Companies Unready To Comply With New Data Protection Law

Thailand’s first and controversial personal data protection law comes into force today despite being postponed twice in three years and against last-minute efforts by the private sector to delay its implementation.

According to official government information, the 2019 Personal Data Protection Act (PDPA) was enacted to guarantee that people’s personal data is protected. The law also obliges state companies and agencies to collect, process, disclose and use personal information under several regulations.

It also applies to controllers and data processors outside the country who process personal data of people in Thailand, monitor them, or offer goods and services.

Such controllers and data processors must also obtain legal permission from the data owners to carry out any of the aforementioned activities.

However, many companies say they are not ready to comply with the PDPA. A recent survey showed that only 8% of almost 4,000 companies had taken steps to fully comply with the new law.

In contrast, 31% of companies said they had not started the compliance process, arguing that the most challenging PDPA compliance requirement was records of personal data processing.

Executives also believe that companies that are not prepared to comply with the new law risk being blackmailed or receiving threats to sue regulators.

Other experts argue that PDPA breach lawsuits could scare away international investors and encourage them to invest in countries that do not have strict personal data legislation.

Regarding penalties for violators, the government explained that those who violate the PDPA might be subject to civil and/or criminal penalties.

The data privacy law states that anyone who fraudulently uses or discloses personal data can face a prison term of up to six months or be fined up to 500,000 baht.

Also, those who illegally abuse personal data can be punished with a year in jail or receive a fine of up to one million baht.

The PDPA also allows damaged parties to take civil action against violators for compensation, with administrative fines ranging from 500,000 to 1 million baht.

The data protection law protects details such as names, dates of birth, home addresses, email addresses, identification card numbers, passport numbers, telephone numbers, educational information, height, weight, medical history, and criminal records. It also encompasses fingerprints, iris patterns, and facial patterns.

The PDPA also prohibits collecting any information regarding racial or ethnic origin, religious beliefs, cults, political opinions, philosophical beliefs, sexual behavior, disability, genetic data, union information, and biometric data.