Bangkok Post

EU data privacy laws creating local waves

Thai firms affected to varying degrees, write Suchit Leesa-nguansuk and Suchat Sritama

- Additional reporting by Somruedi Banchongduang and Pathom Sangwongwanich

Reactions to the implementation of the EU’s General Data Protection Regulation (GDPR) have been mixed in Thailand, with executives claiming their companies are prepared to handle the additional burden, while third-party observers have expressed scepticism about local firms’ ability to adapt to the regulation and its legality in the country.

Companies that serve EU customers will have to adhere to GDPR starting from today, including Thai firms.

WHAT IS GDPR?

The GDPR empowers European citizens as data producers and data owners, but may represent a substantial burden for firms in developing countries. The law is expected to make waves not only in IT departments, but also in the way products are marketed and sold.

Under the terms of the regulation, personal data includes: name, photos, email addresses, bank details, updates on social networking websites, location details, medical information, computer IP addresses, and other personal information. Processing is defined broadly and refers to anything related to personal data, including how a company handles and manages data, such as collecting, storing, using and destroying data.

The GDPR establishes a higher standard of consent for using some types of data, and increases the rights individuals have to access and transfer their data.

Failure to comply with the GDPR will result in significant fines, which represent up to 4% of a company’s global annual revenue.

The law makes no distinctions between personal data about individuals in their private, public or work roles. The regulation will extend to business-to-business (B2B) settings, when personal data is involved.

However, there is no distinction between personal data about individuals in their private, public or work roles — the person is the person. Also in a business-to-business (B2B) setting, everything is about individuals interacting and sharing information with and about each other. Customers in a B2B market obviously share companies, but the relationships that handle the business topics are people — or individuals.

In short, the GDPR applies to all businesses and regulations established in the EU, regardless of whether the data processing takes place in the EU or not. If a business offers goods and/or services to citizens in the EU, then it is subject to GDPR.

TECH FIRMS: PRIVACY IN PROGRESS

According to Facebook’s statement, the company is in compliance with current EU data protection law and will comply with the GDPR. The company’s GDPR preparations are well underway, led by its Dublin-based data protection team and supported by the largest cross-functional team in Facebook’s history.

The company launched a new control centre to make privacy settings easier to understand and update.

“We’ll also remind people how to view and edit their settings as they use Facebook,” the company said in a press release.

Businesses that advertise with Facebook companies can continue using Facebook platforms and solutions in the same way they do today.

Each company is responsible for complying with the GDPR, just as they are responsible for complying with the laws that apply to them today.

William Malcolm, legal director for privacy at Google, recently expressed Google’s commitment to comply with GDPR in a blog.

“We’ve been working on our compliance efforts for over 18 months, ahead of the new law coming into effect,” he said.

Google updated its privacy policy to make it easier to understand what information Google collects, and why Google collects it. Each day nearly 20 million people around the globe visit My Account, from which users can review Google’s security, privacy and ad settings.

“As part of our GDPR compliance efforts, we’ve improved both the controls and the clarity of information in ‘My Account’ so that people are better informed about how and why their data is collected. Within My Account, users can use Activity Controls to choose what activity is saved to your Google Account,” said Mr Malcolm.

Google will provide on/off switches to control Location History, Web and App Activity, and YouTube Search History across devices signed in to user accounts.

Users can view or delete data, including search history, location history and browsing history, using My Activity.

The GDPR places new obligations on Google, but also on any business providing services to people in the EU. That includes Google’s partners around the globe: advertisers, publishers, developers and cloud customers.

“We’ve been working with them to prepare for May 25, consulting with regulators, civil society groups, academics, industry groups and others,” he added.

Under the new rules, companies must get consent from parents to process their children’s data in certain circumstances.

To obtain that consent and to make sure that parents and children have the tools to manage their online experiences, the company is rolling out Family Link — already available in various countries around the world — throughout the EU.

“For advertising partners, we already ask publishers to get consent from their users for the use of our ad tech on their sites and apps under existing legislation, but we’ve now updated that requirement in line with GDPR guidance,” said Mr Malcolm.

Google is working closely with publisher partners to provide a range of tools to help them gather user consent, and built a solution for publishers that want to show non-personalised ads, using only contextual information, he said.

