24 January, 2020
Data has been labeled the world’s most valuable resource in our current digital economy. It is the lifeblood of many companies, especially those in the technology, media and telecommunications sector where data is often used to predict, analyse and respond to consumers’ behaviours, patterns and preferences for services and products. Capabilities to collect and analyse mass data are therefore seen as a decisive factor used to distinguish whether one company is a cut above the rest, using data to accurately determine current and future market trends. But in a regulated society, companies cannot freely process whatever data they choose – a balance must be struck between technological innovation and protection of individuals’ rights attaching to their personal data.
In May 2019, Thailand’s first comprehensive data privacy law- the Personal Data Protection Act or the PDPA- emerged amidst growing concerns regarding the collection and use of mass data by corporations. The PDPA is a prescriptive and detailed data security regime that sets high standards for protecting personal information. It grants individuals greater rights over how their data is collected and used and equips the regulators with the power to impose heavy fines on companies for non-compliance. The PDPA is modeled after the General Data Protection Regulation (679/2016/EU) or the GDPR which was implemented by the European Union in 2018. Since its inception, the GDPR has become the global standard for personal data protection and many other jurisdictions, including Thailand, have followed suit by introducing their own version of data privacy laws that were drafted based on the GDPR.
The impact of the PDPA on businesses operating in Thailand is significant as it requires them to make several changes within the organisation regarding their data-handling practices to comply with PDPA mandatory requirements regarding the collection, use and disclosure of personal data. The government has allowed a one-year transition period for businesses to make the necessary preparations and arrangements to comply with the PDPA requirements before they come into full force on 27 May 2020.
The PDPA is far-reaching in its scope and applies extra-territorially. It applies to businesses located in Thailand if they collect, use and disclose personal data, regardless of whether such collection, use or disclosure takes place in or outside Thailand. The PDPA also applies to businesses located outside Thailand if they collect, use and disclose personal data from individuals located in Thailand, for purposes of offering products or services to them (irrespective of whether payment is required) or monitoring their behaviours.
Personal data is broadly defined in the PDPA. Similar to the GDPR, it is defined to include “any information relating to an identified or identifiable natural person (“data subject”) either directly or indirectly”. This could include anything from a customer’s name, mobile phone number, shipping address, credit card information, information relating to a customer’s membership programs, HTTP cookies to comments made on social media. Often businesses with an online presence collect that information regardless of whether they are selling any products or services. This could also include the kind of information which, on its own, does not identify a specific person but when combined with information from other sources – whether from a third party or the public – could be used to identify a person.
But perhaps the most fundamental requirement under the PDPA is the call for businesses to ensure that their data privacy policy is legally compliant. Central to the PDPA is the issue of consent being obtained from data subjects prior to the collection, use and disclosure of their personal information. The PDPA sets out several mandatory requirements regarding how consent from the data subjects should be obtained, the manner in which consent is to be requested and additional requirements if the data to be collected is classified as sensitive personal data. Businesses that fail to comply with the requirements under the PDPA risk heavy civil and criminal liabilities and public reputation damage that could be irreparable.
The PDPA’s breadth of application and the adverse consequences for businesses do not comply with its terms make it crucial for all companies to fully understand the requirements and potential impacts on their businesses. Moreover, though there are similarities between the PDPA and the GDPR, compliance with one does not necessarily ensure compliance with the other as there are differing requirements under the two regimes. Now that the PDPA compliance deadline is looming, it is fundamental that all companies potentially affected by the PDPA spend the next few months formulating and strengthening their personal data privacy schemes to ensure successful implementation of its terms within the organisation and demonstrate they are compliant when the deadline arrives.
For further information, please contact:
Warathorn Wongsawangsiri, Partner, Herbert Smith Freehills