On December 16, 2016, Thailand’s National Legislative Assembly passed draft amendments to the 2007 Computer Crimes Act (the “Act”). When it takes effect, the new Act will broaden the powers and reach of the Ministry of Digital Economy and Society. Competent officials under the Act may carry out investigations or confiscations if the crime (falling under the Computer Crimes Act or other criminal offenses) was committed using computer systems, computer data, or equipment for storing computer data. The Act will also extend the powers of inquiry officials by granting them power to instruct competent officials under the Act without the need for a court order and to carry out any investigation or confiscation process, as listed in the Act.

The following is a brief snapshot of the amendments made to the Act:

• Among the committees appointed under the new Act, a Computer Data Screening Committee will have the power to permit officials to request a court order to block or destroy any data which is contrary to the stability or good morals of the people, even if the data does not violate any criminal laws.
• The Ministry’s powers have been expanded to include offences or acts which relate to “national security, public safety, national economic stability, or the infrastructure for public benefit,” including hacking into systems relating to these broad criteria.
• Crimes relating to the importation of forged data into a computer system now include the requirement of dishonesty and deceit, and separate penalties have been set for offenses against individuals.
• Of particular interest to companies, the new Act will also criminalize the sending of emails or data which cannot be unsubscribed by the recipient and which disturbs the recipient. This can be read as criminalizing spam, which has never previously been included in the Act. However, the definition and criteria for “disturbs” is not stipulated and will be set out in ministerial regulations.
• A service provider may prevent themselves from being deemed criminally liable for crimes committed by an individual using their service by restraining the dissemination of computer data. Importantly, however, the relevant details of these terms will be set out later in regulations to be passed by the Ministry.
• Furthermore, the new Act maintains the previous Act’s requirement to retain general traffic data for not less than 90 days, while the period within which a service provider may be ordered to store traffic data has been extended from one year to two in special cases. But the Act now gives service providers the right to appeal such an order.

The Act is now awaiting royal endorsement and is expected to come into effect later this year.