Thai­land’s Data Pro­tec­tion Bill: Im­por­tance and Im­pli­ca­tions

Thai-American Business (T-AB) Magazine - - Contents - Writ­ten by: Dhi­raphol Suwan­pra­teep and Kri­tiya­nee Bu­rana­treved­hya

In or­der to foster a true dig­i­tal econ­omy in Thai­land, a net­work in­fra­struc­ture and reg­u­la­tory frame­work must be es­tab­lished. Data pri­vacy reg­u­la­tion has be­come an in­creas­ingly prom­i­nent is­sue in this dig­i­tal era as Thai­land does not cur­rently have any con­sol­i­dated law gov­ern­ing data pri­vacy in gen­eral.

There are, how­ever, cer­tain spe­cific laws which pro­vide pro­tec­tion of data tar­get­ing dif­fer­ent busi­ness sec­tors and/ or dif­fer­ent types of data. For ex­am­ple, the col­lec­tion of per­sonal data by a com­pany op­er­at­ing credit data or telecom­mu­ni­ca­tions busi­nesses in Thai­land is con­trolled by the Un­der­tak­ing of Credit Bureau Act B. E. 2545 and the No­ti­fi­ca­tion of the Na­tional Telecom­mu­ni­ca­tions Com­mis­sion Re­gard­ing Mea­sures to Pro­tect Telecom­mu­ni­ca­tions Sub­scribers, Data Pri­vacy, Pri­vacy Rights and Free­dom of Com­mu­ni­ca­tions B. E. 2549, re­spec­tively. There are also the Na­tional Health Act B. E. 2550 and the Child Pro­tec­tion Act B. E. 2546 which men­tion cer­tain de­tails on health- re­lated data and in­for­ma­tion re­lat­ing to mi­nors.

Nonethe­less, th­ese ex­ist­ing laws are not able to cope prop­erly with the var­i­ous types of data col­lec­tion and pro­cess­ing sys­tems as op­er­ated in our cur­rent Big Data en­vi­ron­ment. Var­i­ous gov­ern­ment de­part­ments and com­mer­cial en­ti­ties are pro­vid­ing elec­tronic ser­vices to their cit­i­zens and cus­tomers to in­crease ef­fi­ciency and pro­duc­tiv­ity by re­duc­ing pa­per- based trans­ac­tions. Many com­mer­cial banks are pro­vid­ing in­ter­net or mo­bile bank­ing fa­cil­i­ties to their cus­tomers, and sim­i­larly, a num­ber of gov­ern­ment agen­cies also now pro­vide on­line ser­vices/ reg­is­tra­tions via their re­spec­tive web­sites due to the ini­tia­tives of Thai­land’s e- Gov­ern­ment scheme. High­light­ing the in­creas­ing promi­nence of Big Data, Har­vard Busi­ness Re­view re­cently la­belled data sci­en­tist as the ‘ sex­i­est job’ of the 21st cen­tury. De­spite the free flow of in­for­ma­tion, con­cerns re­main whether our per­sonal data en­ter­ing into var­i­ous plat­forms is be­ing han­dled ap­pro­pri­ately. There are com­pa­nies who are col­lect­ing, sell­ing and an­a­lyz­ing per­sonal data for tar­geted ad­ver­tis­ing to con­sumers with­out data own­ers be­ing no­ti­fied or aware of this. Hav­ing a con­sol­i­dated Thai data pro­tec­tion law, in ad­di­tion to gen­eral tort law and other spe­cific sec­tor/ type of data reg­u­la­tions, would help bol­ster Thai­land’s dig­i­tal econ­omy by en­sur­ing an ap­pro­pri­ate le­gal frame­work to­wards the man­age­ment of per­sonal data.

Af­ter al­most seven­teen years since ini­tia­tives to consolidate data pro­tec­tion laws were first pro­posed, the Thai Cab­i­net ap­proved in prin­ci­ple the Per­sonal Data Pro­tec­tion Bill ( the Bill) in Jan­uary 2015 as part of the coun­try’s dig­i­tal econ­omy plan. The Bill is now be­ing con­sid­ered by the Coun­cil of State, and once passed, it will im­pact ev­ery busi­ness that is col­lect­ing, us­ing, pro­cess­ing, dis­clos­ing, and trans­fer­ring per­sonal data over­seas. We will walk read­ers through cer­tain cri­te­ria that the Bill is im­pos­ing be­low, draw­ing from the lat­est re­vi­sion of the Bill re­vealed in May 2015, and con­clud­ing with rec­om­men­da­tions re­gard­ing the ‘ Do- Not- Call’ Registry.


