Formichella & Sritawat

With changes in Thailand’s law and policy on foreign satellites, and political and legal issues involving restrictions on the export of computer chips for artificial intelligence (for more information please see Thailand’s current AI policy), there is increased interest in building and operating data centers in Thailand. Indeed, Thailand’s well-known “Eastern Economic Corridor”, where auto manufacturers have long operated, is now being further developed to stimulate the construction of data centers. “Data center services” is not explicitly defined under Thailand’s telecommunication law. As per our previous article on Thailand’s telecommunication law , the definition of “telecommunication service” is a service which provides the emission, transmission or reception of signs, signals, writing, digits, images, sounds, codes or intelligence of any nature using Hertzian, wire, optical, electromagnetic, or any other system, or a combination thereof, and shall include the communication satellite service or other business prescribed as telecommunications services by the NBTC but not including sound broadcasting, television broadcasting, and radiocommunication services. The structure and authority of telecommunications law in Thailand grant the regulator authority to determine “other business prescribed as telecommunications services by the NBTC”. Therefore, the legal authority of the National Broadcasting and Telecommunication Commission (NBTC) to determine data centre services as a telecommunication service is granted by the above-referenced statutory language. With such authority, the NBTC created a Type 1 telecommunication license for data centers and has issued multiple licenses accordingly. “Data center services” require a Type 1 license and point to service providers that provide infrastructure such as electricity, security, fire protection, and connectivity to third-party networks. The NBTC data center license terms reference “facilitate cloud solution services”, which is often confused as a licensing requirement for cloud service providers. However, the license requirement is providing a data center solution to a cloud service provider. Under certain conditions, a cloud service provider does not need a license from the NBTC. For more information on this, please see the article Cloud Services & Telecommunication Licensing in Thailand where we discuss cloud services and telecommunications licensing. The above is general information and should not be relied upon as legal advice. Authors: John Formichella and Naytiwut Jamallsawat

There is often confusion surrounding telecommunication licensing and cloud services. The primary reason is there is, in fact, a cloud service license requirement from the National Broadcasting and Telecommunications Commission (NBTC). However, the licensing requirement is obligatory if a cloud service provider (CSP) provides a telecommunications service. The definition of “telecommunication service” is referenced in our article on Thailand’s Telecommunications Business Act. Transmission and connectivity are the primary causes affecting licensing requirements from the NBTC. Regarding CSPs, the NBTC will consider a cloud service as a telecommunication service if the CSP provides connectivity to its cloud. The title of the license itself makes the connectivity requirement essential. The license translation is “cloud services (with the provision or procurement of internet connectivity or other telecommunication services)”. A CSP service without connectivity is a content-based service, not a telecommunication service. As of the writing of this article, there are only four CSPs licensed by the NBTC to provide cloud services. A cloud license (as mentioned above) will require a comprehensive application process, annual reporting requirements, licensing fees, and USO fees. However, a CSP with a license may generate additional revenue from the connectivity services. Without a license, CSPs will put the onus of connectivity on the end-user. For example, companies with licenses to provide internet services will connect a customer and a CSP. The above is for general information purposes only and should not be relied upon as legal advice. Authors: John Formichella & Naytiwut Jamallsawat

The Telecommunications Business Act B.E. 2544 (2001) (“TBA”) provides that a person operating a telecommunications service in Thailand is required to obtain a license. “Telecommunications Service” is defined under the Act on the Organization to Assign Radio Frequency and to Regulate Broadcasting and Telecommunications Services B.E. 2553 (2010) as: “A service which provides the emission, transmission or reception of signs, signals, writing, digits, images, sounds, codes, or intelligence of any nature using Hertzian, wire, optical, electromagnetic, or any other system, or a combination thereof, and shall include satellite communication services or other business prescribed as telecommunications services by the NBTC, but not including sound broadcasting, television broadcasting, and radio communication services.” It’s crucial to understand the distinction: a person is considered operating a “Telecommunications Business” if the nature of the business is to supply Telecommunications Services to other persons. While the definitions are closely related, “Telecommunications Business” has a broader meaning than Telecommunications Service. The regulator must delve into the “nature” of the business to determine if it falls under the category of a Telecommunications Service. A license from the National Broadcasting & Telecommunications Commission (“NBTC”) is mandatory if it is deemed a Telecommunications Business. There are instances where businesses not in the telecommunications sector, such as automotive, may find themselves requiring a telecommunication license. A fundamental principle is that the NBTC, as the regulatory authority, oversees the physical means of transmission and connectivity. Often, software and APIs are questioned as coming under the authority of the NBTC, which is not the case as of the date of this article. Note the