Privacy International defends the right to privacy across the world, and fights surveillance and other intrusions into private life by governments and corporations. Read more »


III. Surveillance policy

Lawful Access Powers of Government Agencies

Personal information is generally governed by the Official Information Act, B.E. 2540. State agencies cannot disclose personal information in their control to other state agencies or other persons without getting prior or immediate consent in writing from the person who is the subject except for the following circumstances:1

  • disclosure to State officials in their own agency for the purpose of using it in accordance with the powers and duties of such agency;
  • disclosure for ordinary purposes within the objectives of the provision for such personal information systems;
  • disclosure to State agencies which operate in the field of planning, statistics, or census and have the duty to keep the personal information secret;
  • disclosure for studies and research without mentioning the name or partially revealing the identity of the person to whom the personal information is related;
  • disclosure to the National Archives Division, Fine Arts Department, or other State agencies under section 26 (1) for the purpose of evaluating the value of keeping such information;
  • disclosure to State officials for the purpose of preventing the violation of or non-compliance with the law, conducting investigations and inquiries, or instituting legal actions of any type whatsoever;
  • disclosure necessary for the prevention or elimination of hazards to the life or health of persons; or
  • disclosure to the Court, State officials, State agencies, or persons having the power under the law to make a request for such information.

In an emergency situation that affects or may affect the public order of the people, or endangers the security of the state, or may cause the country or any part of the country to fall into a state of difficulty, or relates to an offence relating to terrorism under the Penal Code, a battle, or a war, the Prime Minister is empowered to declare an emergency situation applicable to the whole Kingdom or some area or locality as necessary for the situation. A Public Administration in Emergency Situation Committee may be set up by the Prime Minister. When a Declaration of Emergency Situation is in place, the powers and duties of a Minister, Ministry or several Ministries shall be temporarily transferred to the Prime Minister.2

In the event of an occurrence that affects internal security but that does not yet require the declaration of a state of emergency, the cabinet can pass a resolution to have the Internal Security Operation Command (ISOC) take responsibility for the prevention, suppression, and mitigation of occurrences that affect internal security.3

Intelligence and Surveillance Oversight

There are five main agencies responsible for intelligence and surveillance services. These are: the National Intelligence Agency, Armed Forces Security Center, Department of Special Investigation, Internal Security Operations Command, and Crime Suppression Division.

These agencies have been working under the broad provision of 'national security' derived from Article 78 in the Constitution, which indicates that state affairs must be administered to secure national security. For instance, the National Intelligence Agency Act B.E. 2528, authorises the National Intelligence Agency to intercept the radio communications of any organisation that might affect national security. There is no limit of access to data by intelligence and surveillance agencies. Most of these agencies are under the supervision of the Prime Minister.

Immigration and Privacy

Generally, a foreign citizen who wishes to enter the Kingdom of Thailand is required to obtain a visa from a Royal Thai Embassy or a Royal Thai Consulate-General in their home country. However, nationals of certain countries do not require visas if they meet visa exemption requirements announced by the Interior Ministry and visit Thailand for the purpose of tourism.4 Some nationals of certain countries may apply for visas upon arrival in Thailand. Applicants must complete the visa application, which requires personal information such as name, birthplace, nationality, marital status, date of birth, permanent address and address in Thailand, occupation, and telephone number and name and address of a local guarantor.

Aliens who are not in Thailand and wish to work in Thailand must contact a Royal Thai Embassy or Consulate in their respective countries for advice and recommendations for being granted a non-immigrant VISA.5 Migrants from Laos, Cambodia, and Myanmar who work in Thailand illegally have, however, been offered a registration and national verification process to apply for a work permit and will be issued migrant ID cards.

Travel and Borders

Every passenger leaving the country will need to fill in a departure card that requires information such as name, sex, date of birth, nationality, passport number, and flight number. The immigration bureau is responsible for border control and serves works with the Royal Thai Police plan, control, examine, recommend, and suggest immigration procedures based on relevant law. The immigration bureau also performs duties according to the Criminal Procedure Law, Immigration Act, Alien Registration Law, Human Trafficking Act, and other related criminal laws.6 There is, however, no provision for privacy rules that apply to immigration procedures.