The Bill reg­u­lates data con­trollers re­gard­less of whether they are a per­son or cor­po­rate bod­ies, so long as they col­lect, use, and dis­close per­sonal data. Ev­ery per­son and or­ga­ni­za­tions, from bank­ing, health­care, in­sur­ance, web­site op­er­a­tors, cloud ser­vice providers, data cen­ter op­er­a­tors to so­cial net­work­ing sites can be deemed data con­trollers if they are making de­ci­sions re­gard­ing the man­age­ment of per­sonal data, un­less cer­tain ex­cep­tions ap­ply. Un­der the Bill, data con­trollers would ex­clude those who act un­der the or­ders of an­other per­son or cor­po­rate bod­ies, such as employees, con­trac­tors, or In­ter­net data host­ing providers.


In col­lect­ing per­sonal data, data con­trollers have a duty to pro­vide no­tice to data own­ers. This no­tice must in­clude spe­cific de­tails as stip­u­lated un­der the Bill, e. g. ( 1) the ob­jec­tives of the col­lec­tion; ( 2) the per­sonal data to be col­lected; and ( 3) rights of data own­ers.

Fur­ther to pro­vid­ing no­tice, the data con­troller must also ob­tain con­sent to the col­lec­tion, use, or dis­clo­sure from data own­ers. The re­quest for con­sent shall not be de­cep­tive or mis­lead­ing in terms of the ob­jec­tives.

The cross- border trans­fer of per­sonal data must com­ply with reg­u­la­tions to be is­sued by the Per­sonal Data Pro­tec­tion Com­mit­tee; un­less cer­tain ex­cep­tions ap­ply, e. g. con­sent is ob­tained from the data owner.


Un­der the Bill, data own­ers have cer­tain rights to their per­sonal data. Th­ese rights in­clude the abil­ity to ( 1) re­quest ac­cess to their per­sonal data; ( 2) re­quest data own­ers to delete, de­stroy, or tem­po­rar­ily sus­pend the use, or con­vert it into data which can­not iden­tify the data own­ers; and ( 3) the right to re­quest that their per­sonal data is made ac­cu­rate, up- to- date, com­plete, and not mis­lead­ing. There­fore, busi­nesses must pro­vide chan­nels avail­able for data own­ers to ful­fil th­ese re­quests to ex­er­cise their rights.


Be­ing data con­trollers, com­pa­nies must also set up ap­pro­pri­ate se­cu­rity mea-

sures to pre­vent the loss and ac­cess to per­sonal data with­out au­tho­riza­tion, among oth­ers. Such mea­sures should be able to de­tect the breach of per­sonal data in or­der to no­tify the users of such a breach, as well as its re­me­dial mea­sures. Fur­ther re­quire­ments ap­ply in case of breaches in a num­ber ex­ceed­ing those to be pre­scribed by the Per­sonal Data Pro­tec­tion Com­mit­tee at a later stage.


The Bill also es­tab­lishes two com­mit­tees - namely the Per­sonal Data Pro­tec­tion Com­mit­tee and Ex­pert Com­mit­tee. The Per­sonal Data Pro­tec­tion Com­mit­tee has the power and duty, among oth­ers, to ( 1) pre­pare strate­gic plans for the pro­mo­tion/ pro­tec­tion of per­sonal data, and ( 2) is­sue guide­lines/ no­ti­fi­ca­tions/ rules for per­sonal data pro­tec­tion, in or­der to en­sure that it is ex­e­cuted in ac­cor­dance with the Bill.

The Ex­pert Com­mit­tee is to deal with com­plaints from per­sonal data own­ers who suf­fer dam­age caused by a per­sonal data con­troller who vi­o­lates or fails to com­ply with the Bill. It is en­ti­tled to, among oth­ers, ( 1) carry out the me­di­a­tion process; ( 2) or­der the data con­troller to take cor­rec­tive ac­tions; ( 3) pro­hibit the data con­troller from caus­ing dam­age to the data owner; and ( 4) in­spect any ac­tion of the data con­trollers or their employees or con­trac­tors that ad­versely af­fects the data own­ers.

In view of this, once the law is passed, it is en­vis­aged that the rate of en­force­ment will be height­ened as there will, for the first time in Thai­land, be a cen­tral­ized reg­u­la­tor to scru­ti­nize and in­ves­ti­gate any mis­con­duct re­gard­ing per­sonal data.


