computer crimes and data protection
TRANSCRIPT
LAWPLUS
Computer Crimes and Data Protection
Usa Ua-areetham, Senior Associate
www.lawplusltd.com
Korean-Thai Chamber of Commerce
Legal Seminar
17 November 2017
Holiday Inn Sukhumvit Hotel, Bangkok
LAWPLUS
The information provided in this document is general in nature and may not
apply to any specific situation. Specific advice should be sought before
taking any action based on the information provided. Under no
circumstances shall LawPlus Ltd. or any of its directors, partners and
lawyers be liable for any direct or indirect, incidental or consequential loss or
damage that results from the use of or the reliance upon the information
contained in this document. Copyright © 2017 LawPlus Ltd.
LAWPLUS 2
Presentation Topics
• Key Words and Definitions
• Computer Crimes Act B.E. 2550
• Computer Crimes Act (No. 2) B.E. 2560
• Major Principles of the Amended CCA
• Offences and Penalties
• Online Intellectual Property Infringement
• Criminal Liability of Company and Directors under the CCA
• Laws on Data Protection
LAWPLUS 3
Computer Crimes – Key Words and Definitions under the CCA
• Key Words
- computer crime, computer related crime
- cyber crime
- electronic crime
- high tech crime
• Computer System
- devices or set of devices connected and operated by a program or a set of programs
- processing data automatically
• Computer Data
- data, wording, instructions or set of instructions
- in the computer system
- can be processed by computer
- electronic data under law on electronic transactions
• Computer Traffic Data
- data related to communications of the computer system
- showing source and destination, route, date, time, duration, type of communications, etc. of the
computer system
LAWPLUS 4
Computer Crimes – Key Words and Definitions under the CCA
• Internet Service Provider (“ISP”)
- providing service of internet access or other means of communication
- to other persons to communicate through computer systems
- in the name of ISP itself or in the name of or for benefits of another person
User
ISP
• Websites
• E-mail address
• VOIP (Facebook,
Line, WeChat,
Alibaba, eBay, etc.)
User
LAWPLUS 5
Computer Crimes Act B.E. 2550 (A.D. 2007)
• Effective from 19th July 2007
• Criminal liabilities for offences: computer crimes, such as:
- unauthorized access to secured computer system or secured computer data of other
person
- illegally causing damage, change or addition to computer data of other person
- illegally causing disruption or interference with computer system of other person
• Not covered offences committed against national security, national
economic stability or public order or infrastructures
• Not sufficient for preventing offences committed via social media
LAWPLUS 6
Computer Crimes Act (No. 2) B.E. 2560 (A.D. 2017)
• Effective from 24th May 2017
• Amending the CCA and becoming part of the CCA
• Ministry of Digital Economy and Society (“MDES”) is in charge of
enforcement
• New offences introduced:
- sending nuisance e-mail without an “op-out” option
- uploading or sharing computer data likely to cause damage or disruption to national
security, public safety, public infrastructure, national economic stability, public order
- online infringement against intellectual property
- uploading created, edited or modified picture of a dead person likely to cause
disreputation, hatred or shame to his or her parents, spouse or children
- not retaining computer data traffic or user’s information for 2 years as may be ordered by
the competent officer
LAWPLUS 7
Major Principles of the Amended CCA
• Longer imprisonment terms and higher fine amounts for offences related to
national security causing death without intent, etc.
