TMT 2022 Comparisons

Last Updated March 02, 2022

Law and Practice

Authors



Formichella & Sritawat Attorneys at Law Co., Ltd. has been advising international clients on commercial transactions and regulatory matters within the TMT industry for more than 20 years. In addition to data privacy, cybersecurity and TMT/corporate practices, the firm's litigation practice represents international corporations in complex business and commercial disputes within the various courts of Thailand. Formichella & Sritawat regularly advises on current legal structures and the rapid development of the technology and commercial practices and current regulatory frameworks and policies of the government of Thailand. It also specialises in advising clients on regulatory practices and devising tailor-made strategies and solutions that fit each client's circumstances.

In Thailand, the Notification of Electronic Transaction Commission on the Guideline for Using Cloud Computing (Notification) prescribes the minimum standard of protection relating to technical security, data management and data protection, etc. Under the Notification, cloud computing is defined as the provision of the following three types of service via computer and network:

  • infrastructure as a service (IaaS);
  • platform as a service (PaaS); and
  • software as a service (SaaS).

Financial service operators such as banks, insurance companies, etc, are not subject to more significant restrictions than other business operators in this regard.

In addition to the minimum standard of protection and security levels prescribed in the Notification, cloud computing services may be regulated by the National Broadcasting and Telecommunications Commission (NBTC) if the telecommunication services are provided by a leased line network that connects users to a cloud computing system. Therefore, a cloud service operator shall be required to apply for a Type I Telecommunication Licence.

In addition to the above, cloud computing operators shall be regarded as service providers and regulated as such under the Notification of the Ministry of Digital Economy and Society on Criteria on Storing Computer Traffic Data of Service Providers (Computer Traffic Data Notification). Therefore, cloud computing service operators shall retain computer traffic data as prescribed in the Computer Traffic Data Notification, including user code, personally identifiable information, service access log, etc. The retention period of computer traffic data is at least 90 days from when such data is input into a computer system. However, the competent official may order a cloud computing service provider to extend the retention period up to two years in the following circumstances:

  • if an offence has occurred under the Computer Crimes Act;
  • for national security, terrorism or public disorder concerns regarding the use of computer systems or computer data; or
  • if there are legal requests from an inquiry government officer.

The collection, disclosure or utilisation of personal data via a cloud computing system shall be strictly subject to legal provisions under the Personal Data Protection Act, B.E. 2562 (2019) (PDPA), as described in detail in 6.1 Core Rules for Individual/Company Data.

Risk and Liability

Other than for its use in financial services, there is no specific law or regulation regarding blockchain in Thailand.

As blockchain technology is used to raise money via the issuance of digital assets (cryptocurrency, digital token, etc) and can be offered for sale to the public (initial coin offering, or ICO), ICOs are regulated under the Emergency Decree on Digital Asset Business B.E. 2561 (2018) (Emergency Decree) and controlled by the Securities and Exchange Commission (SEC). The Emergency Decree prescribes SEC permission must be obtained before the issuance of an ICO to the public; otherwise, there shall be a penalty of imprisonment and/or a fine.

In addition, as blockchain contains computer data, the Computer Crimes Act B.E. 2560 (2017) as amended (CCA) shall apply. The CCA defines computer data as "Data, statements, or sets of instructions contained in a computer system, the output of which may be processed by a computer system including electronic data, according to the Electronic Transactions Acts."

Therefore, a blockchain operator shall be subject to the CCA, so the operation of the blockchain must not commit the following criminal offences:

