Thailand’s Personal Data Protection Act came into full effect on 1 June 2022 and various subordinate regulations have since been issued by the Personal Data Protection Committee. These include regulations on security measures to be implemented by data controllers, data breach notification requirements, a mandatory obligation to appoint a data protection officer when the processing activity requires regular monitoring of personal data or a system due to the large scale of personal data, administrative measures and data processors’ record of processing activities.
As some areas under the PDPA still require further clarifications, a series of public consultations for the remaining draft subordinate regulations is anticipated in 2024. Potential areas include data protection impact assessments and cross-border transfers of personal data, which are crucial for organizations and particularly for entities with establishments in other jurisdictions.
PDPA enforcement by Thai regulators was silent until the last quarter of 2023, when the PDPC published details about complaints that have been lodged to the Expert Committee. The committee is designated by virtue of the PDPA and has the power to make determinations related to imposing administrative fines and other penalties. Enforcement in 2024 is expected to become more active and potentially more serious, which means organizations should pay closer attention to ensure compliance with the PDPA.
Similar to the GDPR, the PDPA also has extraterritorial effect. Once the subordinate regulation on international cooperation has been issued by the PDPC, this should clarify how PDPA enforcement against organizations located outside of Thailand will be conducted by Thai regulators.
With respect to sector-specific data protection legislation, in September 2023, Thailand’s National Broadcasting and Telecommunications Commission issued the Notification of the NBTC Re: Measures to Protect Telecommunications Service Users’ Rights in regard to Personal Data, Privacy Rights, and Freedom of Telecommunications, which replaces the previous notification. The notification aims to enhance the protection of personal data and privacy rights for telecommunication users and to align its data protection requirements with the provisions of the PDPA. The development of specific data protection laws for other sectors is still silent.
Athistha (Nop) Chitranukroh and Gvavalin Mahakunkitchareon provided this update as part of the “IAPP Global Legislative Predictions 2024” from the International Association of Privacy Professionals. Tilleke & Gibbins also provided the Vietnam update.