The Thailand Personal Data Protection Act – and What It Means for Business
On 28 February, the National Legislative Assembly approved the Personal Data Protection Act (“PDPA”). The Act is aimed at regulating the lawful collection, use, or disclosure of personal data that can directly or indirectly identify a natural person – but does not apply to the data of a deceased person. The Act also provides a framework for how personal data must be processed. The PDPA, which in many ways resembles a similar initiative in Europe (the General Data Protection Regulation, known as GDPR), requires a data controller (a natural person or a legal person) who has the authority to decide to collect, use, or disclose personal data to follow guidelines in an effort to protect each data owner.
Following its passage at a governmental level, the Act was published in the Government Gazette on May 27, 2019. Provisions related to the collection, use, or disclosure of personal data will come into effect with the full force of law on May 28, 2020, changing how businesses (as data controllers) are permitted to interact with their online audience (as data owners). Financial institutions as well as insurance and e-commerce companies are among those that will need to give the PDPA particularly careful attention.
Although much time remains for organizations to make the necessary technical and strategic adjustments, this new legal framework for processing online personal data requires several significant changes to standard business practices. Only a clear understanding of the new rules will allow companies to prepare responsibly for the privacy obligations that form the core of the PDPA.
The PDPA: An Overview
In essence, the PDPA is designed to protect a data owner from the unauthorised or unlawful collection, use, or disclosure and processing of their personal data. As with Europe’s GDPR, for example, websites will have to include simple and straightforward language, and receive clear consent from each user, before (or at the time of) collecting such data, using it in any way, or passing it along to third parties. Moreover, each website will need to explain what this data will be used for, and ensure that the data is indeed used for no other purpose.
The rights of data owners under the PDPA include the following:
- Right to be informed
- Right to access
- Right to data portability
- Right to object
- Right to erasure / right to be forgotten
- Right to restriction of processing
- Right to rectify
The PDPA contains several enforcement mechanisms to ensure compliance with this new Act, and requires online organisations to identify a data controller who shall be responsible for the proper functioning of this process.
Even foreign entities will need to follow the rules spelled out in the PDPA, as long as they carry out any activities related to the processing of personal data, such as offering goods and services to, or monitoring the online behaviour of, users who are based in Thailand.
However, unlike Europe’s GDPR, the PDPA contains no clause which prevents online entities from making decisions about user data based solely on automated processing. Yet the PDPA is not always less stringent than the GDPR, and compliance with one set of rules does not automatically mean that an entity is also in compliance with the other.
The Devil is in the Details
Setting up a request for consent to collect, use and transmit users’ personal data may at first seem like a task that can be completed in a short amount of time. Yet these steps are carefully regulated under the PDPA in order to ensure that user data is safeguarded in exactly the ways that the new law intends.
Each organisation will need to assign a data controller to monitor its own data collection, use, or disclosure, including processing activities. This person has special responsibilities – such as informing the Office of the Personal Data Protection Commission within 72 hours of discovering any breach or violation of personal data – and can be held legally liable if the organisation’s data collection activities fail to meet the requirements of the law.
Even where an entity based outside of Thailand has received personal data from a data controller for the purpose of using or disclosing the personal data of users in Thailand, a data controller needs to be in place to ensure that such foreign entities have effective measures to protect the personal data of users in Thailand. However, at the present time, subordinate legislation related to this activity has not yet been enacted.
The data controller is required to cooperate with authorities in case of any data breach or violation of the Act. Data owners may file legal complaints against the data controller or processor if their data has been misused, and the consequences for negligence or malfeasance may be severe.
To mitigate risk, companies need to revisit their data protection plans and procedures in order to ensure that they comply with the new requirements under the law. Such an effort means ensuring that data is tightly controlled within the system, and used only for the express purposes for which users have clearly given their consent. It also means isolating specific categories of data for security purposes, and creating new electronic data removal systems to comply with users’ right to be forgotten.
All personally identifiable information falls under the scope of the PDPA, and the clock is now ticking for every company that collects such data from users in Thailand. If you’d like to learn more about how your business can ensure compliance with Thailand’s forthcoming Personal Data Protection Act – the country’s new standard for digital privacy protection – contact us today.