Thailand’s National Broadcasting and Telecommunications Commission (NBTC) has issued the Notification of the NBTC Re: Measures to Protect Telecommunications Service Users’ Rights Regarding Personal Data, Privacy Rights, and Freedom of Telecommunications to replace the previous 2006 notification of the same name. The replacement notification supports compliance with the Personal Data Protection Act B.E. 2562 (2019) (PDPA), modernizes the regulations in response to technological change and the convergence of digital business, and enhances the protection of telecommunications users’ personal data, privacy rights, and freedoms.
Key aspects of the replacement notification are highlighted below.
User Data and Consent
The notification specifies that “user’s personal data” includes name, address, ID number, mobile number, usage information, and user behavior that can identify the user. “User” does not include resellers of telecommunications services.
To collect, use, or disclose users’ personal data for a purpose other than telecommunications service, service providers must obtain each user’s consent prior to or at the time of collecting the data. The consent (whether written or electronic) must be separate from the telecommunications service agreement. Service providers must clarify the purpose of collecting data, and they must honor users’ rights to opt in and opt out by providing clear and convenient channels for users to withdraw any of their information or cancel any services offered by the operator.
Service providers must add an electronic channel for receiving requests from users to review, access, edit, change, or obtain a copy of their data. The electronic channel must also allow requests from users to suspend use or disclosure of their personal data and withdraw consent to collect, use, or disclose their personal data. In addition, service providers must have a system for verifying the identity of users who want to exercise the rights listed in this paragraph.
Data Collection and Storage
Collection of a user’s personal data is limited to necessary and lawful purposes. Service providers must also provide the user with a channel to update their personal data. While under contract to provide a user with telecommunications service, the service provider must keep the user’s personal data for 90 days. If the user makes any complaint regarding the service, the service provider must keep the relevant user’s data until the complaint is resolved, but not exceeding two years.
Collection of sensitive personal data (e.g., data on race or religion, criminal record, health data, disability data, biometric data) is prohibited without explicit consent from the user, unless it is to provide telecommunications service to benefit a disabled person.
Data Security and Device Access
Service providers must have security measures to prevent the unauthorized or unlawful loss, access, use, alteration, correction, or disclosure of users’ personal data. These measures must be reviewed when necessary or when technology has changed. Service providers must notify the NBTC within 72 hours of becoming aware of a breach of any user’s personal data and within 24 hours if the breach is likely to result in a high risk to the rights and freedoms of the affected user.
Policy Formulation
Telecommunications operators are encouraged to establish a policy aligned with the NBTC notification and the PDPA. The policy should be transparent and available in Thai and other relevant languages, and it must be presented to the NBTC for approval.
For further information, please contact:
Charuwan Charoonchitsathian, Partner, Tilleke & Gibbins
charuwan.c@tilleke.com