The Shift from Sectoral to Comprehensive Data Protection in Thailand

Dhara Shah

Associate Editor

Loyola University Chicago School of Law, JD 2020

Ever since the enactment of the General Data Protection Regulation in the European Union, data privacy and data protection have become hot topics for businesses and countries around the world. In the digital age, where personal data is constantly collected, processed, and used, the need for strong data collection regulations has never been greater. Many countries have begun to enact data protection laws, and the most recent to adopt a comprehensive data protection act is Thailand. On February 28th, 2019, Thailand’s National Legislative Assembly approved the very first comprehensive data protection law in the country, the Thailand Personal Data Protection Act, which will be effective after a one-year transition period to help ensure compliance.

The Right to Privacy in Thailand

Thailand’s Constitution upholds basic fundamental rights, including the right to privacy. However, up until now there has been no consolidated law that regulates data protection as a whole. Prior to the passing of the Personal Data Protection Act (PDPA), Thailand’s data protection model mirrored the United States’ sectoral approach. A sectoral approach entails that data is protected within individual industries. For example, in the United States there is the Health Insurance Portability and Accountability Act (HIPAA) that serves to govern and protect data that relates to medical information and the Children’s Online Privacy Protection Rule (COPPA) which regulates the privacy of children online. Similarly, prior to the PDPA, Thailand only had separate laws that individually governed various industries such as telecommunications, healthcare, banking, and the credit bureau.

The implementation of the PDPA shifts data protection in Thailand from sectoral to comprehensive. This means that Thailand now more closely mirrors the European Union and its General Data Protection Regulation (GDPR). Although the PDPA uses terminology similar to the GDPR’s and both allow for data protection measures on a national scale, it is important to note that compliance with one does not necessarily mean compliance with the other, as there are still differences between the two regulations.

The Personal Data Protection Act’s Key Points

While the PDPA covers a range of data protection measures, the following are a few of the key measures found in the Act.

The PDPA has extraterritorial applicability, meaning that the law applies not only to data controllers (those who make decisions on the collection, use, or disclosure of data) within Thailand but also to data controllers outside of the country. This means that companies located outside of Thailand can be held responsible for not complying with the PDPA. There are also consent requirements: consent from data subjects (the persons whose data is being collected) is necessary, in writing or online, before personal data can be processed. For minors, the PDPA requires parental consent before collecting data from those under 10 years old. Data subjects may also revoke that consent at any point, subject to some restrictions. Additionally, restrictions and exemptions exist surrounding the collection, use, disclosure, and cross-border transfer of personal data. Other provisions in the PDPA include security measures, data breach notification, explicit consent requirements for sensitive data, records of processing activities, representatives of controllers or processors who are not established in Thailand, data protection officers, data subjects’ rights, and damages.

Looking Forward: The Personal Data Protection Act and Beyond

The National Legislative Assembly approved the PDPA on February 28th, 2019, and it will soon be published in the Government Gazette, where laws and regulatory notifications are officially published in Thailand. Following its publication in the Government Gazette, a one-year transition period will be allotted to businesses to ensure there is effective compliance with the PDPA.

Evidently, the importance of data protection regulations in the digital age we are living in is increasingly being realized, and hopefully such regulations will go from being an afterthought to becoming the basis of structuring a new business. As with existing data protection measures, the PDPA will bring forth new challenges, and businesses should not hesitate to put measures in place immediately that ensure compliance, as those who fail to do so will face penalties.