HOTELS: INCREASE GUEST CONFIDENCE

Hotel operators in Thailand welcomed the EU’s new data and privacy protection regulation, saying enforcing more exacting privacy standards would assure guests their personal information is safe.

Supawan Tanomkieatipume, president of Thai Hotels Association and managing director of Twin Towers Hotel Bangkok, said hotels in Thailand should have implemented regulations similar to those of GDPR already.

Thai hotel guests will feel more confident and safe during their stays and when they return home if these hotels implement GDPR, she said.

“GDPR was designed to protect personal data and information. If data is given to third parties without permission, the distributor can be sued,” Ms Supawan said.

In fact, business organisations in Thailand, including hotels, are already forbidden from giving or exchanging customer information with third parties.

Every hotel in Thailand is required to collect guest information and report it to the Immigration Bureau and Interior Ministry for security reasons. Most customers are not worried about handing this data to authorities, but are concerned it could then be transferred to others for commercial purposes, she said.

In Southeast Asia, Singapore has been enforcing the system for one year. All hotels in that city have been quick to comply.

Ms Supawan said implementing the system in Thailand may not be easy due to weak enforcement. Moreover, many hotels are not ready to accept it, and a substantial number of these establishments don’t understand the system.

HOTEL PRACTICES SUBJECT TO FINES

Chatchai Thaweedej, managing director of e-Travel Marketing Co, a local digital marketer focused on the travel sector, said there is relatively low awareness of GDPR in the industry, even though the EU is the second-largest source of tourists to Thailand.

Hotels can be data controllers and data processors under GDPR. Hotels, and local SMEs in particular, need to engage in risk assessment to ensure their customers’ data is secure both offline and online. For example, tracing consumer behaviour through IP addresses and cookies may become a sensitive practice that can lead to fines moving forward.

Hotel operators need to ask customers to consent to any data kept for any objective, and to allow them to delete their data.

Online travel platform Booking.com said it handles customer data in line with the highest technical standards and endeavours to adjust its business to comply with the new legislation, including the new GDPR.

“Where a trip provider, such as an accommodation, holds customer data, it is the provider’s sole responsibility to comply with applicable legislation like GDPR,” the company said.

MINOR ADJUSTMENT FOR BANKS

Wallaya Kaewrungruang, Siam Commercial Bank’s (SCB) general counsel group head, said the stringent data privacy rules would deal only a “modest blow” to Thai banks, since they have been preparing for the data protection standards.

The impact on each bank will be different depending on what percentage of their clients are European nationals, she said.

Local banks have embraced the data privacy law and Thailand’s data protection bill is expected to be enforced soon, said Ms Wallaya.

Most of SCB’s European individual clients are expats, and the bank will sort out their data to comply with the new regulation, she said.

“It is normal practice for SCB to comply with data protection standards, and customers’ consent is already required for the bank to use their personal data,” said Ms Wallaya.

Thai Bankers Association chairman Predee Daochai said local banks’ operations will not be hard hit by GDPR, since they already comply with customer data privacy standards as required by the Bank of Thailand Act.

It is normal practice for banks to integrate local and international regulations into their business operations, he said.

GDPR NOT ENFORCED HERE

Deputy Prime Minister Wissanu Krea-ngam said the Digital Economy and Society Ministry is assessing the issue to limit the adverse effects of GDPR.

The government’s Personal Data Protection Act is also aimed at mitigating the effects of GDPR, said Mr Wissanu.

“If there is any impact on Thais, it would come from Thai law, not from EU law,” he said.

The EU imposes fines of up to €20 million (752 million baht) for personal data leakage of EU citizens. The Thai law does not impose such severe fines. Instead it requires presumed offenders to undergo legal proceedings in Thai courts, under Thai law, said Mr Wissanu.

Asked whether Thailand could be blacklisted or suffer trade restrictions with the EU if EU citizen data is leaked in the country, he said GDPR cannot be applied in Thailand’s jurisdiction, and such blacklisting cannot occur because Thailand has already prepared measures for personal data protection.

BANGKOK POST GRAPHIC Source: Electronic Transactions Development Agency
WICHAN CHAROENKIATPAKUL Facebook has launched a new control unit to make privacy settings easier to understand and update.
