1. LAWPLUS
Computer Crimes and Data Protection
Usa Ua-areetham, Senior Associate
www.lawplusltd.com
Korean-Thai Chamber of Commerce
Legal Seminar
17 November 2017
Holiday Inn Sukhumvit Hotel, Bangkok
3. LAWPLUS 2
Presentation Topics
• Key Words and Definitions
• Computer Crimes Act B.E. 2550
• Computer Crimes Act (No. 2) B.E. 2560
• Major Principles of the Amended CCA
• Offences and Penalties
• Online Intellectual Property Infringement
• Criminal Liability of Company and Directors under the CCA
• Laws on Data Protection
4. LAWPLUS 3
Computer Crimes – Key Words and Definitions under the CCA
• Key Words
- computer crime, computer related crime
- cyber crime
- electronic crime
- high tech crime
• Computer System
- devices or set of devices connected and operated by a program or a set of programs
- processing data automatically
• Computer Data
- data, wording, instructions or set of instructions
- in the computer system
- can be processed by computer
- electronic data under law on electronic transactions
• Computer Traffic Data
- data related to communications of the computer system
- showing source and destination, route, date, time, duration, type of communications, etc. of the
computer system
5. LAWPLUS 4
Computer Crimes – Key Words and Definitions under the CCA
• Internet Service Provider (“ISP”)
- providing service of internet access or other means of communication
- to other persons to communicate through computer systems
- in the name of ISP itself or in the name of or for benefits of another person
User
ISP
• Websites
• E-mail address
• VOIP (Facebook,
Line, WeChat,
Alibaba, eBay,
etc.)
User
6. LAWPLUS 5
Computer Crimes Act B.E. 2550 (A.D. 2007)
• Effective from 19th July 2007
• Criminal liabilities for offences: computer crimes, such as:
- unauthorized access to secured computer system or secured computer data of other
person
- illegally causing damage, change or addition to computer data of other person
- illegally causing disruption or interference with computer system of other person
• Not covered offences committed against national security, national
economic stability or public order or infrastructures
• Not sufficient for preventing offences committed via social media
7. LAWPLUS 6
Computer Crimes Act (No. 2) B.E. 2560 (A.D. 2017)
• Effective from 24th May 2017
• Amending the CCA and becoming part of the CCA
• Ministry of Digital Economy and Society (“MDES”) is in charge of
enforcement
• New offences introduced:
- sending nuisance e-mail without an “op-out” option
- uploading or sharing computer data likely to cause damage or disruption to national
security, public safety, public infrastructure, national economic stability, public order
- online infringement against intellectual property
- uploading created, edited or modified picture of a dead person likely to cause
disreputation, hatred or shame to his or her parents, spouse or children
- not retaining computer data traffic or user’s information for 2 years as may be ordered by
the competent officer
8. LAWPLUS 7
Major Principles of the Amended CCA
• Longer imprisonment terms and higher fine amounts for offences related to
national security causing death without intent, etc.
• More powers for competent officer to:
(1) make written inquiry or order person to give statement
(2) order submission of computer data traffic
(3) order service provider to submit computer traffic data or data of user
(4) make copy of computer data or computer traffic data
(5) order submission of computer data or devices
(6) check or access computer system or devices
(7) encode / decrypt computer data
(8) freeze or seize computer system
Powers under (4) to (8) are subject to court approval
• Most offences with a fine penalty
- can be settled with the Settlement Committee
- offences under sections 5, 6, 7, 11, 13 first paragraph, 16/2, 23, 24 and 27
9. LAWPLUS 8
Major Principles of the Amended CCA
• Settlement Committee
- appointed by MDES
- 3 members
- once a fine for an offence is imposed and the fine is paid, the case is settled
• MDES appoints Computer Data Screening Committees
• Each Computer Data Screening Committee
- has 12 members consisting of 9 members from the public sector and 3 members from
the private sector (human right, mass communication, information technology)
- gives approval to the MDES Minister or the competent officer for filing a petition with court
for a takedown notice against computer data which
(1) constitutes a criminal offence under the CCA
(2) may impact national security under the Penal Code (Book 2, Title 1, Chapter 2, Part 1 and Part 1/2)
(3) may constitute a criminal offence related to the public order or the good morals of the peoples
10. LAWPLUS 9
Offences and Penalties
No. Crimes/Offences Imprisonment Fine (THB)
1 Hacking computer system of another person (Section 5)
Not exceeding 6
months
Not exceeding 60,000
2
Disclosing password / security measures of another person in a
