The Personal Data Protection Act, BE 2562 (2019) (PDPA) is the primary law regulating the processing of personal data. Similar to in other jurisdictions, “personal data” is defined as any data which, by itself or in combination with other data, can be used to trace back to an individual, excluding the data of deceased persons in particular.
The PDPA focuses on the protection of data subjects whose personal data is processed – including by collection, storage, use, disclosure, etc – regardless of the original source of such personal data. Entities that make decisions and process personal data (known as “Personal Data Controllers” or “controllers” under the PDPA) are required to have a lawful basis for processing any personal data and to maintain proper security measures to prevent any loss, unauthorised access, use or disclosure of personal data. These requirements also apply to service providers who process personal data as instructed by or on behalf of a controller (known as “Personal Data Processors” or “processors” under the PDPA).
The PDPA, which is mainly based on the General Data Protection Regulation (GDPR) of the European Union (EU), has created obligations on the private sector and government (ie, both Personal Data Controllers and Personal Data Processors) regardless of the mode of processing (ie, both automated and non-automated processing), especially regarding burden of proof.
The PDPA itself applies to most activities, with certain exemptions, such as:
For businesses regulated by specific supervisory authorities (such as banks and insurance businesses), the PDPA allows those supervisory authorities to issue the standard form or guideline for their operators to follow. Although the PDPA has been in effect for five years, some points of uncertainty still remain, owing to lack of sub-regulations. As such, the supervisory authority under the PDPA takes a compromising approach when dealing with any misconduct, instead of pursuing punishment.
On 18 January 2022, the Cabinet officially appointed the Personal Data Protection Commission (PDPC) as a supervising authority under the PDPA, while the PDPA established the Office of the PDPC to support the PDPC in developing and facilitating enforcement. Under the PDPA, the PDPC shall have several duties, such as:
In addition, the PDPC shall appoint expert committees for considering any complaints under the PDPA, as regards investigating any act in connection with personal data, settling disputes, and carrying out any act assigned by the PDPC.
As mentioned in 1.2 Regulators, the expert committee will consider and investigate any complaints on behalf of the PDPC in accordance with the PDPC’s rules. If any complaint does not comply with such rules, the expert committee shall not accept such complaint for consideration.
If the expert committee’s consideration or investigation finds that such complaint can be settled, and if the relevant parties are willing to settle, the expert committee must proceed with the dispute settlement before issuance of any order mandating the operator (either the controller or processor) to perform or rectify their act, or prohibiting the operator from carrying out an act which would cause damage to the data subject.
If the operator does not then comply with the expert committee’s order, the administrative procedure will be applied (including the power to order seizure, attachment and sale by auction as allowed by law). The expert committee’s order shall be final. Any party may appeal such order in accordance with the administrative procedure within 15 days after receiving such order.
As a member state of ASEAN, Thailand has implemented the ASEAN Framework on Personal Data Protection (2016) to encourage trust among the ASEAN digital ecosystem. Recently, the PDPA recognised ASEAN Model Contractual Clauses for Cross-Border Data Flows (MCCs) as an acceptable appropriate safeguard for cross-border transfers, by issuing the sub-regulations relating to cross-border transfers (effective in March 2024). In addition to MCCs, the Standard Contractual Clauses (SCCs) prescribed by the GDPR serve as an alternative appropriate safeguard for cross-border transfers, given the strong influence of the GDPR on the PDPA.
There are currently no official non-governmental organisations (NGOs) or self-regulatory organisations (SROs) concerning privacy or data protection in Thailand.
As mentioned in 1.4 Multilateral and Subnational Issues, the PDPA draws significant influence from the GDPR, incorporating similar provisions to those found in EU countries. However, when it comes to enforcement, the authority adopts a compromising approach for all operators. This is because the PDPA only became fully effective in 2022, and there is a notable lack of awareness among operators, especially among SMEs.
Over one year following the PDPA’s becoming fully effective (ie, June 2022), the PDPC announced around 20 sub-regulations in the Royal Gazette to remove uncertainties for operators, especially regarding the requirements on:
The PDPC has also published three manuals (ie, a manual for SMEs, a manual for data subjects, and a manual on risk assessment and data breach notification) and two guidelines (ie, a guideline on the acceptable consent form and on the details of privacy notice) to raise awareness among the public and to support operators regarding how to comply with the PDPA.
