Draft Cybercrime Bill (15 Nov 06)

March 8, 2007

[ร่าง พ.ร.บ. ฉบับภาษาไทย]

Memorandum of the Principles and Reasons
Supporting the Computer-Related Offence Commission Bill

Principles

There shall be a law governing the perpetration of computer-related offences.

Reasons

Today a computer system is essential to business operations and the human way of life, as such, if any person commits an act that disables the working of a computer system according to the pre-determined instructions or that causes a working error – a deviation from that required by the pre-determined instructions or that resorts to any means to illegally know of, correct or destroy a third party’s data contained in a computer system or that uses a computer system to disseminate false or pornographic computer data, then that act will damage and affect the country’s economy, society and security including people’s peace and good morals. Therefore, it is deemed appropriate to stipulate measures aimed at preventing and suppressing such acts. Hence the enactment of this Act.

The Computer-Related Offences Commission Bill B.E…

As it is deemed appropriate to enact a law governing the commission of a computer-related offence.

This Act contains certain provisions governing the restrictions of an individual’s rights and freedom permissible by Section 29, together with Sections 31, 37, 39, 48 and 50 of the Kingdom of Thailand’s Constitution by virtue of legal provisions.

Section 1

This Act shall be called the “Computer-Related Offences Commission Act B.E…..”.

Section 2

This Act shall be enforceable from the day following the date of its publication in the Government Gazette.

Section 3 In this Act,

“Computer System” means a piece of equipment or sets of equipment units, whose function is integrated together, for which sets of instructions and working principles enable it or them to perform the duty of processing data automatically.

“Computer Data” means data, statements or sets of instructions contained in a computer system, the output of which may be processed by a computer system

“Computer Traffic Data” means data related to computer system-based communications showing sources of origin, starting points, destinations, routes, time, dates, volumes, time periods, types of services or others related to that computer system’s communications.

“Service Provider” shall mean:

(1) A person who provides service to the public with respect to access to the Internet or other mutual communication via a computer system, whether on their own behalf, or in the name of, or for the benefit of, another person

(2) A person who provides services with respect to the storage of computer data for the benefit of the person under (1)

“Service User” means a person who uses the services provided by a service provider, with or without fee

“Competent Official” means a person appointed by a Minister to perform duties under this Act.

“Minister” means a Minister who has responsibility and control for the execution of this Act.

Section 4

The Minister of Information and Communications Technology shall have responsibility and control for the execution of this Act and shall have the authority to issue a Ministerial Rule for the purpose of the execution of this Act

A Ministerial Rule shall be enforceable upon its publication in the Government Gazette.

Chapter 1
Computer-Related Offences

Section 5

Any person accessing a computer system for which a specific access prevention measure that is not intended for their use is available shall be subject to imprisonment for no longer than one month or a fine of not more than one thousand baht or both; the offence under paragraph one shall be a compoundable offence.

Section 6

If any person knowing of a measure to prevent access to a computer system specifically created by a third party discloses that measure in a manner that is likely to cause damage to the third party, then they shall be subject to imprisonment for no longer than six months or a fine of not more than ten thousand baht or both.

Section 7

If any person accesses computer data, for which there is a specific access prevention measure not intended for their own use available, then he or she shall be subject to imprisonment for no longer than one year or a fine of not more than twenty thousand baht or both; the offence under paragraph one shall be a compoundable offence.

Section 8

Any person who commits any act by electronic means to eavesdrop a third party’s computer data in process of being sent in a computer system and not intended for the public interest or general people’s use shall be subject to imprisonment for no longer than three years or a fine of not more than sixty thousand baht or both.

The provisions under paragraph one shall not apply to the eavesdropping of computer data according to a computer data owner’s specific instructions.

Section 9

Any person who illegally damages, destroys, corrects, changes or amends a third party’s computer data, either in whole or in part, shall be subject to imprisonment for no longer than five years or a fine of not more than one hundred thousand baht or both; the offence under paragraph one shall be a compoundable offence.

Section 10

Any person who commits any act that causes the working of a third party’s computer system to be suspended, delayed, hindered or disrupted to the extent that the computer system fails to operate normally shall be subject to imprisonment for no longer than five years or a fine of not more than one hundred thousand baht or both.

Section 11

The perpetration of an offence under Section 9 or Section 10 that:

(1) causes damage, whether it be immediate or subsequent and whether it be synchronous to the public’s computer data shall be subject to imprisonment for one to ten years or a fine of twenty thousand to two hundred thousand baht or more, or both;

(2) is an act that is likely to damage computer data or a computer system related to the country’s security, public security and economic security or public services or is an act against computer data or a computer system available for public use shall be subject to imprisonment from three years up to fifteen years and a fine of sixty thousand baht up to three hundred thousand baht.

