Thailand’s long-awaited Personal Data Protection Act (PDPA) was approved by the National Legislative Assembly today, February 28, 2019. It will now be passed to the monarch to be signed and endorsed, and will then be published in the Government Gazette before passing into law later this year.
Most provisions relating to the collection, use, and disclosure of personal data will come into force one year after publication in the Government Gazette. Several pieces of subordinate legislation will be enacted later on to provide a procedural framework for implementing the provisions of the PDPA, and we will provide updates on that procedural framework as it becomes apparent.
The most significant provisions of the PDPA are:
- a requirement for data controllers to gain consent from data subjects (in writing or online) before they can process their personal data in certain ways (subject to certain exceptions);
- enhanced requirements for the protection of sensitive personal data;
- restrictions on the transfer of personal data to a “3rd country”;
- the extraterritoriality of the law’s effect, meaning that the law is nominally applicable to data controllers outside Thailand; and
- a requirement for data controllers outside Thailand to appoint a representative within the jurisdiction, who will have certain rights.
These provisions are intended to reflect global trends in data privacy legislation, such as the European Union’s GDPR.
Penalties for noncompliance with the PDPA are severe, and any company collecting data from those residing in Thailand would be prudent to prepare in advance to ensure that it is in compliance before the PDPA comes into effect.