The Thai Cabinet, on May 19, 2020, approved a Royal Decree on Organizations and Businesses which shall be exempted from compliance with the Personal Data Protection Act B.E. 2562 (2019) (“Royal Decree“) to delay the enforcement date of the Personal Data Protection Act B.E. 2562 (2019) (“PDPA“). The Royal Decree has been published in the Royal Gazette on May 21, 2020 and will be effective from May 27,2020 to May 31, 2021. It provides exemptions to data controllers listed under the Royal Decree to certain chapters and section under the PDPA which include:
– Chapter 2 (data controllers’ obligations relating to the use, collection, and disclosure of personal data, privacy notices, consent requirements, exemptions and cross-border of data privacy);
– Chapter 3 (data subject rights, data protection officer and record of processing);
– Chapter 5 (complaints and administrative punishments);
– Chapter 6 (civil penalties and punitive damages);
– Chapter 7 (criminal liabilities and administrative punishments); and
– Section 95 (transitional matter).
Data controllers who shall obtain the exemptions under the Royal Decree are as follows:
1) Government authorities;
2) Foreign public authorities and international organizations;
3) Foundations, associations, religious organizations, and non-profit organizations;
4) Agricultural businesses;
5) Industrial businesses;
6) Commercial businesses;
7) Medical and public health businesses;
8) Energy, steam, water and waste disposal businesses, including their related business;
9) Construction businesses;
10) Repair and maintenance businesses;
11) Transportation, logistic, and warehouse business;
12) Tourist businesses;
13) Communication, telecommunication, computer, and digital businesses;
14) Financial, banking and insurance business;
15) Real estate businesses;
16) Professional businesses;
17) Management and support services business;
18) Scientific and technological, academic social welfare and artistic businesses;
19) Educational businesses;
20) Entertainment and recreational businesses;
21) Security business; and
22) Household and community enterprise businesses whose activities cannot be clearly classified.
If there is any question as to whether particular organizations or businesses are fallen under the above list, the Personal Data Protection Committee (PDPC) shall consider and render its final decision at its sole discretion.
The main reason as specified in the Royal Decree is to provide more time for the business operators, which shall be regarded as data controllers by the PDPA, to prepare themselves to be fully compliant with the PDPA. The Royal Decree further specifies that business operators, including private and government sectors, are not ready to be in compliance with the PDPA. This was mainly due to requests from the private sector filed with the government indicating problems with the economy and within their organizations, such as the economic impact and other restrictions due to Covid-19 situation.
The extension is not to be interpreted that the Government of Thailand is relaxing its readiness to implement the PDPA. An essential action by the Thai government is that the PDPC committee has been appointed and will start the process of formulating regulations and an enforcement culture surrounding the PDPA. The list of the PDPC members approved by the Cabinet as announced by the government’s spokesperson on 19 May 2020 are as follows (note that this list is not official until published in The Government Gazette):
1) The Chairman: Mr. Thienchai Na Nakorn
Professor of faculty of law, Sukhothai Thammatirat Open University
Former Constitution Drafting Committee (CDC)
Former senior member of various committees (e.g. Committee of Official Information Commission, Committee of National Institute of Educational Testing Service (NIETS) and secretary-general of Political Development Council).
2) Senior committee (personal data protection): Mr. Nawanan Theera-Ampornpunt
Technocrat on health informatics;
Deputy dean on practitioner level of faculty of medicine, Ramathibodi Hospital.
3) Senior committee (consumer protection): Pol.Lt.Col Thienrath Vichiensan
Senior committee of Official Information Commission;
Former chief of inspector of Prime Minister Office;
Director of the Official Information Commission.
4) Senior Committee (Information and communication technology): Mr. Pansak Siriruchatapong
Former Vice Minister of Ministry of Digital Economy and Society;
Former director of National Electronics and Computer Technology Center (NECTEC)
5) Senior committee (social science): Asst. Prof. Tossapon Tassanakunlapan
Professor and researcher of faculty of law, Chiang Mai University
6) Senior committee (legal): Ms. Thitirat Thipsamritkul
Teacher of faculty of law, Thammasat University
7) Senior committee (legal): Prof. Supalak Pinitpuvadol
Professor of faculty of law, Chulalongkorn University
8) Senior committee (health): Prof. Prasit Watanapa
Dean of faculty of medicine, Siriraj Hospital
9) Senior Committee (finance): Ms. Ruenvadee Suwanmongkol
Secretary-general of the Securities and Exchange Commission
10) Senior Committee (Government Information Management): Mrs. Methinee Thepmanee
Former secretary-general, Office of the Civil Service Commission (OCSC);
Former permanent secretary, Ministry of Information and Communication Technology (ICT).
In addition to the abovementioned members, please note that the PDPA requires that the PDPC must appoint permanent secretary of the MDES as the vice-president of the PDPC, together with 5 additional board members which include (i) the permanent secretary of the Prime Minister Office, (ii) the secretary-general of the juridical council, (iii) the secretary-general of the office of consumer protection board, (iv) the director-general of the Rights and Liberties Protection Department, and (v) the attorney-general. Please note that as of the writing of this article 27 May 2020, the official list of the PDPC members are not yet published in The Government Gazette.
The above is for general information purposes only and should not be relied upon as legal advice.