Although around 20 sub-regulations have been announced during one year, the enforcement of certain sub-regulations is still pending owing to lack of further sub-regulations or announcements, such as adequate decisions and details regarding appropriate safeguards for cross-border transfers (“Certificates”).
The PDPC may play a more active role in 2024, as many complaints and requests have been sent to it. The PDPC (by expert committee) is investigating cases and inviting some operators to clarify such complaints or requests. Rulings and further interpretation from the PDPC may be published soon.
Basis of Treatment
The PDPA splits personal data into two types:
Both of these types may be treated under different sets of bases.
Ordinary Data
Like data protection regulations in other countries, the PDPA provides for a set of lawful bases under which treatment of ordinary data can occur, as follows:
Of the above list, the four most important and often-used lawful bases for processing personal data are:
Additional explanations for the first three of these items are as follows.
Consent
Consent must generally be clear and be in written, electronic or other unequivocal form; and different objectives should be kept separate to assist the understanding of the data subjects. Consent must also provide other information to allow the data subjects to carefully consider whether their consent should be given to the Personal Data Controller (such as rights of data subjects, contact information, retention period, etc). Note that consent must not be lumped in with information gathered on a contractual performance basis.
Contractual performance/entering into a contract
The most important principle to remember is that all items of personal data given on this basis must be necessary for the performance of or entering into a contract. If a piece of data is not needed for performance of or entering into a contract, it cannot be lumped in with this basis and must, by itself, find its own basis.
Legitimate interests
Legitimate interests of the controller must always be weighed against fundamental rights of the data subjects over such personal data. There is no official guideline under the PDPA as to any mechanism for weighing such interests, or as to what extent a controller can trust their own judgement. Therefore, it is recommended that the surrounding circumstances for a single use of data on this basis be thoroughly considered before an operator decides to proceed with this treatment. Any miscalculation will mean treatment of data without a proper lawful basis, rendering the operator liable to penalties under the PDPA.
Sensitive Data
Like data protection regulations in other countries, the PDPA provides for a set of bases under which treatment of sensitive data can occur. These bases, although different from bases for ordinary data, have largely been derived from the same fundamentals. The bases are as follows:
Treatment of sensitive personal data by commercial operators will most likely occur via express consent, with that basis being the most common in day-to-day operations.
Rights of Data Subjects
The PDPA provides an extensive list of the rights of data subjects, many of which can be universally invoked, while others can be used only under certain circumstances. The rights are as follows:
The rights outlined above are not always absolute as the controller may have the ability to argue against such requests, depending on specific facts of the case, such as:
Security Measures
The PDPA provides a blanket requirement for both controllers and processors to treat personal data in an appropriate manner, which materially includes well-organised safe-keeping of data, safe storage (physical and electronic), automatic deletion of data, etc. Additional details on minimum-security measures were set out in a PDPC Notification announced in the first half of 2022. The security measures must (at least):
If a controller hires a processor, the agreement between both parties must outline proper security measures for preventing loss or unauthorised or unlawful access, use or disclosure of personal data, as mentioned above.
Data Protection Officer (DPO)
The PDPA recognises that there may be a need for organisations to have a DPO (or multiple DPOs in the case of high complexity or a large volume of work). On 14 September 2023, the PDPC announced a sub-regulation to provide the criteria for “regular or systematic monitoring of personal data” and “on a large scale” in order to consider the necessity of DPO appointment under Section 41(2) of the PDPA. The criteria are similar to those of the GDPR, but provide some examples which are deemed as automatically large-scale and where a DPO may be needed, such as:
In this regard, the PDPC issued the DPO notification template, and asked all operators to submit this form again in order to verify that their DPO does not perform any contrary tasks and duties.
Sensitive Data
The PDPA does not define “sensitive data”, but provides an exhaustive list of sensitive data, as including:
In this regard, the PDPC may specify any data as sensitive data in the future if such data may affect the data subject in the same manner as other sensitive data. The PDPA further describes biometric data as personal data arising from the use of technics or technology related to the physical or behavioural characteristics of a person, which can be used to identify such person apart from other persons (such as facial recognition data, iris recognition data or fingerprint recognition data).
