Thailand's Personal Data Protection Act (PDPA) was originally scheduled to be enacted at the end of May 2020. But because of the burdens of compliance facing many businesses, the Thai cabinet recently ruled that companies will be given another year to update their processes and hire additional staff in order to comply. The PDPA will impact the internet and companies offering services and products online.
A significant part of the act is a set of rights that apply to businesses as well as individuals. These rights include:
The PDPA also consists of a number of enforcement mechanisms that businesses and individuals can use to ensure their rights are respected and to seek redress when they are violated. Online organisations are required to have a data controller in their employment who will be responsible for adherence to these rights under the PDPA.
Foreign organisations doing business with online users based in Thailand must also comply with the directives of the act when it concerns processing personal data, offering goods and services, or monitoring online behaviour.
The PDPA, as written, is intended as an organisation-regulated safeguard. It stipulates that an organisation that processes personal data as part of its business transactions must name a data controller to be legally liable in the event the organisation breaks any of the rules contained in the act.
This data controller must contact the Office of Personal Data Protection Commission within 72 hours of the discovery of any violation of personal data. Failure to do so may lead to criminal prosecution of the data controller.
For large organisations conducting many transactions a day, this may be a tough pill to swallow. Entire departments may need to be set up to monitor the data processing and ensure compliance with the act.
The organisation data controller responsible for compliance should set up a close relationship with the Office of Personal Data Protection to ensure they are following all the rules. The law is written to put a lot of the burden of oversight on the organisation itself.
It is only a matter of time before we find out whether this self-regulating approach to enforcement will be successful, or whether the government will be forced to play a larger role in enforcement. The government would have to play a larger role if organisations fail to report breaches and violations of the law, only to have their violations reported by the individual victims.
For users who have had their data stolen or misused, the act offers recourse and a means to identify and punish responsible parties. The act serves as a concrete set of laws that target organisations that sell a user's data without obtaining consent.
Although the user would have to go through existing legal channels within Thailand’s justice system, the PDPA puts the onus on the organisation to prove its innocence. This will empower more and more users to stand up for their rights when entering into online transactions.