Explainer: What is PDPA, Thailand's new data law?

Enforcement of the Personal Data Protection Act finally starts on June 1, but what that means is a hazy area

The Personal Data Protection Act is Thailand's first law created to govern data protection.

Thailand's drive to provide more comprehensive online safety for individuals begins Wednesday with enforcement of the Personal Data Protection Act (PDPA).

Major firms welcomed the enforcement as it was pushed back twice because of the Covid-19 pandemic.

Q: What does Thailand's first law governing data protection entail?

The PDPA is Thailand's first law created to govern data protection. It sets forth requirements for data controllers and data processors, including both public and private entities, on how to receive consent from data subjects before processing, collecting or disclosing personal data.

Data subjects also have the right to request access to their personal data and to demand that such data be erased. They also have the right to object to the collection, usage or disclosure of their personal data.

The act, which has seven chapters and 96 sections, was published in the Royal Gazette on May 27, 2019, with a one-year grace period allowing stakeholders to adjust.

Data protection officers (DPO) must be appointed for government bodies and firms with large-scale data processing. A DPO is responsible for helping the organisation ensure that subjects' personal data is processed in compliance with the PDPA requirements and serves as a contact point for PDPA issues with the authorities and data subjects.

Q: What is considered personal data?

The definition of personal data, as defined in the Royal Gazette, is translated as "any information relating to a person that enables that person to be identified, whether directly or indirectly. This does not extend to information related to deceased persons in particular."

The PDPA is meant to prevent and thwart the misuse of personal data. The act is among the 12 digital-related laws the Thai government introduced as part of its digital economy transformation roadmap.

Digital Economy and Society Minister Chaiwut Thanakamanusorn said the new law would play a crucial role in supporting a digital-driven economy. The government projects digital-related business to generate 30% of GDP in five years.

Q: What are the penalties for breaching Thailand's PDPA?

The Royal Gazette outlines three types of liabilities: criminal, civil and administrative. The penalties are subject to the extent and types of violations, ranging from a few thousand baht to 5 million.

Phongphan Polyiem, a lecturer and lawyer who specialises in human resources and Thai labour law, provided a few examples during a seminar on the PDPA that could result in fines of up to 500,000 baht and/or imprisonment for up to six months.

He said taking someone's photo directly off Google to edit and/or add messages, whether it is supporting or criticising the person, is considered a violation of the PDPA. Posting about someone's illness and health data on social media platforms or issuing a notice to a specific employee through a mass Line group chat with other employees in it are also examples of violations.

The criminal penalties include fines of up to 1 million baht and/or imprisonment for up to one year, while non-compliance with administrative rules could result in fines of up to 5 million baht and punitive damages up to twice the amount of the actual damages.

Q: Is Thailand ready to implement the PDPA?

According to a PDPA readiness survey by the Thai Board of Trade and the University of the Thai Chamber of Commerce, only 8% of almost 4,000 businesses interviewed said they have taken measures to be fully compliant with the law, while 31% indicated they have not even started the process of compliance.

Somchai Lertsutiwong, chief executive of Advanced Info Service, the country's biggest mobile operator by subscriber base, said the company has been studying, developing and improving tools and processes to ensure compliance since the PDPA was published in 2019. He said the company is now fully ready for the legislation's enforcement.

Stephen James Helwig, interim chief corporate affairs officer for Total Access Communications (DTAC), the country's third-biggest mobile operator, said the company has implemented its privacy policy and readiness projects since the General Data Protection Regulation came into effect in Europe in 2018. This means DTAC collects, stores and manages users' personal data in compliance with the PDPA, while its policy details the opportunities clients have to monitor and manage their personal data.

"The enforcement of the PDPA on June 1 marks a milestone for privacy protection and data security for customers in Thailand," Mr Helwig said.

As for international firms, Alibaba Cloud, the cloud computing service arm of Chinese e-commerce giant Alibaba Group, launched its first data centre in Thailand last month with 1.06 billion baht in registered capital.

Tyler Qiu, Thailand country manager for the firm, said the data centre secured ISO 27001 and ISO 20000 certificates. It is compliant with Thailand's PDPA regulations and the financial regulatory guidelines issued by the Bank of Thailand.

However, Pranontha Titavunno, a board director of the Federation of Thai Industries, said the majority of small businesses that have suffered from the impact of the pandemic over the past two years are still unprepared for PDPA compliance.

Q: What is the government's position on enforcement?

The government said the enforcement of penalties would be relaxed in the first year of implementation if violators did not intend to commit a wrongdoing, as it is a transitional period when the development of understanding about the law and mediation for disputes would still be required.

Paiboon Amornpinyokiat, a member of the Personal Data Protection Committee legal subcommittee, said in the first year of the PDPA's implementation, the authorities will focus only on issuing warnings to violators and urging them to comply with the guidelines.

The core task in the first year is to protect people's rights to data protection, while ramping up efforts to boost understanding of the law among related parties, he said.

"The government wants the law to support the digital economy -- it is not intended to seek money from fines for the state," Mr Paiboon said.

He said a subordinate regulation would be issued to spare small and medium-sized enterprises from being obliged to comply with the PDPA's practices on the recording of processing activities.