The commission of an offence under (2) that causes damage to people’s body or life shall be subject to capital punishment, life-time imprisonment or imprisonment from ten years up to twenty years.

Section 12

Any person who sells or disseminates sets of instructions developed as a tool used in committing an offence under Section 5, Section 6, Section 7, Section 8, Section 9 or Section 10 shall be subject to imprisonment for no greater than one year or a fine of not greater than twenty thousand baht, or both.

Section 13

If any person commits any of the following acts:

(1) that involves access to a computer system for acquiring computer data in a manner that causes a third party to believe that that computer data belongs to a third party or is prepared by a third party in a manner that is likely to cause damage to that third party or the public;

(2) that involves access to a computer system for acquiring false computer data in a manner that is likely to damage the country’s security or to cause a public panic;

(3) that involves access to a computer system for acquiring any computer data related with an offence against the Kingdom’s security under the Criminal Code and being publicly accessible;

(4) that involves access to a computer system for acquiring any computer data of a pornographic nature that is publicly accessible;

(5) that involves the dissemination or re-sending of computer data already known to be computer data under (1) (2) (3) or (4), in which case imprisonment for no longer than five years or a fine of not more than one hundred thousand baht, or both shall be imposed

If pornographic computer data under (4) displays a picture of a person aged less than eighteen years old, imprisonment from two years up to five years or a fine of forty thousand up to one hundred thousand baht, or both shall be imposed.

Section 14

Any service provider knowing of the perpetrating of an offence under Section 13 within a computer system under their control but failing to delete immediately the computer data contained therein shall be subject to the same penalty as that imposed upon a person committing an offence under Section 13.

Section 15

Any person, who accesses a computer system, to acquire computer data in which there appears a third party’s picture created, edited, added or adapted by electronic means or otherwise in a manner that is likely to impair that third party’s reputation or causes that third party to be isolated, disgusted or embarrassed, shall be subject to imprisonment for no longer than three years or a fine of not more than sixty thousand baht, or both.

An offence under paragraph one shall be a compoundable offence.

If a party injured by an offence under paragraph one has died before filing a complaint, then their parents, spouse or children may file a complaint and shall be deemed to be the injured party.

Chapter 2
Competent Officials

Section 16

If there is reasonable cause to believe that there is the perpetration of an offence under this Act, then a relevant competent official shall have the following authority to:

(1) instruct a person who possesses or controls computer data or computer data storage equipment to deliver to the relevant competent official the computer data or the equipment pieces necessary to identify the person who has committed an offence;

(2) copy computer data from a computer system, in which there is a reasonable cause to believe that offences under this Act have been committed;

(3) inspect or access a computer system, computer data, computer traffic data or computer data storage equipment belonging to any person that is evidence of, or may be used as evidence related to, the commission of an offence or used in identifying a person who has committed an offence, and if necessary, instruct that person to send the relevant computer data to all necessary extent as well;

(4) decrypt any person’s computer data or instruct any person related to the encryption of computer data to decode the computer data or cooperate with a relevant competent official in decrypting;

(5) call for computer traffic data related to communications from a service user via a computer system or from other relevant persons, exclusive of the contents of the data mutually communicated between persons;

(6) instruct a service provider to deliver to a relevant competent official service users-related data that must be stored under Section 24 or that is in the possession or under the control of a service provider;

(7) seize or attach the suspect computer system for the purpose of obtaining details of an offence and the person who has committed an offence under this Act;

(8) issue an inquiry letter to any person related to the commission of an offence under this Act or summon them to give statements, forward written explanations or any other documents, data or evidence in an understandable form.

Section 17

Regarding the seizure or the attachment under Section 16 (3), a relevant competent official must issue a letter of seizure or attachment to the person who owns or possesses that computer system as evidence. This is provided, however, that the seizure or attachment shall not last for longer than thirty days. If the seizure or the attachment requires a longer time period, a petition shall be filed with a criminal court for the extension of the seizure or attachment time period. However, the court may allow a single or several time extensions, however altogether for no longer than sixty days. When that seizure or attachment is no longer necessary or upon its expiry date, a competent official must immediately return the computer system that was seized or withdraw the attachment.

The letter of seizure or attachment under paragraph one shall be in accordance with a Ministerial Rule.

Section 18

A relevant competent official shall exercise the authority under Section 16 only to the necessary extent for the purpose of preventing and suppressing an offence under this Act. The copying of computer data under Section 16 (2) shall be done only when there is a reasonable ground to believe that an offence under Section 9 has been committed and in a manner that does not present an unnecessary obstacle to the operation of a business by the person who owns or possesses the computer data.

