Thailand’s Ministry of Digital Economy and Society (“MDES”) recently published the latest draft of the Personal Data Protection Bill (the “Bill”) for public hearing and public consultation from 5^th – 20^th September 2018 before the MDES revises the Bill and submits it to the National Legislative Assembly (“NLA”) for approval. It is one of the six pending bills of the digital economy laws that need to be approved by the NLA to implement the country’s digital economy roadmap.

This draft of the Bill was first revised after the public hearing and public consultation from 22^nd January to 6^th February 2018.

The key changes and additions under the latest draft of the Bill as compared with its previous draft are as follows:-

1.   The Bill will come into force after 180 days from its publication in the Royal Gazette. This is much shorter than the period of one year in the previous draft.

2.   The term “personal data” means any information or data of a person which can directly or indirectly identify a natural person by reference to the facts, data or any other materials about that natural person, excluding information of a deceased person. This definition is broader than its previous counterpart.

3.   Some main principles from the General Data Protection Regulation (EU) 2016/679 (“GDPR”), e.g. extraterritorial applicability of GDPR, have been adopted. This Bill will apply to personal data collected, used or disclosed by a data controller or a data processor residing in Thailand no matter where the data is collected, used or disclosed.  It will also apply to a data controller or a data processor residing outside Thailand but collecting, using or disclosing personal data of a data subject in Thailand (1) for offering goods or services to individuals in Thailand (regardless of whether payment is required), or (2) where the behavior of data subjects within Thailand is monitored.

4.   A request for consent from a data subject must be made explicitly for the consent given to be valid. The Bill also sets further requirements in case of requesting consent from minors.

5.   New exemption of consent requirement is also adopted from the GDPR. An explicit consent of a data subject is not required for collecting personal data if it is necessary for the performance of a contract to which the data subject is a party or in order to take steps at the request of the data subject prior to entering into a contract.  The provision allowing other exceptions to be prescribed later by an implementation regulation has been removed.  This makes it definite and clear in which situation consent is not required.

6.   Several provisions on new rights of a data subject and obligations of a data controller or processor have been added, including the data subjects’ right to obtain a copy of data undergoing processing, the right to data portability and the right to object to the processing of their personal data in certain circumstances.

7.   On the civil liability for any violation under the Bill, unlike the previous draft, the court is empowered to levy punitive damages as high as twice the actual damages.

8.   A statute of limitation for civil cases for compensation of damages is three years from the date of knowledge of the cause of action and the identity of the responsible person, or ten years from the day when the breach of personal data was committed.

In a nutshell, the latest draft of the Bill has been changed in many aspects after the implementation of the GDPR and MDES has adopted various concepts from GDPR as briefly discussed above.

The published Bill is not its final version to be submitted to the NLA for their approval.  Once the Bill is passed by the NLA, we will update readers in future issues of our newsletters.