Approved by the Council of State in December 2018, Thailand’s draft Personal Data Protection Act is now under consideration by the National Legislative Assembly (NLA), which will appoint a committee to deliberate over the Act’s provisions. Upon approval by the committee, the NLA will move towards reviewing and approving the Act, after which it may be signed into law by the King of Thailand.
While it may be some time before the Act is published in the Royal Gazette, the current draft outlines several key provisions of interest. Among them is the draft’s definition of “personal data,”[1] which as of now remains unchanged from that of the previous version, stating that “any data pertaining to a person that enables the identification of that person, whether directly or indirectly” will constitute personal data. The draft further clarifies that information pertaining to private businesses and data belonging to the deceased are excluded from the Act.
Several other key elements of the Act are summarized below:[2]
- Rights of data owners: The Act states that data owners bear the right to request access to personal data pertaining to them except in cases where, among others, the request is incongruent with provisions of other applicable laws or court orders. Data owners are likewise entitled to request that their personal data be destroyed, temporarily suspended, or anonymized.
- Responsibilities of data administrators: The draft Act highlights several obligations of data administrators, including the collection of data within lawful means or purposes. Administrators are required to inform data owners of the details regarding the collection of their personal data and obtain their consent to do so. Moreover, the Act specifies that administrators must implement appropriate security measures to prevent loss or unauthorized alterations to the data and give data owners access to their information upon request.
- Extraterritorial reach: Personal data administrators based overseas may be subject to the Data Protection Act if goods and services are offered to data owners residing in Thailand. These administrators will also be required to assign a local representative in the Kingdom and must comply with the conditions set forth in the Act.
- Consent: The draft states that requests for consent must be clear and conducted in a way that does not mislead data owners. It adds that requests must be made in writing or via digital means, outlining the purpose of the collection, what data is to be collected, and to whom the data will be disclosed. However, exemptions can be made under certain circumstances, notably for vital interests or if parties are bound by contractual obligations. The draft also stipulates that parental consent is required to collect data from minors below 10 years of age, and under certain circumstances, even those beyond that age.
- Transfer of data to third countries: The draft Act specifies that the transfer of personal data to third countries where data protection regulations are substantially deficient is not permitted except in the following scenarios:
  - Where consent from the data owner, who has been made aware of the third country’s insufficient data protection laws, has been obtained;
  - Where obligations to a contract to which the data owner is a party must be performed;
  - Where the transfer of data to a third country is conducted for the benefit of a data owner who does not have the capacity to give consent;
  - Where data is transferred to individuals or entities that are certified by the committee’s official mark as having fully compliant personal data protection practices, and/or in transactions that fall under legal frameworks established by international agreements; and
  - Where otherwise required by another law.
- Data Protection: Data administrators are required to implement procedures to keep personal data secure. According to the draft Act, the Committee may produce and circulate guidelines that data administrators can use as a basis for their data protection practices. The Committee may also grant data administrators the right to display an official mark indicating that the data administrator’s data protection practices have been certified as fully compliant by the Committee.
As of now, the Act is still in the process of being finalized, and the elements discussed above may be subject to change. Silk Legal will continue to monitor new developments in the Act and will provide updates when they are available.
[1] “Draft Personal Data Protection Act,” Section 6, Ministry of Digital Economy and Society (25 December 2018) (available at https://ictlawcenter.etda.or.th/de_laws/detail/de-laws-data-privacy-act).
[2] “Draft Personal Data Protection Act,” Ministry of Digital Economy and Society (25 December 2018) (available at https://ictlawcenter.etda.or.th/de_laws/detail/de-laws-data-privacy-act).