Cyber Law in Thailand

Thailand has a comprehensive and rapidly evolving cyber law framework, driven by its digital economy ambitions and the increasing sophistication of cyber threats. The landscape is primarily shaped by three major pieces of legislation, along with recent amendments and new regulations.

Here's a detailed overview of cyber law in Thailand:

1. Personal Data Protection Act (PDPA) B.E. 2562 (2019)

This is Thailand's first consolidated and comprehensive data protection law, significantly influenced by the EU's GDPR.

Effective Date: While published in May 2019, its full enforcement was delayed due to COVID-19 and other factors, finally becoming fully effective on June 1, 2022.

Scope: The PDPA regulates the collection, usage, disclosure, and other processing of personal data by private and certain governmental entities. It has extraterritorial effect, applying to foreign-owned entities operating outside Thailand if they collect, use, or disclose personal data of Thai individuals by offering goods or services to them or monitoring their behavior in Thailand for commercial purposes.

Key Principles:

Lawfulness, fairness, and transparency: Data processing must adhere to these principles.

Purpose limitation: Data must be collected only for specific, explicit, and legitimate purposes.

Data minimization: Only adequate, relevant, and necessary data should be collected.

Accuracy: Data must be accurate and kept up to date.

Storage limitation: Data should not be kept longer than necessary for the stated purpose.

Integrity and confidentiality: Appropriate security measures must be in place to protect data.

Accountability: Data controllers must be able to demonstrate compliance.

Data Subject Rights: Individuals (data subjects) are granted various rights, including:

Right to access and obtain copies of their personal data.

Right to rectification (correct inaccurate data).

Right to erasure (right to be forgotten) under certain conditions.

Right to restriction of processing.

Right to data portability.

Right to object to processing.

Right to withdraw consent.

Controller and Processor Obligations:

Consent: Generally required for collecting, using, or disclosing personal data, with specific requirements for "sensitive personal data" (e.g., health, racial origin, political opinions, criminal records).

Data Protection Officer (DPO): Obligatory for certain organizations.

Data Breach Notification: Data controllers must notify the Office of the Personal Data Protection Committee (PDPC) within 72 hours of discovering a personal data breach, and notify affected individuals if the breach is likely to result in a high risk to their rights and freedoms.

Cross-border Data Transfers: Restrictions apply, requiring adequate protection or specific legal grounds (e.g., binding corporate rules, standard contractual clauses).

Enforcement Body: The Personal Data Protection Committee (PDPC) is the independent government body responsible for enforcing the PDPA, issuing subordinate regulations, and providing guidance. The PDPC has been taking a more proactive approach in the first half of 2025, increasing enforcement and issuing compliance orders and public warnings.

2. Computer Crime Act (CCA) B.E. 2550 (2007), as amended by B.E. 2560 (2017)

This Act is Thailand's primary legislation for combating cybercrime.

Key Offenses: The CCA criminalizes various computer-related offenses, including:

Unauthorized access to computer systems (hacking).

Illegal interception of computer data.

Illegal interference with data or computer systems (e.g., malware, DoS attacks).

Creating or using malicious software.

Computer-related fraud and forgery.

Importing into a computer system false computer data in a manner that is likely to cause damage to the public, or is related to national security or public order. This specific provision (Section 14) has been particularly controversial and widely criticized for its broad wording and frequent use against freedom of expression and online criticism, often conflated with defamation or lèse-majesté.

Transmission of spam without an easy unsubscribe option.

Offenses related to altered images (e.g., "revenge porn").

Service Provider Liability: Service providers can face criminal penalties if they "cooperate with, consent to, or connive" in certain offenses, placing a burden on them to monitor and remove content when ordered.

Government Powers: The Act grants significant powers to authorities, including the ability to request court orders to block websites or remove content deemed illegal or harmful to national security or public order. A "computer data screening panel" can recommend such actions.

Concerns: The CCA continues to draw criticism from human rights organizations for its broad provisions, which are seen as susceptible to abuse and a tool for restricting digital rights and freedom of expression, leading to self-censorship.

3. National Cybersecurity Act (NCA) B.E. 2562 (2019)

The NCA focuses on cybersecurity measures to protect critical information infrastructure (CII) and prevent major cyber threats.

Objective: To provide a framework for national cybersecurity, preparedness, and response to cyber threats.

Key Bodies:

National Cybersecurity Committee (NCSC): Formulates cybersecurity policies and strategies.

National Cyber Security Agency (NCSA): The operational arm responsible for coordinating and implementing national cybersecurity policies, strategies, and initiatives for both government and private sector CII.

Critical Information Infrastructure (CII): The Act identifies sectors deemed CII (e.g., national security, public services, banking and finance, IT and telecommunications, transportation, energy, public health). Organizations designated as Critical Information Infrastructure Organizations (CIIOs) are subject to specific obligations.

Obligations on CIIOs:

Categorizing their data/information systems based on cybersecurity objectives (confidentiality, integrity, availability) into low, medium, or high-risk classes.

Implementing baseline cybersecurity measures for each class of system.

Developing cybersecurity risk management plans.

Reporting cyber threats and incidents to the NCSA.

Undergoing cybersecurity audits.

Recent Developments (Effective January 18, 2025): The NCSC released notifications setting cybersecurity requirements for CIIOs, mandating baseline cybersecurity measures and system classification.

4. Recent Developments and Future Trends (2024-2025)

Royal Decree on Measures for the Prevention and Suppression of Technology Crimes (2023, amended 2025): This significant new law grants sweeping powers to a newly formed Cybercrime Prevention and Suppression Operation Center.

Expanded Powers: The Center can investigate, suspend transactions, compel banks and businesses to provide account data, and publish lists of suspected individuals/entities involved in cybercrime.

New Offenses: Introduces criminal offenses targeting data misuse, illegal SIM card trading, and unlawful buying/selling of personal data.

Obligations for Financial Institutions and Digital Asset Businesses: These entities now have expanded proactive obligations to prevent cybercrime, including refusing accounts or suspending services for blacklisted individuals/entities. Digital asset operators are explicitly covered by suspicious transaction reporting regimes.

Increased PDPA Enforcement: The PDPC has shown increased proactivity in the first half of 2025, publishing rulings and orders to enhance data protection and clarify compliance expectations.

Restrictions on Illegal Digital Asset Services (June 2025): The Ministry of Digital Economy and Society (MDES) can now ban internet access to unlicensed offshore digital asset business operators, empowering ISPs and social media platforms to block such services.

New Obligations for Online Marketplaces (Effective Dec 31, 2025): A notification introduces comprehensive operational requirements for digital platform service providers operating as goods marketplaces, focusing on transparency and other obligations.

Cybersecurity Standards for Cloud Systems (2024): Established to provide comprehensive cybersecurity standards for cloud systems used by government agencies, regulators, and CII organizations.

Ongoing Challenges: Despite progress, challenges remain, including a shortage of skilled cybersecurity professionals, the need to integrate existing laws into a more cohesive framework, and balancing security with digital rights.

In essence, Thailand has established a multi-layered cyber law framework. While the PDPA focuses on data privacy and the NCA on national cybersecurity, the CCA remains a key tool for combating cybercrime, albeit one that continues to raise concerns about its potential impact on civil liberties and freedom of expression. The recent emphasis on financial cybercrime and expanded enforcement powers highlights a proactive approach to combating online fraud and illicit financial activities.