catch-all phrase in the definition of Telecommunication Service, “and shall include satellite communication services or other business prescribed as telecommunications services by the NBTC.” These sixteen words grant the NBTC significant authority. For example, data centers fall under NBTC authority and require a license. However, the NBTC does not consider cloud services as a Telecommunication Service unless the cloud service provides (or bundles) connectivity to the cloud service. The NBTC’s Notification Re: Telecom Network Access and Interconnection B.E. 2556 (2013) (the “Notification”) is a comprehensive document that lays out the duties of licensees who own telecommunications networks. These include allowing other licensees to interconnect with their network on a fair, reasonable, and non-discriminatory basis. Licensees with a network must submit a Reference Interconnection Offer (RIO) along with relevant supporting documentation demonstrating the principle and method for calculating interconnection charges to the NBTC for review. The Notification also provides guidelines for the contractual arrangement and dispute resolution procedures in case network access or interconnection is refused. “Telecommunications Network” means the set of telecommunications equipment directly connected or connected through switching equipment or any other equipment for telecommunications between defined termination points using any wire, radio-frequency spectrum, optical, or any other electromagnetic system or combination thereof. According to the TBA, three types of telecommunications licenses are issued to Thailand operators: Type I, Type II, and Type III. Each license has different requirements, rules, and obligations that reflect the status of the operator. Each type of telecommunications license is further subdivided into either a license to operate a telecommunications service or a license to operate an internet service. The criteria and requirements, however, are the same for both. Therefore, the details below also apply to both types of service. Type I licenses are for telecommunications operators who do not own a Telecommunications Network and whose business does not impact fair competition. When applying for a Type I license, the critical element is that the operator will not own network equipment, as Type I resells the network of Type II or Type III operators. Further, a Type I operator cannot control or operate a Telecommunications Network. The TBA does not impose foreign shareholding restrictions on Type I licensed operators; however, foreign nationals or companies with a majority of foreign shareholders are subject to general laws on foreign business and must obtain a Foreign Business License from the Ministry of Commerce to operate their business. Therefore, it is standard practice for a Type I applicant to apply to the NBTC before applying with the Ministry of Commerce, the issuing agency for a Foreign Business License. The reason is that the Ministry of Commerce will want evidence that the application has the necessary Type I to operate its proposed Telecommunications Business under a Foreign Business License. Type II licenses are granted to operators who, either with or without a Telecommunications Network, provide services (or who lease out their network to operators who provide services) to a limited group of people or services that cause no significant impact on fair competition, the public interest, or consumers. This license type is typically issued to operators who provide services exclusively to large organizations with business operations spread across a wide geographic area. Type II licensed applicants must fulfill all criteria the NBTC prescribes before applying. For example, a call-back/call re-origination service is one example of a Type II licensed business. In addition, the TBA prescribes that Type II licensed operators must be Thai or a company in which Thai nationals hold more than 50% of the total issued shares. Type III licenses are granted to operators who possess Telecommunications Networks or provide services to the general public or services that cause a significant impact on fair competition and the public interest or require special consumer protection by the authorities. Telecommunications Services that fall under a Type III license include public switched telecommunications services, integrated services digital networks, public cellular mobile telephone networks, and public mobile data services. The TBA prescribes that Type III licensed operators must be Thai or a company where Thai shareholders hold more than 50% of the total issued shares. Only operators with Type III licenses may operate a Telecommunications Network to provide international private leased circuit (IPLC) or internet gateway services. In this regard, the Type III licensed operator must also obtain an additional IPLC or IIG license (as the case may be). The NBTC has the authority to issue notifications and further requirements for specific types of services, such as a Type III operator using foreign-owned satellites. Although a Type I licensed operator cannot operate the IPLC or IIG service itself, it may purchase these services from an IPLC/IIG licensed operator and resell them to its customers under its name. Each license type is subject to different regulations and controls over business operations, from license acquisition to operator conduct. Such varying regulations recognize that different licensees possess different types of networks and equipment. Trade competition also plays a factor in an operator’s regulatory oversight level. In summary, the TBA differentiates Telecommunications Business operators by network possession, the purpose of services, and impact on consumers. Furthermore, to help stabilize the various Telecommunications Services operators offer, the regulator imposes different obligations on Telecommunications Business licensees to facilitate network access and encourage freer and fairer competition in the Thai telecoms sector. The above is for general information purposes only and should not be relied upon as legal advice.  