In general, any collection of sensitive data without explicit consent from the data subject is prohibited, except in certain cases as mentioned in 2.1 Omnibus Laws and General Requirements. The PDPA does not provide specific requirements for each type of sensitive data, except for criminal records. The PDPA sub-regulation provides that a criminal record shall be a record related to a criminal offence or criminal penalty, which is officially collected or certified by government agencies, regardless of the status of the case. The collection of a criminal record is limited to cases:
Minors’ Data
The PDPA stipulates that in the case where a data subject is a minor and does not meet the legal age by marriage (ie, 20 years of age) or does not have status as a person meeting the legal age under Section 27 of the Civil and Commercial Code (ie, where a minor is deemed as acting as a person of legal age if acting in matters relating to commercial transactions, other business or employment, and where the guardian has given their consent to the minor), a request for consent from that data subject must comply with the following rules.
The above provisions shall apply mutatis mutandis to:
Generally, online marketing may be based on legitimate interest or consent of the data subject. Behavioural and targeted advertising is regarded as too intrusive for data subjects, and consent under the PDPA is required.
In addition to the PDPA, online marketing may be counted as computer data or electronic mail under the Computer Related Crime Act BE 2550 (2007). Where an operator sends any computer data or electronic data (such as email, SMS or comments) to another person in a manner that disturbs that person, such operator must give that person an easy opportunity to cancel or to notify the wish to deny receipt of such computer data or electronic mail (ie, an opt-out option). Otherwise, such operator shall be liable to a fine not exceeding THB2 million. Once any person requests to deny such receipt, the operator must stop sending such marketing messages immediately (ie, after no more than seven days).
There are no specific regulations concerning workplace privacy in Thailand. Only general PDPA provisions are applicable to this area.
As described in 1.3 Administration and Enforcement Process, the PDPA provides the expert committee with an enforcement power to issue an administrative order for addressing any misconduct under the PDPA. However, most cases have been discharged or have ceased at the expert committee stage. In addition to the powers of the expert committee, the PDPA contains three types of liabilities:
For criminal liabilities, the authority may pursue a criminal case against any commercial operator who has breached the PDPA. Any use or disclosure of sensitive data without consent and which has caused damage to the data subject carries penalties of imprisonment of up to six months or a fine of up to THB500,000, or both. However, any use or disclosure, if undertaken for undue benefit of the commercial operator, will double the above-stated maximum imprisonment duration and fine amount. In this regard, the relevant director or manager of the juristic person may be subject to the same penalties as the juristic person.
A PDPC Notification on Administrative Penalties relates to the enforcement of administrative penalties, and sets out the criteria for how administrative penalties (as determined by the expert committee) are used. The expert committee will consider and apply administrative penalties to a controller or processor based on the level of seriousness of such offence. Offences are separated into two groups: serious and non-serious offences. Under the Notification on Administrative Penalties, the expert committee is empowered to levy administrative penalties as follows.
Serious Offences
The expert committee can impose administrative fines on a controller and/or processor. In addition, administrative fines can be imposed on offenders who fail to comply with an order from the expert committee to remedy a violation. Such orders include remedying, stopping, suspending or seizing related processing activities.
Non-serious Offences
The expert committee may issue orders to remedy, stop, suspend or seize related processing activities, or it may carry out any other acts to stop/minimise the damage within a specific time.
For civil liabilities, a damaged data subject may bring a civil suit against a controller and/or processor who has wronged them. The PDPA expressly allows the court to award punitive damages, which is generally rare in Thailand and which shall not exceed two times the actual damages (if the court believes the breach is severe). As this civil liability is based on tort law and privacy cases often involve more than one impacted data subject, class actions are allowed for privacy cases.
Evidence acquired in contravention of the rights of the parties or of the stipulations in the Criminal Procedure Code will not be admissible. The authority is mandated to act in accordance with procedures prescribed by law. Generally, prior approval from a court judge is mandatory for any compulsory search or seizure. Note that the PDPA does not apply to activities conducted in line with criminal justice procedures.
Generally, the laws empowering government authorities to access personal data will provide a clear scope and application for such surveillance and/or access – eg, to protect national security or to acquire documents and/or information relating to the commission of an offence. In addition, the legislation generally requires that there must be an element of “necessity” for said interference.
The term “national security” is broadly interpreted, and in practice it is common for interference with the rights to privacy to be allowed based on the grounds of national security and public interests. In many circumstances, national security may be exploited to serve certain political purposes against opponents; this thus leads to a deterioration in terms of legal certainty. However, the approval from a court judge must be obtained, except in the event of an emergency.
