Thailand has finally enacted the Computer Crimes Act (No. 2) B.E. 2560 (A.D. 2017) to amend the Computer Crimes Act B.E. 2550 (A.D. 20107) (“Amended CCA”). It was published in the Royal Gazette on 24th January 2017 and will be effective on and from 24th May 2017.
The Amended CCA covers the following major changes and additions:
NEW MINISTRY IN CHARGE
The Amended CCA changes the ministry in charge from the Ministry of Information and Communications Technology to the new ministry, i.e. the Ministry of Digital Economy and Society.
Any person who sends computer data or electronic mail to another person without allowing the recipient a chance to opt out easily in order that the person may deny the reception or express their intent to not receive the data or electronic mail and such data and electronic mail is found to disturb the recipient, must be subject to a fine not exceeding two hundred thousand baht.
A person who enters false data into a computer system that could cause damage to the public, create panic, or cause harm to public infrastructure, national security, public security or economic security must be subject to a maximum five-year jail term and a maximum one hundred thousand baht fine or both.
Any person who forwards the data described above knowingly of its potential damage will be subject to the same penalties.
Crimes relating to the importation of forged data into a computer system now include the requirement of dishonesty and deceit, and separate penalties have been set for offenses against individuals.
ISP LIABILITY AND SAFE HABOUR
Any service provider who “cooperates, consents or acquiesces” to a computer crime shall face the same penalty as the offender. However, if service providers are able to prove compliance to the procedural rule issued by the Minister regarding the notification and the request for suppression of the dissemination of such data and the removal of such data from a computer system, they shall be exempted from penalty.
MORE POWER OF OFFICIALS
Competent officials under the amended CCA may carry out investigations or confiscations if the crime under the CCA or other criminal offenses was committed using computer systems, computer data, or equipment for storing computer data.
For instance, the competent officials may call for computer traffic data related to communications from a service user via a computer system or from other relevant persons; copy computer data, computer traffic data from a computer system, in which there is a reasonable cause to believe that offenses under the Amended CCA have been committed if that computer is not yet in the possession of the competent official; and seize or attach the suspect computer system for the purpose of obtaining details of an offense and the person who has committed an offense under this Amended CCA.
If there is an action to disseminate computer data which is actionable per the Amended CCA, the competent official with approval from the Minister may file a petition with supporting evidence to the Court of jurisdiction to ask the Court to issue a writ to suppress the dissemination or to remove such computer data from a computer system.
If there is an action to disseminate computer data which is a criminal offense per intellectual property laws or per other laws, the competent official with approval from the Minister may file a petition with supporting evidence to the Court of jurisdiction for the Court to issue a writ to suppress the dissemination or to remove such computer data from a computer system as well, provided that a request has been made by the official in charge of the laws or inquiry official under the Criminal Procedure Code, and such computer data is a breach to the public order or the good morals of the Thai people.
COMPUTER DATA SCREENING COMMITTEE
A Computer Data Screening Committee is established with power to permit officials request a court order to block or destroy any data which is contrary to the stability or good morals of the Thai people.
EXTENSION OF DATA RETENTION PERIOD
The Amended CCA requires a service provider to retain traffic data for not less than 90 days, while in case it is necessary, the competent official may order, on a case-by-case basis, a service provider to retain traffic data longer than 90 days but not to exceed two years.