In May 2019, Thailand’s Personal Data Protection Act (PDPA) officially became law. Echoing General Data Protection Regulation (GDPR) somewhat, the PDPA regulates personal data collection, storage and dissemination. But while further regulatory developments are required to ensure the law can be fully implemented, businesses should be seeking out legal help to ensure they are compliant now — and not dragging their heels — say lawyers.
Over the past few years, data privacy has become a hot topic in Asia, and regulation has become a growing trend. Last year saw several signiﬁcant developments across the region. In India, the country’s Personal Data Protection Bill began making its way through the parliamentary process, while in Malaysia, a signiﬁcant medical leak that exposed patient data last September led to calls for legislative action. At the same time, the Philippines’ National Privacy Commission has led a push to change the way data is processed, with the commission banning online lenders for improper personal data use following data privacy complaints.
Last year, Thailand also joined the trend, rolling out its Personal Data Protection Act (PDPA) in May. The act offers a one-year grace period for businesses to become compliant before they face legal enforcement. During this time, the ofﬁce of the Personal Data Protection Committee, which will be responsible for the enforcement of PDPA, was launched, while additional rules continue to be ﬂeshed out.
While PDPA will officially come into force on May 27 this year, further developments and guidelines are to be expected in due course, lawyers say, adding that businesses are advised to begin making themselves familiar with PDPA’s speciﬁc requirements, and its scope.
Pranat Laohapairoj, counsel at Bangkok-based Chandler MHM, tells Asian Legal Business that Thailand’s Personal Data Protection Act has largely mirrored the 2016 European Union General Data Protection Regulation (GDPR). GDPR, with its stringent requirements, has been something of a global blueprint for data privacy, and carries a reputation as a regulation with teeth, and as something of a trendsetter.
“The PDPA was developed and enacted in response to previous and concurrent enactments of data protection laws in other jurisdictions. The intent was for Thailand to have comparable law so that the standards for data protection would be of an international standard and businesses holding data would not be negatively impacted due to the lack of trustworthy law,” Pranat says.
As jurisdictions throughout Asia push to strengthen their data privacy laws, many are looking to balance GDPR requirements, while also considering regional approaches.
“In general, the Act is comparable to those of other jurisdictions in terms of content or may in fact be considered to be more stringent when compared to other jurisdictions that do not currently follow GDPR e.g. Singapore,” Pranat says of Thailand’s approach.
“This is because the PDPA substantially follows GDPR and GDPR is currently the strongest data protection regime in the world. But the extent of enforcement is yet to be determined as the provisions concerning data protection will come into force on May 27, 2020 and subordinated legislation has not been issued yet,” he adds.
GETTING READY FOR PDPA
While certain provisions of PDPA will be immediately enforceable, other aspects still require supplementary regulations further down the line for the PDPA to be fully or reasonably workable, Pranat explains.
“Businesses should first under-take an internal data mapping exercise and conduct a due diligence exercise to know how they obtain, store, and process personal data. Thereafter, the necessary documents can be crafted to enable businesses to continue their operations. Training is also highly recommended to enable the employees of those businesses, especially those working with personal data, to be familiar with the law and its requirements. This would assist employees in avoiding skirting or breaching the law, which will have monetary and reputational consequences for the businesses,” he adds.
And though it may take some time and further developments for the legis-lation to be fully implemented, PDPA will have immediate consequences. “The immediate positive impact is that Thailand will be considered to be on par with other jurisdictions in terms of data protection,” says Pranat, but for businesses there are likely to be teething problems.
“The negative impact that most businesses may face is the additional cost of operation, especially those that deal with a lot of personal data. As more documents, protocols, personnel, physical and electronic mechanisms, and standards of operations are added to the operational steps, costs will increase for these businesses, and ultimately the end-consumers may feel the impact,” Pranat says.
But while the act is currently incomplete, and will likely require a number of supplementary regulations, it will still take time before the law is truly complete.
“This will be a gradual process in the coming years,” Pranat says. “Many businesses are currently of the view that the PDPA will not be fully operational by May 27, 2020, as many supplementary regulations are not yet in place, and are not likely in place by then. As a result, many businesses have not undertaken the required steps to comply with the data protection law. The approach some businesses are taking is to wait for the supplementary guidelines to be issued. This, unfortunately, is a common misunderstanding of the legal position.”
But while some businesses may be taking a ‘wait and see’ approach, this is unadvisable says Pranat. “Some provisions of the PDPA will be immediately workable and enforceable on May 27, 2020. Therefore, current approaches by some businesses to wait for the supplementary regulations to be issued may have both financial and reputational consequences for those businesses,” he adds.
To contact the editorial team, please email ALBEditor@thomsonreuters.com.