Any organisation deemed to be a service provider (SP) under the Computer Crime Act 2007 (the "Act") is now required to store all computer traffic data entered into its computer system and surrender it upon request to the relevant authority. The broad definition of an SP under the Act means that this requirement extends to hotels, condominiums, educational institutions, banks and other organisations.
Full Update
The Act was enacted to tackle the growing incidence of computer related crimes and spread of indecent material on the internet. It seeks to protect businesses, online privacy and electronic transactions as well as promote e-commerce.
Competent officials are authorised to inspect computer traffic data and even seize computers on private premises to facilitate criminal investigations. Accordingly, all internet service providers must store computer traffic data for at least 90 days from the date of entry into the computer system. This period may be longer if the competent officer deems it necessary, provided it does not exceed one year.
Who is an SP?
Under the law, the following businesses and institutions are considered SPs:
  • Telecommunications and broadcast carriers
  • Access Service Providers, including providers of internet in offices, educational institutions and government departments
  • Hosting service providers
  • Internet cafes and online game services
Storage requirements
The Act requires SPs to store all computer traffic data. For a company providing internet access this will include user ID, access logs and calling line identification.
Activities triggering data inspections
Under the Act, events that would trigger data inspections are not limited to the usual "cyber crimes" such as hacking, spam and virus attacks, but would also include the following:
  • using forged or false computer data which may cause damage to a third party or to national security, or which is connected to an offence under the Penal Codel;
  • importing any computer data containing pornographic material into a computer system that is publicly accessible;
  • importing data into a computer system which is publicly accessible and which may injure a third party's reputation or may cause embarrassment. This includes blog discussions and content posted on video sharing websites.
Penalties for non-compliance
An SP that fails to store computer traffic data will be fined up to THB 500,000.
If an SP deliberately supports or allows the commission of serious cyber offences, it will be subject to imprisonment of up to five years or a fine of up to THB 100,000 or both.
In light of the new requirements, simply providing internet/email access will render an organisation to be an SP and it is therefore imperative that all such businesses install appropriate systems to monitor computer or internet usage and computer data storage methods.
Moreover, as the scope of prohibited activities is wide under the Act, all such businesses should inform relevant persons such as employees, students or even hotel guests of the new requirements. Guidelines and policies on computer and internet usage which are compliant with the Act should be set up.
For further information, please contact:
Wanchai Raksirivorakul (