In response to the recent surge of COVID-19 infections across the country, the Thai Cabinet has, in principle, approved a motion to postpone the enforcement of the Personal Data Protection Act (“PDPA”) by one year. While the motion awaits publication in the Royal Thai Gazette, it is likely to be materially identical to the royal decree issued last year as a result of the first wave of COVID-19 in Thailand.
Initially proposed by the Ministry of Digital Economy and Society (“MDES”), the postponement comes as businesses are struggling to stay afloat amidst the economic hardships caused by the pandemic. The one-year delay is expected to give all companies a much-needed pause to prepare for the legislation and ease the financial burden of the Act.
Nonetheless, companies should take advantage of this extension to prepare for the implementation of the PDPA and draw up plans for compliance. It is important not to interpret this extension as a carte-blanche to delay preparations indefinitely as it is expected that most sectors in Thailand must immediately comply with the PDPA when it is enforced next year.
What does the PDPA entail?
Approved as law in 2019, the PDPA will require all companies in Thailand handling personal data to review and ensure that their data policies, especially those on the rights of data subjects and obligations of data controllers, are in line with its provisions. Upon approval, the PDPA was welcomed by numerous stakeholders as a step towards legally recognizing the importance of data privacy and building legislative protection for data owners during a time when industries are becoming increasingly data-driven.
Like the General Data Protection Regulation (GDPR) enforced in the European Union, the PDPA contains both territorial and extra-territorial applications, meaning entities in Thailand and abroad collecting personal data from data subjects in Thailand will be subject to the upcoming regulation. The Act specifically highlights that collecting, using, and disclosing data for either offering goods and services to data subjects or monitoring their behavior for corporate intelligence will be subject to its provisions.
The PDPA contains several Chapters covering different aspects of personal data. Chapter 2 primarily contains provisions tackling notification obligations of businesses that collect and handle personal data (otherwise known as data controllers) as well as requirements for collecting personal data, acquiring consent from data subjects, and the disclosure of such information. Chapter 3, on the other hand, addresses the rights afforded to data subjects and the responsibilities expected of both data controllers and data processors concerning protecting the integrity of personal data.
Chapters 5, 6, and 7 cover complaints, civil liabilities, and penalties, respectively. Disputes regarding personal data or breaches of the provisions of the PDPA are to be adjudicated by the Expert Committee as appointed by the Personal Data Protection Committee, and damages caused by violations of a data subject’s rights are to be compensated according to the provisions highlighted in Chapter 6 of the Act. Companies and businesses collecting data from data subjects in Thailand, regardless of nationality, will be subject to administrative fines of up to THB 5 million or criminal penalties of up to THB 1 million and/or imprisonment.
Silk Legal will continue to monitor developments surrounding the PDPA and will provide updates when available. For more information about the PDPA or legal best practices for handling personal data, please contact us at [email protected] or using the contact form provided.