Computer Crimes Act – Potential Employer Liability

David Manuel and Lapadrada Chujinda

The Thai Computer Crimes Act (CCA), which came into force in 2007, is broadly written and leaves the Courts with wide discretion to decide whether content posted on the internet or uploaded to any computer system is in breach of the CCA or the Criminal Code on national security grounds. This could have serious implications for US employers in Thailand, who may potentially face charges as a result of employee-produced content using workplace computer systems.

Section 14 of the CCA imposes penalties of up to five years imprisonment and/or a fine of up to Baht 100,000 for offenders who enter any data into a computer system which is an offence relating to national security, and under Section 15 of the CCA, offenders include service providers who deliberately support or allow offending under Section 14 in a computer system that it controls.

The CCA defines service providers much more broadly than the colloquial use of the term commonly applied to information technology. The definition includes anyone who provides internet access or computer communications to other people or provides data storage services to others, which makes any US employer in Thailand that provides its employees with internet access a service provider under the CCA.

The CCA does not provide guidance as to what offences may relate to national security, but recent high profile and controversial cases have seen convictions and prison sentences imposed under Sections 14 and 15 of the CCA on national security grounds, which includes lese majeste offences.

While it seems unlikely that US employers in Thailand would deliberately support data entry on their computer systems that may amount to a national security offence, the scenario where errant employees use work computer systems to post unauthorized non-work material on the internet relating to national security is easier to envisage.

For a conviction under Section 15 of the CCA, the employer’s intentional facilitation of the commission of the offence would need to be established. To date, the CCA has only been used to target employers regarded by the prosecuting authorities as directly complicit in the offending. However, the potential remains under Section 15 of the CCA for the authorities to exercise their discretion to prosecute employers whose computer systems are used by employees to commit an offence under Section 14 of the CCA, in circumstances where the employer’s involvement in the offending is unclear, and would need to be determined at trial.   

The CCA imposes an obligation upon businesses operating in Thailand to keep records of their users' email, chat, internet usage and personal identification for a minimum of 90 days; service providers who do not comply with the data retention requirements themselves face fines of up to Baht 500,000 as a separate offence under the CCA1. While the primary intent of imposing data retention obligations on service providers is so that data can potentially be used by the authorities as evidence of an offence, and although the CCA does not expressly require service providers to “police” their employees’ computer activities for compliance with the CCA, the potential remains under Section 15 of the CCA for a US employer operating in Thailand to be prosecuted as a result of unauthorized employee use of work computer systems.

If the authorities were to prosecute a US employer under CCA Section 15 in connection with an offence committed by its employee under CCA Section 14, a defense based on the US employers’ lack of knowledge and responsibility for its employees’ activities may be diminished by virtue of the employer’s obligation under the CCA to keep records of their employees' email, chat, internet usage and personal identification.

Compliance with the obligation under the CCA to maintain user records makes it relatively straightforward for employers to monitor their employees’ computer use, and the Courts may potentially conclude that it is not tenable for an employer with data retention records of the errant user not to have any awareness of – and by inference an intention to support – the commission of the offence, despite the CCA not imposing a direct obligation on employers to monitor their employees’ use of work computer systems.

Also, offences under the CCA committed by non-Thai nationals outside Thailand can be punished within Thailand if the Thai government or a Thai national are injured and files for punishment of the offender. Although enforcement of these offences may prove problematic, the legislature’s intent to broadly apply the scope of the CCA and provide considerable judicial discretion in its interpretation, is apparent.

There are proposals to amend the CCA, but the current draft broadens the scope still further, so that the a person who administers a computer system and commits certain offences can be liable for penalties up to one and half times higher than offenders who are not computer administrators. Service providers and computer administrators who allow the commission of offences relating to national security, could be penalized the same as other persons committing the same type of offences. However, the draft CCA is controversial and it remains uncertain as to whether it will be enacted.

In light of the above, what measures can and should US companies operating in Thailand take to mitigate the risk of prosecution under the CCA?

Clearly informing employees that work computers and computer systems are for work purposes only should almost certainly be the primary countervailing measure. Apart from any legal considerations, many companies already apply this principle with varying degrees of stringency for reasons of work productivity. Some surveys estimate that non-work-related internet use results in as much as 40% productivity loss. However, in reality total employee adherence to this principle is unlikely to be achieved, and the question of the manner and strictness of employer enforcement need to be considered.

Blocking certain contentious websites at the work intranet level is another option. The difficulty here is in identifying relevant websites as and when they emerge – a major ongoing undertaking which may well prove ineffective.

Active monitoring of employee use of computer systems can also be problematic. Studies have shown that most employees believe that their computer use at work is not being monitored, and that their non-work related use of work computer systems is confidential. If employees are made aware that their private communications are being monitored, it may have a detrimental effect on the work environment.

That the prosecuting authorities have so far exercised their discretion to selectively apply the CCA to prosecute employers against whom there is strong evidence of involvement in offending under the CCA, can give some comfort to US companies operating in general compliance with Thai law, but unmonitored errant use of work computer systems by any employees who commit an offence under the broad provisions of Section 14 of the CCA without the knowledge of their US employer, could still result in the prosecution of US employers and their directors if targeted by the authorities.

1 US employers in Thailand with operations in EU countries may also need to consider any conflict between the obligations under the CCA and EU Data Protection Directive.