After passing immigration formalities, airport security staff perform security checks. Carry-on luggage must go through an X-Ray machine. Laptop, jacket, belt, and zip-lock plastic bag containing liquids will be put into a separate tray. The passenger will also be asked to go through the X-Ray machine and metal detector. Any passenger who refuses the luggage or body check and refuses to follow the security measures will not be permitted to board the aircraft.7 There is no policy to search laptops provided that the laptop does not alert the metal detector.

Profiling/Data mining

In Thailand, one of the most significant entities conducting the country's profiling and data mining is the Criminal Records Division of the Royal Thai Police.8

The division undertakes two major duties: personal record check and criminal record elimination. These are conducted under the Official Information Act, B.E.2540 (1997)9 and the Royal Thai Police's regulations. All profiling and data mining are governed accordingly.

A criminal record includes the complete personal record of a person who has faced criminal charges or charges bearing penalties more serious than light punishment, and has been fingerprinted. The criminal record comprises name, family name, ID card number, parents' names, date of birth, record of wrongdoing, and status of criminal case.

All criminal records nationwide will be submitted to the division's database and updated on the fifth day of every month. Neither the general public, nor other organisations are allowed to access the database. Only police officials of the relevant division are able to retrieve the information.

The personal record, which is confidential information according to the law, can only be checked for the purpose of investigating criminal cases, verifying election candidate qualifications, recruiting staff for independent organisations or public entities, or checking the personal records of persons traveling out of the country. The private sector may also request personal record checks for staff recruitment on a case-by-case basis.

Deletion of criminal records can be done under the law and the Royal Thai Police's regulations in cases of, for example, death, cases with final judgment, or cases where the accusations have been withdrawn or the accused has been acquitted. Police officials shall submit the matter, including evidences, to the division for criminal record elimination.
For the private sector, including business organisations, in particular, there is no special law governing profiling or data mining of personal records, which mostly means records of their staff. However, most companies adopt their own code of ethics for using staff personal information. They may share some information that is not individually identified. For example, the human resources department of a company may share with another company for exchange purposes information regarding average staff age or average year of staff working experience.


DNA collection is allowed only when the police need to keep evidence of the suspects that it will be delivered to court. The latest development on DNA collecting came in April 2012, when the Minister of Interior, Chalerm Yoobamrung, initiated an anti-drug prison policy. This policy will be implemented by the Department of Special Investigation (DSI). DSI, in conjunction with the Ministry of Justice, will start to collect inmates' DNA and keep the samples for analysis in case drugs or mobile phones are smuggled into the prison.10

Communications Surveillance and Data Retention

The Thailand Computer Crime Act, B.E.2550 mostly governs the collection of communications information, including both traffic data and content. Apart from the law, the Notification of the Ministry of Information and Communication Technology Re: Criteria concerning Archiving of Computer Traffic Data of Service Provider B.E.2550,11 enforced on August 23, 2008, became another tool for authorities to conduct communications surveillance.

The law requires Internet service providers to archive computer traffic data that can identify users for 90 days or longer. Otherwise, they will be subjected to a fine of THB500,000 (approximately USD15,000). Moreover, those who have archived computer traffic data but fail to present it to state officials when requested will be fined THB200,000 (about USD6,500) with an additional THB5,000(about USD150) per day until they comply.

State officials are authorised to request communications traffic and content in cases where falsified data, untrue information, information related to terrorism, or obscene contents may cause damage to, impacts upon, or panic to others, the general public, or the country's security. However, no regular schedule is specified for routine interception of content by authorities.

Because severe penalties apply to those breaching the law, Internet service providers, as well as webmasters, need to construct a system to screen the information used via the Internet by subscribed users as well as to verify the authentication of the users upon logging into the system.12

Via a court summons, the law also authorised Internet service providers to restrain access to inappropriate information via the Internet.13 However, according to the Thailand Internet Liberty Report 2010,14 blockage or censorship of the Internet in 2010 was different from previous years. During the anti-government protests in 2010, Prime Minister Abhisit Vejjajiva promulgated the Emergency Decree on Government Administration in States of Emergency B.E. 2548 (2005) authorising the Director of the Centre for Resolution of the Emergency Situation (CRES) to shut down any websites without requiring a summons. Thus, in June 2010, the total number of blocked or censored websites rose to 43,000,15 compared to 9,600 in August 2009.

