Thailand’s Cyber Security Act and Personal Data Protection Act Passed

On 28th February 2019, the National Legislative Assembly passed the Cyber Security Act (“CSA”) and the Personal Data Protection Act (“PDPA”) of Thailand. They will be submitted to HM the King for his endorsement and later be published in the Government Gazette before they come into force from the date immediately following the date of their publication, except for provisions Chapters 2, 3, 5, 6 and 7 and Sections 95 and 96 of the PDPA, which shall come into force after a grace period of one year from its publication date.

In principle, the CSA aims at securing the national security in cyberspace, covering both public and private sector databases, while the PDPA requires explicit consent from the data subject before personal data can be collected, used or disclosed  by other parties including data controllers.

Under the CSA, the National Cyber Security Committee (“NCSC”) will be established with the Prime Minister as the Chairman of the NCSC, the Minister of Defense as the First Vice Chairman and the Minister of Digital Economy and Society (“MDES”) as the Second Vice Chairman.

The most significant provisions of the CSA are those related the powers of the NCSC Office and the NCSC Secretary-General to:

  • collect information, analyze situations and assess their impacts as a cyber-security threat on the national cyber security;
  • collect information by way of ordering persons to give information or documentation and entering into properties or business premises without being liable for wrongdoing;
  • prevent, handle and mitigate a critical cyber security threat by way of ordering owner or possessor or user of a computer or a computer system to do or not to do something in relation to the computer or the computer system including the power to access to the same;
  • prevent, handle and mitigate a critical cyber-security threat by investigating and entering into premises, accessing information and copying computer programs, testing computers or computer systems or seize computers or computer systems suspected to be related to the critical cyber-security threat without obtaining a prior court order.

PDPA is the first specific law governing data protection in line with the right of privacy under the Constitution of the Kingdom of Thailand B.E. 2560 (A.D. 2017). A Personal Data Protection Commission (“PDPC”) will be established to regulate compliance with the PDPA.  A number of the principles from the European Union’s General Data Protection Regulation 2016/679 (“GDPR”), e.g. extraterritorial applicability, has been adopted and adapted in the PDPA.

Some key provisions of the PDPA are about the followings:

  • the consent requirement for collection, processing and use of a personal data in certain ways (subject to certain exceptions);
  • the rights of a data subject and obligations of a data controller or processor;
  • the restrictions against the transfer of personal data to a third country;
  • the extraterritorial effect of the law; and
  • the requirement for data controller outside Thailand who collects, uses or discloses personal data to appoint a local representative in Thailand without a limit of liabilities.

During the one-year grace period of the PDPA, several implementation rules will be drafted and issued by the PDPC. The members of the public would have opportunities to get involved in drafting such rules.

Once the CSA and the PDPA are published in the Government Gazette, we will update readers in future issues of our newsletters.


The information provided in this document is general in nature and may not apply to any specific situation. Specific advice should be sought before taking any action based on the information provided. Under no circumstances shall LawPlus Ltd. and LawPlus Myanmar Ltd. or any of their directors, partners and lawyers be liable for any direct or indirect, incidental or consequential loss or damage that results from the use of or the reliance upon the information contained in this document. Copyright © 2016 to 2020 LawPlus Ltd.