Thailand – Asia’s Strong New Data Protection Law

Abstract

Thailand’s Personal Data Protection Act of 2019 may become one of the strongest data privacy laws in Asia. It is much stronger than the previous Bill, both in terms of its principles and its enforcement. However, the picture will not be complete until the many rules that can be made by its data protection authority (the PDPC), and any Royal Decrees granting exemptions, are developed. The main significance of the Thai law is that it is the first explicitly ‘GDPR-based’ law to yet be enacted in Asia, ahead of the GDPR-informed draft Bills in India and Indonesia, While not all of the innovations of the EU GDPR’s data protection principles are included in the PDPA, a substantial set are included. Following the Thai 2019 elections, the EU is again willing to re-commence negotiations on a free trade agreement (FTA) with Thailand and is its third-largest trading partner. For businesses operating in Thailand, this Act imposes serious obligations, but to assess their full extent they will need to obtain much further information which is not yet available. For data subjects the PDPA creates serious rights and remedies not previously available, and the Act overall is a major step forward. From the perspective of Civil Society, the complex administrative and enforcement structure of the Act raises difficulties in determining who could be held responsible for effective enforcement. The potential scope of exemptions are also of great concern. The enforcement mechanisms in the Act are all much stronger than in the previous Bill. Rights of appeal against administrative fines and other decisions of the PDPC or its expert Committees, and in criminal prosecutions, might benefit from some further clarity. All of these matters are examined in detail in this article.