Thailand 4.0: Digital ID, Cybersecurity, and Personal Data Protection Developments

As the Thai government prepares for its Thailand 4.0 economic model with hopes that it will elevate the nation’s status to a high-income country, the Ministry of Digital Economy and Society (MDES) is drafting legislation on several issues that could spur or hinder these efforts. Consequently, firms conducting business in Thailand, whether based within or outside its borders, may need to consider upcoming regulatory obligations and compliance requirements.

As the Thai government prepares for its Thailand 4.0 economic model with hopes that it will elevate the nation’s status to a high-income country, the Ministry of Digital Economy and Society (MDES) is drafting legislation on several issues that could spur or hinder these efforts. Consequently, firms conducting business in Thailand, whether based within or outside its borders, may need to consider upcoming regulatory obligations and compliance requirements.

Digital Identification Bill

The Digital Identification Bill was approved in principle by the Cabinet and is expected to be passed by the National Legislative Assembly (NLA) and take effect by the middle of 2018. Under the proposed legislation, a National Digital Identification (NDID) company will develop an “NDID Platform” that will issue licences to identification providers (IDP) for digital IDs and authenticate citizens’ digital ID, allowing easy and secure digital identification for online transactions.

Facilitating banking transactions by providing an e-Know Your Customer (e-KYC) mechanism is a laudable step forward for Thailand. However, such technology could raise cybersecurity and concerns due to the sensitive data required for authentication, including e-signatures, facial recognition and biometric fingerprint data. Thailand should learn from India’s own system — Aadhaar — which has faced ongoing cybersecurity and privacy issues.

Cybersecurity Bill

The Cybersecurity Bill, expected to be submitted to the Cabinet by this month, defines six sectors as critical information infrastructure that will require enhanced protections (CII): government, defence, telecoms, finance, energy, and utility industries. The law will also create a National Security Agency to oversee the National Cybersecurity Operation Centre and the National Data Protection Agency.

The Electronic Transactions Development Agency (ETDA) will also establish the Cybersecurity Excellence Centre in the Digital Park under the Eastern Economic Corridor, by collaborating with American, Chinese, and Israeli security technology firms. The ETDA has set aside 200 million baht (USD 6.1 million) for a Security Academy that will produce 1 000 skilled cybersecurity workers by next year. Together with the launch of the ASEAN-Japan Cybersecurity Centre on 14 September 2018, Thailand looks set to bolster its cybersecurity capacity.

Personal Data Protection Bill

In early September, the Ministry of Digital Economy and Society also shared the latest draft of the Personal Data Protection Bill (PDPB), which was opened for a public consultation from 5 to 20 September 2018.

In this draft, Thailand has introduced some elements of the EU’s General Data Protection Regulation (GDPR), with the likely goal of receiving a mutual adequacy decision from the EU. Like the GDPR, the bill would apply to all data controllers and processors collecting or processing data that belongs to Thai residents. It also introduces a similar exemption if the collection of the personal data is necessary as part of an agreed contract. Worryingly for businesses, the bill’s implementation period has been halved from one year to 180 days from its publication in the Royal Gazette.

Implications for Industry

Businesses operating in Thailand should evaluate how these bills will impact their operations and develop a strategy to overcome any issues and harness any new opportunities to expand their market share. For example, the Digital Identification Bill, while it may spur the introduction of new fintech and payment services, will require companies to consider how the end-to-end process is aligned with their own e-KYC process. Are there gaps that will need to be addressed? Will the company be able to fulfil all e-KYC requirements?

Additionally, businesses in the sectors defined as critical information infrastructure need to consider additional obligations, such as the need to develop a cybersecurity risk assessment plan, set an internal cybersecurity, and develop a strategy to report security breaches.

Lastly, companies will need to evaluate how their internal processes measure up against the proposed requirements under the Personal Data Protection Bill. For example, companies transferring data of Thai subjects to third party countries will need to review consent requirements. Companies operating outside of Thailand need to remain vigilant given the extra-territorial provision, extending their liability over the management of data of Thai subjects.

The Ministry of Digital Economy and Society has defined new cybersecurity and privacy practices for the private sector. As a result, industry actors should monitor the regulatory landscape to protect their business operations and identify market opportunities.

 

Author: Seha Yatim, Policy Analyst, Access Partnership

Related Articles

Harnessing AI as a Content Moderation Tool

Harnessing AI as a Content Moderation Tool

On 30 May, Access Partnership hosted a webinar on the far-reaching implications of AI-generated content and the platforms that facilitate...

30 May 2023 AI Policy Lab
Access Alert | The Rise of Autonomous Drones: A Game-Changer in Modern Warfare?

Access Alert | The Rise of Autonomous Drones: A Game-Changer in Modern Warfare?

The introduction of autonomous weapon systems, which have gained widespread use and coverage in the Ukraine War, is considered by...

30 May 2023 Opinion
Propelling Indonesia’s digital economy: How Google Play helped Indonesian app developers generate over Rp 1.5 trillion in 2022

Propelling Indonesia’s digital economy: How Google Play helped Indonesian app developers generate over Rp 1.5 trillion in 2022

With over 212 million internet users,[1] Indonesia’s digital economy has seen vigorous growth in the past decade. The country’s digital...

29 May 2023 Opinion
Access Alert | South African communications regulator frees up lower 6GHz band for Wi-Fi services

Access Alert | South African communications regulator frees up lower 6GHz band for Wi-Fi services

On 23 May, the Independent Communications Authority of South Africa (ICASA) published an amendment to Annexure B of the 2015...

26 May 2023 Opinion