Most parts of PDPA to be deferred by a year
Cabinet endorses royal decree on delay
The cabinet has agreed to postpone the enforcement of most chapters of the Personal Data Protection Act (PDPA) by a year to give the public and private sectors time to prepare their internal processes and ease the financial burden they are shouldering during the coronavirus pandemic.
A royal decree seeking deferral of enforcement was approved at Tuesday's cabinet meeting.
To fully comply with the PDPA, businesses and related parties that are processing the personal information of employees, partners and co-operators may need a huge budget and seek personnel to deal with related issues in connection with the act, according to Digital Economy and Society Minister Buddhipongse Punnakanta.
Since the start of 2020, the pandemic has hampered all organisations, especially private businesses, which are struggling to collect revenue and make investments, he said.
The PDPA, which has seven chapters and 96 sections, was published in the Royal Gazette in May 2019. It was due to be enforced on May 27 following a one-year grace period.
Once implemented, the PDPA is expected to change the landscape of personal data protection in Thailand.
The legislation mandates that data controllers and processors who use personal data must receive consent from data owners and use it only for expressed purposes.
Suspended from the enforcement by a year are Chapter 2 involving the protection of personal data, Chapter 3 related to the use or disclosure of personal data, Chapter 5 linked with complaints, Chapter 6 associated with civil liability and Chapter 7 concerning penalties.
Also suspended is Section 95 of the transitional provision, which involves personal data collected before the act took effect.
Mr Buddhipongse said Sections 1-7 and 91-94, as well as Chapters 1 and 4, have been enforced since May 28 last year.
To comply with the act, organisations of all sizes must improve their procedures and information systems, he said.
They will have to hire people or juristic persons to look after the personal data protection and improve the system to protect transmission of data overseas.
Violators face imprisonment of up to one year or a maximum fine of 500,000 baht.
"The government and prime minister are aware of all limitation of the implementation of the act through hearings from associations of related business sectors," Mr Buddhipongse said.