{"id":2389,"date":"2019-03-21T12:00:49","date_gmt":"2019-03-21T17:00:49","guid":{"rendered":"http:\/\/blogs.luc.edu\/compliance\/?p=2389"},"modified":"2019-03-21T12:00:49","modified_gmt":"2019-03-21T17:00:49","slug":"the-shift-from-sectoral-to-comprehensive-data-protection-in-thailand","status":"publish","type":"post","link":"https:\/\/blogs.luc.edu\/compliance\/?p=2389","title":{"rendered":"The Shift from Sectoral to Comprehensive Data Protection in Thailand"},"content":{"rendered":"\n<p><em>Dhara Shah<\/em><\/p>\n\n\n\n<p><em>Associate Editor<\/em><\/p>\n\n\n\n<p><em>Loyola University Chicago School of Law, JD 2020<\/em><\/p>\n\n\n\n<p>Ever since the enactment of the General Data Protection Regulation in the European Union, data privacy and data protection have become a hot topic for businesses and countries around the world. In the digital age where personal data is constantly collected, processed, and used, the need for strong data collection regulations has never been more important. Many countries have begun to enact data protection laws, and the most recent addition to a comprehensive data protection act is seen in Thailand. On February 28<sup>th<\/sup>, 2019 Thailand\u2019s National Legislative Assembly approved the very first comprehensive data protection law in the country, the <a href=\"https:\/\/globalcompliancenews.com\/first-thailand-personal-data-protection-act-has-been-passed-20190401\/\">Thailand Personal Data Protection Act<\/a>, which will be effective after a one-year transition period to help ensure compliance.<\/p>\n\n\n\n<p><strong>The Right to Privacy in Thailand<\/strong><\/p>\n\n\n\n<p><a href=\"https:\/\/privacyinternational.org\/sites\/default\/files\/2017-12\/privacy_thailand.pdf\">Thailand\u2019s Constitution<\/a> upholds basic fundamental rights, including the right to privacy. However, up until now there has been no consolidated law that regulates data protection as a whole. 
Prior to the passing of the Personal Data Protection Act (PDPA), Thailand\u2019s data protection model mirrored the United States\u2019 sectoral approach. A sectoral approach entails that data is protected within individual industries. For example, in the United States there is the <a href=\"https:\/\/searchhealthit.techtarget.com\/definition\/HIPAA\">Health Insurance Portability and Accountability Act<\/a> (HIPAA) that serves to govern and protect data that relates to medical information and the <a href=\"https:\/\/www.ftc.gov\/enforcement\/rules\/rulemaking-regulatory-reform-proceedings\/childrens-online-privacy-protection-rule\">Children\u2019s Online Privacy Protection Rule<\/a> (COPPA) which regulates the privacy of children online. Similarly, prior to the PDPA, Thailand only had separate laws that individually governed various industries such as <a href=\"https:\/\/globalcompliancenews.com\/first-thailand-personal-data-protection-act-has-been-passed-20190401\/\">telecommunications, healthcare, banking, and the credit bureau<\/a>.<\/p>\n\n\n\n<p>The\nimplementation of the PDPA shifts data protection in Thailand from sectoral to\ncomprehensive. This means that Thailand now more closely mirrors the European\nUnion and its <a href=\"https:\/\/eugdpr.org\/\">General Data Protection Regulation<\/a>\n(GDPR). 
