Significant regulatory change for service providers on storing computer traffic data – Lexology

The Notification of Ministry of Digital Economy and Society Re: Criteria on Storing Computer Traffic Data of Service Providers B.E. 2564 (2021) (the “New Notification”) has been issued to replace the previous Notification of Ministry of Information and Communication Technology Re: Criteria on Storing Computer Traffic Data of Service Providers B.E. 2550 (2007) (the “Previous Notification”). This New Notification has become effective on 14 August 2021 and significantly changes the regulatory obligations with respect to the retention of computer traffic data applied to service providers.

Summary of the key changes are as follows.

1. Additional and updated service providers subject to the New Notification

In this New Notification, the categories of regulated service providers have been expanded significantly. The current regulated categories of service providers are updated to cover new services, whilst the New Notification also regulates new categories of service providers. Please see a summary of the regulated service providers in the table below.

2. Additional obligations on verification and authentication system, data retention and CCTV

The Previous Notification broadly addresses verification and authentication requirements. However, the New Notification further specifies the user verification and authentication requirements. The user verification and authentication system shall be in accordance with standards specified in the Electronic Transactions Act B.E. 2544.

The service provider shall also provide security measures for storing the computer traffic data, as follows:

• store the computer traffic data in media, computer equipment or a computer system that can maintain the integrity and authentication of users;
• set up an access control system for the computer traffic data;
•  assign a person who coordinates with the MDES official;
•  the stored computer traffic data must be able to identify and authenticate individual users (e.g., indicating proxy server, network address translation, proxy cache, cache engine, free internet; or Wi-Fi hotspot).

The types of computer traffic data required for each category of service providers has also changed. Each category should further check the applicable requirements.

Under the New Notification, there are new obligations for restaurants or any businesses that offer internet as additional services for customers, such businesses must install CCTV to record user access details, prepare a user log detailing user access each day, and carry out an activity that can identify the identity of the users.

3. Change of data retention period

The New Notification also changes the retention period. In general, the service provider shall store computer traffic data for at least 90 days from the date when such data is input into a computer system. However, if (a) there is reasonable cause to believe that there are offences under the Computer Crime Act; (b) for the purposes of collecting information and evidence on the offences relating to national security, terrorism, or public disorder concerning the use of computer system or computer data; or (c) there are requests from an inquiry officer, the competent official may order the service provider to extend the computer traffic data retention period for a maximum of 6 months consecutively, but not exceeding 2 years in total.

4. Third party service providers must comply with the requirements under the New Notification

Under the New Notification, third party service providers, e.g. cloud service providers, that are engaged by a regulated service provider to store computer traffic data must store, make a copy, keep the computer traffic data, and deliver such computer traffic data to the authorities upon request. Such computer traffic data must be able to identify and authenticate the identity of users as prescribed under the New Notification.

There are other new concepts and requirements under the New Notification, e.g. AI, social media, offshore service providers.

We would like to take this opportunity to highlight that there are significant changes that would likely impact the operation of service providers. The technical requirements of which are quite complex and detailed. Thus, it is imperative that business operators revisit the current practice and are ready for compliance. In terms of enforcement, it remains to be seen how the New Notification could impact offshore service providers as certain names of offshore service providers, e.g. App Store, Google Play, Chatbot, Clubhouse, Telegram, Facebook, YouTube, Instagram, LinkedIn, Line, MSN Messenger, WhatsApp, are specified in the New Notification.