Thailand’s Cyber Security Act Finally Comes Into Force

On 27 May 2019, the Cyber Security Act of Thailand B.E. 2562 (2019) (“CSA”) was published in the Government Gazette; therefore, it has been in effect since 28 May 2019.

The main objective of the CSA is to secure national security in cyberspace, governing both public and private sector databases and information. Importantly, the National Cyber Security Committee (“NCSC”), chaired by the Prime Minister, will be established to set policies and supervise cyber security under the CSA. The Ministry of Defence and the Ministry of Digital Economy and Society (“MDES”) will be included as ex officio members of the NCSC.

Key provisions of the CSA include the following issues:

• A “cyber threat” is defined as any action or unlawful undertaking using a computer, computer system or undesirable program with an intention to harm the computer system, computer data or any other related data which constitutes an imminent threat to injure or affect the operation of a computer, computer system or other related data.
• A “cyber threat” means any action or unlawful undertaking done using a computer, computer system or undesirable program with an intention to cause harm to the computer system, computer data or other relevant data, and considered as imminent an threat which would cause damage or affect operation of the computer, computer system or other relevant data.
• The CSA categorises cyber threats into three levels: (1) non-severe; (2) severe; and (3) critical. The NCSC has the power to collect information, analyse situations and assess their impacts as a cyber threat to national cyber security.
• In case of severe and critical cyber threats, the NCSC Secretary-General and the NCSC can continuously demand real-time information from parties related to cyber threats, and such parties must cooperate.
• If a cyber threat is critical and an emergency, the NCSC may order the NCSC Secretary-General to prevent, handle and mitigate such critical cyber threat by investigating and entering into premises, accessing information and copying computer programs, testing computers or computer systems, or seizing computers or computer systems suspected to be related to the critical cyber-security threat without first obtaining a prior court order; and then reporting such action to the court afterwards without delay.

The actual implementation of the CSB is yet to be seen and it will take some time for the NCSC and other overseeing agencies to be established.

Further updates on the development of the implementation of this Act and its subordinate legislation and the procedural framework, will be monitored.