Back Thailand

Status regarding Budapest Convention

Status regarding Budapest Convention

Status : NA Declarations and reservations : N/A See legal profile

Cybercrime policies/strategies

Thailand’s National Cybersecurity Strategy 2017-2021 recognized that cyber-threats do not affect just one country. The Strategy further argues that combatting cyber-threats and providing cybersecurity requires international cooperation, support for norms and international best practices, as well as the development of strong policies and measures at the national level. One of the key goals listed in the Strategy is preventing and suppressing cybercrime, through a number of approaches (e.g. the development of relevant regulations and laws; promoting cooperation for information exchange, sharing of experiences and best practices with other countries, both bilaterally and with relevant international organizations – e.g. INTERPOL; promoting law enforcement capacity building especially with respect to investigations).

The Office of the National Security Council identifies the following goals when it comes to cybersecurity:

  • Defense: get the means and tools to protect the State from cyber-threats to ensure the networks and data within the country are protected and flexible;
  • Address threats: strengthen State security, and investigate attacks by arresting and prosecuting offenders;
  • Development: the State must support research and development in science and technology, cyber security, and relevant capacity building.

The Ministry of Digital Economy and Society/MDES was established in 2016 (formerly the Ministry of Information and Communication Technology). Its Minister is a member of the National Security Council. The ministry’s mission includes (key points): (1) proposing national policies and laws on digital development, including cybersecurity; (2) managing the country’s statistics system to support decision making (including on cybersecurity). The ministry’s strategic five year plan (2020-2024) can be found here (Thai).

Cybercrime legislation

State of cybercrime legislation

The full legislative package of IT-related laws, regulations, royal decrees and announcements (as of 18 Aug 2019) can be found under the Digital Law Book (Thai). The offences related to cybercrime in Thailand covered by the Telecommunications Business Act B.E. 2544 (2001), its amendment (2006) and the Computer Crime Act June B.E. 2550 (2007) as amended by the Computer Crime Act (No. 2) B.E. 2560 (2017),  and related regulations, ministerial announcements, notifications, and royal decrees. Other laws and regulations may impose additional requirements on parties operating within specific sectors (e.g. telecommunications, banking and finance, healthcare, consumer credit and electronic payment services) – e.g.: Electronic Transactions Act B.E. 2544 (2001), amended by Electronic Transactions Act (No. 2) B.E. 2551 (2008).

The Telecommunications Business Act prohibits the illegal interception, utilisation or disclosure of messages, information and any other data by means of telecommunications.

The Computer Crime Act (CCA 2007) criminalizes several types of conduct, including:

  • the illegal accessing of a computer system that is not intended for use by the person accessing it and for which specific access prevention measures are in place;
  • the illegal disclosure of information about computer system prevention measures in a manner that is likely to cause damage to the system owner;
  • the illegal interception of information or eavesdropping;
  • the illegal damaging, destroying, alteration, changing, or amending of computer data of other people, either in whole or in part;
  • the illegal suspension, delay, hindering or disruption of a computer system to the extent that it fails to operate normally;
  • the sales or distribution of set of instructions developed as a tool designed to do any of the above. (2017)

The Computer Crime Act (No. 2) B.E. 2560 (CCA as amended in 2017) specifies some additional offences, for example:

  • the sending of computer data or electronic mail to another person causing a nuisance to the recipient of such computer data or electronic mail, without a convenient option for the recipient to terminate the reception or to express their intent to refuse the reception or - 
  • the selling or distribution of a set of instructions specifically designed as a tool for the perpetration of an offense related to damaging destroying, altering, changing, or amending computer data of other people with harmful effect on other person or their property.

The CCA as amended in 2017 has been criticised for disproportionate and broad criminalisation of speech.

Certain cyber-activities may also breach laws and regulations specific to the specially regulated sectors.

Other relevant documents:

  • Ministerial Notification on the Characteristics and the Method of Sending Data Deemed Not Causing a Disturbance to the Recipient B.E. 2560 (2017): deals with spam email or sending computer data causing a disturbance to the recipient. Continuing to engage in this activity incurs a fine following the second request to be unsubscribed (Law Plus 2017);
  • Ministerial Notification on the Criteria, Duration and Procedure to Stop the Dissemination of Computer Data or the Removal of Computer Data by the Competent Official or the Service Provider: the competent official with approval from the Minister of Ministry of Digital Economy and Society may file a petition with supporting evidence to the Court of jurisdiction for a writ to suppress the dissemination or to remove such computer data from the computer system, which can then be removed/suppressed by the competent officials or by the service provider (Law Plus 2017);
  • For other relevant regulations – see the section on Specialized institutions below.

