In July 2022, the Thai cabinet approved in principle a royal decree exempting some businesses and other entities from parts of the Personal Data Protection Act B.E. 2562 (PDPA).
The draft royal decree proposes to exempt certain business operators and activities from the requirements of the following portions of the PDPA:
- Chapter II: Personal Data Protection – Requirements on consent, notification, cross-border transfer of personal data, etc.
- Chapter III: Rights of the Data Subject – Requirements and criteria on data subject rights.
- Chapter V: Complaints – Requirements on the submission of complaints to the Office of the Personal Data Protection Commission.
- Chapter VI: Civil Liability – Conditions in relation to the civil liability of a data controller or data processor.
- Chapter VII: Penalties – Administrative and criminal penalties.
The proposed exemptions would apply to three main categories of business operators and activities:
1. Data controllers acting on government requests in adherence with specific laws for the following purposes:
   - State security and public safety. Exempted operations include activities intended to safeguard state security, intelligence, and information relating to national security, as well as efforts to maintain fiscal and economic security and public security. Also exempt are prevention and suppression of certain criminal activities, such as money laundering, drug trafficking, transnational threats and terrorism, transnational crime, and human trafficking; activities to bolster anticorruption or cybersecurity efforts; and actions relating to public health, sanitation to prevent epidemics, and protection of public life, health, and property.
   - Taxation. Exempted activities include those related to tax collection under laws that are the responsibility of the Revenue Department, Customs Department, or Excise Department. This also extends to any action relating to the enforcement of taxation fees or duties, and actions related to social security, the performance of obligations, or international cooperation.
   - Risk mitigation, monitoring, and surveillance. These purposes include monitoring and providing measures to mitigate remedial damage caused by threats to national security. Qualifying actions in this category are conducted by competent officials and government agencies in accordance with laws to prevent public disasters or threats that may affect the public.
2. Processing of personal data for government organizations for the public interest or for compliance with international agreements.
3. Processing of personal data for domestic or international court proceedings (e.g., by judges, public prosecutors, inquiry officials, legal professionals, government organizations, or other relevant officials).
For assistance with matters related to the PDPA, including this draft royal decree or any other developments, please contact Nopparat Lalitkomon at [email protected], Thammapas Chanpanich at [email protected], or Suphitsara Jaturaphitjaroen at [email protected].