BANGKOK (Reuters) – Thailand’s military-appointed parliament on Thursday passed a controversial cybersecurity law that gives sweeping powers to state cyber agencies, despite concerns from businesses and activists over judicial oversight and potential abuse of power.
The Cybersecurity Act, approved unanimously, is the latest in a wave of new laws in Asian countries that assert government control over the internet.
Civil liberties advocates, internet companies and business groups have protested the legislation, saying it would sacrifice privacy and the rule of law, and warning compliance burdens could drive foreign businesses out of Thailand.
The military government has pushed for several laws it said would support the country’s digital economy, including an amendment to the Computer Crime Act in 2017, which has been used to crack down on dissent.
Internet freedom activists have called the legislation a “cyber martial law,” as it encompasses all procedures from everyday encounters of slow internet connections to nationwide attacks on critical infrastructure.
If a cybersecurity situation reached a critical level, the legislation allows the military-led National Security Council to override all procedures with its own law.
“Despite some wording improvements, the contentious issues are all still there,” Arthit Suriyawongkul, an advocate with the Thai Netizen Network, told Reuters.
The law allows the National Cybersecurity Committee (NCSC) to summon individuals for questioning and enter private property without court orders in case of actual or anticipated “serious cyber threats.”
An additional Cybersecurity Regulating Committee will have sweeping powers to access computer data and networks, make copies of information, and seize computers or any devices.
Court warrants are not required for those actions in “emergency cases,” and criminal penalties will be imposed for those who do not comply with orders.
The Asia Internet Coalition (AIC), a Singapore-based industry group which represents U.S. giants Google and Facebook, and nine other major technology companies, said it was “deeply disappointed” the law was passed.
“This would give the regime sweeping powers to monitor online traffic in the name of an emergency or as a preventive measure, potentially compromising private and corporate data,” said Jeff Paine, the group’s managing director, in a statement.
Legislators also unanimously passed the Personal Data Protection Act, intended to imitate the European Union’s General Data Protection Regulation (GDPR).
The legislation does not require international firms to store data locally, but businesses have raised concerns about its territorial applicability.
The data protection law, effective after a one-year transition period, will apply not only to companies located in Thailand, but also overseas companies which collect, use, or disclose personal data of subjects in Thailand, specifically for advertisements and “behavior monitoring.”
Supporters of the laws hailed them as long overdue.
“The two laws are crucial to help Thailand keep up with neighbors and the world,” said Saowanee Suwannacheep, a chairman of the ad-hoc parliamentary committee that worked on the legislation.