Substantive law

Computer Crime Act B.E. 2550 (2007) as amended by the Computer Crime Act (No. 2) B.E. 2560 (2017):

  • Sections 5 – 15;
  • Section 19;
  • Section 21 – 24.

Copyright Act B.E. 2537 (1994):

  • Ch. 1, Part 5: Infringement of copyright;
  • Ch. 1, Part 6: Exception of infringement of copyright.

Thailand Criminal Code

  • Ch. 6: Principals and supporters, Section 86: aiding and abetting.

Procedural law

Computer Crime Act B.E. 2550 (2007) as amended by the Computer Crime Act (No. 2) B.E. 2560 (2017) addresses most of the Budapest Convention on Cybercrime’s procedural powers, though there is still room for improvement (for more details – see the LEGAL PROFILE):

  • Section 18 – 20;
  • Section 22;
  • Section 25 – 26.

Safeguards

Section 19 of the Computer Crime Act B.E. 2550 (2007) as amended by the Computer Crime Act (No. 2) B.E. 2560 (2017) requires that before competent officials’ make a request for traffic data, a copy of computer data, or seize a device/computer or computer data for example, they have to:

“file a petition to the court of jurisdiction for a court order to authorize the competent official to take action. The petition must identify a reasonable ground to believe that the person is perpetrating or going to perpetrate an offense, reasons for the exercise of such power, characteristics of the offense, description of the devices used for perpetrating the offense and of the alleged offender, as much as this can be identified. The court should adjudicate urgently such aforementioned petition.

When the court gives permission, and before taking any action according to the court order, the competent official shall submit a copy of the reasonable ground memorandum to show that an authorization under Section 18 (4), (5), (6), (7) and (8), must be employed against the owner or possessor of the computer system, as evidence thereof.”

Thailand Criminal Code: Chapter III – Rights and liberties of the Thai People, Sections 25 – 49, covering non-discrimination, freedom of religion, speech, movement, association and assembly, freedom of mass media, right of privacy, consumer protection, dignity, property, and public health. Many of these rights are strongly challenged by the application of the CCA (2007; 2017) and the Cybersecurity Act B.E. 2562 (2019).

Telecommunications Business Act B.E. 2544 (2001), Chapter V: Rights of service user, Section 50: the National Telecommunications Commission is entrusted with the responsibility to establish measures for user protection concerning personal data, right to privacy and freedom to communicate by means of telecommunications.

Related laws and regulations

Data protection

The Personal Data Protection Act B.E. 2562 (2019) (PDPA) was published on 27 May 2019 (most of the operational provisions, including provisions relating to the rights of a data subject, the obligations of a data controller and the penalties for non-compliance, have become effective on 27 May 2020). The PDPA is under the supervision of the MDES and the main supervising authority of the PDPA is the Office of Data Protection Committee. Other relevant legislation:

In 2018, the Ministry of Commerce’s Department of Intellectual Property signed an MOU with MDES’s Electronic Transactions Development Agency (ETDA) on IP rights management and internet IP protection, which focused on developing a system for proving and analyzing digital evidence, capacity building, and enhancing security and standards. 

An ETDA publication on intellectual property and the use of information technology can be found here (Thai).

The ETDA provides a compilation of relevant legislation on electronic transactions, digital development, related administration, computer crime, cybersecurity, and data protection here (Thai).

