The Thailand Personal Data Protection Act: What We Know So Far
Thailand is the latest country to take definitive steps towards the adoption of data protection legislation. The European Union’s General Data Protection Regulation (GDPR) created a ripple effect across the world, with governments pushing for new data protection regulations that will both protect their own data subjects and bring their legislation up-to-date with the new international standard set by the GDPR.
After nearly twenty years in the making, the Thailand Personal Data Protection Act (PDPA) was finally approved by the National Legislative Assembly on 28 February 2019. The Act must now receive a royal endorsement, after which it will be published in the Government Gazette and passed into law. The Act will come into force one year after the date of its publication in the Government Gazette.
While the Thai constitution recognizes the right to privacy and previous sector-specific regulations existed, the PDPA will be the first Thai law to govern data protection in a broad sense. The PDPA used the GDPR as a blueprint, adopting some of the European regulation’s most well-known provisions and adapting them to the local context. Let’s have a look at what we know about it so far from the latest available draft of the law.
Personal information and PDPA applicability
The PDPA’s aim is to restrict the gathering, use, transfer and disclosure of Thai data subjects’ personal information by data controllers and processors. Personal data is defined as any information that can be used to identify a person, whether directly or indirectly. It explicitly excludes two types of data: a deceased individual’s personal information and business data such as business contact details, title or address.
There are also special categories of sensitive data covering information relating to race, ethnicity, sexuality, political, religious or philosophical beliefs, health data, criminal records, trade union membership, and genetic and biometric data. Companies are prohibited from collecting such data without the express consent of data subjects, except in certain cases such as where collection is required by law or in a medical emergency.
Most organizations doing business in Thailand, whether onshore or offshore, will have to comply with the PDPA. Just like the GDPR, the PDPA has an extraterritorial reach. Whether they have offices in the country or not, companies offering goods and services to Thai data subjects or monitoring any behavior that takes place within Thailand will need to comply with the PDPA and appoint a local representative.
Thai data subjects’ rights
Once the PDPA comes into force, Thai data subjects will have the right to request access to their personal information or, in the event that the data controller is non-compliant with the PDPA, that their personal data be deleted, destroyed or anonymized. They will also have the right to data portability.
Data controllers must obtain consent for personal data processing. Requests for consent must be phrased clearly and must not deceive or mislead data subjects. Consent must be given in writing or through electronic means unless that is impossible by its nature. Consent can be forgone in certain situations, such as for legitimate reasons, public interest or the performance of contractual obligations.
When it comes to minors, the PDPA requires parental consent for data subjects under 10 years old and in certain cases for minors over 10 years old as well.
Data Protection Officers
Data controllers and data processors must appoint a data protection officer if their core activities relate to the collection, use or transfer of sensitive personal data or if they possess personal data on a large scale that requires regular monitoring.
The enforcement of the PDPA will fall under the jurisdiction of a Personal Data Protection Committee that will be established specifically for this purpose. Noncompliance with the PDPA can lead to both civil and criminal liabilities.
Cross-border personal data transfers
Personal data can only be transferred to another country if its data protection measures comply with a set of guidelines to be defined by the Personal Data Protection Committee after its establishment.
There are a number of exceptions. Organizations can transfer data to other countries if they obtain prior consent from data subjects or if the transfer is in accordance with any applicable law or otherwise prescribed by ministerial regulation. Alternatively, transfers are allowed if there is a preexistent contract between the data subject and the data controller that allows it or the transfer is in the interest of the data subject who is incapable of giving consent.
The PDPA encompasses some of the GDPR’s most progressive and strict requirements. Like other countries, Thailand is probably hoping for an adequacy ruling from the European Commission that will mean that it has a high enough level of data protection to ensure a smooth flow of data between Thailand and the European bloc.