Thailand’s first-ever law on personal data protection will come into force on June 1, 2022, after being postponed since 2019. The law outlines the obligations for businesses regarding the collection and processing of personal information. The government is expected to provide a grace period for SMEs to comply with the new law.
Thailand’s first consolidated law on personal data protection, called the Personal Data Protection Act (PDPA), was initially signed in 2019 but will be enforced from June 1, 2022, after being postponed due to the pandemic.
The country has now joined its peers Singapore, Malaysia, and the Philippines in enacting data protection laws. The PDPA outlines the obligations of data controllers and processors to inform and request data owners of any collection, use, or disclosure of their personal information. Those found in violation of the law could be liable for civil and criminal fines. As such, the PDPA defines personal data as information that identifies a living person.
The PDPA supports the requirements under several Free Trade Agreements (FTAs) regarding data privacy requirements and a safe, secure environment for digital commerce and online banking in Thailand.
Personal data breaches are becoming more prevalent among ASEAN countries as the digitalization of their economies has resulted in more businesses and people storing their data online and are susceptible to data breaches.
An overview of Thailand’s Personal Data Protection Act
The Thai PDPA is applied to organizations that are directly based in Thailand or are based abroad but are involved in controlling and processing goods, services, and consumer behavior data in Thailand. Businesses should be mindful of two data types – i) general data, such as name, date of birth, phone number, etc. and ii) sensitive data, such as racial, sexual, religious, health, political, and biometric information.
Overall, the data owner must give explicit consent to approve any acts of collection, use, or disclosure of their personal data. Exemptions are granted in cases of:
- Fulfilling contractual obligations;
- Serving the public interest (eg: statistical research to protect the public health); or
- Serving legitimate interests (eg: prevention of danger to an individual).
In addition, the Thai PDPA also introduces a progressive General Data Protection Regulation (GDPR) styled regulation, in which data breach notifications are mandatory, rather than on a voluntary basis, which is the case in other countries like India or in jurisdictions like Hong Kong. Under PDPA, a comprehensive set of rights are guaranteed to the data owners, namely:
- Right to be informed (of the purpose of collection, data retention period, etc.);
- Right to access their personal data;
- Right to rectification (of inaccurate or misleading information);
- Right to objection/ withdrawal (from inappropriate uses at any time);
- Right to restrict processing;
- Right to erasure; and
- Right to data portability (send or transfer structured personal data from one Data Controller to another).
Violation of the data privacy law is subject to criminal and civil fines, ranging from 500,000 baht (US$15,000) to 5 million baht (US$165,000) as well as punitive compensations.
Compliance challenges for small and medium-sized enterprises
Retail businesses and small and medium-sized enterprises (SMEs) must quickly adapt to the new Protection Act, as the implementation of new IT systems and administrative procedures can result in higher operating costs. Despite the widespread publicity around the Act, many SMEs are still unaware of their obligations, and many face difficulties in assessing if they were data processors or controllers. Thai SMEs also face challenges in finding qualified personnel to monitor their compliance as well as having the right legal understanding of their rights and obligations under the new law.
SMEs are crucial to Thailand’s economy, as they contribute to some 35 percent of the country’s GDP annually. Under the 13th Social and Economic Development Plan (2022-26), the government has targeted SMEs to account for 50 percent of the country’s GDP.
The compliance challenge is likely to affect a sizable proportion of Thai SMEs, as digitization is no longer exclusive to technology-focused companies. According to the UOB ASEAN SME Transformation 2020 study, 60 percent of ASEAN SMEs are prioritizing digitization of their businesses, 58 percent are adopting digital marketing, and 52 percent are enhancing the online customer experience for competitive advantage in the market. The government is expected to provide a grace period for small businesses to comply with the minimum requirements in the new law and to avoid significant disruptions to their operations.
The Data Protection Act opening Thailand to free trade opportunities
The PDPA was highly influenced by the European Union’s (EU) GDPR. With the PDPA in place, Thai businesses can satisfy the EU’s strict requirements on data export measures under the Thailand-EU FTA. In June 2021, the EU and Thailand resumed trade negotiations after they collapsed following the 2014 military coup in Thailand. The establishment of a civilian government in 2019 restored the eligibility of Thailand as a trade partner of the EU, its fourth-largest trade partner after China, Japan, and the US.
In proceeding with the FTA, Thailand needs to satisfy the EU’s strict regulatory standards concerning labor and the environment, intellectual property, and most importantly, data export measures. If the FTA negotiations are successful, Thailand can further increase the current €29 billion (US$30 billion) bilateral trade, with €15.1 billion (US$15.9 billion) of exports to the EU, comprised of essential products, such as machinery, electronics, and transport equipment, as well as €11.3 billion (US$11.9 billion) of imports from the EU, constituting mainly machinery, transport equipment, and chemicals and their related products.
The accelerated emergence of e-commerce during the COVID-19 pandemic has given rise to digital payment and other forms of online payments. Cards, digital wallets, and bank transfers are the most dominant payment methods used in 30 percent, 23 percent, and 23 percent of all transactions, respectively. Prior to the Thai PDPA, weak legal measures failed to protect consumers from bank scams and fraud arising from data leakage and identity theft with 32 percent of Thai tech professionals having reported personal experience with payment fraud in 2019.
The Thai PDPA introduces strict, practical guidelines and penalties for any misuse of personal data, including for e-commerce activities. Public and private companies are obligated to protect confidential data and provide financial compensation for those affected by the data breach. The Act would secure a stable and sustainable environment for e-commerce, especially in dealing with cross-border transfers that already make up half of the online consumer purchases in Thailand. The country’s online shopping sector shows immense potential for growth. The industry has quadrupled in value in half a decade to almost US$93 billion in 2018, with high average annual spending at US$1,746, one of the highest in the ASEAN region.
This article was first published by AseanBriefing which is produced by Dezan Shira & Associates.