It took more than 20 years for the Thai government to pass a law on personal data protection since its first attempt, following the EU Directive 95/46/EC, in 1996.
The draft was first introduced under the government’s “IT2000” policy alongside five other IT-related laws, including the Electronic Transactions Act and the Computer-Related Crime Act, which have been in effect since 2001 and 2007, respectively. The law on personal data protection, however, seemed too intricate to be finalized. As personal data protection has become a global concern in recent years due to the progress of technology, especially after the advent of the EU General Data Protection Regulation (“GDPR”), the government eventually had no choice but to pass the Personal Data Protection Act (“PDPA”) in 2019 with a “two-step” effectiveness. Namely, some of the provisions came into effect on May 28, 2019, while the rest, including those relating to the rights of Data Subjects as well as the obligations and liabilities of Data Controllers and Data Processors, were initially scheduled to come into effect on May 28, 2020.
However, in May 2020, before the second step took effect, it appeared that numerous stakeholders in both the public and private sectors were not yet ready to comply with the PDPA. The situation was further worsened by the COVID-19 pandemic. Hence, the government explored possibilities for allowing more time to prepare for compliance.
As the effective date was strictly set by the Act passed by Parliament, a postponement must take the form of a law of the same hierarchy, i.e. another Act of Parliament, which must be approved by Parliament, or an Emergency Decree, which may be issued solely by the Cabinet but only under certain conditions set out in the Constitution.
Due to the difficulty of both of the above options, another option was selected. Section 4 of the PDPA authorizes the Executive (the Cabinet) to promulgate a Royal Decree designating businesses or entities which shall be exempted from some or all obligations of Data Controllers under the PDPA. Pursuant to this Section, the Cabinet decided to issue a Royal Decree exempting Data Controllers in 22 businesses and entities from those obligations until May 31, 2021. These 22 businesses and entities are listed in accordance with the Thailand Standard Industrial Classification (“TSIC 2009”), which is understood to cover all kinds of businesses and entities. Therefore, all Data Controllers should generally fall within the scope of this exemption.
However, there remain some unclear issues which may be open to further interpretation. Firstly, one may argue that a Royal Decree effecting a general exception for all businesses and entities goes beyond the intention of Section 4 of the PDPA, which intends to provide exceptions for only certain businesses and entities. Secondly, as Data Processors are not mentioned in Section 4 or in this Royal Decree, one may argue that Processors remain bound by the PDPA. Moreover, some businesses are not expressly listed, e.g. the securities business, and it may be disputable whether they are covered by the listed ones or not.
Though this Royal Decree is commonly understood as a further extension, it is actually a temporary exception from the Data Controllers’ obligations for a certain period of time, i.e. until May 31, 2021.
Though the Royal Decree exempts Data Controllers from certain obligations under the PDPA, Controllers are still required to provide security measures for personal data. In this regard, the Ministry of Digital Economy and Society has recently issued a Ministerial Notification regarding the Standard for Maintaining the Security of Personal Data.
Under the above-mentioned standard, Data Controllers must maintain the confidentiality, integrity and availability of all personal data in their possession. The measures should include administrative, technical, and physical safeguards for access control to such personal data. All personnel, staff, employees, and relevant parties must be informed of these measures. Optionally, Data Controllers may adopt a different standard, provided that it is not less protective than the one in this Notification.
The Personal Data Protection Committee
Another essential part of the PDPA is the Personal Data Protection Committee (the “Committee”), which is established to perform certain functions, including issuing relevant rules and regulations.
Currently, the list of the nominated chairperson and honorary directors has been approved by the Cabinet. However, as the list has not yet been published in the Government Gazette, it may be disputable whether the Committee is officially appointed and authorized to perform its functions yet.
What should businesses do in the meantime?
While certain obligations of Data Controllers under the PDPA are “technically” postponed, this should be a great opportunity for businesses to prepare for full enforcement next year. The preparation may include studying their obligations arising from the PDPA, exploring the flow of personal data in their possession, improving IT systems, designating a person in charge of compliance with the relevant laws and regulations, and educating relevant personnel on the importance of personal data. As some detailed regulations and guidelines are yet to come, following international standards or “best practice” such as those set out in the GDPR should be a good choice.