Best of 2022: What the new Thai PDPA means for individuals and businesses

With the Thai Personal Data Protection Act finally implemented on 1 June 2022, following its delay due to the COVID-19 pandemic, we interviewed Dr Prapanpong Khumon, Associate Dean of Academic Affairs at the Faculty of Law, at the University of the Thai Chamber of Commerce.

In the first part of our interview, he shares his thoughts on the new Thai PDPA law, its background and how it compares with other privacy laws and frameworks, as well as why this is the right moment for it to be implemented. Read more here.

In this article, he elaborates about his thoughts on the new Thai PDPA law, what it entails and what it means for Thailand in the short and medium term.

1. What are the latest developments with regards to the Thai PDPA – what does it mean for the law to become fully in-force from 1 June 2022? 

There are two sides to this. The first is the development in terms of the regulatory institutional setup, like in Singapore, we have the Personal Data Protection Committee (PDPC), which is the regulator.

After a brief period of turbulence, with the COVID-19 situation, the committee has been fully set up and is ready to carry out the regulatory work.

The second side that I would like to mention is the public side, which includes people who are now demanding for their privacy to be protected and the private and public institutions and agencies that are under the auspices of the PDPA.

These organisations need to be compliant, and people are now demanding for the law to be enforced and I think this is a happy sign as people are asking [privacy-related] questions.

If the PDPA is enforced fully, the problems about cold calling, unsolicited calls, unsolicited telemarketing, are these problems going to go away?

The latest developments show that people are now becoming more aware, they actually know what the Thai PDPA can do for them, what the Thai PDPA can do to protect their data privacy.

With public sentiment coinciding with the institutional readiness of the regulator, all the committees are in place and are ready to launch regulations that are supplementary rules to the main PDPA.

Get an in-depth understanding of the Thai data protection law and the practical application through our course here.

Click to view our infographic of the Thai PDPA

2. Who is under the purview of the law, are DPOs mandatory, and what is the grace period for SMEs to comply?

Since the Thai PDPA is heavily influenced by the European Union General Data Protection Regulation (EU GDPR), the regulatees, or the sort of entities that are under the purview of the law, will be both public and private entities that decide the collection and disclosure of the personal data, or what we call in our law as the data controller.

So, the Thai PDPA is very comprehensive; it covers both public entities and private entities, just like the GDPR. No particular type of organisation is spared from complying.

Interested in learning more about the EU GDPR and its application in Asia? Sign up for our course here.

But of course there are some exemptions, like for the police or for national security.

In some ASEAN countries, data protection officers (DPOs) are mandatory for businesses to appoint. But for the Thai PDPA, DPOs are only mandatory for entities with regular and significant processing of personal data. Entities that are both public or private entities, that have a regular processing of data, DPOs are mandatory for them. We have supplementary rules [for this] in the final draft now.

We also have specific business activities whereby DPOs are mandatory. These include business sectors such as insurance, banking, credit scoring, advertising, social media, search engines, any business that operates membership card schemes, businesses that operate public transportation, telecommunications, security guards, and of course any business with core business activities processing sensitive data.

When it comes to SMEs, of course, the issue that is very important globally is that when you have a small- or medium-sized business, how far do you have to comply with the PDPA? In Thai law, SMEs are small and medium businesses are exempt from some of the obligations, such as to record data processing activities or the appointment of a DPO given the threshold of data processing needed for it to be mandatory.

As we can see from fellow ASEAN member states that have implemented data protection laws, such as Singapore, the Philippines and Malaysia, in the first year of implementation, sanctions will tend to be warning-based. Serious violations of data privacy will still warrant serious action, but minor violations should see the regulator lean towards warning-based sanctions rather than full-on sanctions.

3. How do you assess this implementation of Thai PDPA in June and what predictions do you have about how well or problematic this implementation may be?

I think that's a very important question. First, I would like to give my assessment on the awareness of people.

The law is still quite new, but it’s not as new anymore in 2022, compared to five years ago, when nobody had any idea what the Thai personal data protection law was about.

Now the public awareness is up to a very good level, because the public have been affected by a lot of unsolicited calls, cold calling, and unsolicited telemarketing. This has prompted a lot of questions for the public and there is a lot of information that is available to the public now.

So, people in general get the idea of what the law can make their lives better. They are waiting to see the response in terms of the enforcement as well. If there is a breach of data, how will the regulator respond to those breaches?

Meanwhile, entities are kind of waiting to see the official [supplementary] rules so that they can be certain that, okay, there are no further changes and that they can adopt these rules into their process designing.

There has been some uncertainty, but the good news is that the draft rules are going to be official very soon. I believe that by the end of July, we are going to see a lot of official rules coming into place, in a lot of priority areas that need certainty.

The last part I'm going to talk about is the readiness of the PDPC.

Having undergone turbulence because there was COVID-19 and the government having to draw resources away to deal with the pandemic, a lot of those timelines and pipelines are now back in place for the PDPC.

The good news now is that all the budgets and all the resources have been drawn back to the regulatory body, so they can perform these duties according to the timeline.

I believe that these three areas are starting to come together.

But then the whole thing is very new because the law is just enforced [1 June 2022]. So we have [to spend] a lot of time to make adjustments [to the law] on the part of the regulatory body, the entities and the people.

4. If there's anything you'd like to add about Thai PDPA, please feel free to elaborate.

I see a lot of countries launching data privacy laws, including China, where the standards are similar to the principles of the GDPR.

We see that the global standards now in terms of data protection are beginning to look more alike in terms of the principles that are very similar to the new, stronger concepts of protection for the people like the GDPR offers.

So, I think this would be a very important trend. If we can project at least for a three- or five-year period, I think the trends are still going to continue down the road of stronger protection and more human-centric, data subjects-based protection – and the Thai PDPA is no exception.

We see a lot of countries follow down this path. So if you are the businesses or even if you are people interested in the data privacy area, this would be, I think, the trends of the regulation that these countries are moving towards these similarities of the concept of stronger protection.

This article was originally published on 6 June 2022.