Thailand’s Personal Data Protection Act (PDPA) has been enacted and became effective on May 28, 2019. However, all substantive requirements of the new law only become enforceable following a one-year grace period, on May 28, 2020. By that time, the Ministry of Digital Economy and Society and the Personal Data Protection Committee (“Committee”) shall have issued regulations prescribing further clarification and guidelines for the PDPA’s implementation.
The newly enacted PDPA has significant implications for foreign data controllers and data processors—even those who maintain no presence in Thailand.
The PDPA is made expressly applicable to all operators (data controllers and data processers) who are located in Thailand; but also provides for extraterritorial application to foreign operators who collect, use or disclose personal information belonging to persons in Thailand. .
PDPA Section 5 expressly provides for application to operators located outside Thailand, not only to protect the personal data of Thai nationals, but to protect the personal data of all persons “located in Thailand” regardless of nationality. Section 5’s extraterritorial application is, however, limited to foreign data controllers and data processors whose activities involve either (a) offering (free or paid) products or services to personal data owners located in Thailand; or (b) monitoring the behavior of personal data owners in Thailand.
The PDPA does not mandate that required notices and consent requests under the law be issued in the Thai language. This means that such notices/consent requests can theoretically be in English or any other language. However, the PDPA does require that notices and consent requests be “in an intelligible and easily accessible form, using clear and easy-to-read language”. Ministerial regulations to be issued will clarify these requirements further. These regulations may yet specify a Thai-language requirement in order to fulfil the “easy-to-read language” directive.
PDPA Section 28 also provides express requirements for cross-border transfers of relevant personal data to foreign recipients outside Thailand. The foreign recipient entity or country must ensure adequate protection for any personal data received in accordance with rules to be prescribed by the Committee. Such rules are expected before the grace period for enforcement expires in May, 2020.
Cross-border transfers of personal data also require compliance with applicable notice and consent requirements of the PDPA on each occasion. However, PDPA Section 28 provides exceptions to the notice/consent requirement for cross-border transfers when such transfers are in compliance with a contract obligation of the data controller “for the benefit of the data owner” or otherwise necessary “to comply with the data owner’s request” before entering into such a contract.
PDPA Section 29 provides further exceptions for cross-border transfers of personal data from Thailand if such transfers are made by a Thai data controller as part of either (a) an affiliated undertaking; or (b) an affiliated business, with the foreign entity receiving such personal data abroad. Such “affiliated” cross-border transfers must be in accordance with a written intra-group/affiliate data protection policy which must be certified by the office of the Committee. By obtaining such certification, international group companies may avoid the need for specific notice and consent of data owners in order to share personal data with foreign affiliates outside Thailand.
In the absence of a certified personal data protection policy, personal data may still be transferred abroad if the foreign data controller or data processor provide data protection measures that afford legally enforceable remedies to data owners in Thailand. While no guidance has been provided for what such “legally enforceable remedies” would need to be, we should expect this exception to be linked to Section 36(5)’s requirement that all foreign data controllers and data processors appoint in writing a local representative in Thailand which would be liable (without limitation) to ensure the lawful collection, use and disclosure under the PDPA.
Note, Section 37 provides an exception to the Section 36(5) requirement for appointing a locally responsible Thai representative in cases where (a) the affected personal data does not include sensitive data (defined as ethnicity, race, political opinions, doctrinal, religious or philosophical beliefs, sexual behavior, criminal records, health records, labor union information, hereditary information, and biological information); and (b) does not involve large volumes of data (which limits will be prescribed by the Committee when regulations are announced in May 2020).
Finally, Section 80 provides a final catch-all exception to notice and consent requirements, as well as the cross-border data transfer requirements of Section 28, in cases of disclosure of personal data to lawfully authorized foreign government agencies (analogous to required disclosures contained in banking and anti-money laundering laws).
Breach of the PDPA exposes foreign operators, and their authorized directors, to fines and potential imprisonment.