In this regard, the PDPA provides exemptions for controllers from compliance with the PDPA when the controllers receive a request for personal data from certain government agencies, such as:
Although these controllers are exempted from compliance with the PDPA, they are still required to ensure the safety of personal data by implementing the appropriate security measures required by the PDPA.
There is no specific lawful basis permitting organisations in Thailand to collect and transfer personal data for the purpose of a foreign government access request. However, a controller is exempted from compliance with the PDPA for the collection of personal data in operations related to:
Note that Thailand does not participate in a Cloud Act agreement with the USA.
The fundamental privacy concern revolves around the inclusion of unnecessary information in official documents. While the PDPA promotes data minimisation and discourages the collection of sensitive data unless absolutely essential, certain official documents (particularly identification cards and government official identification cards) still include sensitive information such as religious affiliation and blood type (without a clear specific purpose). This poses a challenge for operators who are required to collect such documents, necessitating the redaction of superfluous information.
The PDPA does not provide for the concept of absolute restriction for any type of transfer of personal data outside the jurisdiction of Thailand. Instead, controllers, as the transferors, may be subject to several obligations and/or must ensure that the transferee meets the qualifications as prescribed under the PDPA.
In general, in the case of transfer of personal data outside Thailand, the countries in which the transferee is located should have adequate personal data protection measures. The list of countries deemed to have adequate personal data protection measures is set to be prescribed by the PDPC; however, such list has not yet been prescribed. Two key criteria to consider regarding whether a country is deemed as having adequate personal data protection measures are as follows:
In any event, even upon the prescription of such list, several exemptions exist where the controller may transfer the personal data to countries outside such list (eg, regarding compliance with the law, obtaining consent from the data subject, the execution of a contract to which the data subject is one of the parties, etc).
Another exemption to the limitation of personal data transfer to only those countries included in such list applies when the following qualifications are fulfilled:
During the period where no list is prescribed for those countries deemed to have adequate personal data protection, or where the BCR have not been approved by the PDPC office, the PDPA stipulates that the transferor provide appropriate security measures to be enacted in accordance with the rights of the data subject, as well as the effective legal remedial measures – ie, appropriate standard contractual clauses for cross-border transfer (SCCs) and a certificate. Under the PDPA’s notification, SCCs from the ASEAN Model Contractual Clauses for Cross-Border Data Flows, and GDPR SCCs, are acceptable.
Please see 4.1 Restrictions on International Data Issues.
Cross-border transfer does not require government notification or approval.
In certain cases, operators have to retain documents on their premises, such as accounting documents and a VAT certificate. However, an operator can duplicate and transfer such data internationally (see 4.1 Restrictions on International Data Issues for more detail).
No software code, algorithms, encryption or other technical details are required to be shared with the Thai government.
An organisation collecting or transferring data in connection with foreign government data requests, foreign litigation proceedings (eg, civil discovery) or internal investigations is not exempted from the cross-border requirements mentioned in 4.1 Restrictions on International Data Issues.
There are no blocking statutes under Thai privacy laws.
Even though Thai society has seen the introduction of various new technologies (such as big data analytics, automated decision-making, profiling, AI and IoT), many of these emerging technologies lack specific legal frameworks and regulations. Consequently, addressing digital and technology issues often involves navigating through several general laws, including those related to data protection (such as the PDPA), consumer protection and trade competition.
Presently, authorities are making efforts to introduce new laws specifically governing AI and digital platforms. The aim is to consolidate necessary requirements into one or a few regulations, thereby alleviating the operational burden on stakeholders in these fields.
The Electronic Transactions Development Agency (ETDA) was established with the mission of promoting and advancing Thailand’s economy and society towards a digital economy and society. The goal is to create an environment where all sectors can confidently and securely conduct reliable transactions online. To achieve this objective, ETDA has issued various standards and recommendations for the implementation of digital technologies in both public and private sector operations. These guidelines aim to enhance the efficiency, security and safety of online transactions across diverse industries.
As described in 1.3 Administration and Enforcement Process and 2.5 Enforcement and Litigation, enforcement or litigation in privacy or data protection cases is not notably prominent, as the supervisory authority tends to adopt a compromising approach in addressing any misconduct.
While the PDPA does not specifically mandate a due diligence process, it is crucial to emphasise that due diligence must be given to privacy issues during corporate transactions. Buyers are obligated to gather comprehensive information in order to identify any gaps or risks associated with the target’s operations. It is noteworthy that, in this context, privacy concerns should be taken into account, given that targets may only disclose essential information. The following privacy issues are usually encountered when conducting due diligence.
