By Dhiraphol Suwanprateep, Partner, and Kritiyanee Buranatrevedhya, Associate, Baker McKenzie
Protecting individuals’ personal data is crucial to the long-term reputation, viability, and growth of data-driven businesses in Thailand. However, given how quickly the global business ecosystem has changed in recent years, lawmakers have struggled to keep pace with ever-evolving technologies and to implement laws that effectively encourage or ensure the protection of personal data.
However, 2018 saw waves of movement on data privacy issues, and many jurisdictions, including Thailand, now have or plan to implement a general legal framework for data protection.
Many Thai business operators already know that the Thai government is working hard to address data privacy and security concerns as an important part of its Thailand 4.0 plan to grow the digital economy. To this point, the Personal Data Protection Bill (the “PDPB”) is currently in the process of enactment.
There are a number of new concepts and specific requirements set forth in the recent version of the PDPB, as follows:
– It introduces the concept of extraterritorial application. Data controllers and data processors, whether located in Thailand or overseas, could be subject to the requirements under the PDPB for the following activities:
(1) the offer of goods or services to data subjects in Thailand, whether or not the data subject makes a payment;
(2) the monitoring of data subjects’ behaviors occurring in Thailand.
– Exemptions to the consent requirement include, among others, educational research or statistics for public interest, vital interest, contractual obligation, public interest, and legitimate interest.
– Explicit consent requirements apply to sensitive data, i.e. ethnicity, race, political opinions, cult, religion or philosophical beliefs, sexual behavior, criminal records, health records, labor union information, genetic data, biometric data or any data which may affect the data subject in the same manner as to be prescribed by the Personal Data Protection Committee (“PDPC”).
– A data controller can only transfer personal data to countries with sufficient personal data protection standards and in compliance with a cross-border data transfer guideline to be issued by the PDPC, with certain exceptions.
– A data controller is required to prepare appropriate security measures to prevent loss, access to, use, modification, or disclosure of personal data without authorization or in a wrongful manner.
– In the event of a breach, a data controller is required to immediately notify the affected data subject(s). In addition, if a breach concerns a number of data subjects in excess of a threshold to be prescribed by the PDPC, the data controller shall without delay notify the PDPC of such breach and the remedial measures.
– Violations of PDPB provisions may result in civil, criminal, and/or administrative penalties.
For many businesses in Thailand, new privacy laws may seem overwhelming or intrusive. These feelings may be exacerbated by the fact that the most recent draft PDPB shortens the transition period from one year to 180 days. But at a time when consumers are more concerned about the privacy and security of their data than ever before, prioritizing consumer trust is also crucial to building long-lasting consumer relationships. Businesses should look at compliance as an investment in customer trust, and shouldn’t necessarily wait to get started, especially given the shortened transition period. Those businesses willing to plan for and prioritize upholding the security of consumers’ personal data are most likely to earn and keep public trust and loyalty. More broadly, Thai businesses working collectively to build trust around digital information storage and many related services is essential to Thailand’s evolution towards a thriving digital economy.
The PDPB, once enacted, is certain to have far-reaching impacts on business in Thailand. With some advance planning and a future-focused perspective, these impacts don’t have to be negative. All Thai business operators are encouraged to begin familiarizing themselves with the PDPB and other related laws in the pipeline, and to start implementing compliance solutions without delay.