Thailand Personal Data Protection Act
Thailand’s Personal Data Protection Act (PDPA), fully enforceable this year, offers opportunities for U.S. companies in data technologies and services.
The PDPA, Thailand’s first consolidated law to govern data protection, becomes fully enforceable in June 2022. The law, which was signed in 2019, was postponed from 2020 following Cabinet approval of a royal decree that proposed the enforcement begin in 2022.
The PDPA is considered the first Thai law designed to govern data protection in the digital age and has been considered comparable to the European General Data Protection Regulation (GDPR). Key aspects of the PDPA include data processing, data collection, data storage, and data consent protocols. Once implemented, the PDPA is expected to change the landscape of personal data protection in Thailand. The legislation mandates that data controllers and processors who use personal data must receive consent from data owners and use it only for expressed purposes. The PDPA imposes punishment for non-compliance of up to THB 5 million in administrative fines and up to THB 1 million in criminal fines.
Key principles under the PDPA are highly influenced by the EU GDPR, but there are still some unique Thai perspectives in the law, notably as regards consent. Generally, the data protection obligations under the PDPA apply to all organizations that collect, use, or disclose personal data in Thailand or of Thai residents, regardless of whether they are formed or recognized under Thai law, and whether they are residents or have a business presence in Thailand. This extraterritorial scope of the PDPA represents a significant expansion of Thailand’s data protection obligations to cover all processing activities relating to Thailand-based data subjects.
Prior to June 1, 2022, data controllers are allowed to continue to process personal data collected if the purpose for which the personal data was collected remains the same. However, data controllers/processors must publicize a consent withdrawal method and notify the data subjects of the same so that data subjects have the option to withdraw their consent/opt out. If a data controller/processor uses or discloses personal data beyond the original purpose for which the data subjects had previously given consent, further specific consent is required for each separate purpose.
With the PDPA becoming fully enforceable, data collectors and users need to ensure systems are compliant with the necessary requirements. Working with a local agent, distributor and representative is critical for U.S. companies interested in selling their products and services in the Thai market. Local companies and buyers put a high premium on companies with a local or regional presence and ongoing support. Government regulators may also interact better with a U.S. company’s local partner. Seeking advice from a professional legal advisor is recommended for specific circumstances.
U.S. companies with data technologies, services and expertise are encouraged to contact the U.S. Commercial Service in Bangkok by emailing office.bangkok@trade.gov to find projects and partners that may need data technology expertise.