New data law aimed at ensuring privacy
Thai citizens' data privacy is expected to be secured with the Data Protection Act's enforcement this year after being approved by the cabinet this month.
The Electronic Transactions Development Agency (ETDA) will be responsible for the temporary Data Protection Knowledge Centre to educate the public about data privacy protection. Prior to the Cybersecurity Act, ETDA will also act temporarily as the National Cybersecurity Agency.
"The enforcement of Data Protection Act will enable Thailand to have data privacy in accordance with global international standards," said Pichet Duringkawaroj, after speaking at the seminar "Startup: Business insight" held by Positioningmag.com.
The new law clearly defines data protection, covering three categories of data owners, data controllers and data processors. The proposal follows the revelations that mobile phone operator True Move exposed some 46,000 records — identity, addresses, scans of ID cards and passports — but faces no punishment.
Punishment has been stated for data controllers and data processors for any activities that violate or misuse the data owners' privacy.
Data controllers and data processors must be permitted by data owners to use their data.
"After the draft bill is approved by the cabinet and submitted to the National Legislative Assembly, it's expected to become effective by 2018," said Mr Pichet.
The law will be in line with the new EU General Data Protection Regulation, which will come into effect on May 25 and affects local businesses involved with EU citizens' data.
Mr Pichet said on May 3, the DE Ministry will join the first meeting of acting National Cybersecurity Committee before the Cybersecurity Act becomes effective.
The meeting will cover the working procedures of critical infrastructures in collaboration with responses to a cybersecurity incident.
ThaiCert, a unit under ETDA, will temporarily act as the National CERT (Computer Emergency Response Team) during the Cybersecurity Act and Cybersecurity Agency's absence.
Dhiraphol Suwanprateep, partner and senior associate for technology, media and telecommunications at Baker McKenzie, said the new bill encompasses data processor concept, additional consent exemptions in the case of public interest and legitimate interest, revised the structure of the commission, and removed imprisonment.
However, the bill does not exactly provide safe harbour or exemptions that will fit the nature of digital business, big data and cloud computing business, he said.
As the data flow is mandated by computer systems, in many cases the data controllers and the data processors will not know if the data flow complies with laws.