Thailand’s Personal Data Protection Act – There’s a New Privacy Law You Need to Know About

Similar to GDPR, Enforcement of This Law Began on June 1

There’s a new privacy law that marketers and website owners need to be aware of.

Enforcement of Thailand’s Personal Data Protection Act began on June 1 after three years of delays. Originally enacted in May 2019, this law mirrors the European Union’s General Data Protection Regulation and joins a long list of laws meant to safeguard internet users and protect personal information.

Specifically, this law requires that data controllers and processors have permission to process personal data – information that can identify a person, either directly or indirectly. Explicit consent must be obtained to collect, use or disclose data that is classified as personal and sensitive, such as information about a person’s health, their race and religion, their sexual preference, any criminal record and any biometric information. There are a handful of exceptions, including those for the public interest, any contractual obligations, compliance with Thai law or anything deemed of vital interest.

Penalties for violations are stiff – fines start at 500,000 Thai baht, or about $14,400, and can reach 5 million Thai baht, or more than $144,000 at current exchange rates. On top of that, regulators can apply punitive damages. Some violations, including those that involve sensitive data and their unlawful exposure, can even land offenders in a Thai prison for up to one year.

Some of the key steps that websites operating in the country will need to take include updating or issuing a new privacy policy, providing website visitors with consent forms if necessary, making a record of all processing activities, entering into data processing agreements with relevant third parties and putting in place robust security measures that would prevent a security breach in the first place. Some entities, such as large corporations and many government departments, may also need to appoint a “data protection officer.”

More information is set to be released in the coming months, so stakeholders can ensure they implement the right policies and can then adhere to them.

New Thai Data Protection Law Mirrors Other Similar Regulations

The actions in Thailand mirror similar actions that have taken place around the world in recent years.

The most notable data protection law is the European Union’s General Data Protection Regulation (GDPR), which went into effect on May 25, 2018. It applies to organisations within the European Union that use personal data, as well as any international organisation that provides goods and services to people in the EU or that monitors their behaviour.

Other countries were quick to draw up regulations of their own. Brazil approved the General Data Privacy Law, and Argentina and India passed their own similar laws. In the United States, the California Consumer Privacy Act enacted similar regulations and was soon joined by the California Privacy Rights Act, the Consumer Data Protection Act in Virginia and the Colorado Privacy Act.

Additional Details In the Personal Data Protection Act

The law’s most notable features are the requirements that data controllers and data processors, both public and private, obtain consent from website users before processing, collecting or disclosing personal information, but there are other parts to the law, one regional publication notes.

So-called “data subjects” also have the right to request access to their personal data and even demand that those data be erased. Further, they can object to the collection, use or disclosure of their information.

Personal data is defined under the law as “any information relating to a person that enables that person to be identified, whether directly or indirectly. This does not extend to information related to deceased persons in particular.”

The law specifies that data protection officers must be appointed for government bodies and organizations with large data processing activities. Those officers are responsible for helping the organization ensure that the data subjects’ personal information is processed in compliance with Thai law, and they will be the contact people for any issues that arise between data subjects and those collecting personal data.

Thai Data Collectors Are Slow to Meet the Requirements of the New Law

Although the law was passed in 2019 and implementation was delayed for three years, compliance with the new regulations has been slow. A survey by the Thai Board of Trade and the Thai Chamber of Commerce found that only 8 percent of businesses surveyed had taken measures to ensure they are fully compliant with the law, and nearly one-third of those surveyed, or 31 percent, had not done anything to be in compliance.

One notable adherent is Alibaba Cloud, the Chinese computing service that is part of Alibaba, the regional e-commerce giant. Alibaba Cloud recently opened a data center in Thailand, and the center is compliant with the new national regulations.

Enforcement will be lax for the first year, notes the Bangkok Post, as both regulators and entities come to understand the law and how it applies to their operations. Likely, only warnings will be issued during the first 12 months as the government urges violators to comply with the guidelines.

Are You Collecting Personal Information?

The first step in understanding how the new Thai law applies to you is knowing if your websites are collecting cookies, what information is being collected, what is being done with it and who else has access to it.

This is where a consent management platform like that offered by CookieHub can come into play. CookieHub has tools and solutions to make sure your website is compliant with laws like GDPR and others.

To learn more, contact CookieHub today.