Local internet service providers (ISP) and foreign social networking companies will be exempt from liability for illegal content under Thailand's new Computer Crime Act 2017, says a legal expert.
The new Computer Crime Act, which goes into effect today, does not have a mandate to impose punishments on ISPs and social media firms if they cooperate in removing illicit content from their sites upon receiving a court order, said Paiboon Amonpinyokeat, one of the authors of the draft ministerial notifications under the Computer Crime Act.
The draft ministerial notifications will become law 60 days after the Computer Crime Act becomes effective.
There are drafts for five ministerial notifications under the act. The first regards the exemption of internet service provider liability, the procedures for notification and the suppression of dissemination and removal of computer data from the computer system.
The second covers regulations governing spam, including the provision that service providers have an opt-out feature for it. Otherwise, they will be fined 200,000 baht for each message received without the recipient's consent.
The third covers the criteria, duration and procedures to stop the dissemination or the removal of computer data for the competent official or service provider.
The fourth regards the appointment of a settlement committee under the Computer Crime Act, which is to allow for the resolution of some small violations through the payment of fines. This will help keep a number of computer crime cases from going to court.
The fifth covers the appointment of a content filtering committee.
Mr Paiboon said internet service providers, including Facebook and YouTube, that have removed unlawful content upon notification will not be guilty in the eyes of the law. But they need to remove the illegal content within a predetermined period.
Dhiraphol Suwanprateep, a partner for the Intellectual Property Practice Group of Baker & McKenzie Ltd, said the maximum period for service providers to take down illegal content from their computer systems should be 5-7 days (instead of three days as appears in the current draft) upon receipt of the notice.
Furthermore, Mr Dhiraphol said this draft notification prescribes that, upon receiving notice, the service providers have to "delete" or amend/revise illegal data to stop dissemination immediately.
With regards to the word "delete", technical difficulties faced by service providers should be taken into account, he said. It is debatable whether the service provider can actually and/or technically delete the whole set of illegal content as sometimes there is cache data left in the system.
Mr Dhiraphol said that concerns over the draft ministerial notification, re the Criteria Duration, and Procedure to Stop the Dissemination or the Removal of Computer Data for the Competent Official or the Service Provider, are that in some cases (e.g. websites and content providers), there should be notification and removal procedures.
But in certain cases such as cloud computing and data centres, it would be impractical for service providers to take down content that has been designated by users/officials as illegal. This is because in order to remove illegal content/data, service providers need to know the "exact" location of such illegal computer data and have control over it.
But Mr Dhiraphol said certain service providers, especially cloud service providers, do not know have such knowledge or control over the related data.
Cloud computing firms have a business model based on trust, in that customers want assurances that service providers do not know the content they are uploading to the cloud.
He said data is normally encrypted and segregated without service providers even knowing what and where the illegal content is in the system. As such, the business operations of cloud providers make it impractical to delete and/or remove illegal content.
Mr Dhiraphol also turned his attention to the draft ministerial notification, re the Appointment of the Settlement Committee under the Computer Crime Act, in cases where an offender is a juristic person. Under the current draft, directors, managers or persons responsible for the operations of such a juristic person will also be subject to fines.
"The law should not punish people just because they hold a particular position in a company if they did not know of such illegal acts," he said.
Mr Dhiraphol said this draft notification should be revised in a similar way to the recent Act Amending the Criminal Liability for Representatives of Juristic Person 2017, which was drafted in accordance with the Constitutional Court's rulings, saying that representatives of juristic persons are presumed innocent, unless it is proven that their actions or omissions caused the juristic person to commit the offence.
In terms of regulating spam, under the current draft, once consent is obtained from recipients, the sender will no longer be viewed as having caused a disturbance, he said. Therefore, Mr Dhiraphol said a public hearing would be needed to provide clarity on this point.
Pawoot Pongvitayapanu, president of the Thai E-Commerce Association, said policymakers should prioritise which content they want to be removed immediately.