Legal expert shreds data security bill

Ambiguities, vague language among flaws

The data protection bill as written is likely to impede the flow of foreign investment by technology firms because ambiguity in the legislation is creating obstacles, a leading law firm says.

The draft bill also imposes significant legal burdens on foreign tech companies as responsibility falls solely on the data controller. Such companies would also run a greater risk of being subject to legal action, said Dhiraphol Suwanprateep, a partner at Baker & McKenzie.

The eight cybersecurity draft bills — including the data protection draft, which recently gained cabinet approval — have raised questions of privacy as well.

"The action to be taken on the bill is unclear, which is likely causing fear and alarm for potential foreign investors," Mr Dhiraphol said.

He said the bill posed a challenge for the government's digital economy policy, as there is no clear distinction between "personal data processor" and "personal data controller".

The draft only identifies a data controller as the person with the authority to control and manage his or her personal information.

"Data processor" typically refers to a third party that processes personal data on behalf of a data controller, Mr Dhiraphol said. In the absence of such identification in the bill, data processors such as internet service providers, web hosting providers, cloud service providers and content hosting platforms could be broadly interpreted as data controllers.

For instance, search engines do not collect personal data. It is end-users or website owners who collect information on themselves and others before posting it on the internet.

In addition, search engines do not view or edit personal data before showing search results. Therefore, end-users and website owners are categorised as data controllers while the search engines act as data processors.

"If there is no separate definition between data controllers and data processors, it will be difficult to enforce the law, as most technology businesses are dwelling on cloud-based services which are physically located outside the country," Mr Dhiraphol said.

"This will not attract foreign investors into Thailand, as stringent legislation would rather hamper businesses' innovative technology instead of promoting Thailand as a digital economy hub for the Asean Economic Community."

Moreover, Section 23 of the bill says a data subject/owner has the right to request access to his or her own data being kept by data controllers. But Section 28 (3) provides a vaguely drafted exception that a data subject cannot do so if the request will affect Thailand's economy and commerce.

"This vague exception seems to impose an ambiguous restriction rather than providing the right to the data owner to access their own data," Mr Dhiraphol said.

He recommended the bill add more specifics such as requiring parental consent before collecting, using or disclosing children's personal data.

Nakorn Serirak, a policy adviser to Thai Netizen, a non-profit online data protection group, said the data protection bill must focus on the "human dignity" of citizens and guard against misuse of personal data by third parties.

Arthit Suriyawongkul, the coordinator of Thai Netizen, said the secretariat for the draft bill should be neutral and independent, rather than a team of national security experts.

He said the data privacy committee as constituted lacked representation from civil liberties groups and consumer watchdogs.

About the author

Writer: Suchit Leesa-nguansuk
Position: Senior Reporter