On 23 September 2019, a study launched by Manushya Foundation in collaboration with the Embassy of the Kingdom of the Netherlands in Bangkok, Thai Netizen Network, Access Now, and the International Federation for Human Rights (FIDH) at the Foreign Correspondents Club of Thailand (FCCT), has recommended amendments to Thailand’s current Cybersecurity Act, to assist the country, its institutions, its private entities, and its netizens strengthen and streamline the implementation of the National Cybersecurity Act in line with international human rights standards, promoting a human-centered approach to protect people, while opposing its misuse for the control and surveillance of citizens.
The study launch at the Foreign Correspondents' Club of Thailand on 23 September
The study named "Thailand’s Cybersecurity Act: Towards a Human-Centered Act Protecting Online Freedom and Privacy, While Tackling Cyber Threats" addresses growing concerns over the shrinking of online civic space, as the Act adopted by the Royal Thai Government poses several challenges which could negatively affect civil society, local communities, netizens, and the Information and Communication Technology (ICT) sector.
The main issues with the current Act which have been identified include: its broad scope and definition of terms including national security, economic security, martial security and public order; provisions that fail to accurately identify and address the response to cybersecurity threats; unchecked power of bodies and agencies under the Act; the government control of critical information infrastructure (CII); the lack of accountability through the court system; and the failure to ensure remedies for those wrongly affected by the Act.
While it is important that the Royal Thai Government protects its citizens against Cybersecurity threats, it needs to ensure that individual human rights are upheld. At the launch, Emilie Pradichit, Founder & Director, Manushya Foundation pointed out the necessity for the Study, “There are so many loopholes and gaps in this Act. It gives government the power to misuse it and restrict our freedom of expression online.” She added “Cybersecurity is targeting everyone, not just the government. The Cybersecurity Act should be applied to everyone and it needs to protect us”.
With an insight into the Act, Debbie Stothard, Secretary General, International Federation for Human Rights (FIDH) and Coordinator, ALTSEAN-BURMA stressed, “The rule of law and administration of justice in the case of cyber threats can be achieved in the Thai Cybersecurity Act, only if it respects human rights and does not focus all the power only in the hands of few people that are part of the government.”
Focussing on the risks and challenges in the framework of the Act, Arthit Suriyawongkul, Co-Founder and Coordinator, Thai Netizen Network stated that “The National Cybersecurity Act has three committees to draft policy, implement and oversee the implementation of policy; but overlap in these Committee does not allow for true separation of power.” He further elaborated that “We have already seen violation of digital rights under other Acts such as the Computer Crime Act. Therefore, each Act must have its own individual safeguards, including separate protection of data privacy without having to rely on any other Act.”
Global good practices must be integrated into the Thai Cybersecurity Act, the effect on civil society, netizens and on the businesses was discussed, “The National Cybersecurity Act of Thailand must be centered on individual users, include a cybersecurity regime that is integrated into the system, and based on democratic processes that includes all stakeholders,” said Raman Jit Singh Chima, Asia Policy Director and Senior International Policy Counsel, Access Now “Moreover, in the implementation of the law, Freedom of Expression and privacy should be paramount”.
Providing the private sector perspective, Jeff Paine, Managing Director, Asia Internet Coalition (AIC) highlighted that, "As the economy is becoming more digital, businesses prefer to invest in a country if the law does not have uncertainty and the legal framework is clearly defined. Since the National Cybersecurity Act of Thailand does not provide clear guidelines and criteria, and has a number of broadly defined clauses, it creates uncertainty which can have a negative impact on investments. In many cases such as this, the details of the law are usually developed during the implementation of the law. “
To conclude, talking about the way forward, Klaikong Vaidhyakarn, Member of Parliament, Future Forward Party (FWP) reiterated “The focus of the National Cybersecurity Act of Thailand should not just be to enforce vague terms once a cyberattack has occurred but should also include protection guaranteed in the law.” He added that “The Future Forward Party has a strong intention to amend all laws that could block participation of public in decisions that affect them, including this Act.”
The launch of the Study comes at an important time for individual rights and the digital ecosystem, as with Thailand being the Chair of the ASEAN, any misuse of the Thai Cybersecurity Act could influence other ASEAN countries. Thus, this study is the first of its kind in the ASEAN region and the aim is to help build the discourse on the necessity of applying a human-rights based approach to cybersecurity legislation. Furthermore, this Study is in place to ensure implementation guidelines provided by the Royal Decree in May 2020 does not violate human rights. This also gives an opportunity to engage with a functional National Legislative Assembly for the first time in years since the 2014 military Coup, and to encourage Members of Parliament to propose amendments to the Act under it.