Thailand’s Cyber Security Bill Passed

The National Legislative Assembly (“NLA”) passed the Cyber Security Bill of Thailand (“CSB”) on 28 February 2019.  It took less than three hours for the NLA to consider and vote.  The bill has been passed with 133 votes in favour, 0 against and 16 abstentions.  It will be submitted to the King of Thailand for His Royal Signature and then published in the Government Gazette before it comes into force.

The main objective of the CSB is to secure the national security in cyberspace, governing both public and private sector databases and information. Importantly, the National Cyber Security Committee (“NCSC”), chaired by the Prime Minister, will be established to set policies and supervise cyber security under the CSB.  The Minister of Defence and the Ministry of Digital Economy and Society (“MDES”) will be included in the ex officio members of the NCSC.

Under the CSB, a “cyber threat” is defined as any action or unlawful undertaking by using a computer, computer system or undesirable program with an intention to harm the computer system, computer data or any other related data which constitutes an imminent threat to injure or affect the operation of a computer, computer system or other related data. However, the term “other related data” is not defined under the CSB and its interpretation remains unclear.

The CSB categorises cyber threats into three levels: (1) non-severe; (2) severe; and (3) critical. The NCSC has the power to collect information, analyse situations and assess their impacts as a cyber threat to national cyber security.  In case of severe and critical cyber threats, the NCSC Secretary-General and the committee can continuously demand real-time information from parties related to cyber threats, and such parties must cooperate.

If a cyber threat is critical and considered an emergency, the NCSC may order the NCSC Secretary-General to prevent, handle and mitigate such critical cyber threat by investigating and entering into premises, accessing information and copying computer programs, testing computers or computer systems, or seizing computers or computer systems suspected to be related to the critical cyber-security threat without obtaining a prior court order; and report such action to the court afterwards without delay.

The CSB, as approved by the NLA, also imposes penalty on a person who fails to comply with the provisions under the CSB or an order of the NCSC.

The actual implementation of the CSB has not occurred yet, and it will take some time for the NCSC and other overseeing agencies to be established.

Once the CSB is published in the Government Gazette and comes into effect, we will update our readers without delay.