Privacy advocates express concerns over Thai cybersecurity law

‘This would give the regime sweeping powers to monitor online traffic’

A new cybersecurity law passed in Thailand is causing concern by giving sweeping new powers to the state.

Rubber-stamped last week, the Cybersecurity Act allows the country’s National Cybersecurity Committee (NCSC) to question individuals and enter private property without a court order in case of “serious cyber threats” – whether actual or anticipated.

Meanwhile, it also allows the authorities to monitor and access private data without a court order, and to seize data and equipment – again without a court order in ‘emergency cases’.

The government has promised that the new law will not be invoked in an arbitrary way and that it won’t be used to regulate social media.

However, Jeff Paine, managing director of the Asia Internet Coalition, says he’s worried about the broad scope of the new law.

“Protecting online security is a top priority, however the law’s ambiguously defined scope, vague language, and lack of safeguards raises serious privacy concerns for both individuals and businesses, especially provisions that allow overreaching authority to search and seize data and electronic equipment without proper legal oversight,” he says.

“This would give the regime sweeping powers to monitor online traffic in the name of an emergency or as a preventive measure, potentially compromising private and corporate data.”

Yingcheep Atchanont, program manager at freedom of expression campaign group iLaw, raises the question of mission creep.

“The initial objective of the law is to prevent technical cyberattack against the system. If it is used that way, I don’t think it is very worrisome,” Atchanont tells The Daily Swig.

“However, we can see the legal interpretation and trend under the military government and believe that if the security sectors need more power to counter online criticisms in the future, it is possible that the power under this act will be claimed as ‘cyber-attack’.”

The move by the Thai government follows a new draft decree in Vietnam that also extends the powers of the security services to examine personal data.

“What’s just happened in Thailand is something that we’ve seen in other countries where it’s just an opportunity for the government to increase their power with minimal safeguards. From what I know and the work we’ve done in Thailand we’re very worried,” Alexandrine Pirlot de Corbion, global south programme lead at Privacy International, tells The Daily Swig.

“There’s an assumption that more monitoring will ultimately lead to more security. But there’s a disconnect between the problem they are trying to tackle and what they are actually doing.”