Why Trust in Data Governance is key to the new Thai PDPA

With the Thai Personal Data Protection Act finally implemented on 1 June, 2022, following its delay due to the COVID-19 pandemic, we interviewed Dr Prapanpong Khumon, Associate Dean of Academic Affairs at the Faculty of Law, at the University of the Thai Chamber of Commerce.

He shares his thoughts on the new Thai PDPA law, its background and how it compares with other privacy laws and frameworks, as well as why this is the right moment for it to be implemented.

1. What is the background for the Thai PDPA - what prompted the Thai government to adopt this law in the first place?

About five years ago, we saw the phenomenon of global standards shifting towards more protection of personal data.

And we saw that Thai people also had needs, in terms of having their data privacy be protected; and there were very important elements that prompted the Thai government to enact the law in 2019. Basically, three elements have been the main ones that prompted the Thai government to adopt the PDPA.

So the first one is about trust. The Thai government, actually, I think people, not only the government, it's now become a fact that in order for our society and economy to grow and move [forward] together, to enjoy the benefits from the economy, there needs to be trust.

Now there is so much data, especially personal data, that we give out to entities, and they actually collect and disclose our personal data for the gains of the entity and for the benefit of the people in society as well. So it's very important for people to have trust in what the entities are doing in terms of processing of the personal data of customers and people.

A growing amount of data is being stored today, combined with a new focus on personal data privacy is making managing sensitive information more challenging than ever. Learn more about managing and governing data in the all-new Advanced Certificate in Data Governance Systems here.

And the second element is the duties for the entities to have better data governance.

It actually connects with trust because people say that they want to have trust, but how can trust be sustained if the entities do not have an appropriate measure to do better data governance?

So it would be a good thing to have a framework in terms of data privacy law, to frame the entities to move forward and do better in terms of governance.

And the third element, which is also a very important one, is global standards.

Five years ago, the Thai community saw the tendency of countries in and around the Asian region adopting frameworks on data privacy.

We saw existing frameworks, such as that of the OECD and the EU GDPR, and we saw in our region as well that Singapore, the Philippines and Malaysia were all adopting data privacy laws. So it's time for Thailand to step up to those standards. And we believe with the PDPA that we are enforcing now, is going to make Thailand, as a whole, a country that has appropriate standards in terms of personal data protection.

And that the standards are good enough for businesses and entities around the world to exchange information with safeguards to privacy.

2. What are its key provisions - how does it differ from or bear similarities to other PDPA laws in the ASEAN region (and to other regulations)?

So I think the basic thing, or the key essential elements of the Thai PDPA, is that our provisions of the law are very similar to the EU's GDPR in that the provisions are very human rights-centric.

The Thai PDPA is very heavily based on the provisions and the concepts of the GDPR, so it gives the data subjects or the owner of the data a lot of rights concerning privacy.

The basic principles of the PDPA also align with the principles of the ASEAN region frameworks as well, and that also aligns with countries that have adopted the privacy laws before Thailand, such as Malaysia, Singapore and Philippines, in that the key elements of the frameworks to the Thai PDPA that have similar features to the countries in the region that have adopted the law.

The principles include transparency, purpose limitation, having appropriate security to protect the data, and also accountability.

When entities are not compliant with the provisions of the law, the entities must bear some form of accountability and there are some sanctions to make sure that the future incidents will not repeat itself and that the people can get the most benefits from the protection that the Thai PDPA is giving them.

That rights and that sort of the accountability features that can enforce the companies that are not compliant to be compliant, and that's for the benefit of the people in terms of the protection of the data.

When I say that the Thai PDPA is very much heavily based on the GDPR, but there are also some elements that the Thai PDPA do not have, and the GDPR might offer that protection more than Thai PDPA, I think one of the key principles is data minimisation.

Click to view image in new tab.

This is a very interesting question because when the law was enacted in 2019, that was a year before the pandemic broke out in early 2020.

In 2019, there were a lot of roadmaps in place for the public agencies. A lot of budgets are in line to be used for supporting the activities of setting regulatory frameworks and organisational bodies.

So when the pandemic came, in that situation, it was not only the government that suffered – a lot of roadmaps needed to be adjusted and revamped in order to meet new demands, whereby resources were diverted to respond to the pandemic first – but also private entities as well. They would have had a lot of difficulties making sense of the PDPA because it was a law so new to the Thai community.

So for that, the government decided later by the end of 2020 to postpone the implementation of the act because nobody was ready. Both COVID-19 and the PDPA were also very new at the time.

When 2021 came, the pandemic was still there. But there were developments that year because the public was becoming more aware of data privacy. They were becoming more concerned about the issue and more accustomed to this new law.

The public saw the signs that they might need this data privacy law to protect their rights, and that this law could actually benefit the people. As more people understood the importance of the law, there was demand for the government not to delay the act anymore.

With the good signs on both public understanding of data privacy and the COVID-19 situation becoming a lot better now, the government decided that it's finally time in 2022.

So hence 1 June 2022 was the day that the Thai PDPA was fully implemented.

Click here to view Part 2 of the interview.