Lawyer: PDPA reprieve doesn't spare individuals

Lawyer: PDPA reprieve doesn't spare individuals

A royal decree that grants a one-year delay in enforcement of most parts of the Personal Data Protection Act (PDPA) does not spare individuals who violate the law from punishment but does protect organisations and businesses, a legal expert warns.

The royal decree was published in the Royal Gazette on May 21 and is scheduled to take effect on May 27.

The delay spares state organisations; foreign agencies and international organisations; foundations, associations, religious bodies and NGOs; and 19 business fields from complying with the PDPA until May 31, 2021.

The 19 business fields are agriculture; industry; commerce; healthcare; power, water and waste management; construction; maintenance; transport and storage; tourism; communication, computer and digital; finance, banking and insurance; property; profession; administration and service support; science, technology, academics, social work and arts; education; entertainment and recreation; security; and household businesses and community enterprises.

Paiboon Amonpinyokeat, a managing partner of P&P Law Firm, said the decree spares business operators, not individuals.

"Individuals that handle personal data must be cautious and make sure data is not leaked," Mr Paiboon said.

The Digital Economy and Society Ministry and the Personal Data Protection Committee must roll out clear guidelines regarding offences that define whether they fall into business or individual transgressions, he said.

For example, if a medical doctor sells a patient's personal data to a third party, the question is whether the doctor is liable for punishment or does the case fall under the decree's one-year exemption for businesses, Mr Paiboon said.

"We need a principle or guideline on data protection policy and data controller protocol to define whether violations are committed by businesses or individuals," he said.

Online merchants that get addresses and phone numbers from their buyers must keep data secure, he said. If they sell the data to a third party, they could face punishment for violating the PDPA.

The PDPA was published in the Royal Gazette last May and was scheduled to come into force on May 27 this year after a one-year grace period.

Do you like the content of this article?
COMMENT