Bangkok, Thailand – Thailand is expected to soon pass a new cybersecurity law which will create a government agency with sweeping powers of search and seizure, triggering concerns for freedom of expression and data security among civil society and business groups as elections loom.
But experts involved in drafting the bill say they have taken their worries into consideration.
“The draft law was criticised for giving too much power to one person,” said Bhume Bhumiratana, one of the seven cybersecurity experts on the bill’s preparation team.
“We’ve reworked the draft to move that power over to a committee,” added Bhume, an adviser to the Thai Ministry of Digital Economy and Society.
“The ability to seize data has been changed to now require a court warrant. The scope of the law itself has been changed from broad language to focus on protecting critical information infrastructure like servers and fibre optic cables.”
The National Cybersecurity Committee will be established once the legislation is passed – expected as soon as this month.
It’s believed that it will consist of up to 15 members, including the prime minister and the deputy prime minister, and will only be able to seize computers and data without a court warrant in the case of an emergency.
But what constitutes an emergency is the sticking point.
“It’s likely that every cyber-threat will be considered an emergency, making a court order irrelevant,” said Arthit Suriyawongkul, coordinator at Thai Netizen Network – a digital rights and civil liberties group based in the capital, Bangkok.
The Cybersecurity bill was first drawn up in 2015 following the previous year’s military coup that brought the National Council for Peace and Order (NCPO) to power. It was shelved until Thailand’s rubber-stamp parliament made amendments in 2016 to strengthen the existing law relating to online activity, the Computer Crimes Act.
The government maintains the two pieces of legislation are a tool of law enforcement and regulatory control, and necessary as the country gears up for long-delayed elections on March 24.
With King Maha Vajiralonkorn’s coronation due to take place in May, there were concerns the military government might push the vote back again, after postponing the polls four times over the past five years. The last coronation took place 69 years ago for the late King Bhumibol Adulyadej.
But with the March 24 date announced earlier week, the cybersecurity bill is expected to become law before Thai voters go to the polls.
“We’re not saying we don’t want this law,” said Arthit at Thai Netizen Network. “The question is more about accountability and transparency.
“In the past five years, there’s been an abuse of power. If you talk about the monarchy or the NCPO online they count that as a cyber-threat.”
In its World Report 2019, Human Rights Watch called on the NCPO to stop suppressing fundamental freedoms in Thailand.
The global human rights group noted that hundreds of activists and dissidents had faced criminal charges such as sedition, computer crimes and “lese majeste”, Thailand’s royal insult law under the military-backed government.
Former Thai diplomat and writer Pavin Chachavalpongpun said the NCPO used lese majeste to silence those critical of monarchy and military relations.
Pavin himself has had his passport revoked. And the NCPO even ordered Thai Facebook users not to share his posts.
“The new king doesn’t want more lese-majeste cases, so there’s been a significant drop in the last year. The palace wants cyber-laws to be used instead,” he said.
Following the death of King Bhumibol in 2016, the NCPO threatened legal action against Facebook if it did not remove content it said was in violation of lese majeste.
According to Facebook, it only complied with one 2017 request for user data from Thailand’s military government. In 2018, it restricted 285 posts deemed in violation of the same law.
Google meanwhile said the NCPO made requests to remove 9,986 items identified as critical of the government in 2017 and complied with 93 percent of requests made.
The industry association group Asia Internet Coalition, which represents Facebook, Google and other tech companies, wrote a letter to Thailand’s Ministry of Digital Economy and Society expressing its misgivings about the law.
The group added that a data protection bill, also before parliament alongside its cybersecurity counterpart, does not meet international standards on data privacy.
Even those who know the legislation well have concerns.
“Data protection won’t be enforced fairly,” Bhume said. “It will cover most businesses but has exemptions for several government agencies,” he added.
“Everyone who collects data has a responsibility to protect its users. When a data breach happens, a business may face a fine or pay costs to the victims.”
Still, few Thais are aware of the impending changes to the cybersecurity and data protection laws.
Bhume blames “misinformed” people in the government for wanting to treat cyber-threats as national security incidents, and for ratcheting up fear in the media about the need for a cyber-warfare unit to defend Thailand from attacks.
“Why the need to seize data? If the goal is to get security stronger then all you need is collaboration and cooperation between the public and private sectors,” he said.
He insists there will still be room for discussion, and even amendment, after it has passed.
With political parties gearing up for the election, and continuing doubts about whether the vote will really be free and fair, Pavin has more immediate concerns.
“I think with the election coming, this [law] could be used for political purposes to go after critics of the NCPO,” he said.