Legislation and regulations

Specialised institutions

  • Ministry of Digital Economy and Society (established in 2016; formerly the Ministry of Information and Communication Technology) has a Crime Prevention and Suppression Technology Division. The Minister is a member of the National Security Council;
  • ICT Law Center: part of the Electronic Transactions Development Agency. One of its goals is to train criminal justice authorities in IT law. Provides a database of the many ICT-related laws;
  • Thai CERT (formerly the Computer Security Coordination Center of Thailand) was under the jurisdiction of the Electronic Transactions Development Agency but is being/was moved under the National Cybersecurity Agency as a result of the Cybersecurity Act B.E. 2562 (2019). ThaiCERT has established international cooperation through the Forum of Incident Response and Security Teams (FIRST) and is a member of the Asia Pacific CERT (APCERT);
  • National Cybersecurity Committee – which includes the PM, Ministers of defence and MDES, police chief, SG of the National Security Council, permanent secretaries for justice and finance. Among its functions: it determines the characteristics of organisations that are included under the classification of Critical Information Infrastructure. There are three levels of cybersecurity threats listed under the Cybersecurity Act B.E. 2562 (2019): non-severe, critical and crisis levels. In the case of a critical threat, the act allows seizure of the computer system or assets without a court order (2020);
  • National Cybersecurity Agency (NCSA): currently the Electronic Transactions Development Agency acts as the NCSA;
  • High Tech Crime Unit of the Royal Thai Police: functions – checking and analyzing electronic data; supporting the collection of evidence relating to commissioned offenses; support in-depth computer technical inspection; investigations; crime prevention; knowledge sharing; maintaining evidence in technology crimes by storing in accordance with international standards; collaborating with other relevant agencies both domestically and abroad; personnel development;
  • Department of Special Investigation (DSI): established in 2002, part of the Ministry of Justice, and one of the few institutions that has the power to initiate criminal investigations other than the police (possibly with the exception of the National Counter Corruption Commission). The DSI can request a Court to issue a warrant to access the accounts, computer, communication instruments or equipment, electric mail, data, or any electronic telecommunications of the suspects for no longer than a 90-days period. The DSI can also operate a sting operation or set up a mobile unit or commando unit if necessary. Jurisdiction (Special Case Investigation Act B.E. 2547): crime prevention, suppression and investigation of specific crimes (e.g. in the areas of Finance and Banking, Intellectual Property Rights, Taxation, Consumer Protection and Environmental, Technology, Cyber or Computer crimes, Corruption in Government Procurement, and other serious crimes that have a seriously negative effect on public peace and order, morale of the people, national security, international relations, and the economic or financial system). The DSI also does investigations involving Transnational and Organized Crimes and other white-collar crimes. Its Bureau of Technology and Cyber Crime is responsible for preventing, suppressing and investigating special crimes; prosecuting offenders for computer and technology-related crimes; collecting, analyzing and providing evidence for case prosecution; planning, managing and coordinating for preventing, suppressing and investigating special cases under responsibility; retaining case evidence and exhibits; and jointly performing/supporting the operation of other related agencies;
  • Technology Crime Suppression Division (Central Investigation Bureau): established in 2009 through a Royal Decree. It has the power and duty to maintain order, prevent and suppress crimes related to technology and carry out investigations under the Criminal Code, Criminal Procedure and other laws relating to computer systems. Organisation: Subdivision 1: Offences with computer systems as targets; Subdivision 2: Use of computers as a criminal tool; Subdivision 3: Importing and distributing false computer data; and the Technology Case Support Group: immediate response and support for computer-related cases;
  • Computer Data Screening Committee: established by the CCA (2017) with the power to permit officials to request a court order to block or destroy any data which is contrary to the public order or good morals of the Thai people. To determine that, the Computer Data Screening Committee must take into account precedent established by prior Supreme Court judgments and the Thai social context. Under the Ministerial Notification on the Appointment of the Settlement Committee under the CCA, the Computer Data Screening Committee will consist of a Chairman and seven committee members, three of whom shall come from relevant private sector in the fields of human rights, public communication, information technology, or other related field (Law Plus 2017);
  • Settlement Committee: has the power to settle a case through the payment of fines for some criminal offenses under the amended CCA (2017) (e.g. the unauthorized access of a computer system; disclosure of preventive measures for accessing a computer system; bringing false information into a computer system). Under this Ministerial Notification on the Appointment of the Settlement Committee under the CCA in case where an offender confesses of a crime against a person and if the injured person agrees to have the case settled by payment of a fine, the Settlement Committee will set the amount of the fine to be paid by the offender considering the severity of the offense, the circumstances of the offense, the damage to society and/or other users of a computer system, behavior of the offender, occupation, size of business and other factors (Law Plus 2017);
  • Action Taskforce for Information Technology Crime Suppression (TACTICS), and 11 operation centres across the country (Bangkok Post, 1 Jan 2019).

