Thailand's first privacy protection law bound to change the way many businesses operate.
FRANK Legal & Tax, in collaboration with the German Thai Chamber of Commerce, held an event at the Marriott Marquis Queen's Park Hotel to deliver insights on the Personal Data Protection Act ("PDPA"). The PDPA, which will come into full force on May 27th of this year, will have a significant impact on all businesses whose operations involve the collection, use, and disclosure of personal data.
The PDPA is Thailand's first comprehensive piece of legislation with the aim to offer data protection regulations against the misuse of personal data collected from individuals in Thailand. The PDPA was greatly influenced by the European Union's General Data Protection Regulation (GDPR) which set a new standard for data protection regulations around the world. When the PDPA comes into full effect on May 27th, 2020, it will exert pressure on organizations to amend their current policies and implement procedures to be in compliance with the PDPA.
The PDPA contains a wide range of definitions coupled with broad frameworks for compliance. Experts in corporate and commercial law, FRANK Legal & Tax pointed out that the new legal provisions are still creating some confusion at this stage. Without any existing trials and judgments as legal precedent, companies will have to await future court cases to obtain clarity on the rules. Furthermore, ministerial regulations and rulings by the newly established Personal Data Protection Committee will provide a better understanding of the currently still vague and not clearly defined legal terms.
However, FRANK Legal & Tax confirmed that there are some already predictable consequences of the PDPA for Thailand's businesses. One of the most notable is that a previously common practice of retaining email addresses of customers without their explicit consent could be a punishable offence under the new Act.
"The law is yet open to interpretation. Clear definitions remain to be provided in the future by specific ministerial regulations and rulings as well as court decisions. Still, some better understanding may be obtained by considering similar foreign legislation and its application," said Fabian Doppler, Managing Partner of FRANK Legal & Tax. "For example, the PDPA provides exemptions for small businesses -- there is a provision which stipulates that preparation and maintenance of a register of personal data is not required for small organizations. However, the term "small organizations" is a yet undefined legal term in the PDPA. In this case, it is interesting to note that the PDPA's European counterpart, the GDPR, stipulates in its Art. 30 V a limit of 250 employees for small organizations".
In conclusion, the PDPA will affect almost all businesses in Thailand and should be monitored with close proximity. Substantial decisions by the competent authorities are to be expected within the next few months. Businesses which are not in compliance with these new laws risk significant legal consequences.