DE Ministry giving clear warning for notice and takedown of data breaching national security within 24 hours

On 22 July 2017, the Government Gazette website has published the regulation issued by the Ministry of Digital Economy and Society (DE) concerning the “take down and notice of computer data and the removal of computer data from computer system” and other regulations, altogether fie of them after public consultations had been held on all these laws.  
The notice and take down regulation shall impact freedom to receive online information. Two changes have been applied to the original draft of the regulation, after the public consultation, including (1) the timing for notice and take down for data in breach of Section 14 and (2) additional channels through which the ISPs may challenge the take down instruction if they deem the data is not in breach of the CCA.  
Notice and takedown
Owners of website are required to prepare a takedown notice. ISPs are obliged to prepare a written form of takedown notice in whatever formats, but it has to include the following information.  
1) Name, address, phone number of email of the ISPs their representatives
2) Compliant form which can be used by the internet users to make their complaints. The form must contain the following information; 
– Name and address of the complainant and their signatures or the authorized persons 
– Detail of the offence against CCA’s Section 14 
– Contact information of the ISPs including email, address, phone or fax numbers and others 
– Detail of damage inflicted on other users or persons 
– A certification letter to confirm that the information is true 
 Takedown notice lodged by general users  
If an internet user has found an ISP spread information that violates Section 14 of the CCA, they shall act as the following; 
– Report the case to the police including detail of damage that has been inflicted on the internet user and other persons. Documents to prove the offence against Section 14 and other evidence have to be submitted to the inquiry official or the police.  
– Fill out the complaint form and submit it to the ISPs along with a copy of the report to the police and other incriminating evidence.  
Methods to take down or remove computer data
After receiving the complaint form and other related material, the ISPs have to act as the following; 
– Remove or alter the illegal material to stop its dissemination immediately 
– Prepare a copy of complaint and detail of the complaint and return it to the internet user or the other concerned persons 
The takedown of data has to be carried out as soon as possible, but not beyond the following durations;  
1) Data which constitutes an offence concerning the importation of false or distorted data, per Section 14 (1), has to be removed within seven days since the day the complaint has been received. 
2) Data which constitutes an offence concerning the importation of false information that may cause panic to the public and impairs security, public security, national economic security or public infrastructure serving pubic interest per Section 14 (2) and (3) has to be removed within 24 hours.
3) Data which constitutes an offence concerning the importation of pornographic material per Section 14 (4) has to be removed within three days.  
Challenge
The owners of information removed from the computer system has the right to challenge the takedown notice as follows; 
– Report the case to the police with detail of the information taken down by the ISPs, and damage inflicted on oneself and submit material to prove their ownership of the information and other material that proves that the information is not illegal. 
– Inform the ISPs of detail (no form is prepared) and submit a copy of the report to the police and other evidence 
– After receiving the challenge, the ISPs may cancel the takedown of the information. This is up to the discretion of the ISPs.  
Major recommendations from the public consultations that have been ignored 
The Ministry of Digital Economy and Society (DE) has conducted public consultations of the five regulations hoping to draw out recommendations which can be applied to enhance the draft regulations. Nevertheless, major recommendations have been ignored and not informed the final drafts of the regulations including; 
1) The process to determine which data is illegal as raised by the complainants and the ISPs have still be left with the burden of proof to use their own discretion to determine the legality of the data.  
2) In case the alleged offensive data falls outside capacity of the Thai ISPs to have it removed, i.e. facebook posts, how should the ISPs act in order to avoid being incriminated per Section 15. 
3) The incompatibility of the two principal laws including the CCA and the Ministerial Regulations since the revised version of the CCA stipulates that the ISPs have to retain data within the duration provide for whereas according to the DE regulations, they are obliged to have it removed, as soon as possible, since receiving the takedown notice.
4) According to the public consultation on 23 May 2017, it was recommended that the duration of time for the removal of offensive data should be 20 days based on the verdict of the Supreme Court on Prachatai case. 
5) Government officials or ISPs may invoke this regulation to have undesirable data removed bypassing the judicial review which is required, prior to the blockade of access to information, according to the procedure provided for in the CCA. 
Apart from not reflecting major recommendations made during the public consultation, these regulations impose the takedown period, based on different types of offence especially per Section 14 (2) and (3), which requires that the data has to be taken down within 24 hours. This can be done without any process to determine the legality of the data and as a result, the provision can be abused to mistreat certain individuals or to competitors in the online world.  
What will happen if a takedown notice has been sent to the ISPs, but they have not received it, or if it has arrive on public holidays, will the ISPs be held liable per Section 15 or not? 
Regarding the duration according to the regulations, will they also include just working days or not?  In other countries, the notice and takedown period only covers business days, excluding public holidays, i.e. the US DMCA Law and there the notice and takedown period has to be at least ten days or longer, but not more than 14 working days.