International cooperation

Competent authorities and channels

Legal Framework

There is a large body of relevant legislation and international treaties/agreements supporting international cooperation on criminal matters:

The Act on Mutual Assistance in Criminal Matters B.E. 2535 (1992) provides for international assistance. Section 9 states that assistance can be provided even if Thailand does not share an MLA treaty with the requesting state, based on reciprocity. The request for assistance maybe refused if it affects national sovereignty, security, or other crucial public interests or related to a political office.

 

The Ministerial Regulation B.E. 2537 (1994) covers the transfer of persons in custody to testify in the requesting state, or from the requesting state to Thailand, and the necessary form to use.

 

The Extradition Act B.E. 2551 (2008) empowers the Thai government to extradite fugitives who are alleged or accused of having committed criminal offences, or the defendants for whom the Court has reached a verdict to punish them under treaties; in cases where there are no treaties, through diplomatic channels. It can be applied for offences having a penalty of no less than 1 year of deprivation of liberty (or for those with less than one year as long as they are extraditable offenses – Section 7) and must be a criminal offence in both the requesting and the requested state.

 

In August 2017, US Homeland Security Investigations and Thailand’s DSI signed a Memorandum of Understanding to partner on the investigation of transnational criminal organizations with a nexus between the United States and the Kingdom of Thailand (US Immigration and Customs Enforcement, 2019).

 

Thailand is also a signatory State of some international conventions:

 

Competent authorities and channels

  • Attorney General: or the person designated by him (Chapter 1, Section 6, (Act on Mutual Assistance in Criminal Matters B.E. 2535, 1992/MLA Act) is the central authority for mutual legal assistance on criminal matters and extradition (Extradition Act B.E. 2551, 2008). The Office of the AG has an International Affairs Department. Section 10 (MLA Act)/Section 8 (Extradition Act) states that for states with MLA agreements with Thailand, the request should be submitted directly to the AG. In the case where the requesting state does not have an MLA agreement with Thailand, the request shall be made through the diplomatic channels (i.e. Ministry of Foreign Affairs). Section 8 (MLA Act) adds two more bodies to the mix in the case of requests that may affect: national sovereignty/security, crucial public interests, international relations, political/military offences. In such cases the Central Authority will receive the opinion on the request received/to be made from a Board (i.e. Ministry of Defense, Ministry of Foreign Affairs, the Ministry of Interior, the Ministry of Justice, the Office of the Attorney General, a public prosecutor acting as Secretary of the Board, and other “distinguished people”). In the case where there is a dissent between the Board and the Central Authority’s opinions, the Prime Minister makes the final decision. The Board is also consulted on all domestic and foreign MLAs following the receipt of such a request by the Central Authority. Section 38 MLA Act adds that with respect to domestic MLA requests, the determination of the Central Authority is final “unless otherwise instructed by the Prime Minister”. In conclusion, the main decision-making factors on MLA are: the Attorney General or the person designated by him; the MLA Board and the Prime Minister. However, there are still exceptions, such as in the Treaty between Thailand and USA on Mutual Assistance in Criminal Matters (1986), where the Thai Central Authority is the Minister of Interior or a person designated by him (NB: it is possible that this provision was in place because at the time the Attorney General was under the Ministry of Interior);
  • Ministry of Foreign Affairs: is the central authority for MLA and extradition in the cases where Thailand does not have an agreement in this respect. A directory of its relevant departments is available here;
  • Office of the Electronic Transactions Commission: is under the arm of the Ministry of Digital Economy and Society: Some of its powers/duties are: (a) suggesting policies and designing plans to support and promote electronic transactions; (b) analyzing how to improve and develop the laws, rules, regulations relating to electronic transactions; (c) formulating the requirements, methods, or standards in respect of electronic transactions to ensure the security and credibility of electronic transactions and consistence with international standards; (d) coordinating with agencies or international organizations relating to electronic transactions;
  • Thai CERT (see more above under Specialised institutions).

