LAWPLUS Computer Crimes and Data Protection Usa Ua-areetham, Senior Associate www.lawplusltd.com Korean-Thai Chamber of Commerce Legal Seminar 17 November 2017 Holiday Inn Sukhumvit Hotel, Bangkok

Computer Crimes and Data Protection

The information provided in this document is general in nature and may not apply to any specific situation. Specific advice should be sought before taking any action based on the information provided. Under no circumstances shall LawPlus Ltd. or any of its directors, partners and lawyers be liable for any direct or indirect, incidental or consequential loss or damage that results from the use of or the reliance upon the information contained in this document. Copyright © 2017 LawPlus Ltd.

Presentation Topics

• Key Words and Definitions

• Computer Crimes Act B.E. 2550

• Computer Crimes Act (No. 2) B.E. 2560

• Major Principles of the Amended CCA

• Offences and Penalties

• Online Intellectual Property Infringement

• Criminal Liability of Company and Directors under the CCA

• Laws on Data Protection

Computer Crimes – Key Words and Definitions under the CCA

• Key Words

- computer crime, computer related crime

- cyber crime

- electronic crime

- high tech crime

• Computer System

- devices or set of devices connected and operated by a program or a set of programs

- processing data automatically

• Computer Data

- data, wording, instructions or set of instructions

- in the computer system

- can be processed by computer

- electronic data under law on electronic transactions

• Computer Traffic Data

- data related to communications of the computer system

- showing source and destination, route, date, time, duration, type of communications, etc. of the computer system

Computer Crimes – Key Words and Definitions under the CCA

• Internet Service Provider (“ISP”)

- providing service of internet access or other means of communication

- to other persons to communicate through computer systems

- in the name of ISP itself or in the name of or for benefits of another person

[Diagram: User / ISP (websites; e-mail address; VOIP (Facebook, Line, WeChat, Alibaba, eBay, etc.)) / User]

Computer Crimes Act B.E. 2550 (A.D. 2007)

• Effective from 19th July 2007

• Criminal liabilities for computer crimes, such as:

- unauthorized access to secured computer system or secured computer data of other person

- illegally causing damage, change or addition to computer data of other person

- illegally causing disruption or interference with computer system of other person

• Did not cover offences committed against national security, national economic stability, public order or infrastructure

• Was not sufficient for preventing offences committed via social media

Computer Crimes Act (No. 2) B.E. 2560 (A.D. 2017)

• Effective from 24th May 2017

• Amending the CCA and becoming part of the CCA

• Ministry of Digital Economy and Society (“MDES”) is in charge of enforcement

• New offences introduced:

- sending nuisance e-mail without an “opt-out” option

- uploading or sharing computer data likely to cause damage or disruption to national security, public safety, public infrastructure, national economic stability, public order

- online infringement against intellectual property

- uploading created, edited or modified picture of a dead person likely to cause disreputation, hatred or shame to his or her parents, spouse or children

- not retaining computer traffic data or user’s information for 2 years as may be ordered by the competent officer

Major Principles of the Amended CCA

• Longer imprisonment terms and higher fine amounts for offences related to national security, causing death without intent, etc.

• More powers for competent officer to:

(1) make written inquiry or order person to give statement

(2) order submission of computer traffic data

(3) order service provider to submit computer traffic data or data of user

(4) make copy of computer data or computer traffic data

(5) order submission of computer data or devices

(6) check or access computer system or devices

(7) encode / decrypt computer data

(8) freeze or seize computer system

Powers under (4) to (8) are subject to court approval

• Most offences with a fine penalty

- can be settled with the Settlement Committee

- offences under sections 5, 6, 7, 11, 13 first paragraph, 16/2, 23, 24 and 27

Major Principles of the Amended CCA

• Settlement Committee

- appointed by MDES

- 3 members

- once a fine for an offence is imposed and the fine is paid, the case is settled

• MDES appoints Computer Data Screening Committees

• Each Computer Data Screening Committee

- has 12 members consisting of 9 members from the public sector and 3 members from the private sector (human rights, mass communication, information technology)

- gives approval to the MDES Minister or the competent officer for filing a petition with court for a takedown notice against computer data which

(1) constitutes a criminal offence under the CCA

(2) may impact national security under the Penal Code (Book 2, Title 1, Chapter 2, Part 1 and Part 1/2)

(3) may constitute a criminal offence related to the public order or the good morals of the people