The telecommunications market in Thailand has liberalized since the passage of the Telecommunications Business Act (TBA) of 2001 (see Thailand’s Telecommunications Business Act). Before 2001, the telecommunications sector in Thailand operated under a concession structure whereby an operator would build, transfer, and operate networks under a specific period with the Government of Thailand. However, the passage of the TBA in 2001 did not result in a wholesale change in telecommunications regulation under the regulator, the National Broadcasting and Telecommunications Commission (NBTC). For example, the NBTC has the statutory authority under the TBA to prescribe a business as a telecommunication service and may determine a business as not being a telecommunication service, such as cloud services (see Cloud Services & Telecommunication Licensing in Thailand). Satellite communication services are defined explicitly as a Telecommunication Business under the TBA. Since 2001 (the year of the TBA), satellite communication services have been provided mainly by a single Thai company. Still, until recently, the NBTC issued a new regulation as a foundation to allow foreign-owned satellites to provide direct services to Thailand. The NBTC Notification on Rules and Licensing Processes to Use Foreign Satellite Channel to Provide Services in Thailand (“Foreign Satellite Notification”) requires an operator using a foreign satellite transponder to provide services in Thailand to request NBTC approval (“Foreign Satellite Approval”) to have a gateway or an uplink station in Thailand for the provision of foreign satellite services. The same rules apply regarding whether a Type I, II, or III license is required. Still, concerning foreign-owned satellites, the above notification adds layers of requirements explicitly targeting services in Thailand by foreign-owned satellites. Under the Foreign Satellite Notification, an operator that wants to use a foreign-owned satellite to provide services in Thailand must have the facility and equipment licenses referenced below. We will not go into specific details of the licensing process, which has many nuances, but will provide some foundational information. As of October 2023, the foundational licensing structure for foreign satellite services in Thailand is (i) Foreign Satellite Approval, (ii) Type 3 Telecommunications Business Licenses for satellite-related services, (iii) License for a radio communication station and use of frequency, and (iv) Approval to obtain, use, trade, import, install telecommunications equipment. The above is for general information purposes only and should not be relied upon as legal advice. Authors: John Formichella & Naytiwut Jamallsawat

The Draft Film and Game Act (Draft FGA) was revealed during public hearings by Thailand’s Department of Cultural Promotion in April 2023.Some online articles refer to the Draft FGA as the “Movies and Games Act,” but the Thai word used for “Film” and “Movies” (Pappayon) has the same meaning. As discussed below, the Draft FGA may undergo substantive revisions due to various criticisms. Thus, this article intends to foreshadow legislative intentions and confirm the Thai government will implement mechanisms to implement a rating system for films and games. For example, the draft legislation strongly emphasizes overseeing and controlling the content of films and games, including their advertisement media. The critical aspects of the Draft FGA are outlined as follows: Content Rating: Films and games intended for release or distribution in Thailand must undergo a content rating process to decide the suitability for the age of audiences. This content rating can be conducted either through self-rating by the creator or by a Content Rating Committee of the Department of Cultural Promotion, Ministry of Culture (CRC). If self-rating, the creator must be registered with a central rating authority. Films and games undergoing self-rating must not include content contrary to public order or good morals or may affect the security and dignity of Thailand. Additionally, it should not affect international affairs or have content prohibited within Thailand. The term “contrary to public order or good morals or may affect the security and dignity of Thailand” is often used in Thai legislation as a catch-all to cover possibilities that cannot be foreseen when the legislation is passed into effective law. Export of films and games created in Thailand to other countries requires permission from the CRC. Advertisement of films and games: The CRC must approve advertising for films and games. If advertisements for films and games are found to have content harmful to Thailand’s stability or dignity, regardless of whether they have been classified, they may be subject to legal action related to computer-related offenses. However, the release of the Draft FGA has drawn sharp criticism, with concerns that it could potentially stifle future creativity and entertainment value in film and game content. Indeed, there are reports that the Draft FGA will be rewritten as it is outdated (as of the date of this article), stifles creativity, etc. According to public reports, the intent to rewrite will focus on support for business operators rather than obstacles to film production or creative works. Nonetheless, the government’s intent to implement a content rating system for games and films in Thailand has not changed. The comments here are for discussion and information purposes only. Nothing here should be or can be relied on as legal advice. If you are legally engaged in a criminal defamation matter, seek counsel from a qualified legal professional.  

Introduction Defamation is something that almost everyone could encounter in Thailand. In this regard, many defamation cases are prosecuted and litigated yearly in Thailand. Indeed, legal commenters regularly comment (and opine) that defamation lawsuits are often intended as a form of strike suits or lawfare. Indeed, according to article19.org, “criminal defamation provisions in Thai law (are) against international human rights standards, highlighting a growing international consensus in favour of the decriminalisation of defamation.” Additionally, as much of communications are now broadcast electronically, the Computer Crimes Act makes it a crime to upload false information that can cause damage to the public. With criminal defamation law and the Computer Crimes Act, it is not difficult to understand the concern with speaking or complaining (at least publicly), even if such a complaint or communication would not be defamatory. The costs and risks of defending against such claims are intimidating, and any rational person will consider the costs versus the benefits. There are defences against defamation accusations, as we will generally cover here. Indeed, in the context of the general sense that influential figures use the courts to intimidate and harass critics, rulings of the Thai Supreme Court in part 5 of this article may surprise the general understanding of criminal defamation law. We are not suggesting that abuse of criminal defamation law does not exist. Instead, we are suggesting there are legal defences