Despite the postponement of the Personal Data Protection Act B.E. 2562 (2019) (“PDPA”) last year, the Ministry of Digital Economy and Society still foresees difficulty fully enforcing PDPA in 2021 due to technical obstacles in the course of PDPA implementation and the current situation of COVID-19 pandemic which has wrecked the economy and society nationwide. They thus proposed another one-year postponement of PDPA to the Cabinet Minister, who approved the resolution and enacted a Royal Decree prescribing Organization and Business Data Controllers in Exemption of PDPA Enforcement (No. 2) B.E. 2564 (2021) (“Royal Decree”) on May 7, 2021, to postpone the effective date of the major PDPA provisions from June 1, 2021, to June 1, 2022.
Critical Perspectives of the Postponement
According to this new Royal Decree, the following five Chapters and one Section of PDPA shall be effective in June next year.
- Chapter 2: Personal Data Protection
This includes the provisions addressing the notification obligations of data controllers, the consent requirements, the collection of general personal data and sensitive personal data, the use of personal data, and the disclosure thereof. - Chapter 3: Rights of the Data Subject
This Chapter addresses rights of data subjects and the obligations of data controllers and data processors with regards to efficient personal data protection.
- Chapter 5: Complaints
This Chapter establishes the authority of the Personal Data Protection Committee to appoint the Expert Committee to hear complaints, settle disputes, investigate, and carry out any acts in connection to claims in relation to PDPA. The dispute resolution process and the authorities of the competent officers in this regard are also established under this Chapter. - Chapter 6: Civil LiabilityThe Chapter imposes compensatory obligations to data controllers or data processors who operate in violation of the provisions of PDPA and thereby cause damage to data subjects.
- Chapter 7: Penalties
This Chapter imposes criminal liability and administrative liability on data controllers, data processors, and any associated persons in case of violation of any provisions stipulated in PDPA. - Section 95: Data management protocols for the personal data that has been collected before the effective date of PDPA.
Concluding Remarks
Since the postponement affords additional time for all sectors in Thailand to adapt and customize their operation for PDPA compliance, this Royal Decree is a blessing in disguise. By next year, most sectors’ operations, if not all, should be in full compliance with PDPA; this will only be beneficial for all parties involved because PDPA offers comfort to all data subjects that their personal data will be handled with due care and transparency. In another light, PDPA enforcement will usher in a new regulatory era of data transactions in Thailand, which is necessary, given how much data is being used in the current business paradigm of the global Big Data trend.
Citation:
พระราชกฤษฎีกากำหนดหน่วยงานและกิจการที่ผู้ควบคุมข้อมูลส่วนบุคคลไม่อยู่ภายใต้บังคับแห่งพระราชบัญญัติคุ้มครองข้อมูลส่วนบุคคล พ.ศ. ๒๕๖๒ (ฉบับที่ ๒) พ.ศ. ๒๕๖๔ (๒๕๖๔, ๘ พถษภาคม). ราชกิจจานุเษกษา เล่มที่ ๑๓๘ ตอนที่ ๓๒ ก หน้า ๑ – ๓
Retrieved from http://www.ratchakitcha.soc.go.th/DATA/PDF/2564/A/032/T_0001.PDF ,Retrieved 4 June, 2021