Controversial law on personal data again postponed, for another year

Controversial law on personal data again postponed, for another year

The cabinet has postponed enforcement of the Personal Data Protection Act for one more year, to May 31 2022. (Bangkok Post photo)
The cabinet has postponed enforcement of the Personal Data Protection Act for one more year, to May 31 2022. (Bangkok Post photo)

The cabinet has approved the deferral of the full enforcement of the Personal Data Protection Act (PDPA) slated for this June by another year, with the explanation the country is facing a difficult time with the pandemic and the legislation’s related processes have yet to be settled.

The postponement request was forwarded by the Ministry of Digital Economy and Society to the cabinet meeting on Wednesday and the royal decree drafted to defer the enforcement was agreed upon, according to a ministry source. 

Enforcement is pushed back to May 31, 2022. 

The source said several procedures linked to the act have yet to be completed, including the appointment of the 16-member Personal Data Protection Committee.

Subsidiary legislation in connection with consent procedures, complaint reception and expert panels have been drafted, but require approval from the committee. 

Automotive and travel business operators have written to the government, asking to postpone the enforcement of the act. 

The Federation of Thai Industries (FTI) and the Thai Chamber of Commerce have also voiced their concerns about their compliance with the legislation, saying it would place an extra burden on the private sector. 

FTI chairman Supant Mongkolsuthree said a violation of the PDPA carries a jail sentence, which is hasher than similar laws in foreign countries, and global practice. 

He said the law may result in businesses receiving harsh punishment through loopholes.

“As the government decided to postpone the enforcement of the act, it may also need to consider amending the law in terms of penalties by having only fines, in line with other countries,” Mr Supant said. 

The PDPA, which has seven chapters and 96 sections, was published in the Royal Gazette in May 2019, but a one-year grace period was allowed for affected parties to adjust.

In May 2020, the cabinet agreed to postpone the enforcement of most chapters of the PDPA by another year to give the public and private sectors time to prepare their internal processes and ease the financial burden shouldered during the pandemic.

Once implemented, the PDPA is expected to change the landscape of personal data protection in Thailand.

The legislation mandates that data controllers and processors who use personal data must receive consent from data owners and use it only for expressed purposes.

Dhiraphol Suwanprateep, a partner for technology, media and telecommunications at law firm Baker McKenzie, said this business law should not contain criminal penalties.

Thailand has adopted similar practices to the EU’s General Data Protection Regulation, which provides for strong punishment. 

As enforcement of the PDPA has seen the two postponements, it would be unreasonable to defer it again next year, he added.

Do you like the content of this article?
COMMENT (5)