DataGuidance confirmed, on 21 September 2018, with Dhiraphol Suwanprateep, Partner at Baker & McKenzie Ltd. Bangkok, that the Ministry of Digital Economy and Society (‘MDES’) published, on 5 September 2018, a revised draft of the Personal Data Protection Bill (‘the Bill’) updating a previous draft published in May 2018. The Bill addresses the collection, processing and disclosure of personal information by data controllers and processors, as well as, data subject rights, cross-border transfers and penalties.
The Bill provides that controllers of personal information must not collect, use, or disclose personal information if the owner of the personal information has not consented, either in writing or by electronic means, to the same. In addition, the Bill requires controllers to outline the purpose for personal information processing and provide data subjects with a means to withdraw their consent. Furthermore, it establishes that the collection and processing of data pertaining to race, ethnicity, genetic and biological identifiers, is prohibited when no express consent has been provided by a data subject.
Where the controller of personal information transmits or transfers personal information outside of Thailand, the receiving country must have an adequate standard of protection in place
The Bill regulates cross-border transfers of personal information and stipulates that where a controller of personal information transmits or transfers personal information outside of Thailand, the receiving country must have an adequate standard of protection in place. However, the Bill also provides exemptions, namely when the transfer is necessary for the fulfilment of a contract or if the information is of major public interest, among others. The scope of the Bill is extraterritorial, therefore organisations located outside of Thailand which process the personal information of data subjects covered by the Bill would have to comply with its provisions.
The Bill also seeks to introduce penalties in cases of non-compliance, which would be administered by the Secretary General or by a person assigned by the Secretary General, in particular the seriousness of the offence would be considered when calculating a fine. The Bill will be submitted to Council of Ministers and, if approved, move to the National Legislative Assembly for approval.
GEORGE HANNAFORD Junior Privacy Analyst