Following the public hearing of the Personal Data Protection Bill (Previous PDPB) in January 2018 (our alert available here), the Ministry of Digital Economy and Society has amended the draft again and published a revised version of the draft Personal Data Protection Bill (Amended PDPB) in early April 2018.
The revisions address many material issues, including making data controllers and data processors located overseas subject to the Amended PDPB.
Key amendments in the Amended PDPB
1. Extraterritorial applicability of Amended PDPB
The concept of extraterritorial application is introduced in this draft for the first time. Data controllers and data processors, both located in Thailand and overseas, are subject to the requirements under the Amended PDPB for the collection, use or disclosure of personal data occurring in Thailand.
Data controllers and data processors who collect, use, or disclose personal data outside Thailand but (1) any parts of such actions occurred in Thailand; or (2) the consequence of such actions intentionally to be occurred in Thailand; or (3) the consequence of such action should occur or it could be foreseen that the consequence would occur in Thailand, are subject to the Amended PDPB.
This could mean that any organization located overseas, especially online service providers, who collect, use, or disclose personal data of or provides services to individuals in Thailand are subject to the requirements under the Amended PDPB. Having any part of a network, data centers or servers in Thailand could also result in being subject to this Amended PDPB.
2. Additional exemption from consent requirements
Apart from the exemptions provided in the Previous PDPB, the Amended PDPB adds another exemption from the consent requirements, which is for a case where it is necessary for the performance of a contract to which the data subject is a party, or to proceed with the request of the data subject prior to entering into such contract.
In addition, the Amended PDPB revises the data controller's public interest and legitimate interest exceptions to be broader than the Previous PDPB.
Thus, the exemptions from consent requirements are much broader and practical. However, the application of these exemptions would still be subject to the interpretation of the Personal Data Protection Committee (PDPC) as no example or guideline has been provided so far.
3. Cross-border transfer of personal data
The Amended PDPB adds the requirements for destination country. Data controllers can only transfer personal data to countries that provide sufficient personal data protection standard and in compliance with a cross-border data transfer guideline to be issued by the PDPC, with certain exceptions.
Further, the concept of data protection certification mark has been removed. Thus, a data controller can no longer rely on the certification mark exemption for cross-border data transfer.
4. More flexible grace period/transitory provisions
The Amended PDPB will come into force 1 year (as opposed to 240 days prescribed in the Previous PDPB) after publication in the Government Gazette.
The Amended PDPB removes the 3-year grace period for collection of retrospective consent to the use of the personal data collected before the enactment of the PDPB and uses an opt-out mechanism instead. Under this Amended PDPB, data controllers can use previously collected data and continue to use such data in accordance with the original purposes. However, the data controller must provide and publicize a procedure to allow the data subjects to easily revoke their consent. For the disclosure of the data or the conducting of any other activity related thereto, the data controller is required to comply with the Amended PDPB.
5. New concept of administrative fine and reintroduction of imprisonment
The Amended PDPB introduces the concept of administrative fine, where the PDPC has the authority to determine the amount of such fine, taking into account the severity of non-compliant acts. The PDPC has the authority to initiate a lawsuit against data controllers and processors in the Administrative Court.
Imprisonment as a criminal penalty was also brought back in the Amended PDPB for certain non-compliant acts. However, the PDPC has the authority to settle criminal cases under the Amended PDPB.
6. Slight amendment to the definition of "data processor"
The Amended PDPB makes a slight change to the definition of "data processor" to specifically exclude data controller.
It is expected that the Amended PDPB will be sent to the Cabinet for review in April-May 2018. However, no official timeline has been announced.
The main concern under the Amended PDPB is extraterritorial application. From our interpretation, the language of the extraterritoriality concept is similar to that of the territorial principle under the Criminal Code. However, there are still questions on enforcement in practice, which should be closely monitored.
We will continue to provide updates on further developments as they occur.