1. Legal Context: Museum & Archive Cloud Data in Thailand

In Thailand, museums, archives, and cultural institutions increasingly store:

• Digitized manuscripts and artifacts
• High-resolution heritage images
• Research databases
• Visitor and donor databases
• Cloud-hosted archival systems

These systems fall under:

Key Laws

• Personal Data Protection Act B.E. 2562 (PDPA)
• Computer Crime Act B.E. 2550 (amended 2017)
• Civil and Commercial Code (tort liability)
• Copyright Act B.E. 2537 (digital reproduction rights)

When a cloud system leak occurs, liability may arise under:

• Data controller negligence (PDPA)
• Unauthorized access/hacking (Computer Crime Act)
• Civil damages for negligence

2. What “Museum Archive Cloud Leakage” Means in Law

A “cloud leakage” in museum/archives typically includes:

Common incidents

• Hack of museum cloud database (artifacts + visitor data)
• Insider copying of digital archives
• Misconfigured cloud storage exposing manuscripts publicly
• Third-party vendor breach (cloud hosting provider)
• Ransomware targeting cultural institutions

Legal classification

Thai law does NOT treat “data” as physical property (important doctrine from Supreme Court).

3. Key Thai Case Laws (Relevant to Data / Archive Leakage Principles)

Case Law 1: Supreme Court No. 5161/2547 (Leading Data Case)

• Held: Data is not “property” under theft law
• Copying data = not theft, because no physical removal occurs

👉 Impact:

• Museum digitized archives cannot be “stolen” in criminal theft sense
• But may still be civil/PDPA violation

Case Law 2: Supreme Court Decision on Document Removal vs Copying (data distinction principle)

• Courts distinguish:
  • Physical document removal = potential theft
  • Digital copying = not theft, but misuse may still be unlawful

👉 Impact for museums:
Cloud leakage of scanned archives is NOT theft, but still actionable under PDPA or Computer Crime Act.

Case Law 3: Supreme Court on Computer Data Unauthorized Access (Computer Crime Act application)

• Unauthorized access to protected computer systems = criminal offense
• Even if no physical damage occurs

👉 Applied principle:
Museum cloud system breach → hacking login credentials = criminal liability

Case Law 4: Civil Liability for Negligent Data Security (Thai tort principle)

• If negligence causes foreseeable damage → compensation required
• Applies to organizations failing security duty

👉 Museum relevance:
Poor cloud security leading to archive leak = civil damages claim by affected individuals or institution

Case Law 5: Employee Misuse of Internal Digital Data (confidentiality breach principle)

• Employees who copy internal digital records violate employer confidentiality duties
• Even if data is not “property”

👉 Museum relevance:
Curators or IT staff leaking artifact database = breach of duty + civil liability + PDPA violation

Case Law 6: Court Interpretation of “Electronic Information as Evidence”

• Thai courts accept electronic data as legal evidence
• But emphasize authenticity + access control integrity

👉 Museum relevance:
If archives are leaked or altered in cloud, authenticity disputes arise in litigation

4. PDPA Enforcement Cases Relevant to Cloud Leakage (Thailand Reality)

While museums are not always explicitly named, real enforcement patterns apply directly.

Case Example A: State Agency Cloud Leak (200,000 people affected)

• Weak passwords + no risk assessment
• Cloud system compromise → dark web leak
• Fine imposed under PDPA

👉 Principle:
Government digital archives (including cultural databases) are fully liable under PDPA

Case Example B: Hospital Cloud/Document Leak Case

• Outsourced data destruction failed
• Sensitive personal data leaked publicly

👉 Principle:
Third-party vendors (cloud providers) do NOT remove liability

Case Example C: Corporate Data Breach (7 million baht fine)

• No DPO + weak security + breach not reported

👉 Principle:
Failure to protect cloud databases = major penalty risk

5. Legal Liability Structure for Museum Cloud Leakage

If a museum archive cloud leaks, liability usually falls into 4 layers:

(A) PDPA Liability

Applies if leaked data includes:

• Visitor records
• Donor identities
• Staff records
• Research participant data

Penalties:

• Administrative fines
• Criminal sanctions (if intentional misuse)

(B) Computer Crime Act Liability

Triggered if:

• Hacking occurs
• Unauthorized access happens
• Malware/ransomware used

(C) Civil Liability

Based on negligence:

• Poor encryption
• No access control
• No cloud audit logs

(D) Contractual Liability

If cloud vendor fails:

• SLA breach
• Data processing agreement violation

6. Key Legal Principles Derived from Thai Law

Principle 1: “Data is not property”

• You cannot steal museum digital archives under theft law

Principle 2: “Security failure = legal fault”

• Liability arises from negligent protection, not loss of possession

Principle 3: “Cloud outsourcing does not transfer liability”

• Museum remains responsible as data controller

Principle 4: “Hacking is criminal regardless of damage size”

• Unauthorized access itself is punishable

Principle 5: “Leakage = multi-layer liability”

• PDPA + civil + criminal laws can apply simultaneously

7. Conclusion

In Thailand, museum/archive cloud leakage claims are not treated as traditional “theft cases”. Instead, they are prosecuted under a hybrid legal system combining PDPA + Computer Crime Act + civil negligence law.

The most important judicial stance (from Supreme Court jurisprudence) is:

Digital archives are not physical property → so “theft” does not apply
BUT unauthorized access + leakage still creates full legal liability