against claims of defamation, whether claimed in bad faith or not. Legal Source of Criminal Defamation The source of defamation law starts at Section 326 of the Thai Penal Code. Under Section 326, whoever imputes to a third person in a manner likely to impair the reputation of another person or to expose such other person to be reputationally damaged is said to commit defamation and shall be punished with imprisonment not exceeding one year or fined not exceeding twenty thousand Baht or both. The information conveyed to the third party must have the nature of ‘harming’ the victim, which means speaking maliciously, making false accusations that cause harm to others, and communicating information to a third party, whether true or false, intended to damage the reputation of the victim, subjecting them to defamation or hatred. Note that we are speaking of criminal defamation herein and the criminal elements of Actus Reus, Mens Rea, and no defence applies. Statutory Defences However, there are defences and consequences to bad faith accusations of defamation enshrined by statute: Section 161/1 of the Thai Criminal Procedure Code provides (translated): ‘In a case filed by a private complainant if it appears to the court—or through examination of evidence called at trial—that the complainant has filed the lawsuit in bad faith or distorted facts to harass or take undue advantage of a defendant, or to procure any advantage to which the complainant is not rightfully entitled, the court shall order dismissal of the case, and forbid the complainant to refile such case again. As stated in paragraph one, filing a lawsuit in bad faith includes incidents where the complainant intentionally violated a final court’s orders or judgments in another criminal case without providing any appropriate reason’. Section 165/2 provides (translated): ‘During the preliminary hearing, the defendant may submit to the court a significant fact or law which may bring the court to the conclusion that the case before it lacks merit, and may include in the submission as persons, documents, or materials to substantiate the defendant’s claims provided in the request. In such a case, the court may call such persons, documents, or materials to provide evidence in its deliberation of the case as necessary and appropriate, and the complainant and the defendant may examine this evidence with the court’s consent. Indeed, if a case is dismissed under the above-referenced Sections, a party has the basis to file a claim for malicious prosecution. Examples of Criminal Defamation Common types of defamation include: Accusing someone of misconduct or dishonesty, such as claiming they accept bribes, are fraudulent, commit crimes, or betray their country. Damaging someone’s reputation regarding personal sexual matters, such as claiming they were pregnant before marriage, have multiple partners, are rapists, perverts, mistresses, or prostitutes. Accusing or implying someone’s work, profession, or business, such as claiming someone is corrupt, selling counterfeit goods, cheating, or abusing power. Questioning someone’s financial credibility, such as claiming they issue bounced checks or have financial problems. Again, the intent of the above examples must be intentionally or criminally negligent to cause reputational harm. The conveyance can be in any form, such as face-to-face conversations, phone calls, video calls, messaging applications like LINE, Facebook Messenger, posting text on Facebook or Instagram, making announcements in various media, publishing in newspapers, giving interviews, writing letters, sending faxes, sign language, hints, gestures, symbols, or any means that enables a third party to receive and understand the communicated information, regardless of the language used. The offence of defamation is completed when the message reaches a third party. Please note that defamation through advertising carries heavier penalties according to the law, as discussed below. According to Section 328 (translated): If the offence of defamation is committed through advertising using documents, drawings, paintings, movies, images, or letters, whether distributed through sound, images, recordings, or writings or by broadcasting or disseminating through other means, the perpetrator shall be punished with imprisonment not exceeding two years and a fine not exceeding two hundred thousand Baht. For example, posting on Facebook, putting up signs or notices, creating drawings, or publishing on social media platforms creating movies publishing on YouTube, broadcasting advertisements on the radio or podcasts, or posting on various online media would be considered defamation through advertising, resulting in heavier penalties. The Thai Judiciary’s Position With the Thai legal system replete with defamation claims, the Thai courts have been instrumental in defining defamation law. For example, a classic court ruling wherein a photo of a person is posted with an English caption and Thai translation, which states that the person owes 15,910 Baht and has not yet paid, is defamatory. Under such a court ruling, it would harm the person’s reputation, subjecting them to defamation or extreme dislike. Even if the accusation is true, it does not exempt the act from being a defamation offence, as there was no defence or other legitimate purpose for the posting. Additionally, the court found that the communication did not serve any public interest. A common reason, or attempted defence, would be that the public interest is served to inform that a person does not pay debts. Still, the courts find that adjudication or disputes over debts are for the courts to determine. Once such communications are posted, the damage to the victim is apparent and not easily recoverable. Further, it is not the realm of private parties to impose judgement or punishment on a debtor but rather the mechanisms of law and legal procedures. However, specific legal provisions provide exemptions from liability (Thai Penal Code Section 329) and exemptions from punishment (Thai Penal Code Section 330) for defamation offences. Section 329 of the Thai Penal Code states that a person, in good faith, expresses any opinion or a statement shall not be guilty of defamation: Through self-justification or defence or to protect a legitimate interest. An official in the exercise of his functions. By way of fair comment on any person or thing subject to public criticism; or By way of a fair report of an open proceeding of any Court or meeting. An example of a successful defence against a defamation claim is a court ruling regarding a defendant who was the managing director of a Thai company. The defendant issued a letter to dismiss an employee from his employment with the company. The letter was witnessed by third parties and contained the following message (translated): ‘I regret that your refusal has left us with no choice but to terminate your employment with the company immediately…Please leave behind all company assets, including keys to desks, doors, or any vehicles in your possession, and any documents and papers related to the company’s business. We want to remind you that any information you acquired during your employment with the company related to the company’s operations, policies, relationships with customers, and customers’ business, is considered confidential.’ The court found that although the text of the letter does not explicitly display good intentions toward the employee plaintiff, the defendant acted in his capacity as a company director. The letter is not evidence of any indication that the defendant is acting dishonestly or that the plaintiff is portrayed as a socially undesirable individual who is revealing the company’s or its clients’ secrets. The text in the letter does not attempt to insinuate or tarnish the plaintiff’s reputation, leading to defamation or vilification. The letter expresses a statement made in good faith, and there is no legal wrongdoing. In the realm of the judiciary, criminal defamation liability is fact-based while adding context, nuance, and analysis of the intent of the case before the court. The Supreme Court of Thailand has issued numerous rulings setting a precedent of defences to criminal defamation claims. For example: A defendant (in a criminal defamation case), the head of a municipal administration organisation, issued a public statement through a distributed letter stating that the plaintiff fabricated a certificate of computer skills training conducted by a subdistrict administrative organisation. Furthermore, the plaintiff used the documents above to apply for a position as a subdistrict employee with a provincial government, even though the subdistrict administrative organisation never provided the plaintiff with any computer training. In this regard, the defendant made a public announcement to ensure that the residents of the subdistrict were informed of the facts regarding the plaintiff’s fabricated computer skills training. Although the defendant’s communication may potentially damage the plaintiff’s reputation, defame, or slander the plaintiff, the defendant’s actions were justified based on the finding that the plaintiff indeed fabricated the certification documents. Therefore, the defendant expressed an opinion or communicated a message to protect a legitimate interest under the principles of fairness. Consequently, the defendant is not guilty of defamation per Article 329 (1) of the Penal Code. Another Supreme Court case where criminal defamation defendants filed a petition with relevant authorities against the plaintiff, alleging that the plaintiff exerted undue influence to manipulate a decision to award a government contract using the plaintiff’s official authority. The Supreme Court found that the fact that the plaintiff did hold a position of authority to appoint the government committee responsible for evaluating the bidding process, as well as being the presiding officer of such committee, created a perception of bias among the general public and that both defendants had been adversely affected by the plaintiff’s actions. The Court ruled that both defendants could express their opinions and present their views to the appropriate and relevant authority, believing the plaintiff’s alleged actions aligned with their allegations. There was a proven legitimate interest, self-defence, or defence of their interests under the principles of fairness and within the boundaries of Section 329(1). The actions of both defendants did not constitute defamation. In another Supreme Court ruling, criminal defamation defendants jointly drafted a message to be published in a newspaper. The message stated that several companies had produced counterfeit rubber shoes using the defendant’s registered trademark. Considering this, it was necessary to take legal action by involving law enforcement officers to apprehend the individuals responsible for these actions. Subsequently, the defendant listed the names of all four suspects (as it was confirmed that law enforcement officers had arrested them for counterfeiting shoes bearing the defendant’s registered trademark). This was done to disseminate the news to prevent others from imitating or counterfeiting. There was no other intention involved. In this regard, the Supreme Court ruled that the defendant intended to defend himself or to protect his interests. Therefore, the defendant is not guilty of defamation. The Court reasoned that Section 329 of the Thai Penal Code exempts actions that do not constitute defamation to ensure that individuals expressing opinions or statements in good faith are not considered defamatory. This allows for criticism of others within the boundaries established by law and for preserving personal or public interests. The scope of permissible objection depends on various factors, including the nature of the offence, the parties involved, the location of the incident, the causal factors, and the surrounding circumstances. Another example of a Supreme Court ruling states that although the words and statements made by the defendant may be seen as an attack on the plaintiff, who is Prime Minister holding the highest executive position in the country and a political leader, it is expected by society at all levels, both domestically and internationally, that the Prime Minister must possess integrity and exhibit transparent behaviour. A Prime Minister’s actions are subject to scrutiny in all legal and moral aspects, including their conduct in society in all circumstances. Public figures, such as a Prime Minister, whose decisions significantly impact the community, are open to legitimate criticism and must accept broad and diverse perspectives. Statute of Limitations for Criminal Defamation In all cases of criminal defamation, whether it is the offence of ordinary defamation, defamation through advertisement, or defamation of a deceased person, the issue is considered compoundable. An injured party must file a complaint or initiate legal proceedings (under most circumstances) within three months of the date they became aware of the defamatory act and identified the person responsible for the offence. If the injured party fails to file a complaint or initiate legal proceedings within the specified time frame, the case shall be deemed time-barred and cannot be pursued. The comments herein are for discussion and information purposes only and are made as of June 2023. Any developments after the aforesaid date are not included herein. Nothing herein should be or can be relied on as legal advice. If you are legally engaged in a criminal defamation matter, seek counsel from a qualified legal professional. Author: M.L. Numlapyos Sritawat

