Thailand’s Data Protection Bill: Importance and Implications
In order to foster a true digital economy in Thailand, a network infrastructure and regulatory framework must be established. Data privacy regulation has become an increasingly prominent issue in this digital era as Thailand does not currently have any consolidated law governing data privacy in general.
There are, however, certain specific laws which provide protection of data targeting different business sectors and/or different types of data. For example, the collection of personal data by a company operating credit data or telecommunications businesses in Thailand is controlled by the Undertaking of Credit Bureau Act B.E. 2545 and the Notification of the National Telecommunications Commission Regarding Measures to Protect Telecommunications Subscribers, Data Privacy, Privacy Rights and Freedom of Communications B.E. 2549, respectively. There are also the National Health Act B.E. 2550 and the Child Protection Act B.E. 2546 which mention certain details on health-related data and information relating to minors.
Nonetheless, these existing laws are not able to cope properly with the various types of data collection and processing systems as operated in our current Big Data environment. Various government departments and commercial entities are providing electronic services to their citizens and customers to increase efficiency and productivity by reducing paper-based transactions. Many commercial banks are providing internet or mobile banking facilities to their customers, and similarly, a number of government agencies also now provide online services/registrations via their respective websites due to the initiatives of Thailand’s e-Government scheme. Highlighting the increasing prominence of Big Data, Harvard Business Review recently labelled data scientist as the ‘sexiest job’ of the 21st century. Despite the free flow of information, concerns remain whether our personal data entering into various platforms is being handled appropriately. There are companies who are collecting, selling and analyzing personal data for targeted advertising to consumers without data owners being notified or aware of this. Having a consolidated Thai data protection law, in addition to general tort law and other specific sector/type of data regulations, would help bolster Thailand’s digital economy by ensuring an appropriate legal framework towards the management of personal data.
After almost seventeen years since initiatives to consolidate data protection laws were first proposed, the Thai Cabinet approved in principle the Personal Data Protection Bill (the Bill) in January 2015 as part of the country’s digital economy plan. The Bill is now being considered by the Council of State, and once passed, it will impact every business that is collecting, using, processing, disclosing, and transferring personal data overseas. We will walk readers through certain criteria that the Bill is imposing below, drawing from the latest revision of the Bill revealed in May 2015, and concluding with recommendations regarding the ‘Do-Not-Call’ Registry.
WHO WILL BE IMPACTED BY THIS BILL?
The Bill regulates data controllers regardless of whether they are persons or corporate bodies, so long as they collect, use, and disclose personal data. Every person and organization, from banking, healthcare, insurance, website operators, cloud service providers, data center operators to social networking sites, can be deemed a data controller if they are making decisions regarding the management of personal data, unless certain exceptions apply. Under the Bill, data controllers would exclude those who act under the orders of another person or corporate body, such as employees, contractors, or Internet data hosting providers.
NOTICE, CONSENT, AND CROSS-BORDER TRANSFER
In collecting personal data, data controllers have a duty to provide notice to data owners. This notice must include specific details as stipulated under the Bill, e.g. (1) the objectives of the collection; (2) the personal data to be collected; and (3) rights of data owners.
Further to providing notice, the data controller must also obtain consent to the collection, use, or disclosure from data owners. The request for consent shall not be deceptive or misleading in terms of the objectives.
The cross-border transfer of personal data must comply with regulations to be issued by the Personal Data Protection Committee, unless certain exceptions apply, e.g. consent is obtained from the data owner.
RIGHTS OF DATA OWNERS
Under the Bill, data owners have certain rights to their personal data. These rights include the ability to (1) request access to their personal data; (2) request that data controllers delete, destroy, or temporarily suspend the use of their personal data, or convert it into data which cannot identify the data owners; and (3) request that their personal data is made accurate, up-to-date, complete, and not misleading. Therefore, businesses must make channels available for data owners to submit these requests and exercise their rights.
