Since our July 2015 update, the 2015 draft Personal Data Protection Bill (the "2015 PDPB") was withdrawn by Cabinet Resolution and returned to the Ministry of Digital Economy and Society (the "MDES") for amendment. Now, after more than two years, a new draft Personal Data Protection Bill (the "New PDPB") has finally been drawn up and a public hearing has been scheduled from 22 January 2018 to 6 February 2018. Participation in this public hearing is now sought.
Major changes introduced in the New PDPB
While many of the major concepts introduced in the 2015 PDPB remain in the New PDPB, such as the consent requirements and the definitions of personal data and data controller, there are also several new concepts introduced for the first time. Please see a summary of the changes below.
1. Definition of the data processor and its obligations
The New PDPB provides a definition for the term "data processor" as "a person or entity who conducts activities related to collection, use, or disclosure of personal data under the instructions or under the name of the data controller."
Data processors are subject to various obligations, including implementing appropriate security measures, notifying the data controller of data breach incidents, and establishing and maintaining records of processing activities. Failure to comply would result in fines.
2. Additional obligation of the data controller
Apart from existing obligations set forth in the 2015 PDPB, a data controller is also required to regularly perform a data protection impact assessment of the data subjects under the New PDPB.
3. Exemptions of consent requirements
Generally, consent of the data subject is required before or at the time of collection, use, or disclosure except in certain circumstances. The New PDPB has broadened the scope of these exceptions to include:
(1) a case where it is necessary for the public interest or in the exercise of official authority vested in the data controller with an exemption; or
(2) a case where it is necessary for the purposes of the legitimate interest pursued by the data controller or by a third party with exemptions.
4. Grace period and transitory provisions
The New PDPB shall come into force 240 days after publication in the Government Gazette. In instances where personal data has been collected by a data controller before the New PDPB comes into force, the data controller shall be able to continuously use or disclose such personal data in accordance with the purpose for which the data subject was previously notified.
However, the data controller must obtain consent from data subjects for collection, use, or disclosure of such personal data in accordance with the New PDPB, according to the conditions and for the duration to be prescribed under a ministerial regulation. The duration to be prescribed in the ministerial regulation shall not exceed a period of three (3) years from the effective date of the New PDPB.
5. New concept of penalties for non-compliance
The New PDPB removes imprisonment as a penalty.
After the public hearing process is complete, the New PDPB will be forwarded to the Cabinet for approval before its submission to the National Legislative Assembly (the “NLA”) for further consideration. Once the NLA endorses the draft law, it will be sent to His Majesty the King for final approval before being published in the Government Gazette.
Based on our reading, the New PDPB adopts a number of concepts from the EU's General Data Protection Regulation (the "GDPR"), which will become effective in May 2018.
There are of course potential challenges to the application of new legal principles. Certain provisions in the New PDPB remain unclear and open to interpretation. Some such provisions could potentially cause impractical difficulties for and/or impose excessive liability on data controllers and/or processors. For example, in practice it may be difficult for some data processors, especially those from businesses that serve as intermediaries (i.e., internet service providers (ISP), cloud service providers, or data center providers), to comply with the New PDPB. The exclusion of such business operators from the definition of the term data processor and data controller should be considered to reflect the nature of their businesses.
Also of concern is that the New PDPB is not clear on the public interest and legitimate interest concepts introduced as new exceptions to consent requirements thereunder, as opposed to the GDPR which provides examples of what constitutes public interest and legitimate interest.
Once the New PDPB becomes effective, it will change the landscape of personal data protection in Thailand and impact almost every business entity. The sub-regulation for the transition period is important as it will require considerable time and effort to obtain consent from existing and previous customers and employees in order to comply with the New PDPB.
We are closely monitoring the progress of this bill and will continue to provide updates on future developments as they occur.