This article first appeared on Global Legal Insights (2023) Over the past several years, Thailand has been researching, developing, and applying artificial intelligence (AI) and machine learning (ML) in the public and private sectors through international collaborations with AI developers. Thailand is adapting to AI to leverage its benefits in various areas, as demonstrated by its efforts to keep pace with current trends and adapt them for practical purposes. The role of AI has become increasingly common in various sectors. For example, in the financial industry, AI has been employed to analyze customer behavior to recommend appropriate investment and saving options for each customer. Furthermore, as Thailand is one of the global hubs for healthcare services, the health industry has applied AI to analyze and diagnose diseases. For instance, AI is utilized to aid in diagnosing lung disease by detecting abnormalities in chest X-rays and indicating the likelihood of tuberculosis (TB analysis score) during the early symptomatic phase. Additionally, IBM Watson’s AI technology has been employed to analyze cancer treatment. Moreover, the public sector, such as the Revenue Department, has also begun to use AI to analyze tax submissions. After the introduction of AI and ML, big data has been extensively utilized across both large and small organizations in Thailand to facilitate a competitive edge for businesses. Currently, financial institutions are leaders in adopting AI/ML to analyze strategic and non-strategic functions. Financial institutions utilize AI/ML within three primary work groups: customer service, whereby they offer service products that align most effectively with the customers’ requirements; system improvement, wherein they verify the accuracy of documents; and risk management, whereby they evaluate the risk involved in loan provision and detect fraud through intricate forms. In practice, financial institutions will use AI from a third-party service provider. However, financial institutions that wish to use third-party services for essential strategic functions that financial institutions themselves must carry out may not comply with specific regulations. In such cases, financial institutions shall apply for approval or waiver from the Bank of Thailand (BOT) on a case-by-case basis. Nevertheless, the BOT prescribes considerations regarding the usage of AI/ML to be fair, non-discriminatory, accountable, transparent, secure, and reliable. According to the Government Artificial Intelligence Readiness Index 2020, Thailand was ranked 60th due to the need for more AI policies and action plans. In consequence, the Cabinet approved the (Draft) Thailand National AI Strategy and Action Plan (2022–2027) (AI Plan) on 26 July 2022, under the vision “Thailand has an effective ecosystem to promote AI development and application to enhance the economy and quality of life within 2027”. Ownership/protection The status of AI as property or non-property is currently debatable in Thailand. However, the Thai Civil and Commercial Code (CCC) defines “property” as corporeal and incorporeal objects that have value and can be appropriated. Therefore, under Thai law, AI could be classified as property (an incorporeal object) if deemed valuable, and the creator will own an AI algorithm. AI is a property that is protected under intellectual property law. Nonetheless, the Copyright Act B.E.2537 (1994) (CRA) covers computer programs, which it defines as instructions, sets of instructions or any other things used with a computer to operate the computer or generate an output, whatever the computer language is. Therefore, the CRA only protects the source code and not an algorithm. Further, if an employee creates an AI, the employee will generally own the copyright to that AI unless there is a written agreement stating otherwise between the employee and the employer. Regarding protecting AI inventions under the Patent Act B.E.2522 (1979) (PA), it’s important to note that the PA does not protect inventions related to computer programs or scientific and mathematical theories or rules. In academic circles, an “algorithm” is often considered a component of a scientific or mathematical theory. Therefore, the innovation of an AI may not be eligible for protection under the PA. Data is protected under Thailand’s Personal Data Protection Act B.E.2562 (2020) (PDPA). The collection, processing, use, and disclosure of any personal data are subject to the obligations of the PDPA. To collect, process, use, or disclose personal data, the data controller must obtain consent from the data subject or have a legal basis, such as legitimate interests, public task, execution of a contract, etc. Consent must be obtained in writing or electronically, and any fraudulent or misleading practices to obtain such consent are prohibited. The use or disclosure of personal data for purposes other than those initially consented to by the data subject is also prohibited unless permitted by law or the data controller obtains the data subject’s amended consent after informing them of the new purpose. A data subject has the right to withdraw their consent at any time unless restricted by law or an agreement beneficial to the data subject. For example, suppose a personal data controller fails to comply with the provisions of the PDPA. In that case, the data subject may request the deletion, destruction, temporary suspension, or conversion into an anonymous form of their personal data. Board of Directors/Governance There is no explanation for whether AI is harmful or not. However, AI could be defined as property that poses a danger under section 437 of the Civil and Commercial Code (CCC), which prescribes that a person possessing property that poses a danger is responsible for any resulting damages. Moreover, section 85 of the Public Limited Companies Act, B.E. 2535 (1922) (PLCA) prescribes that directors have fiduciary duties and the obligation to perform their responsibilities per the law. Therefore, if any director does any act or omits any action that causes loss to the company, a director will have liability. As companies increasingly incorporate AI and big data into their operations, there are several Thailand corporate governance issues they (directors) need to be aware of, as follows: (1) Data Privacy: Companies must collect data per privacy laws and regulations. The company must be transparent about using personal data and obtain user consent. Thus, a director should be fully aware, or appoint advisors that are fully aware, of how AI collects data, how the data is used, and the security of personal data. (2) Explanation: AI systems have become more complicated, so it can be challenging to understand how they make decisions. Companies must be able to explain how AI systems execute those decisions. (3) Accountability: Companies must be accountable for the decisions made by their AI systems. They need mechanisms to address any adverse consequences or damage resulting from their use, apart from the PLCA and CCC. (4) Cybersecurity: Companies must protect their AI and big data systems from cyber threats. Regulations/government intervention As of April 2023, Thailand does not have specific AI and machine learning laws. However, the critical issues under the AI Plan are as follows: (1) Building a foundation for AI development includes establishing a national database, improving digital infrastructure, and investing in education and research to cultivate AI talent and expertise. (2) Promoting AI adoption in various sectors: The AI plan identifies several sectors where AI can be applied, including healthcare, transportation, agriculture, and manufacturing. The government aims to encourage the adoption of AI in these areas to improve efficiency, productivity, and quality of life. (3) Encouraging innovation and entrepreneurship: The AI plan