Thailand’s Personal Data Protection Act (PDPA) was passed by the National Legislative Assembly on February 28, 2019. The PDPA creates legal obligations for “Data Controllers” and “Data Processors” governing their collection, processing and disclosure of personally identifiable data, and sets requirements for giving notice to and obtaining consent from the “Data Owners”. As with all laws, the PDPA must be signed by the King and then published in the Government Gazette before being deemed officially enacted. We anticipate this will be accomplished shortly after the King’s coronation in May, 2019.
Even after official enactment, the PDPA does not become fully effective right away. The sections governing the formation of the Personal Data Protection Board and its related committees do take effect immediately. These government agencies are, inter alia, tasked with drafting ministerial regulations implementing the new law to be published within one year of the PDPA’s enactment. However, the substantive sections governing (a) personal data collection, processing and disclosure, (b) the requirements for giving notification and obtaining consent from personal data owners, (c) other transitional terms and (d) all punitive measures (including imprisonment), do not become effective for an additional one year grace period—i.e. approximately May, 2020.
Moreover, on that date in May, 2020, any Data Controllers who have already been collecting and processing data prior to and up to said effective date, may continue to do so provided such collection and use remains within the original scope for which it was collected. Note, however, that this open-ended grandfathering does not extend to the disclosure of such pre-collected personal data. On the expected May, 2020 effective date, the PDPA becomes immediately applicable with respect to any disclosures of personal data—even for data collected prior to the law’s effective date.
The grandfather clause for personal data collected prior to the PDPA’s effective date is subject to a further limitation as well. Data Controllers with such pre-collected data must notify the Data Owners and enable them (through some simple method) to revoke their consent for the continuing collection and processing of their personal data. The particular section mandating this “publication” of notice to all Data Owners for pre-collected data does not contain any specificity as to the means or the timing for issuing same. (Most likely, this will be something which will be addressed by the implementing ministerial regulations when published in one year.)
Finally, note that in the final weeks leading up to the approval of the new law, the Thai National Legislative Assembly incorporated many changes—expanding the original draft law significantly and in material ways—to match closely the language and terms of the EU’s General Data Protection Regulation, but with several key distinctions and exceptions.
UPDATE: The PDPA was officially published in the Royal Gazette on May 27, 2019, and becomes effective May 28, 2019. All grace periods contained in the PDPA as discussed above begin from the May 28, 2019 date, making full compliance mandatory on May 28, 2020.