Primer on Thailand's Personal Data Protection Act
In May 2019, Thailand joined the growing list of countries adopting a comprehensive privacy law. Although many of the principles and obligations under the new law were adapted from the EU’s General Data Protection Regulation (GDPR), organizations operating in Thailand or handling the personal data of data subjects in Thailand will need to familiarize themselves with this new law and operationalize its new requirements before the compliance date, which is only a few weeks away. The following is a summary of the background and key components of this new law.
Background on the PDPA
On February 28, 2019, Thailand's National Legislative Assembly approved the Personal Data Protection Act, B.E. 2562 (2019) (PDPA), and it was formally enacted by royal endorsement on May 24, 2019. The PDPA was published in the Government Gazette on May 27, 2019, and took effect on May 28, 2019. Although the PDPA is now in force, it provides a one-year grace period to give businesses time to prepare and implement the internal controls and systems needed to comply. The substantive data protection provisions, including the consent requirements, the rules on collection, use, and disclosure of personal data, data subject rights, complaints, civil liabilities, and penalties, take effect on May 28, 2020.
Key Requirements of the PDPA
PDPA versus GDPR
The PDPA, in large part, follows the provisions of the GDPR. The new “rules, mechanisms, or measures regulating personal data protection as a matter of general principles” were drafted to demonstrate to the EU and other countries that Thailand has an “adequate” level of data protection. Companies that have a robust GDPR compliance program in place may leverage those existing processes and procedures in developing a PDPA compliance program. However, these companies will still need to review the specific provisions of the PDPA to ensure their compliance program incorporates the unique provisions under the PDPA.
Territorial and Extraterritorial Scope
The PDPA applies to the collection, use, or disclosure of personal data by a data controller or a data processor that is in Thailand, regardless of whether such data collection, use, or disclosure takes place in Thailand or elsewhere. If a data controller or data processor is outside of Thailand, the PDPA will apply to the collection, use, or disclosure of personal data of data subjects who are in Thailand when the data controller or data processor is engaged in either of the following activities:
- Offering of goods or services to data subjects who are in Thailand, regardless of whether payment is made by the data subject; or
- Monitoring of the data subject’s behavior where the behavior takes place in Thailand.
Creation of Personal Data Protection Committee
The PDPA created a Personal Data Protection Committee (PDPC) to enforce compliance with the PDPA. Although the PDPC was staffed and launched in late 2019, the PDPC has not released model consent forms, statements, access rules, or other guidance as of the date of this alert.
Operative Terms
The term “personal data,” as used under the PDPA, means any information relating to a person which enables the identification of such person, whether directly or indirectly. Personal data does not include the information of deceased persons.
The PDPA also establishes a separate category of “sensitive personal data” that includes personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, criminal record, trade union membership, genetic data, biometric data, data concerning health or data concerning a natural person’s sex life or sexual orientation, and prohibits the collection of sensitive personal data without express consent from the data subject, except in certain prescribed circumstances (e.g., medical emergency or as required by law).
The term “data subject” is not specifically defined under the PDPA. Although the PDPA applies to data subjects “in” Thailand, it does not tie coverage to the nationality or place of residence of the data subject.
“Data controller” means a person or a juristic person having the power and duties to make decisions regarding the collection, use, or disclosure of personal data.
“Data processor” means a person or a juristic person who operates in relation to the collection, use, or disclosure of the personal data pursuant to the orders given by or on behalf of a data controller, whereby such person or juristic person is not the data controller.
Rights and Obligations
Consent
Unless one of the PDPA's prescribed exceptions applies, the data subject's consent is required for any collection, use, or disclosure of personal data. A request for consent must be presented in a manner clearly distinguishable from other matters, use clear and plain language, and be made in writing or through an electronic system. The PDPC may prescribe the consent form and statements that data controllers must use.
Rights of Data Subject
A data subject is entitled to request access to his or her personal data and to submit requests to delete, destroy, or anonymize his or her personal data. The PDPC may prescribe rules for access to and requests to obtain data.
Transfer of Personal Data
A data controller is prohibited from disclosing or transferring personal data to third parties without the data subject's consent, subject to certain limited, customary exceptions. A transfer of personal data to another country or to an international organization outside Thailand may take place only if the destination country or organization has an adequate level of data protection, meaning that it meets the criteria to be prescribed by the PDPC. Limited exceptions apply, including where the data subject has given specific consent to the disclosure after being informed that the destination does not meet those criteria.
Civil and Criminal Liability
Violations of the PDPA can result in civil liability to affected data subjects (including punitive damages), criminal penalties for certain violations, and administrative fines imposed by the PDPC.
Next Steps
Organizations already subject to the GDPR may be able to leverage their past privacy governance work and current GDPR compliance efforts in operationalizing their new PDPA compliance program. However, compliance with the GDPR will not guarantee compliance with the PDPA.
Thailand, like other countries, is implementing measures to prevent the spread of COVID-19. As of the date of this alert, the effective date of the PDPA has not been changed. The COVID-19 pandemic adds another layer of complexity to PDPA compliance. For example, employers are data controllers under the PDPA and, as of the effective date, will be subject to extensive requirements when collecting, using, or disclosing personal data of employees; health information gathered from employees for COVID-19 screening is sensitive personal data under the PDPA and attracts its stricter consent rules. Organizations that handle the personal data of data subjects in Thailand should not wait to start working on PDPA compliance.
This alert provides a brief overview of certain PDPA requirements. It is not intended to provide a comprehensive summary of the PDPA or any related laws or regulations. The information in this alert is provided for general informational purposes only and does not, and is not intended to, constitute legal advice. You should carefully review the PDPA and any related laws and regulations, as they may be amended from time to time, and consult with your legal counsel to determine the applicability of the PDPA to your unique business operations. No reader of this alert should act or refrain from acting in reliance on any information in this alert without first seeking legal advice from their counsel. Only your legal counsel can provide assurances that the information contained in this alert, and your interpretation of this information, is applicable or appropriate to your business. The publication, distribution, and use of this alert does not create an attorney-client relationship between CENTRL, Inc. and any reader or user.