Thailand’s first-ever law on personal data protection will come into force on June 1, 2022, after being postponed since 2019.
The law outlines the obligations for businesses regarding the collection and processing of personal information. The government is expected to provide a grace period for SMEs to comply with the new law.
Thailand’s first consolidated law on personal data protection, called the Personal Data Protection Act (PDPA), was initially signed in 2019 but will be enforced from June 1, 2022, after being postponed due to the pandemic.
The country has now joined its peers Singapore, Malaysia, and the Philippines in enacting data protection laws. The PDPA outlines the obligations of data controllers and processors to inform data owners of, and request their approval for, any collection, use, or disclosure of their personal information. Those found in violation of the law could be liable for civil and criminal fines. The PDPA defines personal data as information that identifies a living person.
Personal data breaches are becoming more prevalent among ASEAN countries, as the digitalization of their economies has resulted in more businesses and people storing their data online, where it is susceptible to data breaches.
The Thai PDPA applies to organizations that are directly based in Thailand or are based abroad but are involved in controlling and processing goods, services, and consumer behavior data in Thailand. Businesses should be mindful of two data types: i) general data, such as name, date of birth, phone number, etc., and ii) sensitive data, such as racial, sexual, religious, health, political, and biometric information.
Overall, the data owner must give explicit consent to approve any acts of collection, use, or disclosure of their personal data. Exemptions are granted in cases of:
In addition, the Thai PDPA also introduces a progressive, General Data Protection Regulation (GDPR)-style regulation in which data breach notifications are mandatory rather than voluntary, as is the case in other countries like India or in jurisdictions like Hong Kong. Under the PDPA, a comprehensive set of rights is guaranteed to data owners, namely:
Violation of the data privacy law is subject to criminal and civil fines, ranging from 500,000 baht (US$15,000) to 5 million baht (US$165,000) as well as punitive compensations.
Retail businesses and small and medium-sized enterprises (SMEs) must quickly adapt to the new Protection Act, as the implementation of new IT systems and administrative procedures can result in higher operating costs. Despite the widespread publicity around the Act, many SMEs are still unaware of their obligations, and many face difficulties in assessing whether they are data processors or controllers. Thai SMEs also face challenges in finding qualified personnel to monitor their compliance, as well as in gaining the right legal understanding of their rights and obligations under the new law.
This article was first published by AseanBriefing, which is produced by Dezan Shira & Associates. The firm assists foreign investors throughout Asia from offices across the world, including in China, Hong Kong, Vietnam, Singapore, India, and Russia. Readers may write to [email protected]