BANGKOK (Reuters) – A proposed cybersecurity law in Thailand would give a new government agency sweeping powers to spy on internet traffic, order the removal of content, or even seize computers without judicial oversight, alarming businesses and activists.
Civil liberties advocates, internet companies and business groups are protesting the planned legislation, saying it sacrifices privacy and the rule of law, according to interviews and documents reviewed by Reuters.
The legislation, likely to gain approval by year-end, is the latest in a wave of new laws in major Asian countries that aim to assert government control over the internet, further undermining the Western ideal of a global network that transcends national borders.
It would grant a newly created National Cybersecurity Committee (NCSC) the authority to access the computers of individuals or private companies, make copies of information, and enter private property without court orders. Criminal penalties would be imposed for those who do not comply.
The NCSC could also summon businesses or individuals for interrogation and force them to hand over information belonging to other parties.
“Cybersecurity policy should be respective of privacy and rule of law,” the US-ASEAN Business Council said in letter to the Thai government that was not released publicly but was obtained by Reuters. “Enforcing cyberspace cannot come at the cost of sacrificing privacy, civil liberties, and rule of law.”
The letter also warned requirements such as forcing companies to alert the agency of cyber threats or even anticipated ones would impose “a very heavy burden” on businesses and should be removed.
Tech giants Google, Apple, Facebook and Amazon are all members of the council.
The Singapore-based industry group Asia Internet Coalition (AIC), which represents the four US giants and seven other major internet companies, also warned the law might drive businesses out of Thailand.
The AIC, in a public statement, cited concerns about government surveillance and criminal liability for defying NCSC orders, among other issues.
Somsak Khaosuwan, Deputy Permanent Secretary of the Ministry of Digital Economy, which is in charge of the law, told Reuters the government is now discussing revisions of the draft and would take the concerns into account.
“The law will conform to international standards… The team working on the law will certainly listen to the issues that have been raised,” Somsak said. “There is nothing scary about it,” he added, declining to elaborate on possible revisions.
The draft law does not contain specific provisions on hot-button issues such as “fake news” or requirements that international tech and social media firms store data locally. Internet companies are currently battling governments over such issues in countries including India, Vietnam and Indonesia.
But the Thai law would grant the new NCSC “sweeping powers, holding a monopoly on all things cyber in the country… without being subject to check and balance, control, or regulation,” said Sutee Tuvirat, a cybersecurity expert with Thailand’s Information Security Association. “If anyone is more powerful than the Prime Minister, this is it.”
Civil rights advocates worry Thailand’s military junta, which actively censors the internet and often casts criticism of the government as a threat to national security, will use the new law to further codify its censorship regime.
The NCSC would be empowered to order removal of “cyber threats” and override other laws when they are in conflict. The latest draft of Thailand’s new Data Protection Law, also expected to be approved this year, correspondingly says it does not apply to “national security agencies,” including the NCSC.
Arthit Suriyawongkul, a civil rights advocate with the Thai Netizen Network, told Reuters the law could readily facilitate censorship. “The law doesn’t categorize data, which may include online content, and does not include protection measures,” he said.
In a joint statement seen by Reuters, the Telecommunications Association of Thailand and the Thai Internet Service Provider Association also said they were concerned about the government’s efforts to “regulate content”.
Data from internet companies shows Thai government requests to take down content or turn over information have ramped up in recent years. A law prohibiting criticism of the monarchy has often been the basis for such requests.
Following the death of revered King Bhumibol Adulyadej in 2016, the government threatened to prosecute Facebook in Thailand if it didn’t comply with content restriction requests.
In the first half of 2018, Facebook restricted 285 pieces of content, almost all of which were alleged to violate local lèse-majesté laws, according to the company’s latest transparency report released on Friday. Facebook restricted 365 pieces of content last year, 10 times the amount in 2014. It also handed over user data to the Thai government for the first time in 2017.
From mid-2014 to the end of 2017, the military government has made 386 requests to Google to remove 9,986 items, almost all of which were identified as government criticism, according to Google’s transparency report.
Google agreed to remove content named in 93% of the requests last year, up from 57% in late 2014.
Facebook declined to comment. It has previously said its general guidelines on receiving government requests to remove content are to determine whether the material violates local laws before restricting access.
Google declined to comment.
(By Patpicha Tanakasempipat; Reporting by Patpicha Tanakasempipat; Editing by Jonathan Weber and Lincoln Feast)