Offences and Penalties

| No. | Crimes/Offences | Imprisonment | Fine (THB) |
| --- | --- | --- | --- |
| 1 | Hacking computer system of another person (Section 5) | Not exceeding 6 months | Not exceeding 60,000 |
| 2 | Disclosing password / security measures of another person in a manner which may cause damage (Section 6) | Not exceeding 1 year | Not exceeding 20,000 |
| 3 | Accessing secured computer data of another person (Section 7) | Not exceeding 2 years | Not exceeding 40,000 |
| 4 | Intercepting computer data of another person (Section 8) | Not exceeding 3 years | Not exceeding 60,000 |
| 5 | Causing loss or damage to or modifying computer data of another person without authorization (Section 9) | Not exceeding 5 years | Not exceeding 100,000 |
| 6 | Interfering with computer system of another person to cause disruption, delay, obstacle or nuisance (Section 10) | Not exceeding 5 years | and / or not exceeding 100,000 |
| 7 | Sending computer data or e-mail without disclosing source to cause nuisance to computer system of another person (Section 11, first paragraph) | - | and / or not exceeding 100,000 |

Offences and Penalties

| No. | Crimes/Offences | Imprisonment | Fine (THB) |
| --- | --- | --- | --- |
| 8 | Sending computer data or e-mail to cause nuisance to another person without an easy “opt out” or “unsubscribe” option (Section 11, second paragraph) | - | and / or not exceeding 200,000 |
| 9 | Offence under 1, 2, 3, 4, 7 or 8 against computer data or computer system related to national security, public safety, national economic stability, or public infrastructure (Section 12, first paragraph) | 1 to 7 years | and 20,000 to 140,000 |
| 10 | Offence under 9 causing damage to such computer data or computer system (Section 12, second paragraph) | 1 to 10 years | and 20,000 to 200,000 |
| 11 | Offence under 5 or 6 against computer data or computer system related to 9 (Section 12, third paragraph) | 3 to 15 years | and 300,000 |
| 12 | Offence under 5 or 6 causing injury to another person or damage to property of another person (Section 12/1, first paragraph) | Not exceeding 10 years | and not exceeding 200,000 |
| 13 | Offence under 5 or 6 causing death to another person without intent (Section 12/1, second paragraph) | 5 to 20 years | and 100,000 to 400,000 |

Offences and Penalties

| No. | Crimes/Offences | Imprisonment | Fine (THB) |
| --- | --- | --- | --- |
| 14 | Uploading into computer system: (1) computer data which is distorted, forged or false which may cause damage to the public; (2) computer data which is false which may cause damage to national security, public safety, national economic stability or public infrastructure or cause panic to the public; (3) computer data related to national security or terrorism; (4) computer data which is obscene accessible by the public; (5) distributing or sharing computer data under (1) to (4) (Section 14, first paragraph) | Not exceeding 5 years | and / or not exceeding 100,000 |
| 15 | Offence under 14 against a person (Section 14, second paragraph) | Not exceeding 3 years | and / or not exceeding 60,000 |
| 16 | Service provider cooperates with, consents to or knowingly allows offence under 14 in computer system under his control (Section 15) | Not exceeding 5 years | and / or not exceeding 100,000 |
| 17 | Uploading for public access picture of a person which is created, edited or modified in a manner which may cause disreputation, hatred or shame to that person (Section 16, first paragraph) | Not exceeding 3 years | and / or not exceeding 200,000 |
| 18 | Not retaining computer traffic data for not less than 90 days from the date of its entry into computer system or for a longer period as ordered by the official; not retaining identity data of service user from commencement of service usage up to 90 days from the end of service usage (Section 26) | - | and / or not exceeding 500,000 |

Online Intellectual Property Infringement

• Section 20(3) provides for “takedown” measures against advertising, offering for sale and selling of counterfeits or pirated goods online or through e-commerce platforms or social media applications.

• IP owner can ask MDES officer to take action.

• Officer investigates and collects evidence of the offence and asks the MDES Minister for approval to file a petition with the Court for a takedown order (in an urgent case the officer can file the petition with the Court before obtaining approval from the Minister).

• Officer files the petition with the Court.

• Court issues a takedown order for ISP to block the website or remove the infringing data.

• Failure to comply with the Court order is subject to a fine not exceeding THB200,000 plus a daily fine not exceeding THB5,000 per day.

Online Intellectual Property Infringement

IP owner notifies an officer of the MDES Ministry.

The officer asks for approval from the Minister.

Minister gives approval.

The officer files a motion to the court.