manner which may cause damage (Section 6)
Not exceeding 1 year Not exceeding 20,000
3 Accessing secured computer data of another person (Section 7) Not exceeding 2 years Not exceeding 40,000
4 Intercepting computer data of another person (Section 8) Not exceeding 3 years Not exceeding 60,000
5 Causing loss or damage to or modifying computer data of another
person without authorization (Section 9)
Not exceeding 5 years Not exceeding 100,000
6
Interfering with computer system of another person to cause
disruption, delay, obstacle or nuisance (Section 10)
Not exceeding 5 years
and / or not exceeding
100,000
7
Sending computer data or e-mail without disclosing source to
cause nuisance to computer system of another person (Section
11, first paragraph)
-
and / or not exceeding
100,000
11. LAWPLUS 10
Offences and Penalties
No. Crimes/Offences Imprisonment Fine (THB)
8
Sending computer data or e-mail to cause nuisance to another
person without an easy “opt out” or “unsubscribe” option (Section
11, second paragraph)
-
and / or not exceeding
200,000
9
Offence under 1, 2, 3, 4, 7 or 8 against computer data or
computer system related national security, public safety, national
economic stability, or public infrastructure (Section 12, first
paragraph)
1 to 7 years and 20,000 to 140,000
10
Offence under 9 causing damage to such computer data or
computer system (Section 12, second paragraph)
1 to 10 years and 20,000 to 200,000
11
Offence under 5 or 6 against computer data or computer system
related to 9 (Section 12, third paragraph)
3 to 15 years and 300,000
12
Offence under 5 or 6 causing injury to another person or damage
to property of another person (Section 12/1, first paragraph)
not exceeding 10
years
and not exceeding
200,000
13
Offence under 5 or 6 causing death to another person without
intent (Section 12/1, second paragraph)
5 to 20 years and 100,000 to 400,000
12. LAWPLUS 11
Offences and Penalties
No. Crimes/Offences Imprisonment Fine (THB)
14
Uploading into computer system:- (1) computer data which is
distorted, forged or false which may cause damage to the public;
(2) computer data which is false which may cause damage to
notional security, public safety, national economic stability or
public infrastructure or cause panic to the public; (3) computer
data related to national security or terrorism; (4) computer data
which is obscene accessible by the public; (5) distributing or
sharing computer data under (1) to (4) (Section 14, first
paragraph)
Not exceeding 5 years
and / or not exceeding
100,000
15
Offence under 14 against a person (Section 14, second
paragraph)
Not exceeding 3 years
and / or not exceeding
60,000
16
Service provider cooperates with, consents to or knowingly allows
offence under 14 in computer system under his control (Section
15)
Not exceeding 5 years
and / or not exceeding
100,000
17
Uploading for public access picture of a person which created,
edited or modified in a manner which may cause disreputation,
hatred or shame to that person (Section 16, first paragraph)
Not exceeding 3 years
and / or not exceeding
200,000
18
Not retaining computer traffic data for not less than 90 days from
the date of its entry into computer system or for a longer period
as ordered by the official; not retaining identify data of service
user from commencement of service usage up to 90 days from
the end of service usage (Section 26)
-
and / or not exceeding
500,000
13. LAWPLUS 12
Online Intellectual Property Infringement
• Section 20(3) provides for “takedown” measures against advertising,
offering for sale and selling of counterfeits or pirated goods online or
through e-commerce platforms or social media applications.
• IP owner can ask MDES officer to take action.
• Officer investigates and collects evidence of the offence and asks the
MDES Minister for approval to file a petition with the Court for a takedown
order (in an urgent case the officer can file the petition with the Court
before obtaining approval from the Minister).
• Officer files the petition with the Court.
• Court issues a takedown order for ISP to block the website or remove the
infringing data.
• Failure to comply with the Court order is subject to a fine not exceeding
THB200,000 plus a daily fine not exceeding THB5,000 per day.
14. LAWPLUS 13
Online Intellectual Property Infringement
IP owner notifies
an officer of the
MDES Ministry.
The officer asks
for approval from
the Minister.
Minister gives
approval.
The officer files a
motion to the
court.
The court grants
an order.
The officer orders the
services provider to
remove or delete the
infringing data.
15. LAWPLUS 14
Criminal Liabilities of Companies and Directors under the CCA
• Directors have duties to manage company within its objectives and under the
control of its shareholders.
• Directors also have duty of care and other duties set out in the Civil and Commercial
Code (“CCC”).
