Thailand: New law on Personal Data Protection

The Constitution of Thailand has long recognized the right to privacy. Yet, there was no specific personal data protection law to implement the protection that right. There are many data protection laws for different sectors, but there was no general one. However, as technological advances have vastly increased the scale and speed of collection and exposure of personal information, exploitation of the personal information has become a serious concern and there have been demands for a law to regulate it.

Following approval and endorsement by the National Legislative Assembly earlier this year, Thailand’s Personal Data Protection Act B.E. 2562 (2019) (“PDPA”) was published in the Government Gazette on May 27th, 2019. According to its preamble, PDPA provides not only protection to personal data, but also remedies for the data’s owners when data privacy infringement arises. The law provides for a transition period of one year to prepare to comply to the PDPA. Thus, by 27th May 2020, whoever is collecting, using, or disclosing personal data of others will have to be ready to comply with the requirements of the Act.

However, with the PDPA still in its transition period, there are already some concerns and calls for further amendments in the future.

  • Obligations under the PDPA is not applicable to government sectors

Section 4(2) of the PDPA excludes  government sectors having the authority to observe public security from the law. The questionable exception has created debate among the private sector that, despite this new Act, there is a risk that government officials might exploit the exception and obtain personal data for their own interest. For example, officials might collect personal data for evaluation of their political campaign.

On the other hand, some argue that the exception is necessary. Governmental officials should be allowed to collect people’s personal data for public security. However, the argument remains that Section 24 of the PDPA already provides exceptions based on purposes of data collection (not based on the bodies collecting the data). Specifically related to government sector, Section 24 provides:

“Controller of Personal Data shall not collect Personal Data unless permission from the owner of personal data is obtained, except that:

(4) it is necessary for the performance of missions for public interest by the Controller of Personal Data, or for carrying out the state power assigned to the Controller of Personal Data;

…” 

Many view Section 24 as sufficient as an exception for certain acts by the government sector, and there is no need to exempt the government sector as a whole under Section 4(2). Section 4(2) is criticized as too broad and unfairly beneficial to the government sector.

  • Enforcement of the PDPA might not be practical

Different entities, which will qualify as Controller and/or Processer of Personal Data under the Act, have been discussing foreseeable problems once the PDPA fully applies. Below are examples of the discussion. 

  • No room for issuance of Ministerial Regulation on exception to collection and disclosure of the personal data without consent.

While Section 24 and 26 of the PDPA set out exceptions to collection of the personal data without consent and Section 27 provides exception to disclosure of personal data again without consent, there is concern that the Act does not allow for issuance of secondary legislation (usually in the form of Ministerial Regulation) as a way to implement additional exceptions. The criticism is that the inability to allow additional exceptions through Ministerial Regulation makes the Act too rigid and impractical to businesses in a fast-moving world, because the only way to accommodate the need for additional exceptions will be to amend the PDPA itself.

  • Lack of enforcement across jurisdiction

As mentioned above, technological advances and changes are key reasons for enactment of the PDPA. We have seen increasing number of businesses and transactions processed online. Many companies now have an online presence worldwide, including in Thailand, but without brick and mortar places of business in the country. However, with very few exceptions, Section 5 of the PDPA provides that

“This act would apply to collection, use, or disclosure of the personal data by Controller and/or Processer of Personal Data residing in the Kingdom, whether the collection, use, or disclosure is conducted within the Kingdom or not”.

The foreseeable problem relates to enforcement against those online companies. It is unclear how the Act could protect personal data from the misconduct of entities not residing in the country. The PDPA is claimed to be to the same standard as the EU General Data Protection Regulation (GDPR). But, unlike the GDPR which can be enforced across the EU, the PDPA is likely to be only enforceable against entities in Thailand. This is likely good news for online businesses without establishments in Thailand, but bad news for the public concerned about use of their personal information by online businesses residing outside Thailand. As a result, there are continuing talks about amendment to the law to address this problem.

Last but not least, having been told that the PDPA essentially follows the concepts of the GDPR, most companies in the EU already complying with the GDPR may feel relieved that no further action is required. But, in reality, the PDPA presents many provisions that are different from those under the GDPR. It is therefore highly recommended for all entities, including those operating under the GDPR – whether the controller, processor or owner of the personal data – to pay close attention to this first consolidated law on personal data of Thailand and review their activities to be in compliance with this law before it comes into effect and the risk of penalties (including criminal ones) kicks in.