Thai data protection bill crosses borders

Thai-data-protection-bill nishimura

Following the public hearing of the previous Personal Data Protection Bill (PDPB) in January 2018, the Ministry of Digital Economy and Society has amended the draft and published a revised version of the draft PDPB in early April 2018.

The revisions address many material issues, including making data controllers and data processors located overseas subject to the amended PDPB.

Key amendments

Extraterritorial applicability of amended PDPB. The concept of extraterritorial application is introduced in this draft for the first time. Data controllers and data processors, both located in Thailand and overseas, are subject to the requirements under the amended PDPB for the collection, use or disclosure of personal data occurring in Thailand.

Data controllers and data processors who collect, use or disclose personal data outside Thailand, but: (1) any parts of such actions occurred in Thailand; or (2) the consequence of such actions were intended to occur in Thailand; or (3) the consequence of such actions should occur, or could be foreseen to occur in Thailand, are all subject to the amended PDPB.

This could mean that any organization located overseas, especially online service providers, who collect, use or disclose personal data of, or provide services to individuals in, Thailand are subject to the requirements under the amended PDPB. Having any part of a network, data centres or servers in Thailand could also result in being subject to the amended PDPB.

Additional exemption from consent requirements. The amended PDPB adds another exemption from the consent requirements for cases where it is necessary for the performance of a contract to which the data subject is a party, or to proceed with the request of the data subject prior to entering into a contract.

The amended PDPB also revises the data controller’s public interest and legitimate interest exceptions to be broader than the previous PDPB. The application of these exemptions would still be subject to the interpretation of the Personal Data Protection Committee (PDPC), as no example or guideline has yet been provided.

Cross-border transfer of personal data. The amended PDPB adds requirements for a destination country. Data controllers can only transfer personal data to countries that provide sufficient personal data protection standards and are in compliance with a cross-border data transfer guideline to be issued by the PDPC, with certain exceptions. The concept of a data protection certification mark has also been removed.

More flexible grace period/transitory provisions. The amended PDPB will come into force one year after publication in the Government Gazette. It removes the three-year grace period for collection of retrospective consent to the use of the personal data collected before the enactment of the PDPB, and uses an opt-out mechanism instead.

Under the amended PDPB, data controllers can use previously collected data and continue to use such data in accordance with the original purposes. However, the data controller must provide and publicize a procedure to allow the data subjects to easily revoke their consent.

New concept of administrative fine and reintroduction of imprisonment. The amended PDPB introduces the concept of an administrative fine, where the PDPC has the authority to determine the amount of such a fine, taking into account the severity of non-compliant acts. The PDPC has the authority to initiate a lawsuit against data controllers and processors in the Administrative Court. Imprisonment as a criminal penalty was also brought back in the amended PDPB for certain non-compliant acts.

Slight amendment to the definition of “data processor”. The amended PDPB makes a slight change to the definition of “data processor” to specifically exclude data controller.

It is expected that the amended PDPB will be sent to the nation’s cabinet for review in April-May 2018, however no timeline has been announced. The main concern under the Amended PDPB is extraterritorial application. However, there are still questions on enforcement in practice, which should be closely monitored.

Business Law Digest is compiled with the assistance of Baker McKenzie. Readers should not act on this information without seeking professional legal advice. You can contact Baker McKenzie by emailing Danian Zhang at