seeks to foster a culture of innovation and entrepreneurship in AI by providing support for startups, creating incentives for investment, and promoting collaboration between the public and private sectors. Ensuring ethical and responsible use of AI: The AI plan acknowledges the potential risks and challenges and emphasizes the need for moral and accountable development and deployment of AI technologies. Overall, the AI Plan seeks to position the country as a leader in AI development and adoption, focusing on leveraging AI to drive economic growth and improve the quality of life for its citizens. The approach that businesses must manage risks and potential liabilities is that they must determine which risks could significantly harm the organization’s business strategy or operations. Managing such risks involves monitoring internal and external operating and regulatory environments to identify any alterations to the underlying risk landscape and guarantee that the framework is still appropriate. AI in the workplace The advancement of technology leads to the various uses of AI in the workplace. AI has the potential to increase profits in many businesses. Moreover, AI can analyze customers’ needs from an information base, and the company will use those databases to respond to customers’ needs. Nonetheless, there are some concerns about AI replacing humans. A business can use AI-powered automation in numerous ways, such as automating repetitive tasks, analyzing large amounts of data mentioned above, and making decisions based on that data. For example, some manufacturing industries in Thailand use robots to automate tasks such as assembly, welding, and packaging. Chatbots automate customer interactions in the customer service industry and provide quick and accurate responses to common inquiries without violating labor law. According to Section 121 of the Labor Protection Act B.E. 2541, companies must compensate employees who have terminated an employment contract due to implementing machine automation to replace a worker. This obligation extends to machines such as chatbots or restaurant robots used for service. Companies must recognize and adhere to this legal requirement as Thailand has a Labour Relations Board that aggrieved employees may file complaints. To address this issue, the AI Plan urges governments, businesses, and individuals to work together to develop strategies to help displaced workers. However, they must be aware that according to the guiding principle of AI set forth by the Berkman Klein Center for Internet and Society, the objective of creating AI is to support and promote human values. Therefore, AI technology must refrain from supplanting human workers. Civil liability There are no specific laws regarding AI civil liabilities in Thailand at the time of this paper. Nonetheless, AI technology may be considered as property that poses a danger under section 437 of the CCC, whereby any individual who owns or controls a property which poses a threat is responsible for any resulting damages. As an illustration, in cases involving smart cars (i.e., advanced driver assistance systems), the burden of proof is placed upon the owner or controller. It is important to note that this differs from general civil cases under the Civil Procedure Code, wherein the plaintiff bears the onus of providing evidence of wrongdoing on the part of the disputant. Another point that must be considered is whether the controller or owner would be liable under this provision if the damages are caused by an error in the AI system itself, such as a glitch or autonomous decision-making, without any involvement from the controller or owner. Currently, there are no court decisions regarding damage caused by this type of incident as force majeure. Therefore, if the controller or owner can prove that the injuries were caused by force majeure, they will not be liable for the damage. However, the burden of proof is on the controller or owner. According to the Product Liability Act B.E.2551 (2008) (PL), AI may be considered unsafe goods resulting by design. “Goods” is all property produced or imported for sale, including agricultural products and electricity. Therefore, if AI is a tangible asset, movable, and not permanent, AI will be under this law, such as robots, drones, and cars. Other elements of AI, such as algorithms and source code, are not within the scope of enforcement under the PL. A violation under the PL includes determining compensation for the injured party, which may consist of double damages for actual damages or compensation for emotional injuries that the CCC does not provide. In addition, an agreement between a business and a customer to limit or exempt liability for damages resulting from the use of AI cannot be enforced. If there is such an agreement, the agreement shall be voided and unenforceable under PL. Criminal Issues As of this paper’s date, no specific criminal laws are related to AI. In addition, there is no supreme court decision to clarify the definition of AI. However, the Criminal Code can apply to an incident where an AI robot or system commits a crime. It is necessary to examine whether the owner or controller of AI intended to commit a criminal offense or acted negligently. If it is proven that the owner or controller of an AI had the intention to commit a crime or acted negligently, they will be held liable for any offense caused by the AI. Further, suppose an AI is compelling others to commit a crime. In that case, the AI may be considered a tool used to commit the crime, and the owner or controller of the AI may be held liable for the offense only if it is proven that they intended to commit the crime. Discrimination and bias As of the date of this paper, no specific laws in Thailand address the issue of bias in AI systems. However, some laws and regulations may apply to AI systems that produce biased results, particularly those that impact individuals’ rights and freedoms are as follows: (1) PDPA: PDPA regulates the collection, use, and disclosure of personal data in Thailand. If an AI system collects and uses personal data in a way that results in biased outcomes, we believe it could violate the PDPA and anti-discrimination law and policy. (2) Computer-Related Crime Act B.E.2550 (2007) and its amendments (CCA): Under the CCA, computer-related offenses in Thailand, as well as unauthorized access to computer systems and data, have criminal consequences. If an AI system is used to cause harm, damage, or discriminate against individuals intentionally, it could be considered a computer-related offense under this law. National security and military As of the date of this paper, Thailand has no specific laws and regulations regarding AI under national security laws. However, it is anticipated that the AI Plan will achieve the following objectives: They are generating employment opportunities in digital technology and AI. It enhances the Gross Domestic Product (GDP) by creating additional value in the manufacturing and service industries via AI. It enables access to public services that AI facilitates. They are augmenting human capability in digital technology and AI. In a national security