By Athistha Chitranukroh, Partner and Director, Corporate and Commercial, Tilleke & Gibbins
Thailand’s new Personal Data Protection Act (PDPA) is the country’s first unified data privacy legislation for personal data. Coming at a time when people around the world are increasingly aware of the risks and negative consequences of their personal data being compromised, the PDPA seeks to align with international standards such as the European Union’s General Data Protection Regulation (GDPR).
Prior to the enactment of the PDPA, privacy rights were recognized in the Thai constitution. Beyond this, the handling of personal data was governed by specific regulations for a handful of sectors, such as telecommunications, financial institutions, securities, and life sciences.
The PDPA was announced in the Government Gazette on May 27, 2019. Most of its provisions will take effect one year after enactment.
Often, the first thing lawyers want to do with new legislation is understand the extent of the law by taking a look at the exemptions. In the case of the PDPA, personal use, such as interactions between friends, is of course exempt, as is media use in the public interest. The operations of legislative bodies, credit bureaus, and court proceedings would also be made practically impossible and are thus exempt. (For instance, imagine having to ask permission to use a person’s name in order to file litigation against them.) Public safety-related authorities, such as the police or the Anti-Money Laundering Office, also do not have to comply with the PDPA.
“Personal data” includes any data pertaining to a living natural person that enables the identification of that person, whether directly or indirectly. The PDPA applies to both digital and physical data, and includes information such as phone number, address, email address, or anything that might enable identification of the data subject—the person directly or indirectly linked to the information in question.
The PDPA lays out two main roles relating to the handling of others’ personal data: the data controller and the data processor. The data controller is a person or entity with power to make decisions regarding collection, use, and disclosure of personal data. The data processor is a person or entity that collects, uses, or discloses personal data on behalf of, or under the instructions of, the data controller. The data controller carries significant liability and obligations, while the processor’s obligations and liabilities are very limited in comparison.
The collector of personal data must either have consent from the data subject or be covered by one of the exemptions detailed below. Consent can be given in writing or in electronic form. A request for consent must be clear and must not be deceptive or cause the data subject to misunderstand. The controller seeking consent must inform the data subject of the purpose of collection; the type of personal data being collected; relevant third parties to whom the data will be disclosed; and the period of retention or use. Any changes to this information will require further consent, and consent can be withdrawn at any time.
Some exceptions apply, such as when the personal information is collected for educational, research, or statistical purposes (provided appropriate personal data protection measures are in place), or when it helps to prevent danger to a person’s life, body, or health. Certain contractual obligations also do not require further consent. For instance, an agreement to sell goods and deliver them to various locations or email addresses would not need separate consent for handling each delivery address or email.
Finally, there is an exemption covering the “legitimate interest” of the controller or a third party. This section of the PDPA is in fact a direct translation of the European Union’s GDPR and is probably the least defined of the exemptions. Under the GDPR, this covers things such as fraud prevention or data processing for internal administrative purposes, but it remains unclear how exactly the “legitimate interests” exemption will be applied in the context of Thai law.
Data subjects’ rights
Under the PDPA, data subjects are accorded a number of rights over their personal data:
- Objection: The right to object to any collection, use, or disclosure of personal data at any time.
- Access: The right to ask a data controller to provide a copy of the data subject’s personal information and disclose where they obtained it. The data controller will now be obligated to disclose, upon request, how they obtained the data subject’s personal data.
- Erasure: The right to ask a controller to anonymize or delete personal information at any time.
- Data portability: The right to obtain the data in commonly used machine-readable format. This right lets a data subject, for example, ask a hospital to transfer all personal data to the subject or to another hospital.
Data controller’s obligations
Data controllers take principal responsibility for ensuring that operations fulfill all their obligations for handling personal data, including collection, use, and transfer. Their first duty is to ensure that throughout these steps, the personal data remains correct, up-to-date, complete, and not misleading. In terms of security and maintenance, the data controller must implement suitable measures for preventing loss, unauthorized access, alteration, or disclosure of personal data. These measures must be reviewed whenever necessary, such as after the implementation of technological developments. The data must be recorded in a form—either written or electronic—that can be inspected by the data subject or an authorized party. When the storage period expires, the personal data is no longer relevant or exceeds the scope of necessity, or the consent is withdrawn, the data controller is also responsible for seeing that the personal data is erased.