• Company and its directors are liable under the Act on Offenses of Registered
Partnerships, Limited Liability Partnerships, Limited Companies, Associations and
Foundations B.E. 2499 if directors fail to do their duties under the CCC.
• Fines for criminal offence committed by company apply to both company and its
authorized directors.
• Imprisonment applies to company’s authorized directors.
• When a company is sued, its authorized directors are normally named as co-
defendants with the company.
16. LAWPLUS 15
Criminal Liabilities of Companies and Directors under the CCA
• CCA applies to both natural (individual) persons and legal entities (companies,
partnerships, associations, etc.).
• CCA does not have a provision that presumes that directors are criminally liable
jointly with the company.
• Act on Amendments to Laws Related to Criminal Liabilities of Representatives of
Legal Entities B.E. 2560 (“AAL”) is effective from 12th February 2017.
• AAL amended 76 laws to eliminate the assumption that directors, managers or
persons responsible for company business operation are liable jointly with the
company.
• The 76 laws include:
- Act on Offenses of Registered Partnerships, Limited Liability Partnerships, Limited
Companies, Associations and Foundations B.E. 2499
- Immigration Act B.E. 2522
- Consumer Protection Act B.E. 2522
- Factories Act B.E. 2535
- Electronic Transactions Act B.E. 2544
- etc.
17. LAWPLUS 16
Criminal Liabilities of Companies and Directors under the CCA
• The CCA is not included in the 76 laws amended by the AAL.
• Directors, managers or persons responsible for company business
operation are liable with the company under the CCA only if the company
committed the offense per their instruction, act or omission.
• Non-executive director not involved with day-to-day operation of the
company is criminally liable with the company only if he or she is involved
with the offence committed by the company.
• The public prosecutor must prove in a criminal case that the company
committed the offence under introduction, act or omission of the director.
18. LAWPLUS 17
Laws on Data Protection – Several Applicable Laws
• There is no specific law on data protection and data privacy.
• No government authority is established in Thailand to regulate and manage personal
data protection.
• Section 32 of the Constitution B.E. 2560 (2017) require protection of personal data
and data privacy.
“Section 32. A person shall enjoy the rights of privacy, dignity, reputation and family.
An act violating or affecting the right of a person under paragraph one, or an exploitation of
personal information in any manner whatsoever shall not be permitted, except by virtue of a
provision of law enacted only to the extent of necessity of public interest.”
• Section 323 of the Penal Code imposes criminal liabilities on doctors, pharmacists,
nurses, lawyers, auditors, etc. who disclose personal data (private secret) of clients.
• Laws on telecommunications business, banking and financial business, etc. provide
a certain level of protection against unauthorized collection, use, processing,
disclosure and transfer of personal data.
• Collection, processing, use, transfer or disclosure of personal data of another
person without consent can constitute a wrongful act under Section 420 of the CCC:
“Person who, willfully or negligently, unlawfully injures the life, body, health, liberty, property
or any right of another person, is said to commit a wrongful act and is bound to make
compensation.”
19. LAWPLUS 18
Laws on Data Protection – Draft of Personal Data Protection Act
• Several drafts of Personal Data Protection Act have been prepared since
2009
– to protect personal data given advancement of information and communications
technologies
– to regulate collection, procession, use and disclosure of personal data
– to prevent nuisance and damage to owner of personal data
– to prevent personal data from being commercialized or disclosed without prior consent of
the person
• Latest draft was submitted to the National Legislative Assembly but was
withdrawn on 8th September 2017 mainly because:
– draft did not include sufficient implementation measures
– draft was not endorsed by the Cabinet
– there are sufficient provisions of laws for personal data protection
• No clear indication as to when the draft will be resubmitted to the NLA and
enacted as a law.
20. LAWPLUS
Unit 1401, 14th Floor, 990 Abdulrahim Place, Rama IV Road, Bangkok 10500, Thailand
Tel. +66 (0)2 636 0662, Fax +66 (0)2 636 0663
Room 517, Yangon International Hotel, No. 330 Corner of Ahlone and Pyay Roads, Dagon Township, Yangon, Myanmar
Tel. +95 9 505 6667 and Tel. +95 92 6111 7006
www.lawplusltd.com
Contacts:
Kowit Somwaiya, Managing Partner
kowit.somwaiya@lawplusltd.com
Prasantaya Bantadtan, Partner
prasantaya.bantadtan@lawplusltd.com
Naddaporn Suwanvajukkasikij, Partner
naddaporn.suwanvajukkasikij@lawplusltd.com