The Bill pro­vides for both civil li­a­bil­ity and crim­i­nal penal­ties. For civil li­a­bil­ity, a data con­troller who com­mits any ac­tion re­gard­ing per­sonal data that causes dam­age to the per­sonal data owner shall pay com­pen­sa­tion to the per­sonal data owner for that ac­tion, re­gard­less of whether the ac­tion was due to an in­ten­tional or neg­li­gent act of the per­sonal data con­troller, un­less cer­tain ex­cep­tions ap­ply. The com­pen­sa­tion will in­clude all costs paid by the per­sonal data owner as nec­es­sary to pre­vent im­mi­nent dam­age or stop on­go­ing dam­age.

With re­gard to crim­i­nal penal­ties, the max­i­mum penalty un­der the Bill is up to 2 years im­pris­on­ment and/ or a fine of Baht 2 mil­lion ( ap­prox­i­mately USD 57,000).

It is im­por­tant to also note that Thai­land re­cently passed the Act to Amend the Civil Pro­ce­dure Code ( No. 26) B. E. 2558 which al­lows class ac­tion civil law­suits stem­ming from cases of tort, con­tract, en­vi­ron­men­tal law, con­sumer pro­tec­tion law, la­bor law, se­cu­ri­ties law and trade com­pe­ti­tion law. There­fore, there is a pos­si­bil­ity that a group of per­sonal data own­ers, who suf­fer from any mis­use and/ or in­ap­pro­pri­ate col­lec­tion, use, pro­cess­ing, dis­clo­sure or trans­fer of per­sonal data, may band to­gether to file a clas­s­ac­tion law­suit to claim dam­ages un­der tort law.


In var­i­ous coun­tries like in the UK, Ger­many, France, and Aus­tralia, there are ‘ Do- Not- Call’ reg­istries which en­able data own­ers to reg­is­ter and opt out from var­i­ous types of un­so­licited mar­ket­ing calls, text mes­sages, and emails.

In Aus­tralia, there is the Spam Act 2003, which aims to reg­u­late the send­ing of elec­tronic com­mer­cial mes­sages, and also the Do Not Call Reg­is­ter Act 2006 that re­lates to tele­mar­ket­ing. Con­se­quently, data own­ers are able to reg­is­ter their home, per­sonal mo­bile or fax num­ber to re­duce tele­mar­ket­ing calls at the gov­ern­ment es­tab­lished web­site ‘ donot­call. gov. au’. Once an in­di­vid­ual reg­is­ters their par­tic­u­lars on this web­site, tele­mar­keters and fax mar­keters must not con­tact such reg­is­tered data own­ers.

While Thai­land al­ready has Sec­tion 11 of the Com­puter Crime Act B. E. 2550 to deal with spam mes­sag­ing, it does not tech­ni­cally re­duce the vast amount of spam tar­get­ing email re­cip­i­ents in Thai­land. The cur­rent draft of the Bill also does not rec­og­nize the con­cept of a ‘ Do- Not- Call’ registry. This is one el­e­ment that cer­tainly should be im­ple­mented na­tion­wide to com­bat the rise in un­so­licited mar­ket­ing in Thai­land.


As the Bill is be­ing con­sid­ered by the Coun­cil of State, it is still sub­ject to changes. There­fore, close mon­i­tor­ing of devel­op­ments is en­cour­aged. There is spec­u­la­tion that the Bill may be passed dur­ing the course of this year, how­ever, it will need to progress through the ap­proval process first.

Once the process of re­view is com­plete, the Bill will be for­warded to the Cab­i­net and later to the Na­tional Leg­isla­tive As­sem­bly ( NLA) for fur­ther con­sid­er­a­tion. Should the NLA en­dorse the Bill, it will be sent to his Majesty the King for fi­nal ap­proval, and will then be pub­lished in the Gov­ern­ment Gazette. The law will then ul­ti­mately come into ef­fect 180 days af­ter this pub­li­ca­tion date.

Dhi­raphol Suwan­pra­teep is a Part­ner and Kri­tiya­nee Bu­rana­treved­hya is a lawyer at Baker & Mcken­zie. They can be con­tacted at: Dhi­raphol. Suwan­pra­teep@ bak­erm­cken­zie. com and Kri­tiya­nee. Bu­rana­treved­hya@ bak­erm­cken­zie. com.

Hav­ing a con­sol­i­dated Thai data pro­tec­tion law, in ad­di­tion to gen­eral tort law and other spe­cific sec­tor/ type of data reg­u­la­tions, would help bol­ster Thai­land’s dig­i­tal econ­omy by en­sur­ing an ap­pro­pri­ate le­gal frame­work to­wards the man­age­ment of per­sonal data.

Newspapers in English

Newspapers from Thailand

© PressReader. All rights reserved.