The PDPA adopts similar principles to that of the EU General Data Protection Regulation (GDPR) which allows for comprehensive protection of data subjects' rights…
Back in May 2019, the Thai government announced a new data privacy law intended to raise the standards of data privacy to those of its international counterparts. Personal data has become increasingly valuable in the digital age, which has piqued the interest of all manner of businesses in gathering personal information. This has led the government to recognise the importance of protecting the rights of citizens through law, thus the need to efficiently protect personal data and put in place effective remedial measures for data subjects whose data protection rights are violated.
The Personal Data Protection Act B.E. 2562 (2019), or PDPA for short, was first published in the Royal Thai Government Gazette and was originally scheduled to come into effect on 27 May 2020. However, the COVID-19 outbreak and its effects on the economy and society were cited as major obstacles for all affected sectors, causing the government to deem implementing a new law unviable during this time. The postponement of the fully effective date of the PDPA to 1st June 2021 was a welcome one, as it was able to alleviate the impact on public and private sectors as well as the general public.
Perhaps the most important aspect for data subjects is that the new law will give them the right to erase, object, rectify and access their personal data upon request. Not only does this protect the data subjects, but it also ensures accuracy of information and the potential to prevent being inundated by unwanted third party marketing messages. It also gives businesses and organizations a clearer understanding of how to best handle consumers' personal data.
The PDPA adopts similar principles to that of the EU General Data Protection Regulation (GDPR) which allows for comprehensive protection of data subjects' rights, whilst at the same time being beneficial for international businesses as they can implement comparable security measures across multiple jurisdictions. This should be of particular relevance to the integration of the EU GDPR's concepts for implementing the ASEAN Data Management Framework (DMF) and Model Contractual Clauses (MCCs) for cross-border data transfers, as the Personal Data Protection Committee (PDPC) of Thailand, who will act as the competent authority under the PDPA, will likely follow the DMF and MCCs with the same concepts of the GDPR to assist in the interoperability between ASEAN Member States.
PDPA requirements that have been influenced by the GDPR include sensitive personal data albeit with more restrictive legal exemptions under the PDPA, lawfulness of processing, consent requirements, privacy notices, and the rights of data subjects with a few specific details that will be tailored to business operations in Thailand. It is also worth noting that, while the requirements for Data Protection Officers (DPO), data breach notifications and the cross-border transfer of personal data will follow the provisions set out by the GDPR, there will be supplementary rules, qualifications and/or criteria added by the PDPC, although they have yet to be released.
As the PDPA is not yet effective, there are currently no sub-regulations or official guidelines relevant to the cross-border transfer of personal data, meaning adequate data protection standards are lacking in this area. As this is a significant part of data protection and considering that the DMF and MCCs mostly have the same principles as the PDPA, the relevant sub- regulations and guidelines that will be established under the PDPA would likely be tailored to the DMF and MCCs concepts. The only likely difference would be with certain parts that are not consistent between the PDPA and GDPR, for example, the definition of personal data under the PDPA also includes the personal data of deceased persons.
It is of the utmost importance that organizations and businesses from all industries that handle personal data in any capacity in Thailand are prepared to comply with the PDPA when it comes into full effect on 1 June 2021. This can prove challenging considering sub-regulations have yet to be announced, however, for those organizations wishing to get a head start, the DMF and MCCs may well be able to assist in mitigating the risks for processing personal data, which would help save time and internal resources when applying measures for the compliance of the PDPA.
Businesses and organizations can be safe in the knowledge that the DMF and MCCs would not create any negative impact towards those who are subjected to the PDPA. As the DMF only provides best practices which have no legal binding, it would be beneficial to everyone involved to adapt their processes and procedures for the cross-border transfer of personal data to fit with other ASEAN member states, especially where digital infrastructures and digital platforms that would typically transfer large amounts of personal data from several locations are concerned.
Conversely, MCCs may create legal binding agreements. Therefore, it would help organisations and businesses to create standard contractual clauses that are in line with other ASEAN Member States when carrying out activities of the cross-border transfer of personal data. Furthermore, organisations and businesses are able to amend the clauses to better suit their needs, as long as they do not contradict the MCCs and any applicable data protection laws, and are also free to provide the commercial terms and conditions upon a mutual agreement between all parties involved.
Although the PDPA was originally announced in the Government Gazette on 27 May 2019, no official guidance has been issued under the PDPA at the time of writing. So far, only one sub- regulation has been issued by the Ministry of Digital Economy and Society (MDES), which provides guidance on the security measures that must be taken to safeguard personal data during the current postponement period of the PDPA. Also, the competent authority under the PDPA, namely the PDPC, has not yet been officially established. However, more comprehensive sub-regulations are due to be issued on 27th May 2021 and once the new law comes into effect on 1st June 2021, it is to be expected that the establishment of the PDPC will also be announced.