Thailand’s Personal Data Protection Act: An Understanding from the Perspectives of the European Privacy Law
DOI:
https://doi.org/10.14456/tresp.v6i1.249265
Keywords:
Laws, Privacy, Data Protection
Abstract
The Thai Personal Data Protection Act B.E. 2562 (2019) (PDPA) is Thailand’s first omnibus law that governs personal data protection in Thailand. It is predominantly based on the General Data Protection Regulation (Regulation 2016/679 or GDPR) of the European Union that came into force in 2016. Hence, there are several similarities between the two.
PDPA’s practicality and enforceability remain largely untested in Thailand, since its major operative provisions will come into effect in the middle of 2020. The author therefore compares PDPA with GDPR, examining GDPR and its applicability to determine best data protection practices for a company that provides financial services.
For personal data protection, PDPA and GDPR require satisfaction of one or more legal bases in order for a company to collect and process data of an individual. Obtaining consent is often seen as one way of doing so. However, the author finds that obtaining consent is key but, oftentimes, not necessary. There are several other legal bases that are as strong as, if not stronger than, consent, e.g. contractual relationship and legitimate interests. Despite the validity of legitimate interests as a legal basis, its coverage and applicability are not well defined and not yet conclusive. The company has to consider and evaluate individual experiences and expectations, along with industry best practices, to carefully determine whether such legitimate interests have been realized and prudently balanced against individual rights.