Notice to Relevant Data Subjects
The PDPA requires that all data subjects be informed about the data processing, while the due diligence may be conducted secretly in order to mitigate any operational risks. Therefore, some operators have addressed the details of business acquisition or transfer in their privacy documents. The PDPA also provides some exemptions for indirect collection of personal data in order to avoid the necessity of further notice to data subjects.
Sharing Personal Data to Several Stakeholders
A corporate transaction may involve several advisers/service providers from both the seller and buyer side. Some of these may be considered as processors. As such, the data-processing agreement should be executed as between a controller and a processor. The seller has to ensure the safety of personal data uploaded in the data room by implementing adequate security measures, especially access control.
Data Minimisation
Although the buyer needs to get as much information as possible, the seller must still only share data necessary for the purpose of due diligence. As such, certain information which it is not important to note or address during the due diligence stage can be redacted.
There are no laws specifically pertaining to privacy or data protection that mandate the disclosure of an organisation’s cybersecurity risk profile or experience. However, an occurrence deemed as essential for making investment decisions may be considered a material event triggering the obligation for listed companies to inform all investors. Additionally, certain specific industries, such as financial enterprises, have additional disclosure requirements as part of their risk-management practices.
It is important to note that the Cybersecurity Act of Thailand, BE 2562 (2019) mandates the National Cyber Security Agency to publicly warn of any serious cyber threats. These threats are defined as those significantly increasing attacks against a computer system, computer data or computers with the intention of targeting critical infrastructure. The impact of such threats extends to the functionality or service outage of a computer system or critical information infrastructure relevant to the provision of critical infrastructure services in the areas of:
As described in 5.1 Addressing Current Issues in Law, the authorities are making efforts to streamline regulations to facilitate business operators. Furthermore, Thailand is contemplating the introduction of new laws aligned with international standards, similar to the PDPA, to enhance the recognition of Thai business operators on the global stage. A noteworthy example is the draft digital economy law, inspired by the Digital Markets Act and the Digital Services Act of the EU.
Despite the recent effectiveness of the PDPA and the relatively low awareness among operators, the efficacy of PDPA enforcement may be influenced by the limited number of personnel in the PDPC office. This limitation could lead to the PDPC adopting a compromising approach in handling current privacy cases.
However, there has been a positive development, as the PDPC office has bolstered its team by recruiting additional authorities in 2023. This expansion is expected to pave the way for a more proactive approach in the near future.
17th and 36th Floors
Sathorn Square Office Tower
98 North Sathorn Road
Silom
Bangrak
Bangkok 10500
Thailand
+66 2 009 5000
+66 2 009 5080
bd@mhm-global.com www.chandlermhm.comMove Towards Compliance – Data Protection, Privacy Compliance and Action Trends in Thailand
Data protection
The Personal Data Protection Act BE 2562 (2019) (PDPA) is one of the newest sets of regulations in Thailand. It is not just “new” by virtue of its date of enactment and practical enforcement, which came only a few years after formal enactment, but is also new by virtue of its concepts. In short, data protection and privacy are relatively new concepts in Thailand. Prior to the enactment and enforcement of the PDPA, data protection and data privacy were largely not at the forefront of the public’s concern – and even if they were in some way for certain individuals or entities, there were still not many legal actions that could have been undertaken to address them.
As a result, people’s personal data was mined, collected, stored, sold, transferred, analysed and used directly with such persons or with other parties without consent of the data owners, simply because there was no general law to cover these issues and actions, and also because Thailand’s general tort law has little deterrence effect as it is difficult to prove damage from non-consensual use of personal data or to obtain any damages from the alleged wrongdoer. Therefore, for many operators that survived and thrived on use of personal data, the decision to use people’s personal data without consent and to manage future risks and damages from arguably rare complaints and cheap lawsuits was economically and financially sound.
The above line of business reasoning and ethically questionable business practices have, fortunately, come to an end with the gradual introduction of the PDPA and subsequent threat of enforcement. Since its inception, most medium-sized and large companies – especially those that are subsidiaries of global corporations (usually from jurisdictions with applicable data protection and privacy law) or those who have routine commercial transactions or business contacts with foreign entities from jurisdictions with relevant data protection and privacy law – have taken action to comply with the PDPA. This trend of steady adjustment and compliance, which began at the top, has effectively trickled down (although slowly) to smaller and local operators. Unfortunately, even though many years have passed since this trend started, some small and even medium-sized organisations still have yet to commence their adjustment and compliance process with the PDPA.
