The Digital Economy and Society (DES) Ministry is seeking to postpone the enforcement of the Personal Data Protection Act (PDPA), due to take effect late next month, saying state and private organisations will be too burdened to comply during the pandemic.
The PDPA was published in the Royal Gazette in May last year, but comes into force on May 27 after a one-year grace period.
Once implemented, the PDPA is expected to change the landscape of personal data protection in Thailand. The legislation mandates that data controllers and processors who use personal data must receive consent from data owners and use it only for expressed purposes.
DES Minister Buddhipongse Punnakanta said given the pandemic and the lack of preparedness among state and private organisations to comply with the law, he agreed the ministry should look to defer enforcement.
Members of the National Cyber Security Committee suggested the government draft a royal decree to suspend the enforcement of either some or all sections of the act, he said.
The minister said he also discussed with Deputy Prime Minister Wissanu Krea-ngam the feasibility and necessity of issuing the decree.
“Hasty enforcement is not useful for anyone,” said Mr Buddhipongse.
A postponement must be determined by the end of this month, he said.
A delay would provide time to select members of the PDPA Committee, establish a committee office and roll out subordinate legislation, said Mr Buddhipongse.
Putchapong Nodthaisong, deputy permanent secretary for DES, said the royal decree would be rolled out to suspend only some sections, which mainly involve penalties and complaint mechanisms under the law.
The suspension of the entire law would affect the process to select members for the PDPA committee and other internal procedures, he said.
The DES ministry is in the process of selecting PDPA committee members, which is expected to conclude by the end of this month.
The PDPA committee will set up a subcommittee to iron out related standards or other involved regulations, which must be wrapped up one year after the PDPA committee is formed.
The related standards include minimum data protection security requirements, qualifications for data protection officers and complaint procedures.
Mr Putchapong said the subcommittee will also have to appoint an expert panel to screen complaints that meet the PDPA’s criteria.
The postponement would ward off complaints, especially on small and medium-sized enterprises, which might not yet be prepared for the legislation, he said. Major enterprises, telecom and SET-listed companies are mostly aware of the law.
Mr Putchapong suggested businesses ask for users’ consent to use their personal data and make the purpose of the data collection clear.
Consumers can still sue businesses misusing their data, such as selling it to a third party, in line with existing laws, he said.