On December 25, 2023, Thailand’s Personal Data Protection Committee (PDPC), responsible for enforcing the nation’s Personal Data Protection Act (PDPA) and related regulations, issued two notifications in the Royal Gazette concerning cross-border transfers of personal data. Both notifications will be effective starting March 24, 2024.
These notifications, in accordance with Section 28 of the PDPA, address gaps in requirements and procedures for data controllers and processors when transmitting personal data abroad, particularly focusing on whether the receiving country provides adequate standards and protections for such data.
What do these notifications mean for business operators?
Business operators in Thailand must adhere to the cross-border transfer restrictions outlined in the Thai PDPA when transferring personal data out of the country. The act mandates that personal data can only be transferred across borders to jurisdictions or international organizations on a whitelist with adequate protection levels, determined by the PDPA through an “adequacy decision.” The specific whitelist will be announced later; however, there are currently some exceptions to this rule. These include circumstances such as consent, legal obligations, contract necessity, vital interests, and public interest; Binding Corporate Rules (BCRs); and appropriate safeguards like Standard Contractual Clauses (SCCs).
Binding Corporate Rules (BCRs) function as a set of guidelines for cross-border data transfers within the same affiliated business or in the same group of undertakings. These rules, as outlined in the notification, are legally binding for all relevant parties, including related entities, data controllers, processors, and recipients, contingent upon adherence to data protection regulations and best practices.
Standard Contractual Clauses (SCCs), on the other hand, provide standardized data protection provisions for companies and business entities processing data to meet regulatory requirements, including those mentioned in the PDPA. The new notifications mandate SCCs to address issues related to data processing activities, ensure legal compliance with data protection measures, and regulate data controllers and processors to uphold data security standards.
These notifications offer additional guidance on fulfilling these requirements, specifically regarding the utilization of exemptions such as standard contractual clauses (SCCs) and binding corporate rules (BCRs). This clarification addresses longstanding queries among business operators and practitioners regarding compliance.
It is important to note that non-compliance with the requirements outlined in these notifications may result in administrative fines of up to THB 5 million, along with imprisonment for up to a year and/or additional fines of up to THB 1 million.
While the issued notifications aim to address gaps in cross-jurisdictional data protection measures, certain ambiguities persist. Specifically, the PDPC must clarify circumstance-specific exemptions to the outlined restrictions, similar to the approach adopted by the GDPR. Additionally, further information regarding certifications obtainable from accreditation bodies to ensure PDPA-compliant cross-border data transfers is needed.
It is highly probable that the PDPC will release supplementary notifications to address these lingering questions in the near future.
At Silk Legal, we can provide a range of services around personal data, technology, and regulatory compliance. This article is for information only, and while we have tried to keep our updates as accurate as possible, there may be errors and changes to proposed legislation that can affect your decisions.