Andreas Richter and Anuwat Ngamprasertkul
Thailandās Personal Data Protection Act B.E. 2562 (2019) (āPDPAā)*, which was published in theĀ Royal GazetteĀ on 27 May 2019, was due to be fully enforced one year later on 27 May 2020. On 21 May 2020, however, the Thai government announced a Royal Decree in theĀ Royal GazetteĀ to partially postpone the enforcement of the PDPA by one more year to 1 June 2021 (the āRoyal Decreeā).
The impetus behind this postponement is the Thai governmentās recognition that implementing compliance with PDPA law is complex, and therefore, costly and requires advanced training at all levels. Also, personal data is currently collected and processed by many companies and government agencies to cope with the COVID-19 crisis, which would create major legal compliance issues if the PDPA would now come into full force.
Included in the postponed enforcement of the PDPA are provisions relating to personal data protection, including data collection and use or disclosure of personal data; rights of the data owner; complaints; civil liability; penalties, including criminal liability and administrative liability; and grandfather clauses. However, the Thai government is moving ahead with further establishing the regulatory body and related committee under the PDPA.
The Royal Decree,Ā despite its intention to cover all businesses in Thailand,Ā lists the types of business that will be qualified for this extension, including businesses in the commercial, industrial, construction, energy, public utility, maintenance, transportation, hospitality, communication, banking, insurance and professional industries, among others (see the full list below).
This does not mean that you should not prepare for compliance with the PDPA, however, as the Royal Decree still requires business owners, as data controllers, to have in place security safeguards for personal data in accordance with the standards set by the Ministry of Digital Economy and Society. Therefore, businesses should still have an adequate standard of protecting personal data under their control.
Also, in a competitive world, if businesses can demonstrate that they are fully compliant with the PDPA before their competitors, these businesses will gain the trust of their customers, suppliers, shareholders, stakeholders as well as the general public, and at the same time, mitigate the risk of a data leakage which may cause negative reputational damage and open the door for damaged persons to take legal action against the business owner under general rules, even though the enforcement of the PDPA has been postponed.
In addition, businesses with connections of any means to the European Union are still exposed and are subject to the rules and regulations of the European Unionās General Data Protection Regulation (āGDPRā) and its exterritorial reach, and therefore, are strongly advised to now become compliant with the PDPA which, essentially, is the equivalent of the GDPR.
*The PDPA law is a new law in Thailand that is aligned with the GDPR in the European Union. The PDPA law will change how all businesses operate, setting a high standard for protecting personal data that is collected, stored, disclosed or used for any processing activities. It also sets out important and far-reaching obligations for business owners to respond to new data owner rights, such as the right to access, right to be forgotten, right to withdraw consent and more. In addition, the PDPA law introduces severe penalties for breaches of up to THB 5 million as well as criminal penalties for active directors and responsible officers and double damages to damaged persons.
***
Translated Extracted details of the Royal Decree
Rationale
The Personal Data Protection Act B.E. 2562 (2019) has thoroughly specified rules, procedures and conditions for personal data protection mandating every data controller across the country, both public and private sectors, to strictly comply with such rules, procedures and conditions. However, compliance with such rules, procedures and conditions prescribed by law is detailed and complex, and requires advanced technology to provide effective personal data protection in line with the spirit of the law. This has caused data controllers, both government agencies and private organizations, to not be ready to comply with such Act. Moreover, Section 4, paragraph two of the Personal Data Protection Act B.E. 2562 (2019) states thatĀ āThe exceptions to apply all or parts of the provisions of this Act to any Data Controller in any manner, business or entity, in a similar manner to the Data Controller or for any other public interest purpose, shall be promulgated in the form of a Royal Decree.āĀ For these reasons, it is appropriate to identify the entities and businesses that qualify to be exempted from the Personal Data Protection Act B.E. 2562 (2019) during the grace period and in the promulgation of this decree.
The essence of the Royal Decree
- This decree defines Data Controllers that are entities and businesses exempted from specific provisions of the Personal Data Protection Act B.E. 2562 (2019).
- This decree shall come into force from May 27, 2020 until May 31, 2021.
- The provisions of Chapter II, Chapter III, Chapter V, Chapter VI, Chapter VII and Section 95 of the Personal Data Protection Act B.E. 2562 (2019) shall not be applied to data controllers that are the entities or businesses specified in the list attached to this decree.
- For the benefit of protecting personal data, the data controller under the list shall provide security measures for personal data in accordance with the standards prescribed by the Ministry of Digital Economy and Society.
List attached to the Royal Decree Specifying Data Controllers that are Entities and Businesses exempted from the Personal Data Protection Act B.E. 2562 (2019):
(1) Government agencies
(2) Foreign government agencies and international organizations
(3) Foundations, associations, religious organizations and non-profit organizations
(4) Agricultural business
(5) Industrial business
(6) Commercial business
(7) Medical and public health affairs
(8) Energy, steam, water and waste disposal business including related business
(9) Construction business
(10) Repair and maintenance business
(11) Transportation, delivery and storage of goods business
(12) Tourism business
(13) Communications, telecommunications, computers and digital business
(14) Finance, banking and insurance business
(15) Real estate business
(16) Professional practices
(17) Administration and support services
(18) Science and technology affairs, academic work, social work and arts
(19) Educational affairs
(20) Entertainment and recreation activities
(21) Security business
(22) Household affairs and community enterprises which are unable to be clearly classified
In case there is a problem with an entity or business specified in this list, the Personal Data Protection Committee shall be entitled to make a decision on this.
Disclaimer:
This document is of a general nature only and is provided as an information service. It is not intended to be relied upon as, nor is it a substitute for specific professional advice. No responsibility can be accepted by Blumenthal Richter & Sumet Ltd. for any losses or damages incurred by any person doing anything as a result of this document.
For more information, please contact Andreas C. Richter, Senior Partner at Blumenthal Richter & Sumet,Ā atĀ [email protected] or Anuwat Ngamprasertkul, Partner and Head of Litigation and Dispute Resolution, at [email protected].
