After two years of delayed enforcement, the Personal Data Protection Act (PDPA) is set to come into force on June 1, with the authorities hoping the law sets a clear standard for personal data protection and raises international confidence in local businesses.
Yet there is mounting concern over the business sector's ability to comply, given it is still grappling with the impact of the pandemic.
The PDPA was published in the Royal Gazette in May 2019, with a one-year grace period for stakeholders to adjust.
The full enforcement of the legislation was then pushed back twice due to the pandemic.
The government is now pressing ahead with enforcement of the PDPA on June 1, despite calls by the business sector for a further postponement on the grounds of unpreparedness, particularly among small enterprises.
Once implemented, the PDPA is expected to change the landscape of personal data protection in Thailand. The legislation mandates that data controllers and processors who use personal data must receive consent from data owners and use it only for expressed purposes.
Data subjects have the right to request access to their personal data and demand their personal data be erased. They also have the right to object to the collection, usage or disclosure of their personal data.
Data controllers are obliged to provide appropriate security measures and to report data breaches to the Personal Data Protection Committee (PDPC) office within 72 hours. They are also obliged to prevent other people who receive personal data from using or disclosing it unlawfully or without authority.
Data processors have the duties of collecting, using and disclosing personal data in line with the data controller's orders and ensuring appropriate security measures.
Meanwhile, data protection officers (DPOs) must be appointed for government bodies and firms with large-scale data processing.
A DPO is responsible for helping the organisation ensure that data subjects' personal data is processed in compliance with the PDPA requirements, and for serving as a contact point for PDPA issues with the authorities and data subjects.
The PDPA imposes penalties for non-compliance: administrative fines of up to 5 million baht, criminal penalties of imprisonment of up to one year and/or fines of up to 1 million baht, and punitive damages of up to twice the amount of the actual damages.
International acceptance
Digital Economy and Society (DES) Minister Chaiwut Thanakamanusorn said the PDPA is a core foundation that will create confidence in personal data protection in the country's digital economy.
It is one of 12 digital-related laws under this administration to support the digital economy.
"As the law is to be enforced on June 1, people's rights to the data ownership and usage will be protected by the law. Businesses or organisations that keep personal data of people have obligations to comply with the law's requirements," Mr Chaiwut said.
As the government also has a huge trove of people's data, it is building the Government Platform for PDPA compliance as a centralised mechanism to accommodate PDPA compliance among state agencies.
Thienchai Na Nakorn, chairman of the PDPC, emphasised that the law is not meant to obstruct the use of personal data but sets a standard for personal data protection so organisations will not misuse it.
Organisations must also ensure security measures for personal data protection.
"The PDPA will also level up the standard of data protection in Thailand to be on par with other countries," he said. "It will also support Thai businesses in gaining international acceptance in terms of personal data protection standards."
Paiboon Amornpinyokiat, a member of the PDPC's legal subcommittee, said in the first year of the PDPA's implementation, the authorities will focus only on giving warnings to violators, urging them to comply with the guidelines.
The core task in the first year is to protect people's rights to data protection while ramping up efforts to boost understanding of the law among related parties, he said.
"The government wants the law to support the digital economy; it is not intending to seek money from fines for the state," Mr Paiboon said.
He said a subordinate regulation will be issued to spare small and medium-sized enterprises (SMEs) from being obliged to comply with the PDPA's practices on the record of processing activities.
Concern for SMEs
Atip Asvanund, director of the Digital Council of Thailand, said the PDPA is not a problem for large organisations which can hire professionals to help with the compliance.
But it will affect SMEs, freelancers and online sellers, who still have many unanswered questions about PDPA compliance.
"If I were an online merchant with thousands of customers, I would still have no idea what to do [in response to PDPA compliance]," Mr Atip said.
Pranontha Titavunno, a board director of the Federation of Thai Industries, said many businesses have been battered by the impact of the pandemic over the past two years, making them unprepared for the PDPA.
According to a PDPA readiness survey by the Thai Board of Trade and the University of the Thai Chamber of Commerce, only 8% of almost 4,000 businesses interviewed said they have taken measures to be fully compliant with the law, while 31% indicated they have not even started the process of compliance.
Mr Pranontha said large listed enterprises are likely to have complied with the PDPA requirements, but 80-90% of companies are still puzzled about how to comply.
The Joint Standing Committee on Commerce, Industry and Banking has petitioned the government to postpone enforcement of the PDPA for another two years as businesses remain unprepared, he said.
To comply with the law, businesses have to seek help from legal consultancies, which adds to their financial burden, said Mr Pranontha.
The government should help make it easy for businesses to understand and comply with the law, he said.