• More powers for competent officer to:
(1) make written inquiry or order person to give statement
(2) order submission of computer data traffic
(3) order service provider to submit computer traffic data or data of user
(4) make copy of computer data or computer traffic data
(5) order submission of computer data or devices
(6) check or access computer system or devices
(7) encode / decrypt computer data
(8) freeze or seize computer system
Powers under (4) to (8) are subject to court approval
• Most offences with a fine penalty
- can be settled with the Settlement Committee
- offences under sections 5, 6, 7, 11, 13 first paragraph, 16/2, 23, 24 and 27
LAWPLUS 8
Major Principles of the Amended CCA
• Settlement Committee
- appointed by MDES
- 3 members
- once a fine for an offence is imposed and the fine is paid, the case is settled
• MDES appoints Computer Data Screening Committees
• Each Computer Data Screening Committee
- has 12 members consisting of 9 members from the public sector and 3 members from
the private sector (human right, mass communication, information technology)
- gives approval to the MDES Minister or the competent officer for filing a petition with court
for a takedown notice against computer data which
(1) constitutes a criminal offence under the CCA
(2) may impact national security under the Penal Code (Book 2, Title 1, Chapter 2, Part 1 and Part 1/2)
(3) may constitute a criminal offence related to the public order or the good morals of the peoples
LAWPLUS 9
Offences and Penalties
No. Crimes/Offences Imprisonment Fine (THB)
1 Hacking computer system of another person (Section 5) Not exceeding 6 months
Not exceeding 60,000
2 Disclosing password / security measures of another person in a manner which may cause damage (Section 6)
Not exceeding 1 year Not exceeding 20,000
3 Accessing secured computer data of another person (Section 7) Not exceeding 2 years Not exceeding 40,000
4 Intercepting computer data of another person (Section 8) Not exceeding 3 years Not exceeding 60,000
5 Causing loss or damage to or modifying computer data of another person without authorization (Section 9)
Not exceeding 5 years Not exceeding 100,000
6 Interfering with computer system of another person to cause disruption, delay, obstacle or nuisance (Section 10)
Not exceeding 5 years and / or not exceeding 100,000
7 Sending computer data or e-mail without disclosing source to
cause nuisance to computer system of another person (Section 11, first paragraph)
- and / or not exceeding 100,000
LAWPLUS 10
Offences and Penalties
No. Crimes/Offences Imprisonment Fine (THB)
8 Sending computer data or e-mail to cause nuisance to another
person without an easy “opt out” or “unsubscribe” option (Section 11, second paragraph)
- and / or not exceeding 200,000
9
Offence under 1, 2, 3, 4, 7 or 8 against computer data or
computer system related national security, public safety, national
economic stability, or public infrastructure (Section 12, first paragraph)
1 to 7 years and 20,000 to 140,000
10 Offence under 9 causing damage to such computer data or computer system (Section 12, second paragraph)
1 to 10 years and 20,000 to 200,000
11 Offence under 5 or 6 against computer data or computer system related to 9 (Section 12, third paragraph)
3 to 15 years and 300,000
12 Offence under 5 or 6 causing injury to another person or damage to property of another person (Section 12/1, first paragraph)
not exceeding 10 years
and not exceeding 200,000
13 Offence under 5 or 6 causing death to another person without intent (Section 12/1, second paragraph)
5 to 20 years and 100,000 to 400,000
LAWPLUS 11
Offences and Penalties
No. Crimes/Offences Imprisonment Fine (THB)
14
Uploading into computer system:- (1) computer data which is
distorted, forged or false which may cause damage to the public;
(2) computer data which is false which may cause damage to
notional security, public safety, national economic stability or
public infrastructure or cause panic to the public; (3) computer
data related to national security or terrorism; (4) computer data
which is obscene accessible by the public; (5) distributing or
sharing computer data under (1) to (4) (Section 14, first paragraph)
Not exceeding 5 years and / or not exceeding 100,000
15 Offence under 14 against a person (Section 14, second paragraph)
Not exceeding 3 years and / or not exceeding 60,000
16 Service provider cooperates with, consents to or knowingly allows
offence under 14 in computer system under his control (Section 15)
Not exceeding 5 years and / or not exceeding 100,000
17 Uploading for public access picture of a person which created,
edited or modified in a manner which may cause disreputation, hatred or shame to that person (Section 16, first paragraph)
Not exceeding 3 years and / or not exceeding 200,000
18
Not retaining computer traffic data for not less than 90 days from
the date of its entry into computer system or for a longer period
as ordered by the official; not retaining identify data of service
user from commencement of service usage up to 90 days from the end of service usage (Section 26)
- and / or not exceeding 500,000
LAWPLUS 12
Online Intellectual Property Infringement
• Section 20(3) provides for “takedown” measures against advertising,
offering for sale and selling of counterfeits or pirated goods online or
through e-commerce platforms or social media applications.
• IP owner can ask MDES officer to take action.
• Officer investigates and collects evidence of the offence and asks the
MDES Minister for approval to file a petition with the Court for a takedown
order (in an urgent case the officer can file the petition with the Court
before obtaining approval from the Minister).
• Officer files the petition with the Court.
• Court issues a takedown order for ISP to block the website or remove the
infringing data.
• Failure to comply with the Court order is subject to a fine not exceeding
THB200,000 plus a daily fine not exceeding THB5,000 per day.
LAWPLUS 13
Online Intellectual Property Infringement
IP owner notifies
an officer of the MDES Ministry.
The officer asks
for approval from the Minister.
Minister gives approval.
The officer files a
motion to the court.
The court grants an order.
The officer orders the
services provider to
remove or delete the infringing data.