  • unlawful access to a computer system or computer data that has a specific access prevention measure;
  • unlawful disclosure of a computer system's access prevention measure created by a third party in a manner that may cause damage to such party;
  • unlawful act by electronic means to eavesdrop on a third party's computer data being sent in a computer system that is provided for the public interest or general use;
  • unlawful damage, destruction or amendments of a third party's computer data, either in whole or in part;
  • an unlawful act causing the operation of a third party's computer system to be suspended, delayed, hindered or disrupted to the extent that the computer system fails to operate on a routine basis;
  • sending computer data or electronic mails to others (i) covering up or counterfeiting the source of the data in a manner that disturbs the routine use of others' computer systems, or (ii) without an opt-out clause to allow such person to cancel or deny reception, which is found to disturb the recipient of such data or electronic mails;
  • selling or disseminating instructions explicitly developed for the commission of the six above crimes;
  • importing, disseminating or forwarding the following computer data into the computer system:
    1. forged or deceptive data that may cause damage to the public, and is not a defamation offence under the Thai Criminal Code;
    2. false data that may cause damage to the public (eg, public security, national economic, public infrastructure);
    3. data related to an offence concerning the Kingdom's security or terrorism under the Thai Criminal Code; or
    4. obscene data that is accessible to the public; and
  • importing a modified image of any person that is likely to impair the reputation of such person.

Intellectual Property

There is no specific law or regulation on intellectual property infringement, specifically relating to blockchain. If a violation occurs on the blockchain, the liability and penalty shall be according to the general regulations regarding intellectual property (eg, Copyright Act, Patent Act, Trademark Act, etc). Therefore, for intellectual property matters, the laws relating to the specific intellectual property shall apply regardless of the platforms or technology involved. Even though there is no specific intellectual property law pertaining to blockchain, the Intellectual Property Court and its judges are undergoing constant education to learn and understand blockchain technology so that the current intellectual property laws can be effectively enforced.

Data Privacy

If personal data is included in a blockchain, the PDPA shall be applied. For example, a blockchain operator, as a data controller, must comply with the following legal grounds for collecting, using or disclosing the personal data:

  • the data owner’s prior consent is obtained;
  • processing is necessary for the performance of a contract;
  • it is essential for compliance with a law to which the data controller is subjected;
  • it is necessary in order to suppress danger to a data owner’s life;
  • it is necessary for the performance of a task carried out in the public interest by the data controller, or the achievement of a purpose relating to public interest research and statistics; or
  • it is necessary for the legitimate interest of the data controller where such interest does not override the data subject's rights.

In addition, any cross-border transfer of the personal data shall be only permitted to destination countries or international organisations that have an adequate level of protection, as further prescribed by the Personal Data Protection Committee (PDPC), unless there is a legal ground to transfer such data (prior consent, public interest, etc).

Service Levels

There is no specific law or requirement regarding service levels on blockchain in Thailand. Therefore, the users and operators of the blockchain must rely on private contract terms and conditions regarding the services and their relevant service levels and applicable penalties and/or damages in case of failure to meet the service levels on the blockchain.

Jurisdictional Issues

As blockchain technology is considered new in Thailand, there is no specific law or regulation governing jurisdictional issues on blockchain. Damaged parties who reside in Thailand or those who can prove that the offence is committed in Thailand shall be entitled to utilise Thai laws and the available dispute resolution systems in Thailand, including Thai courts and/or arbitration centres. There may be issues relating to the proof of jurisdiction on the blockchain. Not everyone has the resources to access the appropriate tools to obtain the evidence, and those who lack them may not be able to utilise Thai laws and the Thai dispute resolution systems.

Thailand has no specific law or regulation relating to big data, machine learning or artificial intelligence, which are governed by general laws and regulations such as the Civil and Commercial Code, laws regarding intellectual property (eg, Copyright Act, Patent Act), the Computer Crimes Act, and likely the PDPA. This represents a challenge for those involved with these subject matters, as the general laws must be used and applied in a dispute.

Furthermore, Thai laws apply specific requirements – such as insurance, minimum capitalisations or individual licences – on the main business operation alone, without further considering the technology or platform with which the business operates. As a result, business operators are not subject to additional regulations, especially those relating to big data, machine learning or artificial intelligence. Personal data is the only current subject matter in Thailand that has obtained specific regulations (the PDPA), which will apply across all businesses as long as they involve the collection, disclosure and/or utilisation of personal data, although tremendous pushbacks from the local business operators have resulted in delays on the enforcement date.

