New regulations on the categorization and obligations of service providers under the Computer Crime Act
On August 13, 2021, the notification of the Ministry of Digital Economy and Society regarding the rules on the storage of computer traffic data by service providers, BE 2564 (2021) (the “Notification”) was published in the Official Gazette of the Government of Thailand to replace the old notification published in 2007.
New category of service providers
Although certain provisions of the Notification remain the same as, or similar to, those of the 2007 notification, its main change is to the categorization of service providers who must store computer traffic data under the Computer Crime Act, BE 2550 (2007). The new categories are as follows:
1. provider of Internet access or communication services to the general public via a computer system, which includes services provided directly or by proxy, as follows:
- telecommunications and broadcasting operator;
- access service provider;
- hospitality service provider;
- Internet café service provider;
- online application store service provider; and
- social media service provider, whether or not there is a member system.
2. data storage service provider, as follows:
- content and application service provider;
- provider of cloud computing services to the end user; and
- digital service provider.
Appendix A of the Notification further provides examples of each type of service provider, while Appendix B sets out the content and type of computer traffic data that each category of service provider is required to store under the law.
Obligation of service providers
The Notification also introduces two new security measures for all service providers, namely a digital identification process and an access control system.
Digital ID process and access control system
Service providers must put in place a digital identification process for all their users in accordance with the standard prescribed under the Electronic Transactions Act, BE 2544 (2001). The Notification further stipulates that the identification system must include an administrative safeguard policy, a technical backup policy and backup policies for an access control system, which must include at least the following elements:
- control of access to data and storage devices;
- specification of the credentials, data access privileges or approvals required;
- a user access management system;
- prescribed user responsibilities when accessing identification system data; and
- a means of verifying logins that access, modify, delete or transfer identification system data.
The purpose of the above access control system is to protect the reliability of data and the personal data of users. Note that this required access control system is essentially the same as the security measures under the notification of the Ministry of Digital Economy and Society concerning personal data security measures, BE 2563 (2020), which currently regulates all data controllers during the transition period pending the application of the Personal Data Protection Act, BE 2562 (2019).
Computer traffic data storage
In addition to the security measures above, the security measures for the storage of computer traffic data under the Notification remain the same as under the 2007 notification. They require service providers to:
- store the data on a medium or device that can protect the integrity of the data and identify the persons who can access it;
- have permission levels for data access so as to protect data integrity and prevent administrators from altering stored data;
- appoint staff to coordinate with the competent authority under the Computer Crime Act; and
- ensure that the computer traffic data storage system can identify and authenticate its users.
In addition, the Notification explicitly states that even if the service provider enters into an agreement with a third party regarding the storage of computer traffic data, the service provider is still required by law to store the data and to submit it to the competent authority immediately upon request.
The service provider must keep the computer traffic data for at least 90 days, and if requested by the competent authority, the retention period can be extended by 6 months each time, but the total duration must not exceed 2 years.
The Notification entered into force on August 14, 2021. There is an exception for Internet café service providers and digital service providers, who must start storing computer traffic data within one year and 180 days, respectively, from the date of entry into force.