The Personal Data Protection Act B.E. 2562 (“PDPA”) requires data portability so that data subjects can obtain their personal data from a Controller in a format usable by another Controller. This is to enhance competition amongst Controllers and to reduce the impact of customer lock-in effects created by non-portable data.
Non-rivalrous Nature of Personal Data
Personal data is inherently non-rivalrous. Regardless of how many times the data is used, it is not depleted. Regardless of the number of times a name, email address, home address, telephone number and birth-date of a data subject are shared, their value to persons who use them is not diminished. Despite this, the time and effort required for a data subject to give his/her personal data to a new controller is often a significant cost/barrier to switching from one Controller to another.
Data portability is a concept whereby Controllers must ensure that they disclose personal data in a format which is usable by other Controllers. Data portability eliminates the formations of “walled gardens” where the personal data provided by a data subject to a Controller is only capable of being used by that particular Controller and, thus, if the data subject wishes to provide his/her personal data to another Controller, he/she must spend additional time and effort to provide personal data to the new Controller. The mandated data portability will reduce time and barriers for the data subject to get services from other Controllers.
The PDPA requires Controllers to give personal data to data subjects in a format that is (a) readable or usable by machines or equipment and (b) can be used or disclosed via automatic means.
Data subjects have the right to:
(1) request the Controller to send or transfer his/her personal data to other Controllers; and
(2) obtain his/her personal data in the same format sent by the Controller to other Controllers, except where it is not possible to do so for a technical reason.
(a) Readable or Usable by Way of Automatic Tools or Equipment
Section 31 of the PDPA requires that data must be structured in a commonly used format which can be readable or usable by automated tools or equipment.
(1) Structured data means data where the structural relation between elements is explicit in the way that the data is stored. This includes data contained in relational databases and spreadsheets. This type of data is helpful as it makes it easier for both humans, and more importantly, programs to extract specific elements of data due to the logical structure of how the data has been stored. Below is an example of structured data.
(2) Commonly used format refers to the type of file formats in which the personal data has been stored and distributed. This includes common formats such as Microsoft Excel Spreadsheet (“xls”) or Comma Separated Values (“CSV”). It must be noted, however, that even though data may be stored on a commonly used format, it will not be considered portable unless it meets all of the portability characteristics.
(3) Machine-readable is related to whether or not the personal data can be easily be easily identified, recognized and extracted by a software application. Typically, structured data lends itself extremely well to being machine-readable by virtue of its logical and structured nature.
(b) Used and Disclosed by Automated Means
A data subject may request for his/her personal data to be obtained by or sent to another Controller automatically via a machine/software.
Risks of Breaching Data Portability Requirement
The requirement of data portability can incur practical and technical costs of implementing an automated system of data dissemination for the purpose of providing personal data to either data subjects or other Controllers as may be requested by data subjects.
A failure to comply with the data portability requirement may result in compensation for actual damages suffered by the data subject plus a fine up to two times of the actual damages (Section 78 of the PDPA).
Revised: January 2020
- Managing Partner | bangkok
- Coordinator |
The information provided in this document is general in nature and may not apply to any specific situation. Specific advice should be sought before taking any action based on the information provided. Under no circumstances shall LawPlus Ltd. and LawPlus Myanmar Ltd. or any of their directors, partners and lawyers be liable for any direct or indirect, incidental or consequential loss or damage that results from the use of or the reliance upon the information contained in this document. Copyright © 2016 to 2020 LawPlus Ltd.