14 March, 2018
In January 2018, the government called for the fourth public hearing of the draft Personal Data Protection Act. There were no substantial changes in this draft as compared to the prior version published in March 2015, although minor changes were made. This article reviews some of the key provisions in the latest draft bill, noting where changes have been made from the previous draft.
§5: Definition of “Personal Data” – unchanged
“Personal Data” means any data pertaining to a person, which enables the identification of that person, whether directly or indirectly, but not including data which specifies only the name, title, workplace, or business address and data of the deceased specifically.
§5: Definition of a “Data Controller” – unchanged
“Personal Data Controller” means a person or juristic person with the power and duty to make decisions regarding the collection, use, or disclosure of personal data.
§5: Definition of “Data Processor” – updated
“Personal Data Processor” means a person or a juristic person that collects, uses, or discloses Personal Data on behalf of, or in accordance with, the instructions of a Personal Data Controller.
§20: Consent Requirements and Exemptions – updated
Consent from a Data Subject is still required for the collection of Personal Data. Under the 2015 draft, consent is exempted if data is collected:
- for conducting research, statistical analysis, or for the public interest, and the data is kept confidential;
- for preventing emergencies or protecting others from danger;
- from publicly available information;
- in compliance with the law; or,
- for other reasons as further prescribed by the Commission.
The new 2018 draft includes two additional provisions:
- for the public interest or in the exercise of a government authority, which is the Data Controller, provided that it does not violate the fundamental rights and freedom of the Data Subject; and
- for the legitimate interests of the Data Controller or a third party, provided that it does not violate the fundamental rights and freedom of the Data Subject.
§23: Cross-border Transfer of Personal Data – unchanged
Overseas transfers of Personal Data must be made in accordance with a specific regulation, which is to be prescribed by the Commission, except in the following cases:
- where the law so prescribes;
- where the consent of the Data Subject has been obtained;
- where it is in compliance with a contract entered into by the Data Subject and the Data Controller;
- where it is for the interests of the Data Subject, who is unable to give consent at such time;
- where it is a transmission to a person who has been granted a mark certifying the standards in relation to personal data protection; or
- other cases as prescribed by the Commission.
§28: Data Controller’s Duties – updated
Under the 2015 draft, the Data Controller is required to meet the following requirements:
- Security Measures. Arrange for appropriate security measures to prevent unauthorized access.
- Prevention Measures. If the personal data must be disclosed to another person (non-Data Controller), the Data Controller must prevent that person from using or disclosing the Personal Data unlawfully, or without authorization.
Deletion Requirement. Destroy Personal Data when the permitted period expires, or the Data Subject revokes their consent.
Notification of Breach. Inform the Data Subject of any breach incident without delay. The number of cases in which the Data Subjects have been affected must also be reported to the Commission, as required by the Commission.
New Internal Assessment Requirement. Frequently assess possible impacts to Personal Data from a privacy aspect.
§29: Data Processor’s Duties – new
The Data Processor is required to:
- arrange for collection, use, or disclosure of Personal Data, specifically in accordance with the instructions of the Data Controller, except for those instructions which are unlawful or which fall outside the personal data protection requirements under this act;
- arrange for appropriate security measures to prevent unauthorized access to Personal Data; and
- prepare and maintain records for processing transactions, as further required by the Commission.
§69 – 73: Penalties – updated
Imprisonment penalties have all been removed. The monetary fines remain unchanged.
§81: Grandfather Provision – new
The Data Controller may continue to use data that was collected before the law became effective for the purpose for which the Data Subject was initially informed. However, the Data Controller must arrange to obtain the consent of preexisting Data Subjects within a period, and under conditions, to be further prescribed by a ministerial regulation, provided that the period under the ministerial regulation does not exceed three years.
Effective Date
The 2018 draft Personal Data Protection Act will be effective 240 days after publication in the Government Gazette. When the law eventually comes into effect, it is sure to have a major impact on business operations. All businesses will need to continue to closely monitor the progress of the Personal Data Protection Act as it continues to move through the legislative process.
For further information, please contact:
Athistha (Nop) Chitranukroh, Tilleke & Gibbins
athistha.c@tilleke.com