The Personal Data Protection Act B.E. 2562 (2019) (“PDPA”) of Thailand applies to any natural or legal person who collects, uses or discloses personal data of data subjects in Thailand in the course of their activities. The Act defines “personal data” as any information relating to a person that enables that person to be identified, directly or indirectly; the data subject must be a living natural person, and data processed purely for personal benefit or household activity falls outside the Act’s scope. Under Section 26 of the PDPA, personal data pertaining to racial or ethnic origin, political opinions, cult, religious or philosophical beliefs, sexual behaviour, criminal records, health, disability, trade union membership, genetic data and biometric data is expressly treated as sensitive personal data. Furthermore, the PDPA is not confined to organisations within Thailand, as its territorial scope extends beyond the country’s borders. Per Section 5, data controllers and processors located outside Thailand are subject to the PDPA so long as their activities consist of offering goods or services to, or monitoring the behaviour of, data subjects in Thailand.
The PDPA bears similarities to other data protection laws around the world, in particular the European Union’s General Data Protection Regulation (“GDPR”), which has been cited as a key reference in drafting the PDPA. The two instruments mirror each other in several respects, such as the aforementioned territorial scope, found in Article 3 of the GDPR and Section 5 of the PDPA, and their provisions on data subjects’ rights, data controllers’ obligations and enforcement. Both the PDPA and the GDPR require organisations to appoint a Data Protection Officer (“DPO”) in defined circumstances, and both give individuals the right to access their personal data and the right to have that data erased. There are, however, some key differences. On data breaches, the PDPA is far less detailed than the GDPR: Section 37(4) requires a controller to notify the Office of the Personal Data Protection Committee of a breach without delay and, where feasible, within 72 hours of becoming aware of it (with Section 83 providing the administrative fine for failing to do so), whereas the GDPR sets out detailed requirements in Articles 33 and 34 for notifying both the supervisory authority (within 72 hours) and, where the breach is likely to result in a high risk, the affected individuals. The GDPR also carries heavier penalties for organisations that violate the law, including fines of up to 4% of an organisation’s global annual turnover or €20 million (approximately THB 726 million), whichever is greater.
Under the PDPA, businesses must obtain consent from individuals before collecting, using or disclosing their personal data unless one of the other lawful bases in Section 24 applies. Consent is held to a high standard: although the Act does not define the term, Section 19 (Request of Consent) sets out what is required for consent to be valid. Realistically, however, many companies will not be able to obtain fresh consent from all of their existing customers, since a great deal of data was collected before the PDPA came into force. Businesses must now state the lawful purpose(s) for collecting data when they request consent, but what does this mean for data that has already been collected? Section 95 contains a transitional rule allowing a controller to continue using previously collected data for its original purpose, provided it publicises a way for data subjects to withdraw consent, but beyond that there has been little guidance on this point. It can be assumed that, with time, the Personal Data Protection Committee (“PDPC”) will clarify such cases.
The PDPA sets out numerous legal obligations with which businesses must comply. Businesses that process personal data must disclose their contact details to individuals and allow them to access their personal data. They must also take appropriate security measures to protect personal data from unauthorised or unlawful access, use, alteration, disclosure or destruction. Notably, explicit consent is required before collecting sensitive personal data unless one of the statutory exemptions applies. The appointment of a DPO is mandatory under the PDPA (and its future sub-regulations) where, among other triggers, the controller’s or processor’s core activity is the collection, use or disclosure of sensitive personal data.
There are a number of reasons why compliance with the PDPA has been uneven. An underlying reason is that the law is relatively new, and companies may not be fully aware of their obligations under it. Another is that the law contains a number of complex provisions that can be difficult to interpret and comply with, particularly for smaller organisations that do not fully understand what is required of them. Thankfully, some of this obscurity has faded, as the PDPC has since issued sub-regulations clarifying the contents of the PDPA. As of September 2022, four new regulations have been issued: Security Measures for Personal Data Controllers; Criteria and Methods for Records of Processing Activities (“ROPA”) for Personal Data Controllers; Exemptions from ROPA Requirements for Small and Medium Enterprises; and Criteria for Consideration of Issuing Administrative Fines and Orders by the Expert Committee. The first, third and fourth came into effect on 21 June 2022, whereas the second (the ROPA criteria) will come into effect on 17 December 2022. The PDPC has stated that more are to follow soon.
Notably, the newly published subsidiary regulations, issued through Thailand’s Government Gazette, are designed to ensure that personal data is processed in a fair, transparent and accountable manner. The PDPC has also put smaller enterprises at ease: they will be exempt from maintaining full records of processing activities except in certain circumstances. These exempt organisations include SMEs, community, social and household enterprises, as well as NGOs, foundations, associations and religious organisations. The regulations also require data controllers to take steps to protect individuals’ personal data from unauthorised access, use or disclosure. In addition, they stipulate that data controllers must inform individuals of their rights under the PDPA and ensure that those rights are respected. Finally, the regulations establish a complaints procedure whereby individuals can lodge a complaint with the Office of the Personal Data Protection Committee if they believe their rights have been violated. Although they have yet to be tested, the new subsidiary regulations are expected to aid enforcement of the law by providing guidelines on how to comply with the PDPA; they also set out the criteria for penalties for non-compliance and create a mechanism for reporting violations.
Lastly, the PDPA allows data subjects to bring class action lawsuits where a failure to comply with the Act in the course of a business’s operations causes them damage. The data subject may claim compensation for such damage regardless of whether the operations were performed intentionally or negligently. Thus, failure to comply with the PDPA could result in civil liability, including punitive damages of up to twice the actual damages, administrative fines of up to THB 5 million, and criminal penalties of imprisonment for up to one year, a fine of up to THB 1 million, or both.