ETDA hastening compliance with EU rules

The Electronic Transactions Development Agency (ETDA) has urged the government to submit the Data Protection Act to the National Legislative Assembly (NLA) this month to avoid sanctions from the EU for General Data Protection Regulation (GDPR) compliance.

The GDPR states that the EU will conduct business with countries that have the same level of data protection, particularly to protect EU citizens' data.

Surangkana Wayuparb, executive director of the ETDA, said the data protection draft is being considered by the Office of the Council of State and is expected to be passed to the NLA this August.

The draft can be amended at this stage to comply with GDPR.

"The law has been delayed for 19 years and passed through many governments, but as the EU's GDPR came into effect this May, we can no longer postpone the law, or many businesses that have EU citizen data might face sanctions because we lack the same legal standards," Mrs Surangkana said.

Self-regulation

[Photo: ETDA executive director Surangkana Wayuparb calls time on delays. Photo by Wisit Thamngern]

She said the ETDA also signed a memorandum of understanding (MoU) on the GDPR with 13 associations: the Federation of Thai Industries, Thai Chamber of Commerce and Thai Board of Trade, Thai Bankers Association, Digital Advertising Association Thailand, Telecommunications Association of Thailand, Thai Blockchain Association, Thai Life Assurance Association, Thai General Insurance Association, Thai E-Commerce Association, Thai Internet Service Provider Association, Thai Fintech Association, National Federation of Motion Pictures and Content Association, and the Thai Digital Trade Association.

"This indicates that organisations with a lot of customers, including EU citizens, are ensuring data protection through self-regulation in the absence of the Data Protection Act," she said.

Under the MoU, all parties will follow the guidelines for data protection. Any new services and products need to be designed with security support.

Urs Gasser, a director on the board of Digital Asia Hub, a Hong Kong-based non-profit organisation, said that for the past five years privacy was treated solely as a legal matter, but it has recently become a key concern in the internet community.

The EU's GDPR is a new law that raises personal data and privacy standards, setting a new cybersecurity norm for operators in the digital world.

"Privacy should not be a legal matter, but when adopting privacy governance, all variables -- markets, laws, norms and technology -- should work together," said Mr Gasser, who is also the executive director of Berkman Klein Centre at Harvard Law School.

Digital Asia Hub is also branching out to set up a local office in Thailand to promote internet governance in terms of research, training and policy recommendations.

Digital Asia Hub Hong Kong signed an MoU with ETDA and is collaborating with Berkman Klein Centre in Harvard Law School to push forward digital transformation in Thailand and Southeast Asia.

Legal warning on GDPR

Dhiraphol Suwanprateep, head of the telecommunications, media and technology practice group at Baker McKenzie, said shipping, airline and hotel businesses, as well as government agencies, that operate overseas or have any connection with EU citizen data need to comply with the GDPR.

Facebook and Google have already faced lawsuits over GDPR.

This was a wake-up call to other businesses, making it more pertinent to assess their data protection policies and the systems that secure personal data against breaches.

Mr Dhiraphol said that if Thai companies offer goods or services to data subjects in the EU, or if they track the behaviour or location of individuals in the EU, these Thai companies could be subject to the GDPR.

Any Thai business that is subject to the GDPR should consider whether it is deemed a "controller" or a "processor" under the GDPR and what its obligations are.

Compliance must start with data mapping, asking the critical questions of what data is collected and processed, from whom, and why, and where that data flows to and from, he said.

Next, the business operator should determine the legal basis for processing personal data, such as by relying on the subject's consent, legitimate interest, public interest or other legal reasons. Privacy policies and corporate governance frameworks should be adopted.

Records of compliance should be made, as they can later serve as evidence to prove that a business operator has duly complied with the GDPR.

Other obligations must also be considered, such as conducting a data protection impact assessment and designating a data protection officer, implementing technical security measures, reporting data breaches to the competent authority within 72 hours, and so on.

"Companies must not only focus on regulation but also reputation. Damage can occur in seconds following news of a breach, which may take years to be resolved," said Nont Horayangura, partner in the telecommunications, media and technology practice group of Baker McKenzie.
