Contributed By Formichella & Sritawat Attorneys at Law Co., Ltd.
In Thailand, the Notification of Electronic Transaction Commission on the Guideline for Using Cloud Computing (Notification) prescribes the minimum standard of protection relating to technical security, data management and data protection, etc. Under the Notification, cloud computing is defined as the provision of the following three types of service via computer and network:
Financial service operators such as banks, insurance companies, etc, are not subject to more significant restrictions than other business operators in this regard.
In addition to the minimum standard of protection and security levels prescribed in the Notification, cloud computing services may be regulated by the National Broadcasting and Telecommunications Commission (NBTC) if the telecommunication services are provided by a leased line network that connects users to a cloud computing system. Therefore, a cloud service operator shall be required to apply for a Type I Telecommunication Licence.
In addition to the above, cloud computing operators shall be regarded as service providers and regulated as such under the Notification of the Ministry of Digital Economy and Society on Criteria on Storing Computer Traffic Data of Service Providers (Computer Traffic Data Notification). Therefore, cloud computing service operators shall retain computer traffic data as prescribed in the Computer Traffic Data Notification, including user code, personally identifiable information, service access log, etc. The retention period of computer traffic data is at least 90 days from when such data is input into a computer system. However, the competent official may order a cloud computing service provider to extend the retention period up to two years in the following circumstances:
The collection, disclosure or utilisation of personal data via a cloud computing system shall be strictly subject to legal provisions under the Personal Data Protection Act, B.E. 2562 (2019) (PDPA), as described in detail in 6.1 Core Rules for Individual/Company Data.
Risk and Liability
Other than for its use in financial services, there is no specific law or regulation regarding blockchain in Thailand.
As blockchain technology is used to raise money via the issuance of digital assets (cryptocurrency, digital token, etc) that can be offered for sale to the public (initial coin offering, or ICO), ICOs are regulated under the Emergency Decree on Digital Asset Business B.E. 2561 (2018) (Emergency Decree) and controlled by the Securities and Exchange Commission (SEC). The Emergency Decree prescribes that SEC permission must be obtained before the issuance of an ICO to the public; otherwise, there shall be a penalty of imprisonment and/or a fine.
In addition, as blockchain contains computer data, the Computer Crimes Act B.E. 2560 (2017) as amended (CCA) shall apply. The CCA defines computer data as "Data, statements, or sets of instructions contained in a computer system, the output of which may be processed by a computer system including electronic data, according to the Electronic Transactions Acts."
Therefore, a blockchain operator is subject to the CCA, and the operation of the blockchain must not involve any of the following criminal offences:
There is no specific law or regulation on intellectual property infringement, specifically relating to blockchain. If a violation occurs on the blockchain, the liability and penalty shall be according to the general regulations regarding intellectual property (eg, Copyright Act, Patent Act, Trademark Act, etc). Therefore, for intellectual property matters, the laws relating to the specific intellectual property shall apply regardless of the platforms or technology involved. Even though there is no specific intellectual property law pertaining to blockchain, the Intellectual Property Court and its judges are undergoing constant education to learn and understand blockchain technology so that the current intellectual property laws can be effectively enforced.
If personal data is included in a blockchain, the PDPA shall be applied. For example, a blockchain operator, as a data controller, must comply with the following legal grounds for collecting, using or disclosing the personal data:
In addition, any cross-border transfer of the personal data shall be only permitted to destination countries or international organisations that have an adequate level of protection, as further prescribed by the Personal Data Protection Committee (PDPC), unless there is a legal ground to transfer such data (prior consent, public interest, etc).
There is no specific law or requirement regarding service levels on blockchain in Thailand. Therefore, the users and operators of the blockchain must rely on private contract terms and conditions regarding the services and their relevant service levels and applicable penalties and/or damages in case of failure to meet the service levels on the blockchain.
As blockchain technology is considered new in Thailand, there is no specific law or regulation governing jurisdictional issues on blockchain. Damaged parties who reside in Thailand, or who can prove that the offence was committed in Thailand, shall be entitled to rely on Thai laws and the available dispute resolution systems in Thailand, including Thai courts and/or arbitration centres. There may be issues relating to the proof of jurisdiction on the blockchain: not everyone has the resources to access the appropriate tools to obtain such evidence, and those who cannot may be unable to make use of Thai laws and its dispute resolution systems.
Thailand has no specific law or regulation relating to big data, machine learning or artificial intelligence, which are governed by general laws and regulations such as the Civil and Commercial Code, laws regarding intellectual property (eg, Copyright Act, Patent Act), the Computer Crimes Act, and likely the PDPA. This represents a challenge for those involved with these subject matters, as the general laws must be used and applied in a dispute.
Furthermore, Thai laws apply specific requirements – such as insurance, minimum capitalisations or individual licences – on the main business operation alone, without further considering the technology or platform with which the business operates. As a result, business operators are not subject to additional regulations, especially those relating to big data, machine learning or artificial intelligence. Personal data is the only current subject matter in Thailand that has obtained specific regulations (the PDPA), which will apply across all businesses as long as they involve the collection, disclosure and/or utilisation of personal data, although tremendous pushback from local business operators has resulted in delays to the enforcement date.