Compliance
The authors have noticed a clear upwards trend in compliance and attempts at compliance. For example, many companies in Thailand have chosen to take compliance exercises for data protection and privacy exceptionally seriously, and have invested large sums of money in data analysis, due diligence and mapping exercises. Many of these companies have engaged in expensive and time-consuming, but highly effective and useful, personnel interview processes. These interviews targeted different business units within their organisations, usually commencing with those that deal heavily with personal data (such as human resources, sales and after-sales, administration and IT). These personnel interviews, when implemented correctly using ethnographic methods, will often produce a very complete set of information regarding how each business unit uses personal data, including:
The interviews also inadvertently serve as unplanned training sessions in practice for both the interviewees and the internal data protection team, as legal rationale, principles and in-depth explanations are often provided to the interviewees when an issue is discovered during the interview. The companies are then able to use the obtained information to come up with proper documents that address data protection and privacy concerns in very specific ways (such as different policies, consent forms, protocols and standards of operation, impact assessment documents, etc). Often, the companies will discover the level of risk being associated with each data utilisation process; and most companies will realise that some of their historical and current high-risk data utilisation processes can no longer be supported and justified, and must be ceased to comply with the law. Meanwhile, other less risky data utilisation processes may be able to continue if a supporting rationale can be found that is covered by proper PDPA-related documentation.
While many entities have engaged in interview processes to elicit facts regarding use of personal data within their own organisations, other entities have approached this compliance issue with a more economical mindset, and instead chose questionnaires as a fact-finding tool (rather than interviews). A neatly crafted and customised questionnaire is normally sent to all, or at least key, business units, who provide answers regarding their data utilisation processes (including points of collection, storage location, access limitation, transfer and deletion).
The positive aspects of using a questionnaire are that it is much more expedient than interviews, and costs much less in terms of financial expense and utilisation of internal manhours. The process is simply easier. The negative aspect of using a questionnaire is that although it is very expedient, the results (information about use of personal data) will naturally be less detailed and more prone to oversight. Many companies have chosen the questionnaire method without realising that the work products will have much less specific coverage; for example, companies will not be able to notify data subjects in full detail on how they use their data, and likewise will not be able to seek proper consent from the data subjects for all data utilisation processes, simply because they have not discovered them during the questionnaire process.
Many companies have, however, chosen this method knowing the risk outlined above, simply because the PDPA itself is not yet fully supplemented, and they wish to wait and see what specific rules will emerge from the Personal Data Protection Committee (PDPC). This, essentially, is a quick fix to achieve immediate, apparent compliance. It is worth noting that there have been many instances of companies preliminarily choosing to proceed with the questionnaire method, only to later realise that the final products (PDPA documents, all of which are populated with questionnaire-procured information) are not good or detailed enough, meaning that known risks are not properly mitigated. In many such instances, the companies had to re-commence the whole process by engaging a team to undertake full interviews, which ended up being more expensive than choosing interviews from the beginning.
Owing largely to cost concerns, some smaller companies have chosen not to proceed with front-heavy fact-finding processes such as interviews and questionnaires, but instead have chosen to produce PDPA-required documents (such as policies/notices and consent forms) by using existing templates and basic customisation based on currently available knowledge of one’s own organisation. This kind of exercise requires little time to complete and can be undertaken at little cost, whether done with assistance of external parties or internally by own manpower. However, the natural downside is that the companies rely heavily on files and templates developed by other companies for other purposes and circumstances, and many of these available templates are very generic in nature and content; therefore, it is a given that many data utilisation processes actually undertaken by the companies will be accidentally left out. This means that the risks of breach under the law, such as failure to notify or seek consent, will be heightened. This methodology is therefore not recommended.
