Thailand’s draft Personal Data Protection Act (PDPA), which was approved by the Council of State in December 2018, is now under consideration by the National Legislative Assembly (NLA), which will appoint an extraordinary committee to consider the details. Once the committee approves the draft, the NLA will consider the committee’s opinion, issue a final approval, and present the draft to the monarch to be signed into law.
It will then be published in the Government Gazette before becoming effective, which is expected within 2019. Most provisions will come into force 180 days after publication in the Government Gazette.
- Extraterritorial effect. Overseas data controllers and processors can be subject to the PDPA if they offer any goods or services to data subjects in Thailand, or monitor any behavior that takes place within Thailand. Such overseas data controllers and processors must also appoint a local representative and comply with the PDPA. The concept has been adopted substantially from the GDPR.
- Definition of Personal Data. The definition of “Personal Data” remains unchanged from the previous draft—i.e., any data pertaining to a person that enables the identification of that person, whether directly or indirectly, but specifically excluding data of the deceased. Personal Data does not include business information (business title, business address, and business contact details).
- Definition of a Data Subject. This definition has been entirely deleted since the previous hearing. Interpretation of “Data Subject” now varies section-by-section.
- Collecting consent. Requests for consent must be clear and must not be made to deceive or mislead the data subject. Consent must be made in writing or via electronic means, unless impossible by its nature. Consent can be exempted in several circumstances, including for vital interests, legitimate interests, public interests, and the performance of contractual obligations.
- Parental consent for minors. The draft PDPA still requires parental consent for data subjects under 10 years old, and parental consent in certain circumstances for minors over 10 years old.
- Sensitive personal data. Categories of sensitive personal data are unchanged from the previous draft, including labor union-related data, genetic data, and biometric data.
- Transfer to third countries. The requirements and exemptions for the transfer of personal data to a third country which does not have an adequate level of protection (generally strictly prohibited) are unchanged. The exemptions are:
  - transferring personal data pursuant to applicable laws;
  - consent from the data subject, who has been informed that the third country lacks a suitable level of data protection;
  - it is necessary to comply with contracts in which the data subject is a party, or pursuant to the data subject’s requests prior to entering into contracts;
  - transfer in accordance with an agreement between a data controller and another entity for the benefit of the data subject;
  - to prevent or suspend damage to the life, body, or health of the data subject, or other persons, when the consent of the data subject could not be obtained at that time; and
  - when necessary for substantial public interest purposes.
- Right to data portability. The PDPA still grants data subjects the right to data portability.
- Data protection officer. Data controllers and data processors must designate a data protection officer when their collection, use, or transfer of personal data regularly requires monitoring of personal data or systems, due to the possession of personal data on a large scale, as designated by the Personal Data Protection Commission, or when their core activities relate to collecting, using, or transferring sensitive personal data.
- Civil liabilities. Civil liability remains unchanged—the court can order punitive damages up to twice the value of the actual damage.
- Administrative fines. Administrative fines range from THB 1 million to THB 5 million, as in the previous draft.