The Personal Data Protection Act B.E. 2562 (“PDPA”) requires data portability so that data subjects can obtain their personal data from a Controller in a format usable by another Controller. This is to enhance competition amongst Controllers and to reduce the impact of customer lock-in effects created by non-portable data.

Non-rivalrous Nature of Personal Data
Personal data is inherently non-rivalrous.  Regardless of how many times the data is used, it is not depleted.  Regardless of the number of times a name, email address, home address, telephone number and birth-date of a data subject are shared, their value to persons who use them is not diminished.  Despite this, the time and effort required for a data subject to give his/her personal data to a new controller is often a significant cost/barrier to switching from one Controller to another.

Data Portability
Data portability is a concept whereby Controllers must ensure that they disclose personal data in a format which is usable by other Controllers.  Data portability eliminates the formations of “walled gardens” where the personal data provided by a data subject to a Controller is only capable of being used by that particular Controller and, thus, if the data subject wishes to provide his/her personal data to another Controller, he/she must spend additional time and effort to provide personal data to the new Controller.  The mandated data portability will reduce time and barriers for the data subject to get services from other Controllers.

The PDPA requires Controllers to give personal data to data subjects in a format that is (a) readable or usable by machines or equipment and (b) can be used or disclosed via automatic means.

Data subjects have the right to:

(1)   request the Controller to send or transfer his/her personal data to other Controllers; and

(2)   obtain his/her personal data in the same format sent by the Controller to other Controllers, except where it is not possible to do so for a technical reason.

(a)   Readable or Usable by Way of Automatic Tools or Equipment

Section 31 of the PDPA requires that data must be structured in a commonly  used format which can be readable or usable by automated tools or equipment.

(1)   Structured data means data where the structural relation between elements is explicit in the way that the data is stored.  This includes data contained in relational databases and spreadsheets.  This type of data is helpful as it makes it easier for both humans, and more importantly, programs to extract specific elements of data due to the logical structure of how the data has been stored.  Below is an example of structured data.

(2)   Commonly used format refers to the type of file formats in which the personal data has been stored and distributed. This includes common formats such as Microsoft Excel Spreadsheet (“xls”) or Comma Separated Values (“CSV”).  It must be noted, however, that even though data may be stored on a commonly used format, it will not be considered portable unless it meets all of the portability characteristics.

(3)   Machine-readable is related to whether or not the personal data can be easily be easily identified, recognized and extracted by a software application.  Typically, structured data lends itself extremely well to being machine-readable by virtue of its logical and structured nature.

(b)   Used and Disclosed by Automated Means

A data subject may request for his/her personal data to be obtained by or sent to another Controller automatically via a machine/software.

Risks of Breaching Data Portability Requirement
The requirement of data portability can incur practical and technical costs of implementing an automated system of data dissemination for the purpose of providing personal data to either data subjects or other Controllers as may be requested by data subjects.

A failure to comply with the data portability requirement may result in compensation for actual damages suffered by the data subject plus a fine up to two times of the actual damages (Section 78 of the PDPA).

LawPlus Ltd.
Revised: January 2020