Thailand’s PDPA comes into effect on May 31st, 2021 – almost exactly three years after the EU set benchmarks for global data privacy laws via GDPR adoption.
While Thailand PDPA laws draw a few parallels with certain GDPR provisions like the right to access data collected on the data subjects or the data subjects’ rights to be informed, both privacy laws also have notable differences.
In order to understand these differences, it’s important to examine privacy regulations in Thailand PDPA vs. GDPR based on four key elements:
- The scope
- The data subject’s rights
- Key definitions, and;
When we look at it from a personal scope standpoint, Thailand’s PDPA does not apply to public agencies that are responsible for state security. These include responsibilities like managing forensic science and cybersecurity threats, as well as stopping money laundering. In comparison, GDPR laws apply to data processors and data controllers only who may be acting as public agencies as well.
Now, from a material scope standpoint, there are three underlying differences in Thailand PDPA vs. GDPR laws:
- Thailand PDPA does not distinguish between automated and non-automated ways of processing data, whereas GDPR handles user information through automated or non-automated ways if that information belongs to a filing system.
- Thailand PDPA gives data subjects the facility to request their data to be anonymized, but it does not define this as an exception from its scope. GDPR, on the other hand, excludes anonymised data from its scope.
- Thailand PDPA’s scope does not apply to the Senate, House of Representatives, Parliament and other committees appointed by the above. In addition, it excludes the activities from its scope which are conducted by any credit bureau company. But GDPR does not explicitly exclude any law-making entities, while additionally not referring to any credit bureau companies, including their respective processes.
THE DATA SUBJECT’S RIGHTS
When it comes to “the right to be informed”, there are three key provisions between Thailand PDPA vs. GDPR:
Thailand PDPA does not clearly define the right of data subjects to be informed regarding whether profiling and automated decision-making exists. This particular aspect is distinct from GDPR, where data subjects must be made aware of profiling and automated decision-making at the time of data collection.
Thailand PDPA does not clearly explain or outline whether data subjects can be orally made aware of their rights. However, GDPR data subjects can be informed orally along with electronic and written notices.
In regards to “legitimate interest”, Thailand PDPA does not explicitly specify the instances or cases where this applies, whereas, in the case of GDPR, the laws clearly outline what can be regarded or treated as a legitimate interest.
In regards to “right to access”, Thailand PDPA does not specify what precisely should be provided when a data subject makes an access request – but in the case of GDPR, laws explicitly state that data controllers need to inform data subjects about the purpose of processing their personal data, along with the categories of personal information which apply, as well as the respective third parties with whom the data may be shared with.
In regards to, “right to erasure”, Thailand PDPA does not specify a set timeline under which the data controller must address a request, although it does give data subjects the liberty of notifying enforcement authorities should a data controller fail to respond to an erasure request in a timely manner. Furthermore, a data controller isn’t required to adhere to policies or measures to verify each data subject’s identity when the latter makes a request.
In comparison, GDPR explicitly states that data subjects’ requests with regard to the right to erasure needs to be addressed without any delays whatsoever and in any case, within a month after receiving such a request. Additionally, data controllers are required to adhere to policies and/or measures to verify the identity of every data subject who makes such a request.
As far as the “right of users to object” to personal information processing is concerned, both Thailand PDPA and GDPR guarantee it, along with the ability to withdraw consent to such processing at any time. However, with Thailand PDPA laws, there’s no specific duration for the data controller to address such requests where limiting processing of personal information is required.
With GDPR, the laws clearly state that data controllers much deal with requests to limit personal data processing within 30 days. But this duration can be extended to no more than 60 days, depending on how complex the volume of requests are.
The last difference between Thailand PDPA vs. GDPR – which is “individual rights” – is related to the “right to data portability”. Thailand PDPA requires data controllers to keep the justification of objection for each data portability request, in order to verify the data subject and the competent authority involved. On the other hand, GDPR does not impose this requirement on data controllers.
While “personal data” is a key term or definition frequently used in both GDPR and Thailand PDPA laws, the latter does not explicitly consider cookie identifiers, radio frequency ID tags and IP addresses as part of what may be categorized as personal data. GDPR, therefore, considers digital identifiers like cookie identifiers, radio frequency ID tags and IP addresses as part of personal data information.
In addition, Thailand PDPA has no definition in place for “pseudonymized information”, whereas GDPR laws define “pseudonymized information” as the handling of a data subjects’ personal data in such a way that the information in question cannot in any way be connected to any data subject in particular.
Thailand PDPA also does not provide any provision as such on whether unique protection should be afforded to underage data subjects, in situations where that data may be used for market purposes or for gathering specific data in order to deliver social services to them. This aspect is quite distinct from GDPR, where underage data subjects are described as ‘vulnerable natural persons’. As a result, the EU’s data privacy laws have additional provisions in place to ensure that children get higher than normal protection when their data may be used for delivering social services or marketing purposes.
Finally, Thai PDPA laws do not have any specific requirements around collecting, utilizing or sharing personal information for research purposes. Still, data controllers must ensure that the data subjects’ liberties, privileges and welfare are safeguarded at all times. With GDPR, on the other hand, any data subject’s information processed for research purposes is subject to certain regulations like data minimization, rights to erasure and pseudonymization.
In regards to non-compliance, penalties within Thailand PDPA can go up to 5 Million THB. In some cases, however, offenders might be awarded imprisonment of up to a year along with a fine. As for GDPR, offenders may be fined 2% of annual global turnover or €10 million, whichever one is higher – or 4% of annual global turnover or €20 million, whichever one is higher – as enforcement authorities deem fit.