The Computer-Related Crimes Act (CCA) of Thailand came into force in July 2007. It was followed a month later by the publication of a Notification of the Ministry of Information and Communications Technology providing more detail on the scope and application of the law.
The law has attracted a certain amount of controversy, particularly with regard to freedom of speech issues. That is not the focus of this article. The purpose here is to introduce the basic content of the law and consider what businesses and their staff need to do to comply with its requirements—and, of course, to avoid committing any offences.
First, a word about context. It is now obvious that the internet is transforming society and the business world to a far greater extent than was imaginable a mere 15 years ago. Gutenberg’s printing press pales in comparison in terms of impact. From a lawyer’s point of view this dramatic online evolution (which is ongoing) creates, at a very high level, two primary areas of concern:
Between these two poles, a vast number of issues stand to be regulated, including such issues as contract, service responsibilities, security, consumer protection and fraud and, of course, jurisdiction. The list is extensive.
In Europe, there is a growing corpus of law aimed at making the internet safe for social interaction and commerce. The CCA in Thailand seems perhaps more stark in terms of its remit because it forms part, for the present, of a smaller body of computer-related law. Its genesis and objectives are, however, both recognisable and logical.
The key parts of the CCA for the purposes of this article can be broken down as follows:
Foreign entities conducting business in Thailand through local subsidiaries are of course subject to the provisions of the law. And importantly, a content crime does not have to be committed in Thailand to constitute an offence under the CCA. In 2011 a Thai-born U.S. citizen published online, from the U.S., a translation of Thai text that was judged offensive to the Royal Family. On his next visit to Thailand, the U.S. citizen was arrested, charged, and convicted under the CCA. (He subsequently received a Royal pardon.)
Impact of the Law
So what should foreign businesses worry about with regard to the law? Essentially, three things:
In response, prudent managers should consider the following:
Service Provider Requirements
The basic structure of the service provider traffic data retention requirements is as follows:
The regulations are in three parts: the body of the regulatory text and two annexes. First, through Annex A they identify different categories of service providers, offering examples within each category. Then, in Annex B, the regulations set out the particular data that must be retained by the different categories of service providers. The lists of data are extensive but, reportedly, not exhaustive.
Finally, as general provisions, the regulations stipulate arrangements for maintaining the integrity of the data and for storing it securely and in a way that makes it readily deliverable to competent officers who require it. They also require the setting of equipment to a single international reference time.
Surprisingly, given the importance of the law, information regarding its application in practice remains somewhat limited. This may be partly due to the fact that, in addition to the Ministry of Information and Communications Technology, a number of different enforcement agencies have been involved in enforcement of the law, including the Technology Crime Suppression Division of the police and the Department of Special Investigation. What is known is that the number of prosecutions for both cybercrime and content offences is growing—confirming both our increasing reliance on the internet and our growing need to know about its regulation as a matter of basic prudent business practice.