After a two-year wait, the country's much-needed Personal Data Protection Act (PDPA) came into effect on Wednesday. Yet instead of eliciting a sense of relief it brought about widespread confusion and near panic.
People were panicked as they thought they might be fined or even imprisoned for simple online activities such as taking a selfie or uploading images of others without their consent, or even penalised for having passively recorded images of others with their home CCTV. Other worries, not all of them based on facts, have included hefty fines for running afoul of the PDPA.
Another surprising reaction has been from business.
On Wednesday, the Joint Standing Committee on Commerce, Industry and Banking (JSCCIB) asked the government to delay full enforcement of the PDPA until clear directions are issued and 12 organic laws completed -- a process needing 18 months to complete.
Sanan Angubolkul, chairman of the Thai Chamber of Commerce, said business operators are concerned about PDPA enforcement as well as punishments.
Medium- and small-scale entrepreneurs, especially individual online vendors, expressed the worry that they might not have enough knowledge nor the financial resources to comply with the act.
The request for postponement is rather surprising -- if not impossible to effect -- as the data train has left the station. What's more, the Ministry of Digital Economy and Society (MoDES) postponed the promulgation of the PDPA, originally set for implementation in 2020, for two years for the very purpose of reducing economic hardship among business sectors.
Whatever reasons business is giving now, there is no justification for another postponement.
It is understandable that business sectors and individuals have worries. Data privacy laws are a relatively new field, not only in Thailand but around the world. The European Union (EU) only passed its data protection law in 2018 (MoDES wrote the PDPA with the EU's version as a model). But the field's newness doesn't warrant procrastination. Consumers, business and society need the act in its current form to establish a framework towards effective data privacy protection.
The PDPA provides vital rules regarding a complaints process, penalty assessment and compensation protocol. A crucial aspect of the PDPA is protecting people's personal data from being used wrongly, particularly for online purchases, for instance a requirement that vendors ask clients for permission to retain data. The penalty for improper data use carries a fine of up to 1 million baht and a maximum jail term of one year (applied however only in commercial and state, not personal, contexts).
Thus the law requires data collectors such as companies, public institutes and governments to invest in data protection systems or face legal consequences should client data be leaked and exploited. The law further enables companies abroad to do business with Thai firms and be confident that high standards of data protection apply on both ends.
While not postponed, full PDPA enforcement is indeed delayed while the aforementioned 12 organic laws are being drafted. The MoDES also has announced that for the first year application will focus on warnings except for serious cases and will exclude small business operations. Perhaps this could be emphasised to help allay the recent panic.
Indeed commotion surrounding the PDPA is anxiety-driven, with the MoDES partly to blame given its failure to adequately educate all sectors, public and private, despite having two years to do so.