After approximately a decade drafting general personal data protection laws and formulating a regime to protect personal data and privacy rights, Thailand finally issued the country’s first unified personal data protection legislation in 2019.
The public was surprised when the draft Personal Data Protection Act (PDPA) was published for the final round of hearings. The draft PDPA largely adopted the preeminent personal data protection standards as expressed in the European Union’s General Data Protection Regulation (GDPR). The government expressed its objective to enhance personal data protection standards in Thailand to meet international standards, which would permit cross border transfers of personal data to Thailand, without any material limitations.
The PDPA, which was finally published in the Government Gazette in May 2019, also established a new independent regulator, the Personal Data Protection Commission (PDPC), tasked with enforcing the PDPA. All members of the commission must possess the qualifications required by the PDPA.
The PDPA was enacted with a grace period of one year for the requirements relating to the processing of personal data—which would provide businesses with sufficient time to adjust their practices to ensure compliance with the new requirements. It is a significant undertaking for businesses to adjust from having no general law on data protection to being required to meet high international data protection standards comparable to those in the GDPR.
GPDR concepts that were incorporated into the PDPA include (1) purpose limitation, (2) transparency, (3) lawfulness and fairness, and (4) data minimization. When collecting personal data, data controllers are required to establish a lawful basis to allow for such collection and processing of personal data. The lawful bases for general personal data are also similar to those under the GDPR, with concepts such as contractual necessity, legal obligation, legitimate interest, vital interest, and consent. Special types of personal data, such as health data and biometric data, will be subject to more stringent requirements under the PDPA. Data breach notification requirements are also imposed by the PDPA, and this is one of the obligations that data controllers are expected to meet.
The PDPA also recognizes the concept of extraterritorial effect, which is not common in Thailand. This raises the possibility that overseas data controllers could also be subject to the PDPA’s requirements in respect to their processing activities involving the personal data of data subjects in Thailand. Certain types of overseas data controllers and data processors are also required to appoint a local representative in Thailand without any limitation of liability in respect to the conduct of the overseas data controller or data processor.
In early May 2020, shortly before the PDPA grace period was scheduled to conclude, Thailand found itself embroiled in the global COVID-19 pandemic. Similar to what transpired in Brazil, the Thai government, led by the Ministry of Digital Economy and Society (MDES), decided to postpone the PDPA by issuing a royal decree. In essence, the decree meant that full implementation of the PDPA was further postponed to June 1, 2021, for almost all types of businesses (subject to the details specified in the royal decree).
To prepare for full enforcement of the PDPA, businesses should start the process of attaining a full understanding of the requirements of the PDPA if they haven’t already (see the unofficial English translation of the PDPA). The PDPA includes a number of principles that businesses can prepare to address, but the law does not fully detail or clarify all of the tasks that data controllers and data processors need to undertake in order to ensure full compliance with the PDPA, as the relevant clarifications will be issued in the form of supplemental regulations, notifications, or guidelines during the upcoming 12 months.
Due to the long delay in the PDPC’s selection process, the official appointment process for the PDPC only recently reached its final stage. This may impact the timeline for implementing supplemental regulations, without which businesses may be unsure about whether they need to appoint a DPO, how to establish incident management procedures to detect and report data breaches, and how to respond when data subjects make a request in accordance with their rights. Nevertheless, the Office of PDPC has announced its plan to hold public hearings on the first set of the sub-regulations on February 15–18.
Preparation of Industry Guidelines
While awaiting further developments relating to the PDPA and its supplemental regulations, certain business associations and industry groups are currently in the process of preparing their specific guidelines to ensure compliance with the PDPA, as well as collaborating with industry regulators such as the Bank of Thailand and the Office of Insurance Commission. A key concern for these organizations is the sharing of health data, which is subject to more stringent requirements than general personal data. Under the GDPR, it may be possible to rely on substantial public interest conditions for collecting and processing health data for insurance purposes, without the need to obtain explicit consent from the data subject (i.e., the insured). The PDPA, on the other hand, may not provide exemptions for businesses in the insurance industry or other related industries in regard to the processing of health data for insurance purposes. It is therefore imperative for industry regulators and associations to be actively involved in the development of the PDPA’s supplemental regulations and industry guidelines, so that the needs of the businesses are fully factored in when assessing the requirements to be included in these regulations.
How exactly the PDPA will develop remains to be seen, but it is anticipated that Thailand will look to and rely on personal data protection requirements set out under international standards—particularly those encompassed under the GDPR and personal data protection laws adopted in other countries—and use those principles to formulate and shape its own specific guidelines in the future.
Passed around the same time as the PDPA, the Cybersecurity Act B.E. 2562 (2019) also plays an important role in the ongoing digital transformation of Thai society. Upon the law’s enactment, there were no subordinate regulations stipulating specific requirements and obligations, especially in relation to the law’s provisions on prevention, protection, and management of cyber risks for government agencies or private organizations providing critical information infrastructure services, or “CII organizations.”
The National Cyber Security Commission recently issued a draft master plan and subordinate regulations for public hearing. These five draft regulations consist of (1) policies and plans on the cybersecurity, (2) a cybersecurity action, (3) management policies in connection with cybersecurity for state agencies and CII organizations, (4) a code of practice for the cybersecurity, and (5) a standard framework for cybersecurity.
Of these, items 3 through 5 have significant implications for state agencies and CII organizations, comparing to the first two draft regulations. The draft management policies in connection with cybersecurity for state agencies and CII organizations indicate that state agencies and CII organizations will have to observe principles of governance, risk, and compliance; prescribe the authority, role, and responsibility of their personnel; implement three lines of defense management; and provide a risk management plan with policies, standards, and guidelines.
Additionally, the draft code of practice for cybersecurity requires state agencies and CII organizations to have a cybersecurity verification procedure, cybersecurity risk assessment, and cybersecurity threat response plan.
Lastly, the draft standard framework for the cybersecurity sets out guidelines covering (1) cybersecurity risk identification and assessment, (2) cybersecurity risk protection measures, (3) cybersecurity threat verification and monitoring measures, (4) follow-up measures for after a cybersecurity threat is detected, and (5) sustainability and restoration measures relating to cybersecurity threats.
The development of these cybersecurity provisions is still at an early stage and will require further approval from the relevant authorities. However, it is anticipated that Thailand will look to and rely on the principles of the U.S. National Institute of Standards and Technology cybersecurity framework in order to set out internationally accepted guidelines and establish cybersecurity standards in Thailand.
Digital Transformation in Thailand
As access to and adoption of new technologies continues to expand at a rapid pace in Thailand, the PDPA and Cybersecurity Act provide important structure to guide businesses, regulators, and individuals in these technological developments. Moreover, these legal frameworks set a solid basis for sustainable, standards-based growth that responds to the unique needs and challenges of today’s technological landscape. While certain aspects of the laws’ implementation are still being clarified, both pieces of legislation have an important role in both the short- and long-term success of Thailand’s technological advancement.