Lawyer urges action on data protection bill
The recent cases of data leakage by Facebook and True Move H are a wake-up call for the government to update and enforce data protection laws, says a legal expert.
Paiboon Amornpinyokiat, founder of P&P law, said the draft of the data protection bill passed a public hearing and has been pending for cabinet approval before proceeding to the National Legislative Assembly (NLA).
But the bill may not come into effect, he said, as it is not considered as high a priority as the cybersecurity law, which is likely to be endorsed before the election.
“Thailand has planned to endorse the data protection law for almost 21 years, from when Chuan Leekpai was prime minister until the present government,” Mr Paiboon said.
The latest data protection draft was deemed outdated because it fails to address newer technologies like the Internet of Things (IoT), artificial intelligence and big data.
Moreover, the draft lacks a penalty statement for service operators that leak data and makes no mention of requiring service providers to inform users in the event of a personal data breach.
The draft omits a mandate for data processors and service providers to include strong measures for data protection, particularly encryption, merely alluding to “proper measures”.
Mr Paiboon said European and US laws offer tax incentives to business operators who invest in technology for data protection in compliance with the law.
He said IoT and cloud computing have been incorporated in the EU’s upcoming General Data Protection Regulation (GDPR), to take effect next month.
The GDPR also covers any organisation that has business with the EU and stores EU citizen data.
Mr Paiboon said the GDPR includes three major principles that the NLA might take into consideration for Thailand’s data protection law.
The first is personal data minimisation, meaning that companies must limit personal data collection, storage and usage to data that is relevant, adequate and necessary for carrying out the purpose for which the data is processed.
The second is data anonymisation for login, a type of information sanitisation for privacy protection through encrypting or removing personal identification information.
The third is privacy-friendly design, requiring online service providers to set the default to protecting user data first. For example, Facebook defaults to a public setting and lets users switch their setting to private later, but less-savvy users may not know how to turn off exposure of their data.