e-signature. The Draft Amendment deems an e-signature valid and acceptable if the procedure used to collect the signature can identify the signature owner and demonstrate his or her intention with respect to the message in electronic data. The language of this revision more closely reflects current practice.
2. Explicit recognition of contracts concluded via an automated system
The Draft Amendment defines "automatic electronic data exchange system" ("AEDES") as computer programs, electronic methods, or other automatic methods used for creating actions or responses to electronic data, or any operation on data, wholly or partly, without a natural person's review of, or interference in, each action or response. The Draft Amendment recognizes the validity of electronic transactions initiated through AEDES, and also provides a mechanism to protect natural persons from being bound by an automated transaction in the case of a data error sent via a third-party AEDES. Therefore, the Draft Amendment should provide greater legal certainty for operators of e-service businesses in Thailand.
3. Broader grounds to regulate operation of e-service businesses and business presence requirements removed
The broader grounds to regulate operation of e-service businesses and the business presence requirements, which were earlier proposed in the July draft amendment, have been removed from this Draft Amendment.
Following the public hearing, the Cybersecurity Bill and the Draft Amendment to the ETA will be further revised by the MDES and submitted to the Cabinet. Once the Cabinet approves them, they will be forwarded to the National Legislative Assembly for endorsement and further processing before being enacted as binding law.
Digital ID Bill
On 11 September 2018, the Proofing and Authentication of Digital Identity Bill (Digital ID Bill) was approved in principle by the Cabinet of Thailand.
The Bill establishes the digital ID system, a secure and trusted system through which its members can electronically identify and authenticate end users of their services, by relying on the KYC results of those end users held by another member of the system. Essentially, the digital ID system provides a route of communication between members in a way that can eliminate the need to repeatedly undertake traditional KYCs.
The Digital ID System is not mandatory, and other means for conducting identity proofing and authentication are not prohibited by this Bill. However, members of the Digital ID System would enjoy certain legal benefits, such as the fact that proofing and authentication conducted in accordance with the Bill would be deemed valid and legally enforceable, and in the case of a dispute, such proofing and authentication would be admissible in court as evidence.
Digital ID service providers are subject to license and foreign ownership requirements.
For further information, please contact:
Dhiraphol Suwanprateep, Partner, Baker McKenzie