Thailand 4.0: Digital ID, Cybersecurity, and Personal Data Protection Developments

As the Thai government prepares for its Thailand 4.0 economic model with hopes that it will elevate the nation’s status to a high-income country, the Ministry of Digital Economy and Society (MDES) is drafting legislation on several issues that could spur or hinder these efforts. Consequently, firms conducting business in Thailand, whether based within or outside its borders, may need to consider upcoming regulatory obligations and compliance requirements.

Digital Identification Bill

The Digital Identification Bill was approved in principle by the Cabinet and is expected to be passed by the National Legislative Assembly (NLA) and take effect by the middle of 2018. Under the proposed legislation, a National Digital Identification (NDID) company will develop an “NDID Platform” that will issue licences to identification providers (IDP) for digital IDs and authenticate citizens’ digital ID, allowing easy and secure digital identification for online transactions.

Facilitating banking transactions by providing an e-Know Your Customer (e-KYC) mechanism is a laudable step forward for Thailand. However, such technology could raise cybersecurity and privacy concerns due to the sensitive data required for authentication, including e-signatures, facial recognition and biometric fingerprint data. Thailand should learn from India’s own system — Aadhaar — which has faced ongoing cybersecurity and privacy issues.

Cybersecurity Bill

The Cybersecurity Bill, expected to be submitted to the Cabinet by this month, defines six sectors as critical information infrastructure (CII) that will require enhanced protections: government, defence, telecoms, finance, energy, and utility industries. The law will also create a National Security Agency to oversee the National Cybersecurity Operation Centre and the National Data Protection Agency.

The Electronic Transactions Development Agency (ETDA) will also establish the Cybersecurity Excellence Centre in the Digital Park under the Eastern Economic Corridor, by collaborating with American, Chinese, and Israeli security technology firms. The ETDA has set aside 200 million baht (USD 6.1 million) for a Security Academy that will produce 1 000 skilled cybersecurity workers by next year. Together with the launch of the ASEAN-Japan Cybersecurity Centre on 14 September 2018, Thailand looks set to bolster its cybersecurity capacity.

Personal Data Protection Bill

In early September, the Ministry of Digital Economy and Society also shared the latest draft of the Personal Data Protection Bill (PDPB), which was opened for a public consultation from 5 to 20 September 2018.

In this draft, Thailand has introduced some elements of the EU’s General Data Protection Regulation (GDPR), with the likely goal of receiving a mutual adequacy decision from the EU. Like the GDPR, the bill would apply to all data controllers and processors collecting or processing data that belongs to Thai residents. It also introduces a similar exemption if the collection of the personal data is necessary as part of an agreed contract. Worryingly for businesses, the bill’s implementation period has been halved from one year to 180 days from its publication in the Royal Gazette.

Implications for Industry

Businesses operating in Thailand should evaluate how these bills will impact their operations and develop a strategy to overcome any issues and harness any new opportunities to expand their market share. For example, the Digital Identification Bill, while it may spur the introduction of new fintech and payment services, will require companies to consider how the end-to-end process is aligned with their own e-KYC process. Are there gaps that will need to be addressed? Will the company be able to fulfil all e-KYC requirements?

Additionally, businesses in the sectors defined as critical information infrastructure need to consider additional obligations, such as the need to develop a cybersecurity risk assessment plan, set an internal cybersecurity, and develop a strategy to report security breaches.

Lastly, companies will need to evaluate how their internal processes measure up against the proposed requirements under the Personal Data Protection Bill. For example, companies transferring data of Thai subjects to third party countries will need to review consent requirements. Companies operating outside of Thailand need to remain vigilant given the extra-territorial provision, extending their liability over the management of data of Thai subjects.

The Ministry of Digital Economy and Society has defined new cybersecurity and privacy practices for the private sector. As a result, industry actors should monitor the regulatory landscape to protect their business operations and identify market opportunities.

 

Author: Seha Yatim, Policy Analyst, Access Partnership