sense, in preceding years, there have been contentious matters concerning the transparency of employing software applications known as Pegasus, which originates from Israel. The Thai government used this application to monitor the activities of both anti-government groups and journalists. Numerous scholars and educators have extensively deliberated on the matter, concluding that the conduct mentioned above conflicts with the fundamental tenets espoused by the PDPA, the CCA, the Cybersecurity Act, and the violation of rights and freedom under the Constitution. Thus, a pressing need for a legal framework to govern and regulate the utilization of AI from an organic law perspective is possible. Conclusion The laws and regulations related to AI in Thailand are insufficient, which may pose challenges for parties in the event of an AI-related dispute that goes to court. However, it should be noted that specific sectors, such as banking and insurance, have particular guidelines that acknowledge AI use. Furthermore, lawmakers need to consider expanding the scope of AI regulation beyond these specific sectors to ensure the technology is used responsibly and ethically across all industries. By implementing clear legal frameworks and guidelines, Thailand can create an environment that fosters innovation while ensuring that AI is developed and deployed to benefit society. For further inquiries, please contact John Formichella or Naytiwut Jamallsawat at [email protected]  

The Legitimate Interest Rule, the Exception to the Rule, and the Exception to the Exception. This intricate web of legal concepts is not just a mere set of rules but a challenge that engages legal professionals in the field of data privacy compliance. Statutes often include rules, exceptions to those rules, and even exceptions to the exceptions. This type of legal structure is seen in various legal systems, such as British nationality laws, U.S. Securities and Exchange compliance codes, and the well-known United States Tax Code. As a Data Controller, your role is pivotal under the Personal Data Protection Act (PDPA). For example, breach notification obligations, which you can read about here. Section 19 obligates you not to collect, use, or disclose Personal Data unless a Data Subject has given prior consent, a reasonably straightforward foundation to data privacy law. Understanding the Legitimate Interest Rule and its exceptions is crucial to your responsibility. However, under Section 24 of the PDPA, there is an exception to Section 19 (actually six exceptions) that is often cited (Section 24 (5)), under which no consent of a Data Subject is required if “there is a legitimate interest of the Data Controller or any other Persons…. except where the fundamental rights of the Data Subject override such interests…. As you can see, within Section 24 (5) of the PDPA there is an exception to the exception to Section 19. Section 32 of the PDPA buttresses the consent exception to Section 19 via Section 24, giving a Data Subject the right to object to the collection, use, or disclosure of Personal Data if a Data Controller exercises the consent exception under Section 24 (5) unless the Data Controller can “prove” that collection, use, or disclosure without consent is based on compelling legitimate purposes. What is a “legitimate” interest under the PDPA? First, via Section 24 and Section 32, the burden to prove a legitimate interest will ultimately be on the Data Controller. This process, though challenging, is designed to ensure that Data Controllers are confident and prepared to justify their actions under the PDPA. As is expected with flexible language in the PDPA, legitimate purposes will depend on purpose, necessity, and balancing interests. Take, for example, the use of CCTV at a bank. It is reasonable that a retail bank has a legitimate interest in protecting its customers and employees and ensuring the security of its premises. The purpose of CCTV has been established, and thus necessity and balancing need to be further addressed by a Data Controller. For example, if there was an attempted robbery at a retail bank, and local police, after reviewing CCTV footage, cannot identify the alleged perpetrator. In such a case, it is arguable the bank may need to release such footage to the public to help identify the perpetrator. This is a necessary consideration. As to balancing interests, the Data Controller (presumably a bank) will need to consider whether innocent customers captured on the CCTV footage may be blurred without impacting the image quality of the perpetrator. Depending on the quality of the CCTV footage, the balance of interests may favor the Data Controller not blurring images of innocent bystanders. Alternatively, the Data Controller could place signs notifying customers that CCTV is operating and provide information on how their personal data will be processed. This way, customers know they may be captured by the CCTV, and their personal data may be used in an investigation to identify the alleged perpetrator. Since this processing would not cause unwarranted harm to customers, their interests are balanced with the Data Controller’s legitimate interests. For more articles on Thailand’s laws on data privacy, technology, and telecommunications, please see the Fosrlaw Blog.  

With all the discussions regarding regulating digital platforms, we think it is time to address some safe harbour protections for social media platforms under Thai law.This article is certainly not exhaustive and is intended to give the reader a sense of such protections in Thailand. Our contact information is below for any specific situation you may be experiencing. According to the Bangkok Post, Thailand “is among global leaders in time spent on social media and number of users of Facebook, YouTube, TikTok, and e-commerce” Amongst the ever-expanding regulation of social media and e-commerce in Thailand, which can include criminal liability, there is also the issue of copyright violations. Social media platforms invest significant resources in the issue of copyright violations. According to the website statista.com, YouTube alone dealt with nearly a billion claims in the first six months of 2023. Under Thailand’s Copyright Act B.E. 2537 (1994) (“TCA”), a service provider is exempted from liability for copyright infringement (“Safe Harbour Protections”) if a service provider fits within the definition of 4 categories, which are (i) intermediary service providers, (ii) caching service providers, (iii) hosting service providers, and (iv) search engine providers. There are further qualifications to qualify for Safe Harbour Protections. For example, an “intermediary service provider” will have such protections if it possesses specific characteristics, such as not initiating computer data transmission, establishing and declaring a policy of terminating and stopping service to users who repeatedly infringe copyrights, etc. If an intermediary service provider satisfies such characteristics, it will be protected under the Safe Harbour Protection of the TCA. The comments here are for general information purposes only. Nothing here should be or can be relied on as legal advice.