Thailand Privacy Law Becomes Operational: 5 Compliance Issues
Thailand enacted its comprehensive privacy law on 28 May 2019. After giving covered organisations three years to bring their operations into compliance, the Personal Data Protection Act (PDPA) entered into force on 1 June 2022. This article will discuss five key compliance issues stemming from the Thailand privacy law that Australian organisations should know about.
Thailand Privacy Law: The Personal Data Protection Act
The EU’s GDPR highly influences the Thai PDPA. For instance, the PDPA mirrors the requirement for data controllers and processors to have a legal basis for processing personal data. It also includes more stringent consent requirements for the processing of sensitive information.
Read the translated Personal Data Protection Act.
5 PDPA Compliance Issues
Extraterritorial Application
Like many other comprehensive privacy laws, the PDPA applies to:
- Thai entities; as well as
- foreign entities that process personal data to offer products or services in Thailand.
It’s important to note that whether payment is received is irrelevant; simply offering those products or services in Thailand brings organisations under the purview of the law.
Foreign entities that collect, use and disclose personal information where those activities relate to the monitoring of Thai data subjects will also be subject to the PDPA.
Potential Jail Time for Certain Breaches
The potential penalties for breaching the PDPA include fines ranging up to 5 million Thai Baht (AUD 200,000) and administrative and criminal consequences. The criminal penalties include fines of up to 1 million Thai Baht ($39,700) and imprisonment in some instances. Imprisonment is a potential penalty for certain breaches involving sensitive information and unlawful disclosure.
Many Organisations Don’t Have a DPO
Organisations covered by the PDPA must appoint a Data Protection Officer (DPO).
However, recent research by PWC highlights that 60% of organisations surveyed are yet to appoint a DPO. Since appointing a DPO is a mandatory requirement, covered organisations which haven’t yet appointed a DPO are already in breach of the Thai privacy law.
Mandatory Data Breach Notifications
The PDPA makes it mandatory for organisations that have experienced a data breach to notify the Thai privacy authority (the PDPC) within 72 hours of becoming aware of it.
While the exact terms of the Thai mandatory notifiable data breach scheme are yet to be created, the existing law does specify that breaches that result in a high risk to the data subjects must be disclosed without undue delay.
Children’s Data Protected by Thailand Privacy Law
Any data collected from minors under 20 years of age are subject to additional requirements under the PDPA. Specifically, parental consent is required for minors under ten years of age. For minors older than ten and younger than 20, the minor may consent to certain data processing activities, while the minor and their parent will need to give consent in circumstances where ‘minors are not competent to give consent’.
Bring Your Organisation into Compliance with the PDPA
According to the Bangkok Post, Thai authorities have said that enforcement standards will be relaxed in the first year where wrongdoers did not intend to violate the PDPA. However, it is vital for any Australian organisation that collects personal information from Thai data subjects to be aware of and comply with the PDPA.
Reach out if you need help navigating privacy law. We’d love to help.