LAWPLUS 14
Criminal Liabilities of Companies and Directors under the CCA
• Directors have duties to manage company within its objectives and under the
control of its shareholders.
• Directors also have duty of care and other duties set out in the Civil and Commercial
Code (“CCC”).
• Company and its directors are liable under the Act on Offenses of Registered
Partnerships, Limited Liability Partnerships, Limited Companies, Associations and
Foundations B.E. 2499 if directors fail to do their duties under the CCC.
• Fines for criminal offence committed by company apply to both company and its
authorized directors.
• Imprisonment applies to company’s authorized directors.
• When a company is sued, its authorized directors are normally named as co-
defendants with the company.
LAWPLUS 15
Criminal Liabilities of Companies and Directors under the CCA
• CCA applies to both natural (individual) persons and legal entities (companies,
partnerships, associations, etc.).
• CCA does not have a provision that presumes that directors are criminally liable
jointly with the company.
• Act on Amendments to Laws Related to Criminal Liabilities of Representatives of
Legal Entities B.E. 2560 (“AAL”) is effective from 12th February 2017.
• AAL amended 76 laws to eliminate the assumption that directors, managers or
persons responsible for company business operation are liable jointly with the
company.
• The 76 laws include:
- Act on Offenses of Registered Partnerships, Limited Liability Partnerships, Limited
Companies, Associations and Foundations B.E. 2499
- Immigration Act B.E. 2522
- Consumer Protection Act B.E. 2522
- Factories Act B.E. 2535
- Electronic Transactions Act B.E. 2544
- etc.
LAWPLUS 16
Criminal Liabilities of Companies and Directors under the CCA
• The CCA is not included in the 76 laws amended by the AAL.
• Directors, managers or persons responsible for company business
operation are liable with the company under the CCA only if the company
committed the offense per their instruction, act or omission.
• Non-executive director not involved with day-to-day operation of the
company is criminally liable with the company only if he or she is involved
with the offence committed by the company.
• The public prosecutor must prove in a criminal case that the company
committed the offence under introduction, act or omission of the director.
LAWPLUS 17
Laws on Data Protection – Several Applicable Laws
• There is no specific law on data protection and data privacy.
• No government authority is established in Thailand to regulate and manage personal
data protection.
• Section 32 of the Constitution B.E. 2560 (2017) require protection of personal data
and data privacy.
“Section 32. A person shall enjoy the rights of privacy, dignity, reputation and family.
An act violating or affecting the right of a person under paragraph one, or an exploitation of
personal information in any manner whatsoever shall not be permitted, except by virtue of a
provision of law enacted only to the extent of necessity of public interest.”
• Section 323 of the Penal Code imposes criminal liabilities on doctors, pharmacists,
nurses, lawyers, auditors, etc. who disclose personal data (private secret) of clients.
• Laws on telecommunications business, banking and financial business, etc. provide
a certain level of protection against unauthorized collection, use, processing,
disclosure and transfer of personal data.
• Collection, processing, use, transfer or disclosure of personal data of another
person without consent can constitute a wrongful act under Section 420 of the CCC:
“Person who, willfully or negligently, unlawfully injures the life, body, health, liberty, property
or any right of another person, is said to commit a wrongful act and is bound to make
compensation.”
LAWPLUS 18
Laws on Data Protection – Draft of Personal Data Protection Act
• Several drafts of Personal Data Protection Act have been prepared since
2009
– to protect personal data given advancement of information and communications
technologies
– to regulate collection, procession, use and disclosure of personal data
– to prevent nuisance and damage to owner of personal data
– to prevent personal data from being commercialized or disclosed without prior consent of
the person
• Latest draft was submitted to the National Legislative Assembly but was
withdrawn on 8th September 2017 mainly because:
– draft did not include sufficient implementation measures
– draft was not endorsed by the Cabinet
– there are sufficient provisions of laws for personal data protection
• No clear indication as to when the draft will be resubmitted to the NLA and
enacted as a law.
LAWPLUS
Unit 1401, 14th Floor, 990 Abdulrahim Place, Rama IV Road, Bangkok 10500, Thailand
Tel. +66 (0)2 636 0662, Fax +66 (0)2 636 0663
Room 517, Yangon International Hotel, No. 330 Corner of Ahlone and Pyay Roads, Dagon Township, Yangon, Myanmar
Tel. +95 9 505 6667 and Tel. +95 92 6111 7006
www.lawplusltd.com
Contacts:
Kowit Somwaiya, Managing Partner [email protected] Prasantaya Bantadtan, Partner [email protected] Naddaporn Suwanvajukkasikij, Partner [email protected]