Thailand's Personal Data Protection Act aka the "Thai GDPR"

Home, Bangkok, Thailand, 2018-10-02

#compliance #thailand #cloud

Photo by ev

Recently a customer asked about the “Thai GPDR” and how it would affect their business, specifically what the impact would be on storing data on the cloud in regions outside Thailand.

His question was not how the European GDPR applies in Thailand - but rather how the upcoming Thai regulation will impact his business. Many people haven’t heard about this regulation, so I’d like to share the understanding I’ve gathered from various reports which are all linked below.

The regulation is still in draft, and is sometimes referred to in the media as the “Thailand Personal Data Protection Regulation” or the “The Thai GDPR”. I believe the correct term is the “Thailand Personal Data Protection Act” or PDPA and I’ll refer to it this way for the rest of this post.

The PDPA has been in draft since 2014 and is now going through the legislative process. A draft was approved on May 22nd and the regulation was redrafted again on September 1st - basically it’s a work in progress.

According to Paiboon Amonpinyokeat the May draft was a major rewrite of “40-50 percent” - I suspect that this draft was heavily influenced by the European GDPR.

Key points:

  • You can only collect personal data for justifiable purposes, and only with consent
  • You cannot collect certain types of information except in special circumstances - medical, religious, sexuality, political
  • You can only transfer data cross-border if the destination country has similar regulation in place, and only with consent
  • “Data Subject” is entitled to access data about themselves
  • Data collected pre-regulation is grandfathered in (with caveats)

To the point the customer asked - currently it’s not clear according to Khun Dhiraphol Suwanprateep from Baker McKenzie:

However, the bill does not exactly provide safe harbour or exemptions that will fit the nature of digital business, big data and cloud computing business, he said.

We’re probably going to have to wait for the final regulation to be published before we can be sure the impact, but so far it looks like it’s going to be GDPR-like and that we’ll be able to use cloud regions in a jurisdiction that have equivalent regulation.