The court grants an order.

The officer orders the service provider to remove or delete the infringing data.

Criminal Liabilities of Companies and Directors under the CCA

• Directors have duties to manage company within its objectives and under the control of its shareholders.

• Directors also have duty of care and other duties set out in the Civil and Commercial Code (“CCC”).

• Company and its directors are liable under the Act on Offenses of Registered Partnerships, Limited Liability Partnerships, Limited Companies, Associations and Foundations B.E. 2499 if directors fail to do their duties under the CCC.

• Fines for criminal offence committed by company apply to both company and its authorized directors.

• Imprisonment applies to company’s authorized directors.

• When a company is sued, its authorized directors are normally named as co-defendants with the company.

Criminal Liabilities of Companies and Directors under the CCA

• CCA applies to both natural (individual) persons and legal entities (companies, partnerships, associations, etc.).

• CCA does not have a provision that presumes that directors are criminally liable jointly with the company.

• Act on Amendments to Laws Related to Criminal Liabilities of Representatives of Legal Entities B.E. 2560 (“AAL”) is effective from 12th February 2017.

• AAL amended 76 laws to eliminate the assumption that directors, managers or persons responsible for company business operation are liable jointly with the company.

• The 76 laws include:

- Act on Offenses of Registered Partnerships, Limited Liability Partnerships, Limited Companies, Associations and Foundations B.E. 2499

- Immigration Act B.E. 2522

- Consumer Protection Act B.E. 2522

- Factories Act B.E. 2535

- Electronic Transactions Act B.E. 2544

- etc.

Criminal Liabilities of Companies and Directors under the CCA

• The CCA is not included in the 76 laws amended by the AAL.

• Directors, managers or persons responsible for company business operation are liable with the company under the CCA only if the company committed the offense per their instruction, act or omission.

• Non-executive director not involved with day-to-day operation of the company is criminally liable with the company only if he or she is involved with the offence committed by the company.

• The public prosecutor must prove in a criminal case that the company committed the offence under instruction, act or omission of the director.

Laws on Data Protection – Several Applicable Laws

• There is no specific law on data protection and data privacy.

• No government authority is established in Thailand to regulate and manage personal data protection.

• Section 32 of the Constitution B.E. 2560 (2017) requires protection of personal data and data privacy.

“Section 32. A person shall enjoy the rights of privacy, dignity, reputation and family.

An act violating or affecting the right of a person under paragraph one, or an exploitation of personal information in any manner whatsoever shall not be permitted, except by virtue of a provision of law enacted only to the extent of necessity of public interest.”

• Section 323 of the Penal Code imposes criminal liabilities on doctors, pharmacists, nurses, lawyers, auditors, etc. who disclose personal data (private secret) of clients.

• Laws on telecommunications business, banking and financial business, etc. provide a certain level of protection against unauthorized collection, use, processing, disclosure and transfer of personal data.

• Collection, processing, use, transfer or disclosure of personal data of another person without consent can constitute a wrongful act under Section 420 of the CCC:

“Person who, willfully or negligently, unlawfully injures the life, body, health, liberty, property or any right of another person, is said to commit a wrongful act and is bound to make compensation.”

Laws on Data Protection – Draft of Personal Data Protection Act

• Several drafts of Personal Data Protection Act have been prepared since 2009

– to protect personal data given advancement of information and communications technologies

– to regulate collection, processing, use and disclosure of personal data

– to prevent nuisance and damage to owner of personal data

– to prevent personal data from being commercialized or disclosed without prior consent of the person

• Latest draft was submitted to the National Legislative Assembly but was withdrawn on 8th September 2017 mainly because:

– draft did not include sufficient implementation measures

– draft was not endorsed by the Cabinet

– there are sufficient provisions of laws for personal data protection

• No clear indication as to when the draft will be resubmitted to the NLA and enacted as a law.

LAWPLUS

Unit 1401, 14th Floor, 990 Abdulrahim Place, Rama IV Road, Bangkok 10500, Thailand

Tel. +66 (0)2 636 0662, Fax +66 (0)2 636 0663

Room 517, Yangon International Hotel, No. 330 Corner of Ahlone and Pyay Roads, Dagon Township, Yangon, Myanmar

Tel. +95 9 505 6667 and Tel. +95 92 6111 7006

www.lawplusltd.com

Contacts:

Kowit Somwaiya, Managing Partner

Prasantaya Bantadtan, Partner

Naddaporn Suwanvajukkasikij, Partner