Thailand Finally Passed Its Personal Data Protection Bill

April 12th 2019

On 28 February 2019, the National Legislative Assembly (“NLA”) gave its final approval to the Personal Data Protection Bill of Thailand (“PDPB”) by a vote of 161-0, with 5 abstentions.  The bill will then be presented to the King for His Royal Signature, followed by its publication in the Government Gazette.

The enactment of this law has been a very long process.  Before it reached the final approval of the NLA, there had been a number of drafts of the PDPB and various attempts at revision.  The PDPB as passed by the NLA will be Thailand’s very first consolidated law governing data protection in general.  Previously, personal data was protected under the right to privacy given by the Constitution of Thailand, and data protection was addressed in specific laws for certain business sectors, such as telecommunications, healthcare, banking, and the credit bureau.

Under the PDPB, the term “personal data” means any information or data of a person which can directly or indirectly identify a natural person excluding information of a deceased person.

Subject to some exceptions, the collection, use or disclosure of personal data without the consent of the data subject is prohibited, and a data subject must be fully informed of the purpose of collection and/or use of such data when consent is obtained.  Consent must be clear and explicit and must be acquired before or during the collection of personal data.  Legitimate grounds on which personal data can be collected, processed and used without the explicit consent of the data subject include, but are not limited to, the performance of contractual obligations, vital interests, and public interests.

The PDPB also grants various rights to data subjects, e.g. the right to obtain a copy of data undergoing processing, the right to data portability, the right to request correction of data, and the right to object to the processing of their personal data in certain circumstances.

One of the key provisions of the PDPB, and one of much interest to the general public and business sectors, concerns the extraterritorial effect of the law, which has been adopted and adapted from the General Data Protection Regulation (EU) 2016/679 (“GDPR”).  The PDPB will apply not only to personal data collected, used or disclosed by a data controller or a data processor residing in Thailand, but also to a data controller or a data processor residing outside Thailand when collecting, using or disclosing personal data of a data subject in Thailand for offering goods or services to individuals in Thailand, or where the behavior of data subjects within Thailand is monitored.  However, how this provision will actually be implemented has yet to be clarified.

The PDPB will become effective from the date immediately following the date of its publication, except for Chapters 2, 3, 5, 6 and 7 and Sections 95 and 96, which are the operative provisions.  These operative provisions will come into force after a grace period of one year from the publication date.

Once the PDPB is published in the Government Gazette and comes into effect, updates on further developments will be provided.