There are no particular restrictions that can affect a project's scope, unless such project involves telecommunication devices or certain illegal activities.

The Radio Communications Act (RCA) requires a business operator who performs transactions (such as producing, possessing, trading, importing and exporting) on radio communication equipment to obtain a licence from the NBTC before the commencement of such transaction. Such transactions must be reported to the NBTC or subject to an importation licence obtained from the NBTC. There is a licence exemption for specific radio communication equipment, such as that using Wi-Fi 2.4GHz. The NBTC may also issue a Notification on exemptions on a case-by-case basis.

In addition to the licence requirement, such radio communication equipment must meet the technical and safety standard prescribed by the NBTC. Therefore, each radio communication equipment's technical and safety standard shall be specified in the NBTC Notification.

There is no other law relating to connected devices, especially those relating to machine-to-machine. Communication secrecy and data protection can be governed by the Civil and Commercial Code (under general tort laws), the Computer Crimes Act (if the data is considered computer data), the PDPA (if the data is considered personal data) and the Cyber Security Act (if there is any possible threat that may impact the public, the government, the royal family or national security), all of which provide certain levels of protection to the owner, the data and/or the public. Therefore, the current laws relating to connected devices and the project's scope do not focus directly on the technology but rather on any breaches or illegalities of the operations or transactions. The only restriction that can affect the project's scope is whether or not the project involves any illegal activities.

No specific laws and regulations apply to IT service agreements, and there is currently no particular law or regulation that requires data to be stored locally in Thailand. Nevertheless, industry-specific regulations require some data to be available or processed within Thailand. The banking industry, for example, requires banks to process debit card transaction data and make electronic payment system data available in Thailand.

As there is no direct legal requirement for the terms and conditions in an IT service agreement, the challenge is to establish an agreement with terms and conditions that cover all the necessary elements. The provisions stated therein shall be based on the intention of the parties and the work for hire concept under the Civil and Commercial Code. Except for the specific commercial and technical terms prescribed in the service agreement, the following terms should be noted and stated therein:

  • terms and conditions regarding personal data protection should be prescribed in the service agreement if performance results in the collection, use or disclosure of individuals' personal data;
  • the scope of works must be specified;
  • the timeframe of the services – or milestones – and delivery methods must be specified;
  • there must be a provision regarding the confidential information of the parties, such as trade secrets, know-how methods, etc; and
  • there must be a provision regarding intellectual property, and the ownership thereof must be clearly specified. Under a standard work for hire agreement, the hirer (the customer who hires the service provider) is considered the owner of the work products, but a service agreement can specify the owner of specific intellectual property, so as to protect the ownership of the works and assets.

The PDPA is Thailand's first consolidated data protection law, and was published in the Thai Government Gazette on 27 May 2019. However, based on the Royal Decree on Organisations and Business of which Personal Data Controllers are Exempt from Complying with the Personal Data Protection Act (Royal Decree), the enforcement date has been postponed to 1 June 2022. The Royal Decree lists various types of business that qualify for the enforcement extension, including enterprises in the communication, telecommunication, digital, science, technology, banking, education, industrial and commercial industries.

In addition, the PDPA aims to guarantee protection for individuals and their personal data, and imposes obligations on businesses when collecting, using and disclosing personal data. Further sub-regulations and guidance on the PDPA are now being considered by the data protection authority (ie, the PDPC) and will be announced once all drafting processes are completed.

Core Rules regarding Data Protection

Definitions

The following definitions are contained within the PDPA:

  • data controller – a natural or legal person who has the power and duties to make decisions regarding collecting, using or disclosing personal data;
  • data processor – a natural or juristic person who operates in relation to the collection, use or disclosure of personal data according to the orders given by or on behalf of a data controller, whereby such person is not the data controller; and
  • personal data – information that directly or indirectly relates to an individual; the PDPA stipulates specific requirements pertaining to certain types of data, and applies to the collection, use or disclosure of personal data.

Scope of the PDPA

The scope of the PDPA is as follows.