There are no particular restrictions that can affect a project's scope, unless such project involves telecommunication devices or certain illegal activities.
The Radio Communications Act (RCA) requires a business operator who performs transactions (such as producing, possessing, trading, importing and exporting) on radio communication equipment to obtain a licence from the NBTC before the commencement of such transaction. Such transactions must be reported to the NBTC or subject to an importation licence obtained from the NBTC. There is a licence exemption for specific radio communication equipment, such as that using Wi-Fi 2.4GHz. The NBTC may also issue a Notification on exemptions on a case-by-case basis.
In addition to the licence requirement, such radio communication equipment must meet the technical and safety standard prescribed by the NBTC. Therefore, the technical and safety standard for each type of radio communication equipment shall be specified in the relevant NBTC Notification.
There is no other law relating to connected devices, especially those relating to machine-to-machine communication. Communication secrecy and data protection can be governed by the Civil and Commercial Code (under general tort laws), the Computer Crimes Act (if the data is considered computer data), the PDPA (if the data is considered personal data) and the Cyber Security Act (if there is any possible threat that may impact the public, the government, the royal family or national security), all of which provide certain levels of protection to the owner, the data and/or the public. Therefore, the current laws relating to connected devices and the project's scope do not focus directly on the technology but rather on any breaches or illegalities in the operations or transactions. The only restriction that can affect the project's scope is whether or not the project involves any illegal activities.
No specific laws and regulations apply to IT service agreements, and there is currently no particular law or regulation that requires data to be stored locally in Thailand. Nevertheless, industry-specific regulations require some data to be available or processed within Thailand. The banking industry, for example, requires banks to process debit card transaction data and make electronic payment system data available in Thailand.
As there is no direct legal requirement for the terms and conditions in an IT service agreement, the challenge is to establish an agreement with terms and conditions that cover all the necessary elements. The provisions stated therein shall be based on the intention of the parties and the work for hire concept under the Civil and Commercial Code. Except for the specific commercial and technical terms prescribed in the service agreement, the following terms should be noted and stated therein:
The PDPA is Thailand's first consolidated data protection law, and was published in the Thai Government Gazette on 27 May 2019. However, based on the Royal Decree on Organisations and Business of which Personal Data Controllers are Exempt from Complying with the Personal Data Protection Act (Royal Decree), the enforcement date has been postponed to 1 June 2022. The Royal Decree lists various types of business that qualify for the enforcement extension, including enterprises in the communication, telecommunication, digital, science, technology, banking, education, industrial and commercial industries.
In addition, the PDPA aims to guarantee protection for individuals and their personal data, and imposes obligations on businesses when collecting, using and disclosing personal data. Further sub-regulations and guidance on the PDPA are currently being considered by the data protection authority (ie, the PDPC) and will be announced once all drafting processes are completed.
Core Rules regarding Data Protection
The following definitions are contained within the PDPA:
Scope of the PDPA
The scope of the PDPA is as follows.
Distinction between Companies and Individuals
The PDPA regime distinguishes between the data of companies and individuals, prescribing that only individuals’ data is protected thereunder; in other words, a legal entity's data will not be considered personal data and thus falls outside of the scope of the PDPA.
However, data regarding the individuals working in the legal entity (employees, directors, etc) shall be considered personal data and accordingly will fall within the scope of the PDPA. Examples of personal data relating to individuals within a legal entity include an employee or director’s name, address, email address, medical record, salary rate, photos, academic record, etc.
General Processing of Data
Thai data protection law (ie, the PDPA) only protects personal data; in other words, there is no specific law or regulation that applies to data processing. General data processing is determined exclusively based on the contract between the parties. However, if such data contains any personal data, the processor shall be the data processor under the PDPA and must follow the provisions prescribed therein. In addition, the data subject shall have its rights (eg, right to access, right to object and right to be informed) protected under the PDPA.
Processing of Personal Data
The PDPA states that personal data shall not be collected, used or disclosed except in the following circumstances:
In addition, the PDPA states that any collection of personal data relating to racial or ethnic origin, political opinions, cult, religious or philosophical beliefs, sexual behaviour, criminal records, health data, disability, trade union information, genetic information or biometric data, or any data that may affect the data subject, is prohibited unless an exemption applies, such as the data subject having provided explicit consent.
Concerning the transfer of personal data, the PDPA states that a data controller shall not collect, use or disclose data, including transferring it to third parties, unless the data subject has provided prior consent or there is a legal basis to allow a data controller to do so (eg, it is in the public interest, there is a legitimate interest or it is necessary for suppressing danger to a data subject's life). Furthermore, any cross-border transfer of personal data will only be permitted to destination countries or international organisations that have an adequate level of protection as prescribed by the PDPC, unless such transfer fulfils the following legal criteria:
However, an adequate level of protection has not yet been established or prescribed by the PDPC. Therefore, until such a standard is established and a personal data protection policy is in place, the data controller or data processor is permitted to transfer personal data abroad only with appropriate safeguards in place, and with effective legal remedies that ensure the data subject’s rights.
