Bangkok Post

How to protect data

The ID card is the most common form of personal data Thais use for their financial transactions, legal agreements or obtaining commercial and public services. While its use has become more widespread and the storage of data has become increasingly easy, legal protection of personal data has remained weak and, in many cases, almost nil.

A bill on personal data protection, which is pending cabinet approval, is seen as a remedy proposed by lawmakers. But critics are not hopeful that the bill, which has been in the making for a few years, can in its current form have a far-reaching impact.

Like many Thai laws, the bill is vague, broad and almost toothless. Critics have cast doubt on how much consumers can rely on it, especially in the wake of the recent consumer data breach cases, such as True Move H’s data leak of 11,400 customers’ personal information including scanned images of ID cards.

For decades, Thailand has not had a law that specifically governs personal data protection. When it comes to the need to safeguard data, the country relies either on the Official Information Act that governs personal information possessed by state agencies or the Credit Information Business Operation Act.

The rest of data protection may be handled on a case-by-case basis, as in the True Move H case, in which the National Broadcasting and Telecommunications Commission (NBTC) vows to use its own regulations to force the telecom operator to pay “proper compensation” to affected customers. But the regulator said it has not considered any punishment or fine for the company.

In an act that sounds like a desperate measure, NBTC yesterday proposed itself as a body that will collect personal data of 121 million accounts of all mobile phone customers to prevent possible leaks.

In fact, data breaches can occur beyond the realm of the telecom industry. Therefore, the government and the National Legislative Assembly (NLA) should give high priority to the personal data protection bill, which will give birth to a national committee to regulate personal data collection, use and storage.

The bill had been put up for public hearings in January and February this year. In the wake of the True Move H data breach, critics point out that the bill is not good enough to provide sufficient data protection because it merely requires service providers or data processors to adopt “proper measures” to safeguard data.

In fact, the bill should be more specific. For example, it should require businesses to use encryption to prevent unauthorised access.

Experts also see the bill as outdated, failing to catch up with technologies such as the Internet of Things and big data.

Its weakness also lies in its provisions on penalties for non-compliance. A number of fines specified as punishment are not big enough to force big firms, who usually collect and handle massive amounts of personal data of their customers, to be vigilant and come up with extra and stringent measures to safeguard their customers’ data.

The bill merely says compensation shall be made when owners of personal data suffer damage. It implies that if, for example, data leakage occurs but there is no actual damage on the part of data owners, then businesses can possibly get away with it.

The maximum monetary penalty for failure to adopt the “proper measures” to safeguard data ranges from 200,000 to 300,000 baht.

By contrast, the European Union’s similar law, the General Data Protection Regulation, which will come into effect on May 25, imposes much heftier fines: breaches of the law will lead to fines of up to 4 percent of annual global turnover or 20 million euros, whichever is bigger.

The NLA needs to listen more closely to critics of this bill and make many more important changes to ensure that this new law is up to date and has real teeth to regulate and punish big firms.