Jurisprudence/case law

Office of the Special Prosecutor v. Nopawan (Bento) (2013): defendant (Nopawan) was arrested in 2009 and accused of disseminating a message that defamed and insulted the Queen and the Heir Apparent on a webboard under the pseudonym 'Bento'. The defendant denied all charges. The Court of the First Instance dismissed the charge given that there was no eye witness to see the defendant posting the message. The Court decided that the IP Address was not sufficient to identify the real user. Later, the Court of Appeal reversed the judgement of the lower court, giving the defendant 5 years in prison based on the Constitution Ch. II: The King, Section 6, Article 112 of the Criminal Code (lèse-majesté) and Section 14.5 of Computer Crime Act of 2550 BE (dissemination of problematic information via computer systems).

Ministry of Information and Communication Technology v Katha (2014): Mr. Katha (broker) posted some messages on a webboard that caused stock prices to fall. He was charged on two counts of posting false statements that caused panic among the public and compromised national security under the Computer Crime Act Section 14(2) and was sentenced to two years and eight months prison time by the Court of Appeal.

Military prosecution: Tara (2017): defendant created a website and uploaded links to audio files that were deemed as constituting lèse-majesté. He was arrested in 2015, charged and tried by a military court (country was under direct military rule 2014-2019) under the Criminal Code Section 112 and Computer-related Crimes Act Section 14(1), (3) and (5). He initially denied all charges and stated that he created a website about health issues to earn advertising revenue. He uploaded the links on his website because there was content about healthcare in the audio clips and he did not listen to all the audio clips before uploading them. The defendant confessed to the charges to get a reduced sentence of 20 years.

Technology Crime Suppression Division v Pruetnarin (2014): was accused for posting 9 messages via 3 Facebook accounts in violation of Article 112 of the Criminal Code. The defense claimed entrapment in that intelligence services tried to ‘friend’ the defendant online and incite him to post lèse-majesté messages. The Court sentenced him to 3 years for each count and under Computer Crime Act of 2550 BE Section 14(3) for 4 months for each count. His sentence was later mitigated to 15 years following his guilty plea. In other cases, the court considered Article 112 and Computer Crime Act as one act, so the court would punish the defendant only under Article 112 which carries the severest penalty. In this case, the court sentenced using Article 112 separate from Computer Crime Act, causing the defendant to receive a more severe penalty.

Thai Phuketwan Journalists Acquitted of Defaming Navy (2015): A court in the southern Thai island of Phuket acquitted two journalists of accused of defaming the navy and breaching the Computer Crimes Act. The journalists faced possible jail time for a line in a 2013 article on human trafficking. The excerpt, from the Reuters news agency, quoted an unnamed smuggler saying Thai naval forces made money from turning a blind eye to trafficking.

Thai court to hear first royal insult case under new king (2017): A Thai court agreed on 10 February 2017 to put a prominent activist on trial for insulting the monarchy after he shared a BBC Thai-language profile of the new king (which some said was offensive) on Facebook.

Operation Blackwrist (2019): this child exploitation operation was launched by INTERPOL in 2017 following the discovery of material depicting the abuse of 11 boys, all under 13 years old. The material, first identified on the Darkweb, originated from a subscription-based website with nearly 63,000 users worldwide. For years the site had published new material weekly, with the abuser taking great care to avoid detection, often masking the children and leaving very few visual or audio clues. Homeland Security Investigations (HSI) Bangkok and HSI Indianapolis partnered with INTERPOL, DSI and other law enforcement agencies to pursue any investigative leads with a potential nexus to the United States. On January 16, 2018, HSI Bangkok assisted Thai authorities with the execution of search and arrest warrants leading to an arrest and the rescue of 5 victims.

Rex Mundi Operation: A 25-year-old FR coder was arrested on 18 May 2018 by the Royal Thai Police based on a French international arrest warrant for the implementation of a cyber-attack with ransom against a British-based company. The arrest was the eighth in an international operation supported by Europol and the Joint Cybercrime Action Taskforce (J-CAT) which was established in 2017.

Sources and links

News

Reports and research

Print Thailand
Tools on Cybercrime & Electronic Evidence Empowering You!

These profiles do not necessarily reflect official positions of the States covered or of the Council of Europe. 

Contribute

  Are you aware of the latest legislative or policy developments on cybercrime and electronic evidence?

  Share this information with us helping to keep this platform up to date.

Useful links