On 28 February 2019 Thailand’s National Legislative Assembly approved the Personal Data Protection Act (PDPA), marking a shift from numerous sector-specific, patchy laws to a comprehensive law governing data protection in Thailand.
In that context, some restructuring within the government is needed to ensure that the PDPA is respected. The first example of such restructuring is the newly created Personal Data Protection Committee (PDPC), a legal body whose role is to issue further sub-regulations under the PDPA. The second example is the positions that will eventually have to be created: a Data Protection Officer, and a Local Representative (within Thailand’s jurisdiction) for data controllers and processors located outside the country.
The PDPA is also about guaranteeing rights. Under the PDPA, the data controller will have to guarantee the rights of the data subjects, which include the right of access, the right to erasure and rectification, the right to object, and the right to data portability.
The PDPA ensures that data usage has legal grounds. The data controller may only collect, use, disclose and/or transfer personal data if it has a legal basis, i.e. if the data subject has given their consent or another exemption applies, such as legal obligations, legitimate interest or public interest.
Penalties are set to be put in place to ensure PDPA compliance. The PDPC has the legal power to impose civil and criminal penalties on any person or entity that does not comply with the PDPA. Civil penalties include administrative fines of up to THB 5m and punitive damages of up to twice the amount of actual damages. Criminal penalties include imprisonment for up to one year and fines of up to THB 1m.
The PDPA, whose draft has been heavily influenced by the General Data Protection Regulation (GDPR), has material as well as compliance differences with its European counterpart. The first example of such differences is that the PDPA contains no detailed rules regarding the use of automated processing of individuals’ personal data for decision making (which includes profiling).
The second example concerns the adoption of security measures by data controllers and processors: the GDPR is quite specific on this point (although rather vague on the exact measures to implement), whereas the PDPA only provides general obligations in that regard.
Along the same lines is the Cybersecurity Act (CSA), which was approved and endorsed by the Thai National Legislative Assembly on 28 February 2019 and became effective on 27 May 2019. The CSA’s aim is to prevent, handle, and/or mitigate the risk of cyber threats from both inside and outside the country which affect national security, economic security, martial security and public order. The CSA has its own measures which could, at times, intertwine with the PDPA regulations. One example of such overlap arises when a cyber threat occurs. In such cases, under the CSA, entities may be required to provide access to relevant computer data, a computer system, or other information related to the computer system, which could effectively bypass the PDPA’s guarantee of the rights of data subjects. Such circumvention would be justified using the legal basis principle of the PDPA (i.e. legal obligations).
The PDPA is an ambitious legal act that will empower data subjects based in Thailand and that has created, and will create, new opportunities. Nevertheless, such opportunities should be pursued cautiously and methodically, even by companies that have experience with similar privacy regulations such as the GDPR. Indeed, as explained and implied above, being GDPR compliant will not guarantee that a company is also PDPA compliant. Therefore, all companies with interests in Thailand should take action to become compliant with the PDPA by the imminent deadline. According to the literature on the subject, such actions include conducting data mapping and a self-assessment as data processor and/or controller, determining the legal bases for data controllers and their other obligations, and implementing data management processes and operating systems, including the relevant legal documents such as privacy notices and data processing agreements. Lastly, don’t forget to keep in mind and respect the potential overlap between the PDPA and the CSA!