The rapid emergence of data protection and privacy laws is a global phenomenon. The number of countries with at least one form of legislation in this area rose from 56 to 106 between 2009 and 2020. Thailand is no exception: the country’s Personal Data Protection Act (PDPA), passed in 2019, finally took effect this year on June 1. The PDPA imposes obligations on data controllers, such as businesses that collect personal data, and grants rights to the consumers whose data are collected, known as data subjects.
While the primary purpose of adopting the PDPA is to elevate the standard of privacy protection in Thailand, another considerable driving force is to lower the economic pressure set by the European Union. Like other countries, Thailand has been trying to meet the strict cross-border data transfer requirements of the EU General Data Protection Regulation (GDPR), which has an interjurisdictional reach. As the PDPA is also extraterritorial, businesses operating outside of Thailand but collecting personal data from consumers residing within the country may also have to keep an eye on the law.
I. Understanding the PDPA
The PDPA, however, is not as foreign as one may think. Its significant legal requirements can be put in parallel with the Fair Information Practice Principles (FIPs), which have become the basis for many data protection frameworks worldwide. The table below leverages the FIPs as recognized in the U.S. to systematically list out important PDPA provisions. The right column contains PDPA requirements that reflect each FIP principle on the left.
| FIPs | PDPA Requirements |
| --- | --- |
| Transparency | – The data controller must provide a notice at or before data collection. (S.23) |
| Individual Participation | – Where applicable, the data controller must obtain informed consent before data processing. (S.19-20) – The data subject has the right to withdraw any consent given. (S.19) – The data subject has the right to access, the right to data portability, the right to object, the right to deletion, and the right to restriction of processing. (S.30-34) |
| Purpose Specification | – The data controller must specify the purpose of data processing. (S.21) |
| Data Minimization | – The data controller must process personal data only as necessary. (S.22) |
| Use Limitation | – The data controller must limit the use of collected personal data to the purpose specified (S.21), which must be in line with one of the stipulated legal bases. (S.24, S.26) |
| Data Quality and Integrity | – The data controller must ensure the personal data held is accurate, up-to-date, complete, and not misleading. (S.35) |
| Security | – The data controller must adhere to the requirements for cross-border data transfer. (S.28-29) – The data controller must put in place appropriate safeguards. (S.37(1)) |
| Accountability and Auditing | – The data controller and processor must appoint a Data Protection Officer. (S.41) – Other obligations of data controllers include passing down limits on data processing to third parties (S.37(2)), putting in place a data destruction schedule (S.37(3)), providing data breach notifications (S.37(4)), and maintaining Records of Processing Activities (S.39), among others. – Data processors also bear some of the same obligations as data controllers. (S.40) |
II. Observations
As the table above also shows, the legal requirements under the PDPA are GDPR-like. Legislating the PDPA, in other words, imports certain European ethics on the use and sharing of personal data into the Thai community, some of which are not part of existing Thai norms and practices.
For instance, the PDPA, like the GDPR, imposes stricter obligations on data controllers when religious information is in scope. But one’s religious belief is not necessarily what the Thai community deems private, at least not in the same sense that the European community does. Consider, for instance, that many Thai schools require students to publicly perform their religious practice in the morning before school starts. Such a practice would be unlikely to survive in Europe, where one’s freedom to manifest religion is protected against interference by others.
Now that the PDPA is taking effect, schools, businesses, government agencies, and any data controller would have to change some of their practices to comply with the law. One question worth investigating, however, is whether they would do so to merely avoid legal fines or to help protect consumer privacy and increase privacy awareness of the public. If avoiding legal sanctions is the only driving factor for change, the PDPA may face a potential challenge, namely normalized privacy.
Normalized privacy is a state in which the concept of privacy is shaped and stagnated by the surrounding regulations, preventing it from evolving through continuous public discourse. As observed by Professor Ari Ezra Waldman, an example of such circumstance happens in the United States, where the general understanding of privacy among privacy professionals has become normalized into the concept of consumers having “control” over their personal data, or “privacy-as-control.”
Privacy-as-control, according to Prof. Waldman, nevertheless has a pitfall. In practice, it shifts the burden of protecting consumer privacy from businesses to the consumers, who are not always capable of making rational decisions to protect themselves. Through notice and consent and other disclosures required by law, corporations often believe and claim they have done their part to protect consumer privacy. The rest of the privacy protection, then, depends on the consumers.
The PDPA enforcement environment may well fall into the same privacy-as-control normalization. As the table above shows, the PDPA is, in a way, a disclosure-and-choice regime, putting consumers in a position where they need to read and understand privacy policies and decide whether any rights need to be exercised. Furthermore, unlike the GDPR at Article 25, the PDPA does not expressly impose on data controllers the requirement of Privacy by Design and by Default (PbD), which, if properly coded into law, could protect consumers’ privacy without their participation. Thus, without PbD, the PDPA lacks an explicit default safeguard for consumer privacy.
Nonetheless, regardless of whether privacy-as-control ends up being the dominant notion under the PDPA regime, those who implement the law on the ground should examine the spirit of the law rather than memorizing the dos and don’ts needed to avoid sanctions, so as to avoid any adverse normalization. Seminars and training courses, which have rapidly increased in number, should therefore make privacy discourse part of their curriculum. As the PDPA is still in its early national implementation stage, there is a risk that, however comprehensive the law reads, it ends up protecting very little. At the same time, there is also an opportunity for the Thai community and relevant stakeholders to build something impactful out of it.
Author: Attamongkol Tantratian
S.J.D. Candidate, Indiana University Maurer School of Law