Thailand's new cyber laws - Part 2: Changes to the Computer Crime Act

Originally published at Siam Voices on February 17, 2015 With the passing of eight new draft bills under the banner of "Digital Economy" by the Thai junta cabinet and awaiting approval by the ersatz-parliament, the National Legislative Assembly (NLA), the main focus of criticism is aimed at the cyber security bill and the amendments to the 2007 Computer Crime Act (CCA).

In this part, we take a look at the most crucial changes to the Computer Crime Act.

The old Computer Crime Act was itself a problematic piece of legislation when it was passed in 2007 due to the vague wording of certain sections. Particularly there’s a high legal ambiguity in Article 12.2, which punishes anything that is "likely to damage computer data or a computer system related to the country’s security, public security and economic security or public services" with 3-15 years in prison, and Article 14, which punishes any computer-related act that causes "damage the country's security or causes a public panic" (especially if it is "related with an offense against the Kingdom's security under the Criminal Code") with a maximum of five year in prison.

That led to many cases where people were charged for political expressions made online that were deemed by the authorities as lèse majesté, which almost doubles the potential punishment of the accused (as mentioned in our introduction previously).

Now these two passages has been mashed together into into one Article, which says:

Section 14/1 - Any person committing an offence that involves import to a computer system of false computer data in a manner that is likely to damage the country's security or cause a public panic must be subject to imprisonment for not more than three years or a fine of not more than sixty thousand baht [US$1,843] or both.

Section 14/2 - Any person committing an offence that involves import to a computer system of any computer data related with an offence against the Kingdom's security under the Criminal Code must be subject to imprisonment for not more than five years or a fine of not more than one hundred thousand baht [US$3,070] or both.

It’s not much different than the previous versions in terms of punishment, but the problematic vague wording (e.g. what constitutes "false computer data"?) remains. What's worse is the following Article 15:

Section 15 -  Any service provider intentionally supporting or consenting to an offence under Section 14/1 or Section 14/2 within a computer system under their control must be subject to the same penalty as that imposed upon a person committing an offence under Section 14/1 and Section 14/2.

If any service provider can prove that they follow the instruction to restrain the dissemination of such computer data or destroy such data from a computer system as required by a Minister, the perpetrator is not guilty.

Under the new law, the intermediaries are subject to prosecution as well. Basically, if for example a webmaster has content that's deemed offensive on their site and doesn't remove it, then they can be charged - even if they didn't write it themselves. That’s exactly what happened to Prachatai webmaster Chiranuch Premchaiporn, who was accused of not deleting online comments from her website quickly enough that were deemed lèse majesté. The main problem in this case was how long is too long for somebody not to remove something seemingly offensive. In Chiranuch's case, it seemed the prosecutors more or less expected every webmaster to anticipate it even before the offense happens and to preemptively act against it. She was convicted and given a suspended jail sentence in 2012.

One of the major changes are the amendments to Article 18:

Section 18 of the Computer Crime Act of B.E. 2550 (2007) is added the following provisions as paragraph two and paragraph three:

"For the benefit of investigation and inquiry, in case there is a reasonable cause to believe that there is the perpetration of an offence to computer system, computer data, or any computer data storage devices under any laws, the superior administrative or police official under the Criminal Procedure Code or the competent official under other laws shall perform under this Act only the necessities for the benefits of using as evidences related to the commission of an offence or searching for an offender under the competent authorities indicated in paragraph one, paragraph two and paragraph three. The aforementioned officials shall request the relevant competent official to take action provided that their power of authority is limited under this Act.”

In simple words, authorities still need a court order in order to intercept online communication and it has to be specific. However, as the watchdog organization Thai Netizen Network points out, there's no limitation on how long these interceptions can take as compared to e.g. Article 25 of the 2008 Special Investigation Act, which allows access of 90 days (but permits unlimited extensions).

Also, Article 12 in the new CCA will punish cases which involves hacking of computer systems "that is likely to damage computer data or a computer system related to the country's security, public security and economic security" with up to 15 years in prison.

And finally in this short look, Article 31 already hints at the next part we'll be examining:

Section 31. Nation Cyber Security Committee (NCSC) shall be the central agency to control, monitor and assess operational performance of the competent official under this Act.

In the next part, we will look at the controversial new Cyber Security Bill, which seemingly could allow intrusive actions by the Thai authorities against internet users and the aforementioned National Cyber Security Committee will be an integral part of it.

Translated sections of draft bills by Thai Netizen Network. You can read complete translations here.

THAILAND'S NEW CYBER LAWS: Part 1: Introduction - Part 2: Changes to Computer Crime Act - Part 3: Far-reaching and all-encompassing cyber security