Thailand: Computer Crime Act - Legal Analysis, January 2017
In January 2017, ARTICLE 19 analysed the December 2016 amendment to Thailand’s Computer Crime Act of 2007 (the Amended Act) for its compliance with international freedom of expression standards. The Amended Act is currently awaiting the endorsement of King Maha Vajiralongkorn. ARTICLE 19 has previously reviewed the 2007 Act and called on the Thai Government to amend it.
At the outset, ARTICLE 19 notes that it is possible for Thailand to adequately punish legitimate computer crimes with far fewer offences and much greater protections for free speech. However, as this analysis shows, the Thai authorities not only failed to bring the 2007 Act into full compliance with international human rights standards, but the Amended Act contains several sweeping additions that will only serve to expand powers that have already been aggressively used to limit freedom of speech. In particular, we are concerned that:
- The Amended Act allows the government nearly unfettered authority to restrict free speech, engage in surveillance, conduct warrantless searches of personal data, and undermine freedoms to utilize encryption and anonymity;
- Vaguely-defined enhancements to offences can multiply prison sentences by up to ten or twenty times without any requirement of serious harm;
- The Amended Act criminalises defamation and obscenity, which is ipso facto incompatible with Thailand’s freedom of expression obligations;
- Most of the offences as written amount to strict liability crimes, without clear intentionality requirements;
- The investigatory powers force service providers to retain user data or allow for warrantless access to user communications;
- There are no provisions for a 'public interest' defence that would provide an opportunity for an accused to establish that there was no harm or risk of harm to a legitimate interest in engaging in the proscribed activity, and that the public benefit in the activity outweighed any harm;
- The Amended Act problematically establishes a five-person committee that can obtain court approval to censor content online if it offends public morals. Such a power is exceedingly broad and facially threatens to censor legitimate expression on the basis of its content;
- The Amended Act is rife with broad powers that are susceptible to abuse and could severely punish legitimate political, academic, or social expression.
ARTICLE 19 urges the drafters of the Amended Act and the relevant committees in charge of scrutinising it to address the shortcomings identified above to ensure the compatibility of the Act with international standards of freedom of expression. We stand ready to provide further assistance in this process.
- All offences of the Amended Act should be modified from strict liability offences to clearly include intentionality requirements for “dishonest” intent for their commission and for “serious” harm to result before criminal liability attaches;
- Enhancements to penalties, if included, must be less severe and limited to punishing “serious” harm to computer systems comprising critical infrastructure that is necessary for the public safety;
- Sufficient safeguards should be included for the protection of human rights and specifically reference international standards. In particular, public interest defences should be made available to ensure that legitimate whistleblowers, journalists, researchers, and human rights defenders acting in good faith are not prosecuted under the Amended Act;
- Given the broad powers given to a Competent Official under the Amended Act, the appointment of this function must be amended to include rigorous and transparent procedures and judicial scrutiny;
- Sections 6, 7, 11, 12, 14(2-4), 16, 17, 18(1-3 and 7), 20, 21, 24, and 26 of the Amended Act should be stricken in their entirety;
- Section 8 should be amended to require that interception be done “intentionally” and with “dishonest intent” by technical means, that it apply only to the interception of “non-public” data, and that it be done “without right";
- Sections 9 and 10 should be amended. They should both omit the term “illegally” and include a requirement of “intentionality and without right” and “dishonest intent.” Section 9 should also require “serious harm” before criminal penalties attach. Section 10 should require “serious hindering without right";
- An intentionality requirement must be added to Section 13. Moreover, all paragraphs of Section 13 that cross-reference Section 12 should be stricken and the maximum penalty provision provided in the final paragraph of Section 13 should be omitted;
- Section 14(1) should be amended: it should include intent that the fraudulent data be “considered or acted upon for legal purposes as if it were authentic, regardless whether or not the data is directly readable and intelligible";
- Section 15 should be amended to require that aiding and abetting liability only attach where an individual or entity acts intentionally to further the underlying offence. Further, the provision allowing the Minister discretion to exempt a provider from liability should be omitted;
- Section 18(4-6, 8) should be amended to provide explicit due process protections, meaningful judicial oversight, and notice provisions.