There is no specific law or regulation regarding the monitoring and limiting of employees' use of company computer resources. If the employer wants to monitor and limit employees' use of company computer resources, the employer may do so, but only within the scope of other general laws, including but not limited to the PDPA (which provides protection to personal data) or the Constitutional Law (which provides the right to privacy for all citizens).
However, if such monitoring and limitation (eg, the installation of data loss prevention tools, web traffic monitoring, extensive private email use) result in the collection of certain employees' personal data, the employer shall be regarded as a data controller under the PDPA, according to which the collection, use or disclosure of employees’ personal data can be made only when:
In addition, any collection of personal data relating to racial or ethnic origin, political opinions, cult, religious or philosophical beliefs, sexual behaviour, criminal records, health data, disability, trade union information, genetic information or biometric data, or any data that may affect the employees, is prohibited unless an exemption applies, such as the employees' explicit consent having been obtained.
The legislation governing the telecommunications sector includes the Act on the Organisation to Assign Radio Frequency and to Regulate Broadcasting and Telecommunications Services 2010 (NBTC Act) and the Telecommunications Business Act 2001 (TA). The NBTC Act establishes the NBTC as an independent broadcasting and telecommunications business regulator. Subject to supervision by the NBTC, a Telecommunications Committee regulates telecoms business in compliance with the TA, which applies to operators of telecommunications services. "Telecommunications service" is defined as a service that sends, transmits or receives signs, letters, figures, pictures, sounds, codes or anything else made comprehensible by frequency waves, wireless, lighting, electromagnetic systems or any other systems, or other activities prescribed by law to be telecommunications services.
Telecommunications licences are divided into the following three types:
The TA imposes various foreign ownership restrictions for each type of telecoms licence, as follows:
There is a licence fee of THB5,000 for the registration of the licences and an annual licence fee based on income generated during a fiscal year, with the following (progressive) criteria:
Payment must be made within 150 days of the end of the fiscal year; failure to comply will result in a fine of 1.5% monthly interest on the fee arrears. Extra days that do not add up to a month shall be counted as one month.
In addition, every telecommunication service licensee must pay the universal service contribution to the NBTC at the rate of 2.5% of the licensee's total annual income. The fee must be paid by cash or cheque within 150 days of a licensee's fiscal year. The NBTC shall issue documents with further details on deductibles and the method of calculation to the licensee upon the grant of the licence.
In Thailand, audio-visual media services (eg, TV and radio) are regulated by the NBTC under the Broadcasting and Television Business Act 2008 (Broadcasting Act). The content of films, videos and their advertising media are also regulated under the Film and Video Act 2008. Therefore, a censorship committee of officials will review, approve or censor the content of films, videos and advertisements, and approve other activities relating to film and video, such as the production or distribution of foreign films in Thailand.
The Broadcasting Act prescribes that there are three types of licences for audio-visual media service, each of which has the following foreign ownership restrictions:
An applicant must be of Thai nationality, shall not be on a probationary period restricting them from using the licence, and cannot have exceeded three years of a licence withdrawal period. The approval process usually takes up to 60 days after submitting all the necessary documents. If approved, the applicant will be granted the right to operate under the express terms of the given licence. A broadcasting schedule may be allocated to other licensed broadcasters under the condition that the broadcaster complies with the rules and regulations prescribed by the NBTC.
The NBTC will grant a seven-year term for sound broadcasting licensees and five years for television broadcasting licensees. Licences may be renewed 90 days before expiry. Licensees must pay annual fees for their respective licences.
The above-mentioned requirements do not apply to video-sharing platform services or over-the-top (OTT) services (eg, on video platforms with user-generated content or videos on demand). According to the NBTC, the scope of what constitutes “broadcasting” will be determined with the goal of regulating OTT Services. OTT operators were informed that they must register themselves with the NBTC and that they would be governed by specific rules and regulations regardless of nationality; however, this attempt was heavily criticised by the public and OTT operators as well as technology-related NGOs, and the NBTC consequently withdrew its requests to OTT operators. No further updates have been issued regarding this matter.
In addition to licensing requirements, foreign operators may be required to have a local office and an authorised executive in Thailand for tax purposes. Furthermore, the telecommunications business is subject to excise tax in addition to corporate income tax. As a result, an excise tax is imposed on telecommunications operators. However, under the current applicable Ministerial Regulation, published on 16 September 2017, the excise tax rate for the telecommunications business is 0%.
There is no specific law or regulation regarding the use of encryption or circumstances when a company is required to use encryption technology. However, under the PDPA, a data controller or a data processor must provide appropriate security measures that meet a minimum standard defined by the PDPC, and must review these measures as necessary. The minimum standard of appropriate security measures (eg, encryption requirement) shall be further prescribed in the supplemental regulation of the PDPA.
The Thai government has not currently adopted any emergency legislation, relief programmes or other initiatives to address the COVID-19 pandemic that are relevant to the TMT sector.