TL:DR #5 Data Control – State versus Private Sector?

The attempt to control the internet by many states has often been presented under the veil of asserted necessity to ‘protect’ citizens against violations of their rights [1]. There are many examples of how individuals and companies can exploit an unregulated economic revolution to maximise profits at the expense of human rights and weaker less dominant parties, most notably following the industrial revolution when a rebalance of rights was required to redress atrocious working conditions, slave and underage labour and unbridled laissez-faireism through the rise of the evil corporation [2]. The internet and the digital revolution have provided another opportunity for dominance by huge powerful enterprises that when unconstrained can accelerate economic growth but with material social damage to employees and wider stakeholders along the way. Facebook [3], Google, Amazon, et al have all been confronted and challenged, but viewed through some lenses, without much vigour or success, and through the strong libertarian lens, unnecessarily so.

If all citizens were governed by fair, honest, ethical, just, upright, honourable, and empathetic rulers, through whichever political systems happen to be in play – democratic, authoritarian, semi-autocratic, or any mix you care to imagine, then there could be a strong degree of trust that rules would be developed in a balanced manner designed to rebalance violations and exploitation and to set down a long-lasting framework for the digital revolution. Unfortunately, as evident from the aggregate poor quality of state management globally of the COVID19 pandemic, it is very apparent that citizens cannot uphold the state or the political and ruling class feeding within its troughs as somehow worthy of an elevated status under which they might come up with ‘great’ rules for managing the digital revolution without embedded self-interest, corruption, exploitation of citizens and using power to remain in power and control so as to maximise the period of time and depth of exploitation possible.

History and the state of current affairs speak for themselves. There are, of course, notable exceptions within this ruling and elite class of some outstanding individuals, but they are prominent and memorable most likely because of their rarity or perhaps because of subjective cynicism applied when viewing the misdemeanours of the persons empowered by the state or themselves to govern citizens.

The fabric of new laws is often now woven from a global fabric or international government organisations, forming committees that encapsulate academia, professionals with state and private sector experience, and a wide range of experts who should be ex

perienced in the effects of implementing laws [4], often choosing to create ‘soft’ law principles first, and then promote adoption amongst states through treaty adoption and localised legislative techniques that will not eliminate the varieties of capitalism, socialism, economics and culture which often differentiate various systems and how laws are implemented and enforced in practice.

Thailand recently attempted to introduce its own Personal and Data Protection Act B.E. 2562 (2019) [5], as a reflection of Europe’s introduction and use of the European General Data Protection Regulations [6]. It is important, before analysing the Thai st

ate’s approach to its power over digital matters, to note that the European Unions GDPR was promoted as being “the toughest privacy and security law in the world”. It is also worth noting that not all countries ‘around the world’ accept the jurisdiction of the European Union to determine how such countries and entities within them manage their affairs unless explicitly consenting through bi- or multi-lateral treaties or specific arrangements and recognition. Therefore, if Thailand chooses to implement ‘tough’ privacy and security laws, any criticisms should be cognisant of the structural flaws in other systems – both in terms of principles of governance, breadth of jurisdictional rights, and fairness of sanctions too.

Thailand had to delay the implementation and effective date of enforcement of the PDPA, to accommodate the clear fact that many companies were unprepared, and that economic harm could be greater than the protection intended under the rules, by virtue of economic circumstance under the pandemic, but also in terms of such unpreparedness.

Unfortunately, other systems of the rule relating to the use of data are in the spotlight in Thailand from intense international and domestic criticism, alleging abuse of legislation such as the “Computer Crime Act B.E. 2650 (2017)” [7]. There is a very interesting article, co-authored by Sinfah Tunsarawuth and Toby Mendell, entitled “Analysis of Computer Crime Act of Thailand” [8] which sets out some of the key controversies relating to the Act and its use in 2010. We can’t say how much of the article is ‘true’ but it certainly seems well researched to our layperson eyes. It should be noted that the power of the Computer Crime Act has continued to be used to date. Much more recently, the powers of the Thai state and its application to media and digital technology are under the spotlight, with a concentration of focus on the publishing and spreading of ‘fake news’ [9] through the implementation of emergency powers that allow imprisonment and fines measured, perhaps somewhat frighteningly, by the extent to which ‘frightening people’ has occurred as a result of the dissemination.

Mathematicians will be very much aware that the capacity in jails would not be able to accommodate the propensity of many to hit the ‘share button’ when they receive news, not perhaps possessing either the know-how or guile to establish if the information is ‘fake’ ‘partly true’ or ‘wholly true’. Whilst some of these emergency powers are implemented to try and prevent the provocation of political unrest, the unfortunate aftermath or by-product, unintended or intended, can be that innocent citizen who upset the ‘wrong people’ may find themselves in hot water, or … a hot and humid jail with frequent outbreaks of COVID19 and limited options to ‘socially distance’ themselves.

The PDPA is not supposed to be ‘mixed’ up with the issues arising from the Computer Crime Act of the emergency powers recently implemented. It is instead supposed to underpin a framework of coping with a new age of ‘data’ as a store of value and method of extracting value from citizens and the private sector.