Data processors’ obligations
Data processors are required to strictly comply with the controller’s lawful instructions and orders—and conversely not take action outside those instructions. The data processor must also implement suitable measures for storing personal data and preventing its loss or unauthorized access.
The data processor must also record processing information. This means maintaining an inventory of the collection, transfer, and use of personal data.
Data Protection Officer
Data controllers or processors with a large amount of personal data will also have to appoint a data protection officer (DPO) to monitor and verify compliance with the PDPA by conducting compliance audits or inspections. The DPO will interact with the regulator if any issues arise. Businesses with a large retail customer base that generates a large volume of personal data will probably already have a DPO in place.
The PDPA requires appointment of a DPO if the nature of the data controller’s activities consists of collecting, using, and disclosing personal data, or if these activities need regular monitoring due to the large scale of personal data involved (the exact scale to be set later by the Personal Data Protection Commission).
Data breaches under the PDPA
The PDPA recognizes two types of breaches—not only when someone takes personal data hostage, but also cases of simply sending personal data to the wrong person.
There is no exemption provision for the DPO’s personal liability in the case of a data breach. Nevertheless, it is again the data controller who is obligated to take action in such an event. The data controller must notify the office of the Personal Data Protection Commission of any data breach within 72 hours, unless the breach has no risk of affecting personal rights and liberties. The controller must also notify the data subject(s) of any data breach that has a high risk of affecting personal rights and liberties and provide them with remedial measures.
The 72-hour timeline can be challenging, as during this time the data controller must be able to assess the risk level and decide what to do about the data breach. As a general rule, if more than just one or two data subjects are likely to be affected by the data breach, it should be judged a high risk that needs to be remedied.
Penalties and liabilities for failure to comply
The PDPA sets out civil liability for parties who fail to comply with the law’s requirements and suggested programs. These liabilities may take the form of actual compensation or punitive damages. The prescription period can be from three to ten years.
Disclosure of personal data without consent, or use outside the stated scope, can incur a fine of THB 500,000–1 million. Failing to implement security measures, report a data breach, or provide a copy of personal data can result in a fine of THB 1–5 million.
In addition, the data controller is required to pay compensation for any damage to personal data. The PDPA also empowers the court to impose punitive damages (up to two times the actual damages) on the controller—for example, if the damage is THB 1 million, the court can increase the penalty up to THB 2 million to impose punitive damages.
Class action lawsuits can significantly amplify the amount of damages or compensation. With a data breach, the controller’s liability to pay damages is usually quite small for just one or two people, but if a large number of people are involved, compensation plus damages could reach into the hundreds of millions of baht. Coupled with the requirement to notify each data subject of a data breach, the associated costs can be quite imposing. In other words, while the initial time, money, and effort needed to get into compliance with the PDPA might seem burdensome, the costs of failing to adhere to the standards introduced by the new law could be catastrophic.
Athistha (Nop) Chitranukroh is the head of Tilleke & Gibbins’ insurance practice and joint head of the firm’s technology industry group. Prior to joining Tilleke & Gibbins, Nop served as Thailand general counsel and regional legal counsel of an American multinational corporation. She serves as an advisor to the Thai General Insurance Association, an advisory board member of Insurtech Asia, the firm’s representative to the Thai Fintech Association, and a Certified Information Privacy Professional/Asia (CIPP/A) with the International Association of Privacy Professionals. Nop is ranked as a Band 2 practitioner in Chambers Asia-Pacific 2020 and is recognized as an “authority on non-contentious insurance” by Asialaw Profiles. In 2018 she was named one of Asia’s top 40 lawyers under 40 by Thomson Reuters’ Asian Legal Business.