The Personal Data Protection Act 2019 ('PDPA') entered into force on 28 May 2019, following its publication in the Royal Thai Government Gazette. Among other things, the PDPA introduces a new definition of personal data, consent requirements (including for minors), data subjects' rights, data breach notification requirements, protections for sensitive personal data, extraterritorial applicability and restrictions on transfers of personal data to third countries. There is a one-year transition period for compliance with the PDPA from the date it comes into force.
Alan Polivnick, Partner at Watson Farley & Williams (Thailand) Ltd. noted, “As the PDPA creates a new regime for data handling, protection and privacy, a key issue is the extent to which breaches are investigated, prosecuted and the impact of convictions. Unlike EU enforcement agencies, Thai counterparts do not have the benefit of prior rulings to assist in interpreting the provisions of the PDPA and do not generally follow or apply decisions of courts in other jurisdictions. Over time, this could result in significant divergences [from the General Data Protection Regulation (Regulation (EU) 2016/679) (‘GDPR’)] in the interpretation of similar concepts, such as consent, the definition of personal data and extraterritorial application. […] [Another] key issue will be the ability to enforce the PDPA outside Thailand, particularly for companies with only an online presence. It remains unclear how the Thai authorities would seek to enforce against a breach from such organisations, particularly in circumstances where the company complies with local law and regulations where the data is processed or stored. Ultimately public pressure and the potential loss of business in Thailand may prove a stronger deterrent.”
The PDPA adopts the concept of extraterritorial scope from the GDPR: processing, handling or storing personal data outside Thailand will not exempt companies and organisations based outside Thailand from compliance with the PDPA. The PDPA will apply to data belonging to a person residing in Thailand where the Thai resident is offered goods or services, regardless of whether any payment is required, and where the behaviour of Thai residents is monitored in Thailand. The PDPA also introduces administrative fines of up to THB 5 million (approx. €14,120), criminal penalties of imprisonment of up to one year and/or fines of up to THB 2 million (approx. €2,820), and punitive damages of up to twice the amount of the actual damages for violations of the PDPA. Furthermore, civil damages under the PDPA can be multiplied, as Thailand now allows data subjects to bring class action lawsuits, and the director of a company may also be subject to penalties under the PDPA.
In addition, Polivnick stated, “The PDPA provisions on the cross-border transfer of personal data are less clearly defined [than the GDPR] and carry a greater risk of claims of non-compliance, particularly in the absence of binding and accepted interpretations of the requirements. Thai subsidiaries of multinational companies will need to carefully consider the grounds on which they can transfer personal data out of Thailand, particularly where this attracts the extraterritorial application of the PDPA and given the fines and penalties for non-compliance. If the fines are uniformly enforced, they will create a strong incentive for companies and organisations to comply. It remains to be seen whether this will be the outcome.”
The PDPA also introduces requirements for consent: it must be obtained on or before the collection of personal data, it must be clear, and it must not be obtained in a way that causes deception or misunderstanding on the part of the data subject. Furthermore, the PDPA introduces consent requirements for data transfers to a third country. Although the PDPA contains no data localisation requirement, it does prohibit the transfer of personal data to a third country that does not have an adequate level of protection unless additional requirements are fulfilled, including, among other things, that the data subject has given express consent, that the data subject has been informed that the third country has an inadequate level of protection, and that the transfer is necessary for the public interest.
Further, Athistha (Nop) Chitranukroh, Partner at Tilleke & Gibbins International Ltd., commented, "The PDPA will impose higher operating costs on business operators. For example, it requires a data controller and a data processor to designate a data protection officer in cases where, in respect of collecting, using or transferring personal data, there is 'regular and systematic monitoring' of individuals at a large scale as further designated by the Personal Data Protection Committee; or where the core activities of a data controller or a data processor are related to collecting, using, or transferring sensitive personal data. […] There is also a data breach notification requirement: in the case of a data breach, and depending on the degree of risk associated, notification to the regulator and each individual data subject within 72 hours could be required. […] [In addition,] the high risk [for non-compliance] would fall more on the data controllers, who under the definition of the PDPA are required to handle a significant volume of personal data."
Christopher Campbell, Privacy Analyst