ASEAN has a problem as far as personal data protection goes, and at the bottom of this rung sits Thailand. In a study of privacy and surveillance of 47 countries – four of which are ASEAN - by British tech website Comparitech, Thailand was ranked the fourth-worst country in terms of protecting the personal data of its citizens, just in front of such countries as China (worst), Russia (second worst), and India (third worst).
Other ASEAN countries included in the study were Malaysia (43rd place), Singapore (42nd place), and Philippines (39th place). The top five countries were Ireland (1st place), France (2nd place), Portugal (3rd place), Denmark (4th place), and Malta (5th place).
It is important to note that Comparitech’s study was possibly conducted before Thailand’s general election in March. The reason for this is because most of the study’s notes on Thailand says the country is under martial law.
For example, the study states that due to the martial law “which is still in practice today” the military is allowed to intercept any message, letter, telegraph, package, parcel or other things transmitting within the area under the Martial Law. This may have affected Thailand’s score.
Nevertheless, there are also current and new developments which may still hinder Thailand’s ability to obtain a higher score.
Only awhile ago on 9 October, it was reported that the Thai government had requested all coffee shops, including small mom-and-pop operators, to keep traffic data of customers using their Wi-Fi for 90 days and to provide that information if required. The government says this is necessary to deter crimes and track suspects but concerns have been raised that it would drive away customers worried about privacy and misuse of the data collected. Comparitech acknowledged that this development was “post-study”.
Earlier, in September, Thailand’s Special Branch Bureau issued a nationwide order to universities requesting they provide "intelligence" on Muslim students and their activities in school. Police spokesman Krissana Pattanacharoen told international media that this order was based on "security" concerns.
As expected, the news sparked immediate outrage from the community, and soon after, the Muslim Students Federation of Thailand called for parliament to "cancel" the request. It goes without saying that if carried through, this would also affect Thailand’s score for personal data protection.
As of 28 May this year, the Personal Data Protection Act (PDPA) came into force. The law coming into effect gained Thailand some points as far as personal data protection goes, nevertheless there were a few points made regarding the law.
The first was that in certain cases, there would be sectoral laws that would allow for access to personal data. For example, the Anti-money Laundering Law requires the mandatory reporting of certain transactions.
Another point is that while the law has come into force, the Thai government has allowed for a 1-year grace period and people will be given this time to adjust to the new laws.
“But once the law is officially implemented and in force it should be much more effective in protecting data, as the safeguards are much stricter and clearer,” said Comparitech.
Another law that was mentioned was Thailand’s Cybersecurity Act which came into effect earlier this year. Critics have long been against the Cybersecurity Act due to its broad interpretation, saying that how it is worded appears to give the government very broad powers to monitor internet use, censor content and even seize property without court orders. Declaring a “national emergency” is considered enough due process to do these things according to the Act.
Under the Act, in the event of a Cyber Threat, the relevant authorities may request cooperation from or order private organisations to perform various actions, such as (i) providing access to relevant computer data or a computer system, or other information related to the computer system only to the extent it is necessary to prevent Cyber Threats, (ii) monitoring the computer or computer system; (iii) allowing officials to test the operation of the computer or computer system, or seize or freeze a computer, a computer system, or any equipment.
Meanwhile, Cyber Threats is merely defined as any action or unlawful undertaking done using a computer, computer system, or undesirable program with an intention to cause harm to the computer system, computer data, or other relevant data, and includes imminent threats which would cause damage or affect operation of the computer, computer system, or other relevant data.
It is understandable that the Thai government would want to ensure cybersecurity especially in the face of ever-evolving cyber threats. On top of this, the government has taken measures to ensure more personal data protection. Nonetheless, Comparitech’s study proves that Thailand needs to improve as far as personal data protection goes and it would be nice to see more measures taken to ensure such improvement occurs soon.