  • Personal scope – the PDPA only protects living individuals and expressly excludes information relating to deceased individuals in the definition of personal data. Furthermore, it does not apply to public authorities that maintain state security, including financial security of the state or public safety, including the duties concerning the prevention and suppression of money laundering, forensic science or cybersecurity.
  • Territorial scope – the PDPA applies to the collection, use or disclosure of personal data by organisations that are in Thailand, regardless of whether such collection, use or disclosure takes place in Thailand or not.
  • Extraterritorial scope – the PDPA applies to data controllers and data processors that are outside of Thailand where the collection, use or disclosure of personal data pertains to data subjects who are in Thailand, where their activities are related to the offering of goods or services to data subjects in Thailand, regardless of whether or not payment is required, or where the data subject’s behaviour is being monitored in Thailand.
  • Material scope – the PDPA defines “personal data” as any information relating to a person that enables the identification of such person, whether directly or indirectly, but not including the information of deceased persons. The PDPA will apply where the personal data is collected, used or disclosed by the data controller and/or data processor, but the following are excluded from the application of the PDPA:
    1. the collection, use or disclosure of personal data by a person who collects such personal data for personal benefit or for the household activity of such person only;
    2. the operations of public authorities that have a duty to maintain state security, including the financial security of the state or public safety, including the responsibilities concerning the prevention and suppression of money laundering, forensic science or cybersecurity, trial and adjudication of courts and work operations of officers in legal proceedings, legal execution, and deposits of property, including work operations following the criminal justice procedure;
    3. the House of Representatives, the Senate and the Parliament, including the committee appointed by the House of Representatives, the Senate or the Parliament, which collects, uses or discloses personal data in accordance with its duties;
    4. data operations undertaken by a credit bureau company and its members, according to the law governing the functions of a credit bureau business; and
    5. certain processing circumstances, including for a person or a juristic person who uses or discloses personal data collected only for the activities of mass media, fine arts or literature, which are only following professional ethics or are for the public interest.

Distinction between Companies and Individuals

The PDPA regime distinguishes between the data of companies and individuals, prescribing that only individuals’ data is protected thereunder; in other words, a legal entity's data will not be considered personal data and thus falls outside of the scope of the PDPA.

However, data regarding the individuals working in the legal entity (employees, directors, etc) shall be considered personal data and accordingly will fall within the scope of the PDPA. Examples of personal data relating to individuals within a legal entity include an employee or director’s name, address, email address, medical record, salary rate, photos, academic record, etc.

General Processing of Data

Thai data protection law (ie, the PDPA) only protects personal data; in other words, there is no specific law or regulation that applies to data processing. General data processing is determined exclusively based on the contract between the parties. However, if such data contains any personal data, the processor shall be the data processor under the PDPA and must follow the provisions prescribed therein. In addition, the data subject shall have its rights (eg, right to access, right to object and right to be informed) protected under the PDPA.

Processing of Personal Data

The PDPA states that personal data shall not be collected, used or disclosed except in the following circumstances:

  • the data subject has provided prior consent;
  • processing is necessary for the performance of a contract;
  • processing is necessary for compliance with a law to which the data controller is subjected;
  • processing is necessary to suppress danger to a data subject’s life;
  • processing is necessary for the performance of a task carried out in the public interest by the data controller, or the achievement of a purpose relating to public interest research and statistics; or
  • processing is necessary for the data controller's legitimate interest where such interest does not override those of the data subject.

In addition, the PDPA states that any collection of personal data relating to racial or ethnic origin, political opinions, cult, religious or philosophical beliefs, sexual behaviour, criminal records, health data, disability, trade union information, genetic information or biometric data, or any data that may affect the data subject, is prohibited unless an exemption applies, such as the data subject having provided explicit consent.

