DFDL Thailand, Bangkok | Over the last decades, the volume of domestic and cross-border data flows has skyrocketed. In response, a number of countries have implemented policies to enshrine data protection principles and address legitimate concerns regarding data privacy, while some local governments have yet to comprehensively address these new challenges.
Last year, the groundbreaking General Data Protection Regulation (“GDPR”) issued by the European Commission introduced a new phase of the regulatory process with respect to data privacy. This ambitious piece of legislation seeks to harmonize data protection legislation throughout the European Union. Falling under its purview are a great number of businesses operating around the globe – not merely EU-based companies – due to the expanded territorial scope of its application.
In light of recent privacy scandals, the need to establish a domestic data protection framework has come to the fore in Asian countries where the local digital economy is booming. In Thailand, the latest draft legislation issued by the Ministry of Digital Economy and Society incorporates some of the principles and concepts set out in the GDPR. Meanwhile, in some Asian countries, data protection policies were implemented prior to the arrival of the GDPR on the global digital stage, and different approaches towards local data privacy are emerging.
- THE EU’S GROUNDBREAKING DATA PROTECTION REGIME
The GDPR, which came into effect on 25 May 2018, is a wide-ranging reform that regulates the manner in which businesses process personal data, regardless of the legal entity’s location as long as the processing occurs on EU territory. This concept of widened jurisdiction is known as ‘extra-territorial applicability’.
Accordingly, a non EU-based business may fall under the GDPR’s purview so long as:
- The business has an establishment in the EU, which could be a single representative or a sales outlet;
- The business offers goods or services in the EU, through a website or a mobile application for instance; or
Any company subject to the GDPR is required to comply with several obligations in order to be able to lawfully process personal data. In summary, businesses must:
- Identify the appropriate grounds for processing personal data, known as the ‘lawful basis’ under the GDPR, clearly document their choice and directly inform individuals accordingly. For instance, the collection of an individual’s personal data might be based on his/her express consent or on its necessity for the performance of a contract to which the individual is a party;
- Adequately uphold the rights of data subjects so that they retain control over their personal data (e.g. the right to be forgotten, the right to access personal data, the right to be informed about the processing of their personal data, and the right not to be subject to automated decision making and profiling); and
- Be able to demonstrate compliance with the GDPR, also referred to as the ‘accountability principle’, by implementing risk-based technical and organizational measures, such as making the most privacy-friendly setting the default setting.
Failing to comply with the GDPR can be significantly onerous and exposes businesses to substantial penalties: up to EUR 20 million or 4% of annual global turnover in some circumstances. Reputational damage and loss of consumer trust may also result from a single breach, as information is shared across the world at lightning speed in this digital era.
The media flood resulting from the GDPR’s global reach and stringent requirements triggered attention and concern among the business community, far beyond the EU’s borders. It has helped, and will likely continue to help, raise awareness in countries lacking comprehensive data privacy legislation, in Asia and around the world.
- A THAI DATA PROTECTION LAW TO INTEGRATE PART OF THE EU STANDARDS
In consideration of Thailand’s fast-growing online sector, the Ministry of Digital Economy and Society (“MDES”) has prepared a draft “Personal Data Protection Bill” (the “Draft Bill”).
Following several rounds of revisions since 2014, the latest version of the Draft Bill was approved in principle by the Thai Cabinet on 22 May 2018 and published for public hearing and public consultation in September 2018. The current wording of the Draft Bill is meant to reflect some of the main principles arising from the GDPR, such as:
Extra-territorial applicability: the Draft Bill will apply to any business, whether located in Thailand or overseas, that collects, uses or discloses personal data in Thailand. The collection, use or disclosure of personal data outside Thailand is also subject to the Draft Bill where (i) part of such action occurred in Thailand, (ii) the consequence of such action intentionally occurred in Thailand, or (iii) the consequence of such action should occur, or it could be foreseen that it would occur, in Thailand;
Lawful basis for collection of personal data: collection of personal data must be based on a lawful purpose and be necessary for the activities of the business;
Information and transparency: individuals have the right to be informed about the collection and use of their personal data, and must be provided with a minimum level of information prior to or at the time their personal data is collected; and
Rights of data subjects: pursuant to the Draft Bill, data subjects shall be entitled to several rights, such as accessing their personal data, requesting data portability and objecting to the processing of their personal data under certain circumstances.
The MDES now needs to submit the Draft Bill to the National Legislative Assembly for approval. At this stage, no official timeframe has been announced and the enactment date of the Draft Bill remains to be confirmed.
The latest version of the Draft Bill has fortunately adopted various concepts from the GDPR and other major data protection laws around the world; hence, companies with solid data protection procedures already in place may not need to make many changes to comply with the data privacy law once it is enacted. However, some countries in the region have decided to follow a different path and develop their own standards and requirements with regard to data protection.
- EXAMPLES OF OTHER SOUTHEAST ASIAN APPROACHES TOWARDS DATA PROTECTION
In Singapore, personal data is protected under the Personal Data Protection Act 2012 (“PDPA”), which took effect in 2013 and ensures a baseline standard of protection. Pursuant to this Act, businesses may only collect, use or disclose personal data either where they obtain express consent from the individual prior to the processing or where there is deemed consent by the individual, i.e., personal data provided on a voluntary basis. The PDPA provides limited and specific exclusions where the express or deemed consent of the individual is not required. Consent is therefore the key requirement for processing personal data; this limited flexibility diverges from the GDPR, under which businesses may rely on six different legal bases for processing data lawfully.
In addition, business contact information (including name, position, business telephone number, business address and business email address) provided solely for business purposes is excluded from the PDPA’s scope of application. By contrast, the processing of data collected from business cards caused difficulties for many companies falling under the GDPR’s purview, as they had to determine whether or not consent had to be requested from the business card holders to use their data.
Another noteworthy legislative approach is the Law on the Protection of Electronic Data (“LPDE”) enacted by the government of the Lao PDR in 2017, which covers the processing of electronic data rather than personal data specifically. Of note, this data protection law addresses electronic data privacy only; non-electronic data is covered solely by the Penal Law.
The LPDE classifies electronic data under two distinct categories: general data, which refers to generic data that may be freely accessed, used and disseminated provided that the source of the data is stated; and specific data, which refers to official and personal data that may not be accessed without authorization from the data owner.
Also, the entities referred to as data processors under the GDPR – i.e., organizations that process personal data on behalf of the data controller (e.g., a cloud service provider) – are not subject to the LPDE and hence bear no legal obligations or legal liability with respect to a data breach.
The EU’s GDPR standards will be reflected in further data protection regulations yet to be issued. But despite the emergence of global standards addressing data privacy, different local legislative approaches remain visible on a regional scale. Multinationals and regional firms that comply with the GDPR requirements may nevertheless fall afoul of local data protection laws that enforce different sets of requirements. DFDL Thailand therefore recommends always checking the legislative peculiarities of each jurisdiction where your business is established, rather than merely presuming that your GDPR compliance will be sufficient in all cases.
For more information on the services, people and operating regions of DFDL please visit www.dfdl.com, which is the central website covering DFDL Thailand (Bangkok, Samui & Phuket) and all firms within the network. You can also contact DFDL Thailand by phone on +662-059-4090.
Article 3 of the GDPR.
Article 6 of the GDPR.
Articles 12 to 22 of the GDPR.
Article 23 of the GDPR.
This refers to the notion of data protection by default. Article 25 of the GDPR.
Article 83 of the GDPR.
Section 5 of the Draft Bill.
Section 19 of the Draft Bill.
Section 20 of the Draft Bill.
Sections 26 to 31 of the Draft Bill.