When a relevant competent official has acted as under Section 16 (3) or (5), the details concerning actions to be taken and the reasons behind such actions must be recorded and then be reported to a provincial court with jurisdiction or a criminal court within twenty-four hours from the starting time of the action. If the court deems that that any action is contradictory to paragraph one or paragraph two, the court shall order that the action be suspended.

Section 19

If a relevant competent official found that any computer data contains undesirable sets of instructions, a relevant competent official with the authority to prohibit the sale or dissemination of such, may instruct the person who owns or possesses the computer data to suspend the use of, destroy or correct the computer data therein, or to impose a condition with respect to the use, possession or dissemination of the undesirable sets of instructions.

The undesirable sets of instructions under paragraph one shall mean to include sets of instructions that cause computer data, a computer system or other instruction sets to be damaged, destroyed, corrected, changed, added, interrupted or, fail to perform according to pre-determined instructions or otherwise as required by a relevant Ministerial Rule, with the exception of sets of instructions aimed at preventing or correcting the foregoing sets of instructions as required by a Minister and published in the Government Gazette.

Section 20

A relevant competent official shall not disclose or deliver computer data, computer traffic data or service users’ data acquired under Section 16 to any person.

The provisions under paragraph one shall not apply to any actions performed for the benefit of lodging a lawsuit against a person who has committed an offence under this Act or for the benefit of lodging a lawsuit against a relevant competent official on the grounds of their abuse of authority or for action taken according to a court’s trial-related instruction.

In the case where a law empowers a person to summon documentary evidence or data or summon any person to give statements for the purposes of legal proceedings and that such is not the case under paragraph two, that law shall not apply to the data acquired by a relevant competent official under Section 16 and delivered to the competent official, as the case may be.

Any competent official who violates paragraph one must be subject to imprisonment for no longer than two years or a fine of not more than forty thousand baht, or both.

Section 21

Any competent official who commits an act of negligence that causes a third party to know of computer data, computer traffic data or a service user’s data acquired under Section 16 must be subject to imprisonment for no longer than one year or a fine of not more than twenty thousand baht, or both.

Section 22

Any person knowing of computer data, computer traffic data or a service user’s data acquired by a relevant competent official under Section 16 and disclosing it to a third party shall be subject to imprisonment for no longer than two years or a fine of not more than forty thousand baht, or both.

Section 23

Computer data, computer traffic data or a service user’s data acquired through the perpetration of an offence under Section 20 or Section 21 or Section 23 shall not be admissible as evidence for taking any action that is harmful to the person who owns or possesses the data

Section 24

A service provider must store computer traffic data for at least thirty days from the date on which the data is input into a computer system. However, if necessary, a relevant competent official may instruct a service provider to store data for a period of longer than thirty days but not exceeding ninety days on a special case by case basis or on a temporary basis.

If a service provider enters into an agreement to provide service to a service user, the service provider shall retain details of the agreement for a period of at least thirty days after the date on which the agreement expires.

The types of service provider to whom the provisions under paragraph one shall apply and the timing of this application shall be established by a Minister and published in the Government Gazette.

A service provider who fails to comply with this Section must be subject to a fine of not greater than five hundred thousand baht.

Section 25

If any person obstructs the performance of duties by a relevant competent official or fails to comply with the instructions of a relevant competent official under Section 16 or Section 19 or fails to comply with the conditions imposed by a relevant competent official under Section 19, then a relevant competent official granted such power shall instruct that person to pay an administrative fine of not more than two hundred thousand baht and a further daily fine of not more than five thousand baht until the relevant corrective action has been taken.

If the person instructed to pay the administrative fine under paragraph one does not pay the fine, then the provisions governing administrative enforcement under the law governing administrative state service-related procedures shall apply mutatis mutandis.

When the person who is instructed to pay the fine has paid the administrative fine, the right over a criminal lawsuit shall be extinguished.

Section 26

Regarding the appointment of a competent official under this Act, a Minister shall appoint such person from among state officers with a knowledge of, and expertise in, computer systems and who has undergone the training course required by a Minister.

Section 27

In the performance of duties, a relevant competent official must produce an identity card to a relevant person.

The identity card shall be as per the form required by a Minister and published in the Government Gazette.

Section 28

In performing the duties under this Act, the competent official required by a Minister shall be an administrative officer or senior police officer under the Criminal Procedure Code.

In arresting, controlling, searching, investigating, and filing a lawsuit against a person who commits an offence under this Act, and for what is within the authority of an administrative officer or a police officer, or an administrative officer or a senior police officer, or an inquiry officer under the Criminal Procedure Code, the administrative officer or the police officer, the administrative officer or the senior police officer or the inquiry officer shall take action only upon the request of a relevant competent official under this Act. The Prime Minister is in charge of the Royal Thai Police Headquarters and with a Minister shall have a joint authority to establish a regulation with respect to the means and action-related procedures under paragraph two.