A user’s guide to Thailand’s controversial new data protection law
Postponed twice since 2019, Thailand’s first law on personal data protection will finally come into force this Wednesday (June 1) – despite last-minute efforts by the private sector to delay its implementation for another two years.
The Personal Data Protection Act (PDPA) of 2019 aims to guarantee protection for individuals and their personal data and to impose obligations for businesses and state agencies regarding the collection, processing, use, and disclosure of personal information.
The legislation is based on the European Union’s General Data Protection Regulation, which came into force in 2016.
The PDPA also applies to data controllers and processors outside Thailand if they process personal data of data owners in Thailand and offer goods and services to, or monitor the behavior of, those data owners.
Data controllers and processors are required by the law to obtain permission from data owners for any collection, use, or disclosure of their personal information.
Financial and administrative fines
Anyone found violating the new law will be liable for civil and/or criminal penalties.
Fraudulent use or disclosure of personal data carries a maximum prison term of six months or a fine of up to 500,000 baht. Illegal abuse of personal data carries up to one year in jail or a fine of as much as 1 million baht.
The data privacy law also imposes administrative fines ranging from 500,000 to 1 million baht and allows the damaged party to pursue civil action for compensation.
Under this law, personal data includes names, date of birth, phone number, home address, e-mail address, ID card number, passport number, educational and financial information, weight, height, medical and criminal records, fingerprints, and facial and iris patterns.
Without explicit consent from the data owner, any collection of personal information on racial or ethnic origin, political opinions, cult, religious or philosophical beliefs, sexual behavior, criminal records, health data, disability, trade union information, genetic data, and biometrics is prohibited.
Exemptions are granted in cases of: fulfilling contractual obligations involving the data subject; serving the public interest, such as statistical research to protect public health; and serving legitimate interests, such as prevention of danger to an individual.
Also, the PDPA guarantees the following rights of data owners: right to be informed (of the purpose of collection, data retention period, etc.); right to access their personal data; right to rectification of inaccurate or misleading information; right to objection/withdrawal from inappropriate uses, at any time; right to restrict processing; right to erasure; and right to data portability.
Postponed twice and more delay urged
The law was published in the Royal Gazette in May 2019 with a one-year grace period. But its enforcement date of June 2020 was postponed to June 1, 2021, because the public and private sectors wanted more time to prepare for compliance, which requires deploying high-tech safeguards against unauthorized access to stored personal data and managing data storage, deletion, transfer and revision.
Enforcement of the law was delayed again, for another year, when the third wave of COVID-19 hit Thailand after Songkran in 2021.
In early May, the Joint Standing Committee on Commerce, Industry and Banking called for the PDPA to be postponed for at least two more years so that all stakeholders would be ready to comply. The group said many businesses, particularly micro-firms and SMEs, needed more time to fully comply with the law as they struggled to recover from the economic impacts of the pandemic.
However, Thienchai na Nakorn, chairman of the Personal Data Protection Committee, said last week that the law had already been delayed beyond the two-year timeframe, so must now be implemented.
Many businesses still unprepared
According to a recent survey, a large number of Thai businesses say they still lack the preparation required to comply with the PDPA. Only 8 percent of almost 4,000 businesses surveyed said they have taken measures to be fully compliant, while 31 percent said they have not even started the compliance process.
The majority of businesses surveyed said the most difficult part of PDPA compliance was making records of processing personal data.
Some company executives have voiced concern that businesses that are unprepared for compliance could be blackmailed with a threat of blowing the whistle to regulators.
Others say the law’s penalty of jail time is the “biggest concern” among businesses, as their executive board members could be affected. They warn that lawsuits stemming from the PDPA could scare away foreign investors, diverting them to countries with no such legislation.
Some experts are urging the government to conduct more publicity about the new law regarding legal protection for members of the public, and to educate the police for effective enforcement.
By Thai PBS World’s Political Desk