User’s Guide to Thailand’s Controversial New Data Protection Law


The Personal Data Protection Act (PDPA) will finally come into force on June 1, 2022. The law aims to ensure the protection of individuals and their personal data and to impose obligations on companies and public bodies with regard to the collection, processing, use and disclosure. personal information. (Photo by Sai Kiran Anagani)

Postponed twice since 2019, Thailand’s first personal data protection law will finally come into force this Wednesday (June 1) – despite last-minute efforts by the private sector to delay its implementation for another two years.

The Personal Data Protection Act (PDPA) 2019 seeks to ensure the protection of individuals and their personal data and to impose obligations on companies and public bodies with respect to the collection, processing, use and disclosure personal information.

The legislation is based on the European Union’s General Data Protection Regulation, which came into force in 2016.

The PDPA also applies to data controllers and processors outside of Thailand if they process personal data of data owners in Thailand and offer goods and services to such data owners or monitor their behavior.

Data controllers and processors are required by law to obtain permission from data owners for any collection, use or disclosure of their personal information.

Financial and administrative fines

Anyone who violates the new law will be subject to civil and/or criminal penalties.

Fraudulent use or disclosure of personal data is punishable by up to six months in prison or a fine of up to 500,000 baht. Illegal misuse of personal data is punishable by one year in prison or a fine of up to 1 million baht.

The data privacy law also imposes administrative fines ranging from 500,000 to 1 million baht and allows the injured party to bring a civil action for compensation.

Under this law, personal data includes names, date of birth, telephone number, home address, email address, identity card number, passport number, education and financial information, weight, height, medical and criminal records, fingerprint and facial information and iris patterns.

Without the explicit consent of the data owner, any collection of personal information on racial or ethnic origin, political opinions, religions, religious or philosophical beliefs, sexual behavior, criminal records, health data, disability, union information, genetic data and biometrics is prohibited.

Exemptions are granted in the following cases: Compliance with contractual obligations involving the data subject; serve the public interest, such as statistical research to protect public health; and serve legitimate interests, such as preventing harm to an individual.

In addition, the PDPA guarantees the following rights of data owners: right to be informed (of the purpose of the collection, the duration of the data retention, etc.); right to access their personal data; right to rectification of inaccurate or misleading information; right to oppose/remove inappropriate uses, at any time; right to restrict processing; right to erasure; and right to data portability.

Bangkok poll triggers national wave of demand for local democracy

Postponed twice and more delay requested

The law was published in the Royal Gazette in May 2019 with a one-year grace period. But its June 2020 effective date was pushed back to June 1, 2021 as both the public and private sectors wanted more time to prepare for compliance, which requires deployments of high-tech protections against the unauthorized access to stored personal data, and to manage data storage, deletion, transfer and review.

Law enforcement was again delayed, for another year, when the third wave of COVID-19 hit Thailand after Songkran in 2021.

In early May, the Standing Joint Committee on Commerce, Industry and Banking called for the PDPA to be postponed for at least two more years so that all stakeholders are ready to comply. The group said many businesses, especially micro-enterprises and SMEs, needed more time to fully comply with the law as they struggled to recover from the economic impacts of the pandemic.

However, Thienchai na Nakorn, chairman of the personal data protection committee, said last week that the law had already been delayed beyond the two-year deadline and therefore now needed to be implemented.

Many businesses are still unprepared

According to a recent survey, a large number of Thai companies claim that they still lack the required preparation to comply with the PDPA. Only 8% of nearly 4,000 companies surveyed said they had taken steps to be fully compliant, while 31% said they hadn’t even started the compliance process.

The majority of companies surveyed said that the hardest part of PDPA compliance was registering the processing of personal data.

Some business executives have expressed concern that companies that are unprepared for compliance could be blackmailed with the threat of exposing regulators.

Others say the jail term provided by law is the companies’ “biggest concern” because their board members could be affected. They warn that lawsuits stemming from the PDPA could scare off foreign investors, diverting them to countries without such legislation.

Some experts are urging the government to publicize more the new law regarding legal protection for members of the public and educate the police for effective enforcement.

By Thai PBS World’s Political Desk

East Meets West As Southern Thailand’s Nora Dance Lands In Venice


Comments are closed.