According to a recent report, Thailand parliament, which is military-appointed, announced the passing of a controversial cybersecurity law that has bestowed state cyber agencies with sweeping powers.
The law was passed despite concerns from businesses and activists over judicial oversight and potential abuse of power.
The new regulation allows the National Cybersecurity Committee (NCSC) to summon individuals for questioning and enter private property without court orders in case of actual or anticipated “serious cyber threats.”
An additional Cybersecurity Regulating Committee will have far-reaching powers to access computer data and networks, make copies of information, and seize computers or any devices.
Court warrants are not required for those actions in “emergency cases,” and criminal penalties will be imposed for those who do not comply with orders.
Thailand’s military government already censors the internet and often casts criticism as a threat to national security.
The Cybersecurity Act, approved unanimously, is the latest in a wave of new laws being passed in Asian countries. These laws seek to assert government control over the internet.
Civil liberties advocates, internet companies and business groups have protested the legislation, have argued that this would infringe upon peoples’ privacy and the rule of law, and warning compliance burdens could drive foreign businesses out of Thailand.
The military government has pushed for several laws saying that would support the country’s digital economy, including an amendment to the Computer Crime Act in 2017, which has been used to crack down on dissent.
Internet freedom activists have called the legislation a “cyber martial law,” as it encompasses all procedures from everyday encounters of slow internet connections to nationwide attacks on critical infrastructure.
If a cybersecurity situation reached a critical level, the legislation allows the military-led National Security Council to override all procedures with its own law.
Legislators also unanimously passed the Personal Data Protection Act, intended to imitate the European Union’s General Data Protection Regulation (GDPR).
The legislation does not require international firms to store data locally, but businesses have raised concerns about its territorial applicability.
The data protection law, effective after a one-year transition period, will apply not only to companies located in Thailand, but also overseas companies which collect, use, or disclose personal data of subjects in Thailand, specifically for advertisements and “behaviour monitoring.”
A Singapore-based industry group which represents several major technology companies stated that the passing of the law would give authorities ‘sweeping powers’ to monitor online traffic in the name of an emergency or as a preventive measure, potentially compromising private and corporate data.
In a separate letter to the government, the group’s managing director stated that it is unrealistic for anyone regime to aspire to centralize the delivery of privacy protections for the entire world in just one regulator.
Supporters of the laws hailed them as long overdue. Moreover, a chairman of the ad-hoc parliamentary committee that worked on the legislation noted that the two laws are crucial to helping Thailand keep up with neighbours and the world.