Action trends
One positive note on the compliance action trend in Thailand is that regardless of what internal due diligence methodology is used (whether in-depth and detailed personnel interviews, quick questionnaires, or template customisation based purely on limited existing knowledge), many companies in Thailand have come up with data protection and privacy documents that are required by law. Some versions and forms are naturally more complete and more compliant than others, and some are more detailed due to larger amounts of information elicited from fact-finding processes; overall, though, these companies have done reasonably well in terms of moving in alignment with the law. Basic documents that have been seen include:
Another positive note on the compliance action trend in Thailand is the surge in data breach reports. The PDPA requires an entity to notify the PDPC of a known or discovered data breach that may have an impact on data owners, whether from accidental leakage (unintended transfer, loss of electronic storage device, system failure leading to loss or corruption of data, etc) or from intentional acts (unlawful access from hacking, phishing, ransomware, etc) within 72 hours of becoming aware of such incident. So far, hundreds of cases have been reported to the PDPC since the PDPA’s inception – many more than most anticipated. This surge in incident reports signifies two things.
First, it shows a worrying trend of a rise in electronic crime related to personal data, not just in Thailand but globally. In fact, most cases that have been filed with the PDPC in Thailand pursuant to the PDPA were the results of offshore breaches or hacking activities that had nothing to do with Thailand, but filing had to be undertaken in Thailand as Thai citizens and residents were affected by such offshore incidents.
Second, it shows a positive trend of self-learning and self-imposed compliance. Although there may be little communication between the PDPC and other data protection regulators from other countries (meaning that awareness of an incident in one jurisdiction is unlikely to be communicated to another jurisdiction), these local companies (whether subsidiaries of international corporations or otherwise) have chosen to voluntarily comply with the legal requirements and to report their accidental failures, despite the risk of discovery being small.
Part of this surge in willingness to comply with the requirements of the PDPA is due to the fact that the PDPC has provided fair and reasonable judgments in past cases. To date, it is believed that no company has been fined for late reporting of a breach incident, although statistically speaking most companies report long after 72 hours from discovery, simply because it normally takes many days for the companies to become aware of a breach or an attack. Further days or even weeks are used to analyse and pinpoint whether any person in Thailand has been particularly affected, and if so, whether such impact rises to the level that must be reported to the PDPC. It may also take a few more days for the companies to consult with external experts on what to do.
In this regard, the PDPC has been very understanding. As long as a report is properly and expediently (to the extent possible) filed and questions from the PDPC satisfactorily answered when asked, and provided the report-makers do not act unreasonably or tardily, the PDPC will show leniency. This, however, is not to suggest that this kind of exceptional leniency will continue to be the PDPC’s operational norm far into the future. One should note that, in Thailand, the older the law, the less leniency will likely be provided. This is confirmed by the PDPC’s own public statements that they have provided leniency because they want to allow operators in Thailand to understand the law and to have enough time to adjust well to the legal requirements, whether on internal training of employees regarding understanding and avoiding risks, or on the documentation side.
A third positive note is that most companies, especially those belonging to a global operation or those with routine contacts with offshore companies that hail from jurisdictions with relevant data protection and privacy law, have been much more careful regarding transfer of personal data. Most companies have been comparatively more reluctant about such transfer, and this has manifested in discussions during business meetings as well as in execution of documents to cover transfer of data for any particular project. Some companies have even gone so far as to re-train their project personnel on PDPA requirements prior to commencement of each project. This shows that many companies do put extra care into ensuring compliance with the PDPA.
The fourth positive note that the authors have witnessed actually contains a difficulty in itself. The authors have noticed that many ordinary citizens and residents in Thailand have been much more vocal about their rights provided by the PDPA. This has both positive results and negative consequences. On the positive side, louder noise and higher likelihood of complaints from ordinary citizens and residents have pushed businesses towards compliance. At the same time, the authors have noticed that the costs of operations of many businesses have gone up owing to compliance costs, as have expenses for dealing with complaints and allegations (many of which are ungrounded and baseless due to misunderstanding of the law by the complainants).
Summary
Overall, Thailand-based companies are moving towards compliance with the PDPA. Large and international companies have led the way, and local entities have slowly followed suit. The year 2023 also produced a few supplementary updates on the law for enabling enforcement. The authors expect 2024 to follow 2023, whereby more supplementary updates will likely be issued, and enforcement will slowly ramp up. Companies are encouraged to learn about the law and to undertake compliance exercises as soon as possible, in order to minimise – or, if possible, extinguish – the related risks.
17th and 36th Floors
Sathorn Square Office Tower
98 North Sathorn Road
Silom
Bangrak
Bangkok 10500
Thailand
+66 2 009 5000
+66 2 009 5080
bd@mhm-global.com www.chandlermhm.com