Thailand 4.0: Digital ID, Cybersecurity, and Personal Data Protection Developments

Posted on 24th October 2018

As the Thai government prepares for its Thailand 4.0 economic model with hopes that it will elevate the nation’s status to a high-income country, the Ministry of Digital Economy and Society (MDES) is drafting legislation on several issues that could spur or hinder these efforts. Consequently, firms conducting business in Thailand, whether based within or outside its borders, may need to consider upcoming regulatory obligations and compliance requirements.

Digital Identification Bill

The Digital Identification Bill was approved in principle by the Cabinet and is expected to be passed by the National Legislative Assembly (NLA) and take effect by the middle of 2018. Under the proposed legislation, a National Digital Identification (NDID) company will develop an “NDID Platform” that will issue licences to identification providers (IDP) for digital IDs and authenticate citizens’ digital ID, allowing easy and secure digital identification for online transactions.

Facilitating banking transactions by providing an e-Know Your Customer (e-KYC) mechanism is a laudable step forward for Thailand. However, such technology could raise cybersecurity and privacy concerns due to the sensitive data required for authentication, including e-signatures, facial recognition and biometric fingerprint data. Thailand should learn from India’s own system — Aadhaar — which has faced ongoing cybersecurity and privacy issues.

Cybersecurity Bill

The Cybersecurity Bill, expected to be submitted to the Cabinet by this month, defines six sectors as critical information infrastructure (CII) that will require enhanced protections: government, defence, telecoms, finance, energy, and utility industries. The law will also create a National Security Agency to oversee the National Cybersecurity Operation Centre and the National Data Protection Agency.

The Electronic Transactions Development Agency (ETDA) will also establish the Cybersecurity Excellence Centre in the Digital Park under the Eastern Economic Corridor, by collaborating with American, Chinese, and Israeli security technology firms. The ETDA has set aside 200 million baht (USD 6.1 million) for a Security Academy that will produce 1 000 skilled cybersecurity workers by next year. Together with the launch of the ASEAN-Japan Cybersecurity Centre on 14 September 2018, Thailand looks set to bolster its cybersecurity capacity.

Personal Data Protection Bill

In early September, the Ministry of Digital Economy and Society also shared the latest draft of the Personal Data Protection Bill (PDPB), which was opened for a public consultation from 5 to 20 September 2018.

In this draft, Thailand has introduced some elements of the EU’s General Data Protection Regulation (GDPR), with the likely goal of receiving a mutual adequacy decision from the EU. Like the GDPR, the bill would apply to all data controllers and processors collecting or processing data that belongs to Thai residents. It also introduces a similar exemption if the collection of the personal data is necessary as part of an agreed contract. Worryingly for businesses, the bill’s implementation period has been halved from one year to 180 days from its publication in the Royal Gazette.

Implications for Industry

Businesses operating in Thailand should evaluate how these bills will impact their operations and develop a strategy to overcome any issues and harness any new opportunities to expand their market share. For example, the Digital Identification Bill, while it may spur the introduction of new fintech and payment services, will require companies to consider how the end-to-end process is aligned with their own e-KYC process. Are there gaps that will need to be addressed? Will the company be able to fulfil all e-KYC requirements?

Additionally, businesses in the sectors defined as critical information infrastructure need to consider additional obligations, such as the need to develop a cybersecurity risk assessment plan, set an internal cybersecurity, and develop a strategy to report security breaches.

Lastly, companies will need to evaluate how their internal processes measure up against the proposed requirements under the Personal Data Protection Bill. For example, companies transferring data of Thai subjects to third party countries will need to review consent requirements. Companies operating outside of Thailand need to remain vigilant given the extra-territorial provision, extending their liability over the management of data of Thai subjects.

The Ministry of Digital Economy and Society has defined new cybersecurity and privacy practices for the private sector. As a result, industry actors should monitor the regulatory landscape to protect their business operations and identify market opportunities.

 

Author: Seha Yatim, Policy Analyst, Access Partnership
