On 24 January 2017, amendments to the Computer Crimes Act B.E 2550 were enacted as the Computer Crimes Act No.2 B.E.2560 (2017) (the “Act”) and will officially come into force 120 days thereafter. When the Act becomes law, it will confer the government with broad authority to delve into private digital information, as well as monitor, investigate and accumulate data.
In September 2016, the Ministry of Digital Economy and Society took over all responsibilities from the Ministry of Information and Communication Technology. As such, in order to harmonize with the amendment of the ministry, the Minister in charge and the control of execution of this Act has been amended as listed in section 4 (from Minister of Information Technology and Commerce to Minister of Digital Economy and Society). The amended section will also authorize the Minister in charge to appoint officers and issue ministerial regulations and notifications for the execution of this Act.
Some of the more notable provisions under the Act are as follows:
- A new provision has been added to section 11 of the Act to stipulate the offence and liability of sending computer data or electronic mail to another person so as to cause interference to the receiver without offering an opportunity to unsubscribe or a request to unsubscribe to the computer data, which is commonly known as “spam”. The definition and criteria for the word “irritation” is not stipulated in the Act, but it is anticipated that it will be set forth in ministerial regulations subsequently.
- Under the Act’s newly amended section 14, the scope of the offence relating to the importation of false data into a computer system that could cause damage to the public has been expanded so that it can include matters which could create panic or harm to public infrastructure, national security, public security or economic security. This amendment has been widely criticized due to its ambiguity which leaves it too open to different interpretations and potential misuse for political
- The offence for service providers who consent to an offence stipulated under section 14 of the Act has been expanded under section 15 in order to include those who cooperate or conspire in relation to such offence. However, this section does allow for service providers who comply with a Minister‘s request to be exempted from criminal liability, but in order to obtain such exemption, the burden of proof is reversed onto the service provider.
- A new section 16 of the Act increases criminal liability for the offence of importation of computer data which resembles the image of another person into a publicly accessible computer system and the image created by electronic means impairs the reputation of such person or exposes them to hatred or contempt, in which case the offender will face imprisonment for up to 3 years and a fine up to 200,000 baht, or both. This section 16 also expands the scope of the commission of such offence to include those who make images of a deceased person so as to impair the reputation of such person’s parents, spouse or children or to expose them to hatred or contempt.
- Sections 18 and 19 of the Act broadly expand the investigation and data accumulation powers of the authorities. These sections allow officials access to data of service providers in order to collect evidence for the purpose of investigations and inquiries. Furthermore, the authorities are also allowed to seize or copy computer data or computer storage devices, including decrypted and encrypted computer systems, encrypted data or data of any person (with the prior approval of the Court, having filed a motion; such motion should have reasonable grounds to believe that the person has committed or has attempted to commit an offence under the Act.)
- Under Section 20 of the Act, a Computer Data Screening Committee is established, which comprises a panel of 9 members appointed by the Minister, 3 of whom are from the private sector. The panel is empowered to permit competent officials to lodge motions for court orders to block or remove computer data that is deemed to be contrary to public order and good morals, even if such data is not deemed to be illegal.
- A new amendment to section 26 of the Act partially continues the requirements under the previous act, by continuing the 90 day or longer period for which service providers are required to maintain traffic data in general cases. For particular cases, however, service providers may be ordered to maintain traffic data for up to 2 years, which is 1 year longer than the previous requirement.
It is hoped that the Act will better equip the authorities in their war against cyber crime, without overly broad use or for political reasons.