Although the PDPA uses terminology similar to that of the GDPR and both allow\nfor data protection measures on a national scale, it is important to note that compliance\nwith one does not necessarily mean compliance with the other, as there are still\ndifferences between the two regulations.<\/p>\n\n\n\n<p><strong>The Personal Data Protection Act\u2019s Key\nPoints<\/strong><\/p>\n\n\n\n<p>While the\nPDPA covers a range of data protection measures, the following are a few of the\nkey measures found in the Act.<\/p>\n\n\n\n<p>The PDPA\nhas <a href=\"https:\/\/www.lexology.com\/library\/detail.aspx?g=5040828d-c80c-47aa-b6ef-06b9f4d1ea23\">extraterritorial\napplicability<\/a>, meaning that the law applies not only to <a href=\"https:\/\/www.dataprotectionreport.com\/2018\/08\/overview-of-thailand-draft-personal-data-protection-act\/\">data\ncontrollers<\/a>, those who make decisions on collection, use, or disclosure of\ndata, within Thailand but also to data controllers outside of the country. This\nmeans that companies located outside of Thailand can be held responsible for not\ncomplying with the PDPA. There are also <a href=\"https:\/\/www.lexology.com\/library\/detail.aspx?g=5040828d-c80c-47aa-b6ef-06b9f4d1ea23\">consent\nrequirements<\/a>, which hold that consent from <a href=\"https:\/\/www.dataprotectionreport.com\/2018\/08\/overview-of-thailand-draft-personal-data-protection-act\/\">data\nsubjects<\/a>, the persons whose data is being collected, is necessary, in\nwriting or online, before personal data can be processed. For minors, the PDPA\nrequires <a href=\"https:\/\/www.lexology.com\/library\/detail.aspx?g=746d110b-1747-4f3b-aebc-1ae7ac0fd7cb\">parental\nconsent<\/a> before collecting data from those under 10 years old. Data\nsubjects also hold the power to revoke consent in such a situation at any\npoint, subject to some restrictions. 
Additionally, restrictions and exemptions exist\nsurrounding the collection, use, disclosure, and cross-border transfer of\npersonal data. <a href=\"https:\/\/www.bakermckenzie.com\/en\/insight\/publications\/2019\/03\/the-first-thailand-personal-data\">Other\nprovisions<\/a> in the PDPA include security measures, data breach notification,\nexplicit consent requirements for sensitive data, records of processing\nactivities, representatives of controllers or processors who are not established\nin Thailand, data protection officers, data subjects\u2019 rights, and damages.<\/p>\n\n\n\n<p><strong>Looking Forward: The Personal Data Protection\nAct and Beyond<\/strong><\/p>\n\n\n\n<p>The\nNational Legislative Assembly approved the PDPA on February 28<sup>th<\/sup>,\n2019 and it will soon be published in the Government Gazette, where laws and\nregulatory notifications are officially published in Thailand. Following its publication\nin the Government Gazette, a one-year transition period will be allotted to\nbusinesses to ensure there is effective compliance with the PDPA.<\/p>\n\n\n\n<p>Evidently, the\nimportance of data protection regulations in the digital age we are living in\nis increasingly being recognized, and hopefully such regulations will go from being\nan afterthought to becoming the basis of structuring a new business. As with\nexisting data protection measures, the PDPA will bring forth new challenges,\nand businesses should not hesitate to put compliance measures in place\nimmediately \u2013 as those who fail to do so will face penalties.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Ever since the enactment of the General Data Protection Regulation in the European Union, data privacy and data protection have become a hot topic for businesses and countries around the world. In the digital age where personal data is constantly collected, processed, and used, the need for strong data collection regulations has never been more important. 
Many countries have begun to enact data protection laws, and the most recent addition to a comprehensive data protection act is seen in Thailand. On February 28th, 2019 Thailand\u2019s National Legislative Assembly approved the very first comprehensive data protection law in the country, the Thailand Personal Data Protection Act, which will be effective after a one-year transition period to help ensure compliance.<\/p>\n","protected":false},"author":28,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[],"class_list":["post-2389","post","type-post","status-publish","format-standard","hentry","category-uncategorized"],"_links":{"self":[{"href":"https:\/\/blogs.luc.edu\/compliance\/index.php?rest_route=\/wp\/v2\/posts\/2389","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/blogs.luc.edu\/compliance\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/blogs.luc.edu\/compliance\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/blogs.luc.edu\/compliance\/index.php?rest_route=\/wp\/v2\/users\/28"}],"replies":[{"embeddable":true,"href":"https:\/\/blogs.luc.edu\/compliance\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=2389"}],"version-history":[{"count":0,"href":"https:\/\/blogs.luc.edu\/compliance\/index.php?rest_route=\/wp\/v2\/posts\/2389\/revisions"}],"wp:attachment":[{"href":"https:\/\/blogs.luc.edu\/compliance\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=2389"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/blogs.luc.edu\/compliance\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=2389"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/blogs.luc.edu\/compliance\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=2389"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}