Concerning the transfer of personal data, the PDPA states that a data controller shall not collect, use or disclose data, including transferring it to third parties, unless the data subject has provided prior consent or there is a legal basis to allow a data controller to do so (eg, it is in the public interest, there is a legitimate interest or it is necessary for suppressing danger to a data subject's life). Furthermore, any cross-border transfer of personal data will only be permitted to destination countries or international organisations that have an adequate level of protection as prescribed by the PDPC, unless such transfer fulfils the following legal criteria:

  • the consent of the data subject has been obtained;
  • it is necessary to perform any obligation under a contract, or the transfer is at the request of a data subject;
  • it is performed for the significant public interest;
  • the transfer is according to the law; and
  • where it is to prevent or suppress a danger to the life, body or health of the data subject or other persons when the data subject is incapable of giving their consent.

In addition, an adequate level of protection has not yet been established or prescribed by the PDPC. Therefore, when establishing a sufficient level of protection and a personal data protection policy, the data controller or data processor is permitted to transfer personal data abroad only with appropriate safeguards in place, and with effective legal remedies that ensure the data subject’s rights.

There is no specific law or regulation regarding the monitoring and limiting use by employees of company computer resources. If the employer wants to monitor and limit employees' use of company computer resources, the employer shall be able to do so but within the scope of other general laws, including but not limited to the PDPA (which provides protections to the personal data) or the Constitutional Law (which provides the rights to privacy for all citizens).

However, if such monitoring and limitation (eg, the installation of data loss prevention tools, web traffic monitoring, extensive private email use) result in the collection of certain employees' personal data, the employer shall be regarded as a data controller under the PDPA, according to which the collection, use or disclosure of employees’ personal data can be made only when:

  • prior consent is obtained from employees;
  • it is necessary to perform any obligation under a contract, or the transfer is at the request of employees;
  • it is performed for the significant public interest;
  • the transfer is according to the law; and
  • it is to prevent or suppress a danger to the life, body or health of employees or other persons when the employees are incapable of giving their consent.

In addition, any collection of personal data relating to racial or ethnic origin, political opinions, cult, religious or philosophical beliefs, sexual behaviour, criminal records, health data, disability, trade union information, genetic information or biometric data, or any data that may affect the employees, is prohibited unless an exemption applies, such as the employees' explicit consent having been obtained.

The legislation governing the telecommunications sector includes the Act on the Organisation to Assign Radio Frequency and to Regulate Broadcasting and Telecommunications Services 2010 (NBTC Act) and the Telecommunications Business Act 2001 (TA). The NBTC Act establishes the NBTC as an independent broadcasting and telecommunications business regulator. Subject to supervision by the NBTC, a Telecommunications Committee regulates telecoms business in compliance with the TA, which applies to operators of telecommunications services. "Telecommunications service" is defined as a service that sends, transmits or receives signs, letters, figures, pictures, sounds, codes or anything else made comprehensible by frequency waves, wireless, lighting, electromagnetic systems or any other systems, or other activities prescribed by law to be telecommunications services.

Telecommunications licences are divided into the following three types:

  • Type 1 licence, for telecommunications business operators who provide telecommunications services without operating a telecommunications network;
  • Type 2 licence, for operators who provide services to a specific group of customers with or without operating a telecommunications network; and
  • Type 3 licence for operators who operate a network providing services to the general public.

The TA imposes various foreign ownership restrictions for each type of telecoms licence, as follows:

  • Type 1 licence – no ownership restrictions apply, so operators with a Type 1 licence are only subject to the Foreign Business Act, and a foreign business licence is required;
  • Type 2 licence – foreign ownership is limited to 49% of the total shares; thus, a Type 2 licence holder may only have up to 49% of its shares held by non-Thai shareholders; and
  • Type 3 licence – the restrictions for Type 3 licence holders are the same as for Type 2 licence holders.

There is a licence fee of THB5,000 for the registration of the licences and an annual licence fee based on income generated during a fiscal year, with the following (progressive) criteria:

  • 0.25% of income from THB0 to THB100 million;
  • 0.5% of income from THB100 million to THB500 million;
  • 1% of income from THB500 million to THB1 billion; and
  • 1.5% of income over THB1 billion.