What will be most interesting to observe, is to see whether the laws in Europe and reflective laws elsewhere can actually keep up with the evolution of the use of data in society and the business sector. When draftspersons sat down at their laptops to codify provisions on ‘data controllers’ and ‘data processors’, were they imagining that an ‘influencer’ with millions of followers might record thousands of hours of video in which there may be many falsehoods about the ‘products’ they are ‘subliminally’, ‘indirectly’ or ‘directly’ promoting. If an influencer states 100 facts about a hotel, and one falsehood or semi-falsehood, should they be sent to prison? If that same influencer leverages the number of ‘likes’ on a short music video they made dancing in front of a product, without the consent of the followers to be ‘leveraged’, do the followers deserve the protection of the law, and who is going to monitor, supervise and enforce that level of regulation?

In the new digital world, almost everybody is becoming a photographer and and videographer of sorts.

When ‘everybody’ used to trade opinions on their favourite or most disliked coffee shops, restaurants, leisure activities, and politics in a social physical forum, did they do so under the threat of ‘going to jail’ if they uttered a ‘falsehood’ or exaggeration to keep the conversation lively? Now if they do this on the internet, with exposure to more people than traditionally available in person, does the additional strength of their power of representation, the potential damage to a larger group of persons through falsehood or exaggeration to keep the conversation lively? Now if they do this on the internet, with exposure to more people than traditionally available in person, does the additional strength of their power of representation, the potential damage to a larger group of persons through falsehood or misuse of data, mean that the penalties should be exponentially greater?

As you finish reading this article, will you check your Facebook account, check your Timeline on Line, check what has been shared on Linked In, and seriously consider that if you ‘leverage’ the data incorrectly when you share an article amongst Facebook Friends; Line Contacts and Linked In Connections, that you might be imprisoned or heavily fined if you make a mistake? Do you think this is the direction that law and governance should take when thinking about the recent ‘competence’ analysis of the ruling and elite classes?

It will be interesting, to say the least, to see how the tussle of power and control plays out between states and the private sector with regards to the ever increasingly important subject of ‘digital data’. For Hughes Krupica’s team and leadership, we have held the strong belief that information is one of the most powerful global tools aside from weaponry and we treat it seriously, train our team to use it wisely wherever possible, and when we work on transactions and in litigation, our team members are alert to the power of information symmetry and asymmetry, and the human tendency to abuse and manipulate information for gain. Misuse of information cannot be ignored as not serious and damage to individuals and states has historically always needed a regulatory framework to deal with the fact that humans break the rules, betray ethical and social norms, and are natural exploiters. Some of them are in the private sector, some in the public sector. Information or data regulation is therefore critical in how each of our lives will be ‘managed’ and lived from generation to next. When changes to the rules of the information game are made, every citizen, regardless of Nationality, location, and other potentially discriminatory factors, should pay close attention, and where possible play their part in promoting checks and balances.

[1] National Conference of State Legislatures State Laws Related to Digital Privacy (22 July 2021, see: https://www.ncsl.org/research/telecommunications-and-information-technology/state-laws-related-to-internet-privacy.aspx ) last accessed 1 August 2021

[2] Joel Bakan The Corporation: The Pathological Pursuit of Profit and Power (Free Press 2005)

[3] Federation Trade Commission FTC Imposes $5 Billion Penalty and Sweeping New Privacy Restrictions on Facebook (24 July 2019 see: https://www.ftc.gov/news-events/press-releases/2019/07/ftc-imposes-5-billion-penalty-sweeping-new-privacy-restrictions )

[4] United Nations, United Nations Commission On International Trade Law (UNCITRAL) Working Group IV: Electronic Commerce (see: https://uncitral.un.org/en/working_groups/4/electronic_commerce ) last accessed 1 August 2021

[5] See here for original Thai text: http://www.ratchakitcha.soc.go.th/DATA/PDF/2563/A/037/T_0001.PDF and here for English translation: https://www.dataguidance.com/sites/default/files/entranslation_of_the_personal_data_protection_act_0.pdf

[6] Ben Wolford European Union GDPR.EU What is GDPR, the EU’s new data protection law? (see: https://gdpr.eu/what-is-gdpr/ )

[7] See Thai Text here: and English text here: https://www.mdes.go.th/law/detail/3618-COMPUTER-RELATED-CRIME-ACT-B-E–2550–2007-

[8] Sinfah Tunsarawuth & Toby Mendel Analysis of Computer Crime Act of Thailand (Thainetizen.org May 2010 see: https://thainetizen.org/wp-content/uploads/2010/07/Analysis-of-Computer-Crime-Act-of-Thailand-By-Sinfah-Tunsarawuth-and-Toby-Mendel.pdf ) last accessed 1 August 2021.

[9] Bangkok Post Online Fearmongers targeted under Prayut new order (29 July 2021 see: https://www.bangkokpost.com/thailand/general/2156803/fearmongers-targeted-under-prayut-new-order ) last accessed 1 August 2021

Write a comment