On 18 July 2007 a new law became effective in Thailand known as the Computer-Related Crime Act B.E. 2550 (A.D. 2007). The law, specifying criminal penalties for computer misuse, is similar to computer crime act (“CCA”) legislation in other countries. However, the CCA in Thailand goes substantively further, specifying all businesses that provide Internet access or Internet-related content to their employees or customers must maintain evidence that authenticates online activity to an individual. In addition, businesses must retain and maintain those records for not less than 90 days. There are criminal penalties, including prison and fines, for noncompliance.
On 21 August 2007, as authorized by the Thai CCA, the Ministry of ICT (MICT) issued a Notification on Criteria Concerning Archiving of Computer Traffic Data of Service Providers B.E. 2550 (“Archiving Notification”) that provided addition technical clarifications to the Thai CCA including specifying various classes of Internet service and content providers and giving examples of the archiving required based on classification.
The MICT Archiving Notification was published in the Official Thai Government Gazette on 23 August 2007 with effective dates of::
- 22 September 2007 for Service Providers under Archiving Notification Clause 5(1)(A)
- 19 February 2008 for Public Network Service Providers or ISP under Clause 5(1) (B)
- 23 August 2008 for other Service Providers
Similar to “cyber laws” in other countries, the Thai law prohibits and provides criminal penalties for the unauthorized access, interception and “spoofing” of computer systems and their emails and other data. Section 26 of the Thai law goes a step further in requiring a broad range of parties denominated as “service providers” which is further defined by the Archiving Notification to include any person who provides Internet access to another, to record and maintain “traffic data” (defined to include “any data relating to communication by means of a computer system, indicating the communication's origin, destination, route, time, date, size, duration, type of underlying service, or other information relating to communication of such a computer system, based on MICT classification of the service provider) and maintain that record for 90 days (longer, if competent officials request). The intent is to provide law enforcement officials with forensic evidence to protect the public from computer related crimes.
The CCA in Thailand is quite interesting because the law criminalizes non-compliance with routine computer and network system administration functions, something I am not aware of in any other country. Please post a comment, or contact me directly, if you know of a similar law in another country.
More...
08-09-2008