Payment must be made within 150 days of the end of the fiscal year; failure to comply will result in a fine of 1.5% monthly interest on the fee arrears. Extra days that do not add up to a month shall be counted as one month.

In addition, every telecommunication service licensee must pay the universal service contribution to the NBTC at the rate of 2.5% of a licensee's total annual income. The payment date of the fee, which shall be by cash or cheque, is within 150 days of a licensee's fiscal year. The NBTC shall issue documents with further details on deductibles and the method of calculation to the licensee upon the grant of the licence.

In Thailand, audio-visual media services (eg, TV and radio) are regulated by the NBTC under the Broadcasting and Television Business Act 2008 (Broadcasting Act). The content of films, videos and their advertising media are also regulated under the Film and Video Act 2008. Therefore, a censorship committee of officials will review, approve or censor the content of films, videos and advertisements, and approve other activities relating to film and video, such as the production or distribution of foreign films in Thailand.

The Broadcasting Act prescribes that there are three types of licences for audio-visual media service, each of which has the following foreign ownership restrictions:

  • a licence to operate public services (where the main objective is to provide public services) – this licence is only available to government entities and specific associations, charities, foundations and educational institutions, and not to private sector operators;
  • a licence to operate community services (where the objective of the business is to provide a public service that meets the needs of the community or locality receiving the services) – this licence is only available to government entities and specific associations, charities, foundations and educational institutions, and not to private sector operators; and
  • licences to operate business services (where the main objective is to generate profit) – these are subdivided into three classes: national, regional and local. Foreign ownership is limited to 25%. The foreign ownership restriction under this sector-specific law applies above the general Foreign Business Act; thus, the holder of such licence may only have up to 25% of its shares held by non-Thai shareholders.

An applicant must be of Thai nationality, shall not be on a probationary period restricting them from using the licence, and cannot have exceeded three years of a licence withdrawal period. The approval process usually takes up to 60 days after submitting all the necessary documents. If approved, the applicant will be granted the right to operate under the express terms of the given licence. A broadcasting schedule may be allocated to other licensed broadcasters under the condition that the broadcaster complies with the rules and regulations prescribed by the NBTC.

The NBTC will grant a seven-year term for sound broadcasting licensees and five years for television broadcasting licensees. Licences may be renewed 90 days before expiry. Licensees must pay annual fees for their respective licences.

The above-mentioned requirements do not apply to video-sharing platform services or over-the-top (OTT) services (eg, on video platforms with user-generated content or videos on demand). According to the NBTC, the scope of what constitutes “broadcasting” will be determined with the goal of regulating OTT Services. OTT operators were informed that they must register themselves with the NBTC and that they would be governed by specific rules and regulations regardless of nationality; however, this attempt was heavily criticised by the public and OTT operators as well as technology-related NGOs, and the NBTC consequently withdrew its requests to OTT operators. No further updates have been issued regarding this matter.

In addition to licensing requirements, foreign operators may be required to have a local office and an authorised executive in Thailand for tax purposes. Furthermore, the telecommunications business is subject to excise tax in addition to corporate income tax. As a result, an excise tax is imposed on telecommunications operators. However, under the current applicable Ministerial Regulation, published on 16 September 2017, the excise tax rate for the telecommunications business is 0%.

There is no specific law or regulation regarding the use of encryption or circumstances when a company is required to use encryption technology. However, under the PDPA, a data controller or a data processor must provide appropriate security measures that meet a minimum standard defined by the PDPC, and must review these measures as necessary. The minimum standard of appropriate security measures (eg, encryption requirement) shall be further prescribed in the supplemental regulation of the PDPA.

The Thai government has not currently adopted any emergency legislation, relief programmes or other initiatives to address the COVID-19 pandemic that are relevant to the TMT sector.

Formichella & Sritawat Attorneys at Law Co., Ltd.

399, Interchange 21 Building
23rd Fl., Unit 3
Sukhumvit Road
Klongtoey-Nua, Wattana
Bangkok 10110
Thailand

+66 2 107 1882

info@fosrlaw.com www.fosrlaw.com