SECURITY MEASURES AND DATA BREACHES
Being data controllers, companies must also set up appropriate security measures to prevent, among others, the loss of and unauthorized access to personal data. Such measures should be able to detect the breach of personal data in order to notify the users of such a breach, as well as its remedial measures. Further requirements apply in case of breaches in a number exceeding those to be prescribed by the Personal Data Protection Committee at a later stage.
THE PERSONAL DATA PROTECTION COMMITTEE AND EXPERT COMMITTEE
The Bill also establishes two committees, namely the Personal Data Protection Committee and Expert Committee. The Personal Data Protection Committee has the power and duty, among others, to (1) prepare strategic plans for the promotion/protection of personal data, and (2) issue guidelines/notifications/rules for personal data protection, in order to ensure that it is executed in accordance with the Bill.
The Expert Committee is to deal with complaints from personal data owners who suffer damage caused by a personal data controller who violates or fails to comply with the Bill. It is entitled to, among others, (1) carry out the mediation process; (2) order the data controller to take corrective actions; (3) prohibit the data controller from causing damage to the data owner; and (4) inspect any action of the data controllers or their employees or contractors that adversely affects the data owners.
In view of this, once the law is passed, it is envisaged that the rate of enforcement will be heightened as there will, for the first time in Thailand, be a centralized regulator to scrutinize and investigate any misconduct regarding personal data.
The Bill provides for both civil liability and criminal penalties. For civil liability, a data controller who commits any action regarding personal data that causes damage to the personal data owner shall pay compensation to the personal data owner for that action, regardless of whether the action was due to an intentional or negligent act of the personal data controller, unless certain exceptions apply. The compensation will include all costs paid by the personal data owner as necessary to prevent imminent damage or stop ongoing damage.
With regard to criminal penalties, the maximum penalty under the Bill is up to 2 years’ imprisonment and/or a fine of Baht 2 million (approximately USD 57,000).
It is important to also note that Thailand recently passed the Act to Amend the Civil Procedure Code (No. 26) B.E. 2558 which allows class action civil lawsuits stemming from cases of tort, contract, environmental law, consumer protection law, labor law, securities law and trade competition law. Therefore, there is a possibility that a group of personal data owners, who suffer from any misuse and/or inappropriate collection, use, processing, disclosure or transfer of personal data, may band together to file a class action lawsuit to claim damages under tort law.
‘DO-NOT-CALL’ REGISTRY
In various countries like in the UK, Germany, France, and Australia, there are ‘Do-Not-Call’ registries which enable data owners to register and opt out from various types of unsolicited marketing calls, text messages, and emails.
In Australia, there is the Spam Act 2003, which aims to regulate the sending of electronic commercial messages, and also the Do Not Call Register Act 2006 that relates to telemarketing. Consequently, data owners are able to register their home, personal mobile or fax number to reduce telemarketing calls at the government established website ‘donotcall.gov.au’. Once an individual registers their particulars on this website, telemarketers and fax marketers must not contact such registered data owners.
While Thailand already has Section 11 of the Computer Crime Act B.E. 2550 to deal with spam messaging, it does not technically reduce the vast amount of spam targeting email recipients in Thailand. The current draft of the Bill also does not recognize the concept of a ‘Do-Not-Call’ registry. This is one element that certainly should be implemented nationwide to combat the rise in unsolicited marketing in Thailand.
As the Bill is being considered by the Council of State, it is still subject to changes. Therefore, close monitoring of developments is encouraged. There is speculation that the Bill may be passed during the course of this year; however, it will need to progress through the approval process first.
Once the process of review is complete, the Bill will be forwarded to the Cabinet and later to the National Legislative Assembly (NLA) for further consideration. Should the NLA endorse the Bill, it will be sent to His Majesty the King for final approval, and will then be published in the Government Gazette. The law will then ultimately come into effect 180 days after this publication date.
Dhiraphol Suwanprateep is a Partner and Kritiyanee Buranatrevedhya is a lawyer at Baker & McKenzie. They can be contacted at: Dhiraphol.Suwanprateep@bakermckenzie.com and Kritiyanee.Buranatrevedhya@bakermckenzie.com.