Legal issues pertaining to personal data protection and mule account liability in emergency decree on measures for the prevention and suppression of technological crimes B.E. 2566

In this era of digitalisation, although technological developments have been harnessed in communication and financial transactions through various platforms, the number of cyber-criminal activities related to technological crime and computer systems is rapidly increasing via cyberspace. Criminals are making use of the gap in cyber systems to deceive the public via technological devices. Moreover, a mule account’ is one of the most popular ways to receive and transfer money from fraud, extortion and other criminal actions to conceal the financial route and disguise the true identity of the criminals. It is noticeable that a mule account is an important tool for operating cybercrime, which is considered a high crime as it can be executed by professional criminals. In this context, the form of deception is improved due to the improvement of technology by criminals. This may cause damage to the economy, security and peace in both the international and domestic arena. According to this independent study on the Emergency Decree on Prevention and Suppression of Technological Crime B.E. 2566, the author found that even though this Emergency Decree is established to combat cyber-criminal activity and protect people from technological crime related to mule account, there is still a need to make amendments because some legal provisions under this law do not cover the challenging issue of cybercrime related to mule account. When government agencies have the authority to access people's personal information, it violates the right to privacy, which is an international human rights principle. Furthermore, a lack of ability to push banks as well as telecommunications companies to take responsibility for damages not only impacts the effectiveness of enforcement but also makes Thailand deny cooperation in transferring personal data related to the prevention and suppression of technological crimes from the EU, the UK and other countries. Due to the of strict privacy protection requirements of foreign countries, it is an obstacle for Thailand to be able to collect evidence, arrest criminals, and investigate the financial trail of mule accounts from governments, police, telecom companies, network operators and banks from the EU, the UK and other countries. Hence, the issue of legal limitations and operational limitations from relevant agencies urgently needs to be addressed in order to facilitate a more efficient process.After studying various concepts and theories, related legal measures and laws of foreign countries, including that of the EU, the UK and Singapore, it is determined that enacting laws regarding the prevention and suppression of technological crimes must be in accordance with the international human rights principles, which are minimum standards of personal data protection. To consider provisions under this Emergency Decree, principles of rights protection will be applied. According to the UK and Singapore laws, banks and telecommunications companies are held for damages because they encourage banks and telecommunications companies to provide strong, appropriate and effective security measures in order to protect against technological crimes. Turning to the Emergency Decree of Thailand, the author believes that it is appropriate to amend and improve provisions under this law by creating international cooperation in exchanging personal data for the preventionand suppression of technological crimes, especially Section 5. From a legal perspective, a set of specific provisions on duties and responsibilities for banks, retail telecommunications networks or SIM card service providers is required in this field in order to be consistent with the guidelines of foreign laws and reach international standards of personal data protection.