New era of data protection

Revisions to Personal Data Protection Bill reflect substantial changes inspired by latest EU regulations

In an era where personal data is the new gold for exploitation under various business models, regulators in many parts of the world are aware that there should be better data privacy laws to provide protection for their citizens.

The European Union is ahead of the curve, with a new data privacy law to take effect on May 25. The EU General Data Protection Regulation (GDPR) will replace its predecessor, the Data Protection Directive 95/46/EC. Not only does it promise to change the legal landscape in terms of personal data protection all across the EU, it will have an extra-territorial effect on companies outside of the EU (Thailand included), if their processing of personal data is related to:

the offering of goods or services to data subjects in the EU, or

the monitoring of data subjects' behaviour, so long as that behaviour takes place within the EU.

In light of this extra-territorial effect of the GDPR, Thai companies whose activities include handling personal data of data subjects in the EU should prepare for compliance, especially if they intend to continue doing business with EU residents.

The potential impact of the new EU rules was among the subjects covered in Baker McKenzie's 2018 report entitled Globalisation 3.0: A New Era of Trade, Tax and Political Uncertainty. It cited a survey which noted that "a majority of data privacy professionals expect that organisations will need to devote more spending and effort to complying with the GDPR, particularly its consent, data mapping, and cross-border data transfer requirements".

Failure to comply with the GDPR can lead to fines up to €20 million or 4% of a company's global revenue of the preceding financial year, whichever is higher.

Looking at our local regulations, the Thai government is aware that the country still has no consolidated law to govern personal data protection in general. It has been attempting to pass such a law for many years. The latest development occurred in January this year, when the Digital Economy and Society Ministry released the revised draft of the Personal Data Protection Bill (PDPB) for public hearing purposes.

While major concepts introduced in the earlier 2015 version of the draft PDPB remain the same (such as consent and notice requirements), the revised 2018 bill has introduced certain concepts similar to those in the EU GDPR.

For example, exemption from consent requirements now covers cases in which it is necessary for the public interest and for the legitimate interest of the data controller. Further, a data controller is required to regularly perform a data protection impact assessment (DPIA), while the data processor is required to establish and maintain records of processing activities to be prescribed by the Data Protection Committee.

Unlike the EU GDPR, the Thai PDPB does not contain recitals, a legal term describing statements of fact that help to clarify and explain the reasons for each article. Therefore, there remain potential challenges to the application of new legal principles introduced in the revised PDPB. For example, it does not provide examples of what constitutes "public interest" and "legitimate interest" that would trigger certain consent exemptions (as opposed to the GDPR which provides examples in its recitals).

The revised PDPB is still subject to change as it continues through the legislative process before passing into law, so the final version remains to be seen. In the meantime, businesses should re-evaluate their compliance programmes to be ready for both local and international levels of a more complex and sophisticated data protection regime.


Dhiraphol Suwanprateep is a partner and head of the Technology, Media & Telecommunications (TMT) Practice Group at Baker McKenzie in Bangkok.

Kritiyanee Buranatrevedhya is a lawyer working with the group.

They can be reached at Dhiraphol.Suwanprateep@bakermckenzie.com and Kritiyanee.Buranatrevedhya@bakermckenzie.com