Visual surveillance

CCTV is primarily installed by private sector operators such as banks, hotels, department stores, convenience stores, and large corporations. There is only one legal requirement so far under the ministerial regulation on the licensing and operation of video in shops (for game shops and Internet caf s), which is to install at least one CCTV camera in the establishment if there are more than 15 computers.16

In certain public areas such as airports and government agencies, CCTV has been installed. However, not all government agencies have CCTV as there is no legal requirement. Certain cities, such as Bangkok, and the southern border provinces where insurgencies are taking place, have also been equipped with CCTV. Security cameras were installed in parts of Bangkok in 2007 after the capital suffered nine bomb explosions during the New Year 2007 celebrations.17 During the bombings there were only about 100 cameras in use, prompting a call for more to be installed.18 Now, in Bangkok alone, there are more than 10,000 CCTV cameras19, installed for traffic monitoring and security purposes. The cameras installed in high-traffic areas are very capable; they can capture sharp pictures of vehicle number plates. In the five southern cities, the cameras are fewer; it is reported that 3,500 have been installed.20

There is no law and regulations governing the use of CCTV or how to obtain footage if requested.

Restrictions on internet use, cybercafés

Although there is no explicit law governing internet users' information, the Thailand Computer Crime Act, B.E. 2550 (2007) and Notification of Ministry of Information and Communication Technology, Re: Criteria concerning Archiving of Computer Traffic Data of Service Provider B.E. 2550, require Internet café operators and online game service providers to collect customer information. The collected information may be used in evidence, and to issue notices to, or trace and investigate wrong doers. Collected information can include personally identifiable information, starting and ending times of service use, and IP (Internet Protocol) address.21

In cases where business operators fail to present the said information as required, they will be fined up to THB200,000 (USD6,500) as well as up to THB5,000 (USD150) daily until they comply.

The benefit of the aforementioned data collection was apparent in the "Nigerian Gang 419" case in 2008, in which the victims were deceived into transferring money to the wrongdoers in exchange for a $1million reward.22

Nevertheless, according to a research survey,23 no strict enforcement of the law has been experienced by any Internet café operators or online game service providers in Thailand. Most of the probes have been done in the area of checking the ages of users. Some Internet café operators, which tend to choose locations near educational institutes, collect customer information such as names. However, most online game service providers do not.

Cyber security

The Ministry of Information and Communications Technology (MICT) is responsible for ICT policy and oversight across the country. An Internet filtering regime began in Thailand in 2002 with the establishment of a filtering unit within the MICT called the Cyber Inspector. The Cyber Inspector focused its filtering activity on issues such as pornography, negative comments about the monarchy, gambling, terrorism, and separatist movements.24

However, its existence and role were widely questioned by the public as the legal grounds for filtering were lacking. The legalisation of Internet filtering began in 2007 with the enactment of the controversial Computer Crime, which delegated full authority to state officials in surveillance, censorship, and control of Internet information and communication. For instance, Section 18 of this law authorised designated competent officials to:

  • summon an alleged party to appear, report, or send documents, information, or evidence;
  • request computer-based traffic information and other information that concerns Internet users from service providers and parties involved;
  • duplicate computer information and computer-based traffic information;
  • decrypt, censor, and access computer systems, computer information, computer-based traffic information, or equipment used to store computer information; and/or
  • confiscate or "freeze" any computer system.25

The Computer-related Offences Act requires all service providers   ISPs, OSPs, webmasters, Web moderators, and Internet cafés to keep a log file of their users including IP addresses for 90 days.26

Government officials certainly have the power to investigate the computer information and traffic as authorised by Computer Crime Act. The limit and means to get access to information have not, however, been set out in the law.