[Thailand] Are you aware of Thailand’s Personal Data Protection Act BE 2562 (2019)?

Pinyapa (Aime) Somphong

The Personal Data Protection Act BE 2562 (2019) (“PDPA”) is a welcome statute in Thailand which regulates the collection, use, disclosure, and care of personal data in Thailand. It was enacted on 27th May 2019 and has come into full effect on 1st June 2022, after having been delayed by the Royal Decree allowing an original one-year grace period and an additional two-years extension period for businesses to become compliant with the PDPA.

As prior to its construction, Thai citizens and businesses did not have explicit protections governing data privacy, with the exception of the fundamental right to privacy found in Article 32 of the Constitution of the Kingdom of Thailand B.E. 2560. However, without dedicated provisions this constitutional right acted more as an overarching concept, with courts often having to rely on other bodies of law such as the Civil and Commercial Code, 1925 (“CCC”) or Credit Information Business Act, 2002 (“CIBA”). Though, statutes such as these are not necessarily designed to protect consumer data. For example, The Thai Supreme Court ruled that Section 25 of the CIBA, which refers to data collection, does not allow an individual the right to remove their data from the credit bureau database. Thus, once it is in the database it is there to stay. The PDPA aims to resolve these issues, reaffirming data privacy rights in a modern context.

The PDPA aims to make data collection fair and transparent per Section 22 of PDPA. Essentially what this means is that the data that is collected only to the extent necessary for the stated purposes, but this does not mean the data must always be essential for that purpose. However, the most important aspect of the PDPA is the inclusion of appropriate consent, which is outlined in Section 24, offering six legal grounds to collect data. Without such consent the data collection would be considered unlawful. Although, a company may opt to choose multiple grounds, selecting the correct ones is crucial, as it is not so simple to swap to a different basis of collection, even if another is better applied to the situation, as consent would need to be obtained for the newly selected basis. Therefore, businesses and organizations must choose carefully.

Also interestingly, even though the PDPA has been created as a way to adapt to the modern world, as it is so easy now for personal data to be collected via simply visiting a website on our phones or computers, the PDPA neglects to address IP addresses or cookie identifiers. Which is an odd omission considering the PDPA’s Model, the European Union’s General Data Protection Regulation (“GDPR”) does reference “online identifiers” as personal data, which is clarified in Recital 30 to include IP addresses. Although the PDPA defines personal data as any information relating to a person, which enables the identification of such persons (directly or indirectly), without an explicit mention within the PDPA, or clarity from the Personal Data Protection Committee (“PDPC”), it is difficult to ascertain whether online identifies such as IP addresses or cookie trackers require consent to collect. It is possible that the PDPC will release further guidance on this as they continue to create and develop new sub-regulations.

The PDPA is a welcome development in Thailand, where personal data has previously been poorly protected. The Act should help to boost confidence in e-commerce and other online activities, as well as protect the rights of individuals. Not just Thai citizens, but anyone in the country, as the PDPA makes sure to use the phrase “in Thailand” as opposed to referencing only those with Thai nationality or citizenship.

The PDPA is a good first step towards protecting the personal data of Thai residents. However, there are some concerns about its effectiveness. For example, the law does not apply to government agencies, and it is unclear how well it will be enforced. As aforementioned there is also no specific provision for data breaches, which could leave individuals vulnerable if their personal data is mishandled or leaked. On the other hand, the PDPC has published a comprehensive guide on how to prepare and respond for data breaches which is accessible here.

Overall, the PDPA is a positive development that should help to improve the protection of personal data in Thailand. However, more work needs to be done to ensure that it is fully effective in practice. Importantly, with time we will see how courts interpret cases relating to the PDPA.