In the fourth part of our series examining Thailand's new and controversial cyber laws, we look at the impact it can have on business - and it doesn't necessarily look very profitable.
In the last couple of instalments of this series, we have highlighted the pitfalls, flaws and loopholes of some of the new proposed cyber laws of the Thai military government. Obviously, since this blog mainly focusses on politics and media freedom, we have so far examined the bills with regards to cyber security, surveillance and its implications on censorship, civil liberties and privacy.
However, for some people and entities these aspects are simply not on the top of their priority list - and we’re not talking about the junta this time! No, this time we mean the economic sector. And it is often said from that direction that an effective, stable political situation is preferable - cynics would argue that democratic values are not economic factors.
The main selling point by the current military junta of the new cyber laws is to lay out the legal groundwork to improve the conditions for Thailand’s ”digital economy” and thus position the country more competitively, especially with the ASEAN Economic Community lurking just around the corner. Another objective is to integrate governance and state business better in to the ”digital economy” as well.
And there are some very good reasons to focus on that: With an internet penetration of 35 per cent (roughly 28.3m people) and an even higher percentage of mobile phone users (125 per cent or 84m people, in fact more than the actual Thai population!), there are a lot of opportunities to be made digitally (source and more stats here).
But when you take a closer look at the eight different cyber law bills, there are many passages that also potentially can spell bad business as well. As usual, the devil is in the details.
Let's start off with the Personal Data Protection bill (full translation available here). As the name of the bill implies, it is initially set up to (supposedly) protect personal data of every Thai online user and for that reason a committee overseeing that would also include representatives of three consumer protection NGOs on board. According to Article 7 of the new bill however, they are now gone and have been replaced by the Secretary of the National Security Council instead.
And it doesn't get any better as we encounter yet another example of a typical problem when it comes to Thai legalese:
The draft bill also imposes significant legal burdens on foreign tech companies as responsibility falls solely on the data controller. Such companies would also run a greater risk of being subject to legal action, said Dhiraphol Suwanprateep, a partner at Baker & McKenzie. (...)
He said the bill posed a challenge for the government's digital economy policy, as there is no clear distinction between "personal data processor" and "personal data controller". The draft only identifies a data controller as the person with the authority to control and manage his or her personal information.
"Data processor" typically refers to a third party that processes personal data on behalf of a data controller, Mr Dhiraphol said. In the absence of such identification in the bill, data processors such as internet service providers, web hosting providers, cloud service providers and content hosting platforms could be broadly interpreted as a data controller. (...)
"If there is no separate definition between data controllers and data processors, it will be difficult to enforce the law, as most technology businesses are dwelling on cloud-based services which are physically located outside the country," Mr Dhiraphol said.
"This will not attract foreign investors into Thailand, as stringent legislation would rather hamper businesses' innovative technology instead of promoting Thailand as a digital economy hub for the Asean Economic Community."
"Legal expert shreds data security bill", Bangkok Post, January 26, 2015
Another passage at Article 25 would affect a lot of different sectors as well:
Section 25: Any collection of personal data pertaining to ethnicity, race, political opinions, doctrinal, religious or philosophical beliefs, sexual behaviour, criminal records, health records, or of any data which may upset another person’s or the people’s feelings as prescribed by the Committee, without the consent of the Data Owner or the person(s) concerned, is prohibited, (...)
Following the words of the law, it would make it very difficult to use somebody's yet-to-be-defined "personal information" for any kind of work without their permission. For example, journalists wouldn't be able to use these sources for any critical investigation or marketing campaigns and wouldn't be able to implement social media posts (unless they write some crafty terms of services that nobody reads anyways).
Another crucial point of contention for many critics is the upcoming allocation of new frequency spectrum that would bring 4G mobile connection to Thailand (and hopefully soon and not as drawn-out as the farcical 3G auction was). However...
It also empowers the [Digital Economy Commission chaired by the Prime Minister] to order any private telecommunications operator to act or refraining from acting in any way and also compels companies to provide information on request as well as hand over executives for questioning.
The portfolio of digital economy laws also has a new frequency act that gives the final say in spectrum allocation to the Digital Economy Commission and emancipates the telecommunications regulator, leaving it in charge only of commercial spectrum and imposing strict budget controls on the former autonomous agency. (...)
But while on the one hand [the government] are signalling compromise with the aforementioned committee, the junta are also threatening that 4G will be delayed unless the laws are passed quickly, and of course everyone loves more bandwidth.
"Thai spying law controversy rages on", Telecomasia.net, February 6, 2015
And generally one of the biggest problems is that the cyber law bills are creating a bureaucratic monster:
Paiboon Amornpinyokait, an expert on cyber and computer law, said (...) they gave too much power to the new Ministry of Digital Economy and Society by allowing it to oversee too many areas.
They include areas currently under the jurisdiction of the National Broadcasting and Telecommunications Commission (NBTC) Bill, the Cyber Security Bill, the New Computer Crime Bill, the Personal Data Protection Bill, the Digital Economy Promotion Bill, and the Digital Economy Development Fund Bill.
Paiboon said the bills would result in too much centralised power and will give too much authority to officials or authorities, which could easily lead to abuse of power.
"Digital economy bills 'need to be amended'", The Nation, January 19, 2015
These passages and many other legislative pitfalls that we haven't covered yet show that this is not only a matter of human rights, free speech and personal privacy, but it also could have potentially serious implications for the economy and scare away potential foreign investors.
Just as the military junta tries to fix the economy and could be doing more harm than good, these batch of cyber bills could have the same effect as well if they're not being thoroughly amended or rejected by the junta's ersatz-parliament. As we explain in the next and last past of our series, there is definitely not a lack of criticism from all sides but a severe lack of justification from Thailand's military junta.
THAILAND'S NEW CYBER LAWS: Part 1: Introduction - Part 2: Changes to Computer Crime Act - Part 3: Far-reaching and all-encompassing cyber security - Part 4: Bad for business, too! - Part 5: Admin error