Personal data at risk in govt hands
Only one month after enforcing the law to protect the Thai people's personal data security and privacy, the government had a change of heart.
Instead of imposing the PDPA law on all organisations that handle data, the government has helped some government agencies to bypass the Personal Data Protection Act (PDPA) in the name of "national security" and "public service". As a result, government, national security agencies, the courts, public attorneys, police and tax authorities will be permitted to collect, access, and transfer our data with impunity.
In addition, the government can access citizens' personal data to fulfil those obligations.
A scary scenario indeed.
The Personal Data Protection Act (PDPA) took effect on June 1 this year after a two-year delay. The long-overdue law sets rules and standards for the private and public sectors to follow on collecting and using personal data to protect privacy and security.
While the business community is busy setting up new security mechanisms to comply with the PDPA's complex rules and avoid legal punishment, the government has hatched a plan to bypass the PDPA altogether.
On July 5, 2022, the cabinet approved the draft of the royal decree by the Ministry of Digital Economy and Society to exempt government agencies from the PDPA law if the data is to be used for public service, national security protection or the inspection of crimes such as narcotics offences, human trafficking and money laundering.
Following cabinet approval, the royal decree can bypass parliament as an urgent piece of law. The legislation will be effective after it is signed by His Majesty the King.
This royal decree will affect citizens' rights and freedoms for many reasons.
Firstly, the areas of exemption are too broad. Under the draft royal decree, the PDPA's stipulations on data protection rights, petition procedures, financial compensation and the punishment for violators will not apply to those state authorities which are exempted by the decree.
In short, the officials will freely enjoy legal immunity from prosecution under data protection laws.
Secondly, the exemptions granted to protect "national security" and allow operations of "public service" are too wide-ranging and unclear. This ambiguity allows officials to interpret "national security" and "public service" as they see fit, making it easy for them to abuse power. Allowing all levels of the judiciary -- from police and attorneys to the courts -- and tax collectors to freely access and transfer the citizens' personal data creates similar worries.
Public concern over data safety is valid when trust is already so low and power abuse is so widespread.
The public sector has repeatedly failed to protect the personal data of those it should be serving. Government agencies experienced at least five data breaches last year alone. The hacked data involved users' health records and other sensitive information.
Apart from data breaches from external violators, the government also faces allegations of breaching public privacy and freedom by using spyware to track and record activists' and journalists' mobile phone use. Only governments can buy this spyware to hack people's cell phones.
The government's alleged violations have raised questions about state responsibility and accountability. Exempting the state from the PDPA further intensifies public concern about abuse of power and political persecution. It also perpetuates a culture of impunity, which aggravates state violence against the citizens.
The exemption may also affect the economy. The PDPA is an important part of a host of digital economic laws to set standards and regulations on the cross-border transfer of personal data, which is essential for digital economic transactions.
Public trust in a secure cross-border transfer of personal data is crucial for the growth of the digital economy. As a result, most international trade agreements, such as the Regional Comprehensive Economic Partnership or Comprehensive and Progressive Agreement for Trans-Pacific Partnership, require members to honour personal data protection. Even China, an economic powerhouse, agreed to pass the law on personal data protection last year.
The core principle of data protection and privacy in international trade is that the data senders' and receivers' countries must share similar data protection standards. To safeguard citizens' rights and freedoms, the General Data Protection Regulation of the European Union, the gold standard on data protection and privacy, prohibits intervention by the government or security agencies.
The government's attempt to free itself from the PDPA's legal obligations violates EU standards on data protection. It will backfire economically.
Data transfers to Thailand will become problematic because of the failure to meet international standards. Local businesses will be hit hard. The private sector will therefore miss opportunities to grow in the era of the digital economy.
The government must realise the risks of allowing officials to tamper with people's privacy and threaten people's safety. The economic loss will be huge. So will the impact on the citizens' rights and freedoms.
This royal decree effort violates citizens' rights enshrined in the constitution. It protects the officialdom, not the people. It perpetuates state oppression and a culture of impunity. It risks seeing Thailand slide into becoming a pariah state. It must be stopped before it is too late.
Khemmapat Trisadikoon is a researcher at the Thailand Development Research Institute.