Two- pronged legislation ‘will protect personal data from business misuse’
THE NATIONAL Legislative Assembly yesterday passed the controversial cybersecurity law amid widespread concern that it gives too much power to officials to violate people’s privacy for the sake of national security, though proponents say it will protect online content.
The new cybersecurity legislation mainly focuses on national infrastructure, not online content as feared by some critics, according to the bill’s drafters.
Prinya Hom-anek, of the National Legislative Assembly’s cyber committee, and Paiboon Amornpinyokeat, an adviser, said the legislation is aimed at protecting banking and ATM technology, electricity, waterworks, telecommunication, internet, airport and other public transport and infrastructure.
The new law will not usually affect the general public except those involved in threatening the security of these critical public infrastructures, they insisted.
Prinya and Paiboon said critics had disseminated “misinformation” about the legislation by highlighting the potentially negative consequences on people’s rights and privacy.
In most cases, authorities would be required to seek a court approval to search, spy on or hack computers and networks if they believe critical national infrastructure is at risk of cyberattack.
However, in the event of national emergencies, authorities are empowered to do their work without prior court warrants. National emergencies are clearly defined in the law and include sabotage, they said.
The cybersecurity legislation was passed by the National Legislative Assembly by 133 votes, with 16 members abstaining. NLA members spent more than two hours debating the details. The bill’s final version was vetted by an NLA committee chaired by Sawanee Suwannacheep.
The NLA also approved the Personal Data Protection Bill, which will affect consumers and businesses among others.
Under the latter legislation, all data processors must get explicit consent from owners of all consumer data before they can use their names, photos and other individual data for commercial and other purposes.
For example, online businesses and social media platforms in possession of consumer data will have to comply with the new law.
The legislation also protects data owners. For example, if a bank customer’s personal data is leaked and used by, for example, an insurance company to sell their financial products, the bank could be sued by the owner of that personal data.
Businesses will have one year to prepare for compliance with the |legislation, while the national data protection committee will have to issue regulations to cover specific issues.
In the final version of this bill, the mass media, courts and police are exempted from the data protection law, and so do not need prior consent from data owners to use their personal data.
Overall, the legislation will upgrade the country’s legal framework for international businesses in compliance with the EU’s GDPR, which supporters say will boost foreign business and investor confidence.
Airlines and hotel chains operating in Thailand have many EU customers whose personal data are protected by the EU law, making it is necessary for the country to enact the legislation.