Some tweaks made after outcry, but sweeping state powers raise fears of invasion of privacy
NEW cybersecurity and data protection bills are being pushed through with little oversight because of sweeping state powers, warn rights defenders and privacy experts. A core concern is the provision that would allow seizure of computers and servers without a court order. Critics say the bills would give the military regime sweeping powers to monitor and censor political traffic online via the National Cybersecurity Agency.
Prinya Hom-anek, a member of the National Legislative Assembly (NLA) committee vetting the bills, defended the final drafts yesterday following several changes in response to criticisms.
In the final draft of the national cybersecurity bill, which the NLA will consider today or Monday, all orders to search computers and other devices, for example, would require court approval, except in critical cases, he said. Also, orders issued by the National Cybersecurity Agency’s committee would need to be screened by a separate committee, as a checks-and-balance mechanism.
Paiboon Amonpinyokeat, an adviser to the NLA committee, said the bill includes an appeals process for those targeted by cybersecurity agency orders, which would mainly deal with threats to national infrastructure and the public and private sectors. In general, most citizens would not be affected by the legislation except in “certain circumstances”, he said.
The Personal Data Protection Bill has also raised concerns over the composition of the national data protection committee. Six of its eight members will come from the government even though the bill covers data belonging to the private sector and citizens.
In addition, definitions in the bill are broad, giving law enforcers wide leeway for interpretation. As with the national cybersecurity committee, the data protection committee will be required to submit orders to a screening committee before enforcing the law.
Critics have also called for more representatives from the National Human Rights Commission and advocates in consumer protection to sit on the Data Protection Committee, which will be predominantly controlled by government officials.
In sum, critics say the powerful Data Protection Committee should be allowed to operate more independently with representation from a wider group of stakeholders.
The legislation is in some ways similar to the European Union’s General Data Protection Regulations. It is expected to have major impacts due to the rapid growth of Thailand’s digital economy and society, in which a massive amount of personal data is stored and used for mobile and online banking, e-commerce and other services.
Rights groups are also concerned about the potential abuse of personal data for commercial and other undesirable purposes, as data owners are supposed to give their consent before other parties can legally make use of their data.
In addition, data owners should also have the right to prevent others using their data at a later date.
The data protection legislation will take effect a year after being passed by the NLA to allow preparatory work, but the national cybersecurity legislation will take immediate effect.
Arthit Suriyawongkul, of Thai Netizen Network, said the government has given itself sweeping power under the proposed cybersecurity legislation, which allows authorities to issue orders affecting citizens’ rights based merely on suspicion.
The state authority enshrined under the legislation is similar to that given under martial law or a state of emergency, though these normally have a specific timeframe and geographical area of enforcement.