The Personal Data Protection Act is likely to affect banking and insurance sectors. (Photo by Wichan Charoenkiatpakul)
Data is hailed as the new "oil" of the 21st century, with digitalisation changing the landscape across every segment of society and business. When valuable and personal data can be exploited for personal or corporate gain, there is a need to ensure that personal information is well protected from fraud and mischief.
After numerous attempts over nearly two decades, Thailand's Personal Data Protection Act was finally approved and endorsed by the National Legislative Assembly (NLA) on Feb 28. Drafted in an attempt to mimic the EU's General Data Protection Regulation (GDPR), the act will be submitted for royal endorsement and subsequent publication in the Royal Gazette.
While the Thai constitution upholds the right to privacy, the country previously did not have any consolidated law governing data protection in general, according to legal firm Baker McKenzie.
There are only specific laws in certain business sectors, such as telecommunications, healthcare, banking and credit reporting.
In the past, personal data such as contact details, consumer behaviour and the like were collected and used without the knowledge of data subjects. Such personal data is used to analyse data subjects' behaviour, and later on goods and services will be offered to these data subjects based on the results of such analysis, said Dhiraphol Suwanprateep, partner for technology and intellectual property at Baker McKenzie.
When the act comes into effect, businesses need to notify the data subjects of certain details under the act, such as the purpose of collection, the data retention period and the rights of the data subject, as well as obtain consent from the data subject unless exceptions under the act can be relied on, Mr Dhiraphol said.
After the official publication, business entities will have a transition period to prepare for compliance, as the act will apply to most entities both onshore and offshore with limited exemptions.
There have been several cases in which the personal data of customers leaked to the public, stoking fears that such data could be used to commit fraud or identity theft.
In April 2018, the personal data of around 46,000 TrueMove H users was leaked onto Amazon Web Services (AWS) cloud storage.
The leaked data found by security researchers on the AWS storage, also known as the S3 bucket, included scanned images of users' ID cards, passports and driving licences.
TrueMove H was reportedly warned by security researchers about the lack of security on users' files but took no action to prevent it.
Another case in point is how mobile leader Advanced Info Service Plc (AIS) dismissed an employee for leaking a customer's call data records in 2016.
"Businesses will need to adjust before the Personal Data Protection Act comes into effect, especially as there are criminal penalties at stake," Mr Dhiraphol said.
Many businesses in Thailand currently lack privacy policies that cover all the details required under the act. Therefore, such privacy policies are not sufficient to meet the requirements of the notification under the act before consent can be obtained properly, according to Baker McKenzie.
Further, certain sensitive data, such as health data, religious beliefs and biometric data, is collected and used in businesses without explicit consent, while the act will require explicit consent for such types of sensitive data.
Revising and drafting a lot of documents, such as privacy policies, consent forms, data-processing agreements and cross-border transfer agreements, will play a key role in ensuring compliance, Mr Dhiraphol said.
"Another concern is that most companies who are currently in compliance with the EU's GDPR believe that they have to do nothing, as they already adhere to the GDPR," he said. "In fact, although the act has drawn various concepts from the GDPR, it still contains several different concepts from the GDPR."
The new PDPA regulates collection, use, disclosure and care of personal data. (Photo by Patipat Janthong)
Fines start at 500,000 baht and top out at 5 million baht. The National Data Protection Expert Committee will decide the final penalty.
The updated version of the law does not include jail sentences for criminal penalties in the event that a hacker attacks service providers and data is leaked or stolen, as long as service providers make efforts to protect data within the limits of their resources and capabilities, said Prinya Hom-anek, a member of the committee that oversees the law.
In case of an insider threat, a jail sentence for a criminal charge is applicable for no longer than one year.
Exceptions to the act include courts and investigation, the credit bureau, the media, members of parliament and senators.
The law has a grace period for one year after announcement in the Royal Gazette.
CLEARER DATA MANAGEMENT
The Personal Data Protection Act will not obstruct banking operations, especially for consumer finance, said Wallaya Kaewrungruang, chief legal and control officer at Siam Commercial Bank (SCB).
The act will, however, lead to more complication about customer data management in three categories: personal data collection, data usage and data disclosure, Mrs Wallaya said.
Consent that banks require from clients needs to be clear, easy to comprehend and separate from other conditions. These are the key elements of the new law, she said.
Under the law, SCB hopes to clearly manage customers' personal data for each category. The bank also needs customers' consent for data management in each category, as well as the objective of data usage.
With existing practices and regulations, banks do not require data management to be divided into different categories.
The PDPA aims to ensure good management of personal data, including information from credit card applicants. (Photo by Kosol Nakachol)
Mrs Wallaya said that since the bank needs to personalise data management of customers under the new law, preparation of new infrastructure and IT systems is a must. This will eventually contribute to higher operating costs, she said.
For product cross-selling, the new law will not affect product cross-selling because it is under the Bank of Thailand's existing regulations, she said.
Although the new law stipulates that customers can demand banks suspend, cancel and destroy personal data, financial institutions can further keep the data under other law avenues. For instance, banks need to maintain the personal data of depositors under the money-laundering law.
"As the law stipulates that [businesses need to have] consent from customers, insurance policies and insurance companies are also required to comply," said an insurance industry source speaking on condition of anonymity.
Concerns from the insurance associations centre on consent from existing customers who have insurance policies before the act takes effect, according to the source.
"Previous insurance policies did not request customers' consent to disclose information, so asking for consent when the law takes effect is a major issue," the source said.
It's also uncertain whether customers who have many insurance riders will have to sign every document or not, the source said. Customers' right to deny consent for providing information is another concern, as those with fraudulent intent could ask insurance companies to delete their personal information, resulting in the disappearance of traces to track down fraudulent cases and behaviour.
On the surface, the act appears to have good principles as it attempts to liaise with the GDPR, but it has flaws in terms of redundancy with existing laws covering insurance, telecom, banking and credit reporting, said Kanathip Thongraweewong, director of the Institute of Digital Media Law at Kasem Bundit University.
"The act mimics the GDPR principles, but it is also very contradictory because it does not copy some of the important principles of the GDPR," Mr Kanathip said. "The cybersecurity bill allows authorities to snoop on consumer data, so the act does not 'protect' their data at all. The act also does not punish hackers, but rather business operators alone."
Retail businesses and small and medium-sized enterprises (SMEs) are on the verge of being heavily affected by the act, as the law does not specify exemptions applying to these businesses such as business size, monthly revenue and customer base, he said.
"Online merchants will be heavily affected because they are identified as 'data controllers' of customer information," Mr Kanathip said.
It is also questionable how many SMEs are aware of the new law, he said.
The timing of the law's passage has also raised eyebrows, he said, as the committee responsible for drafting the act seems in a rush to complete the process ahead of the March 24 general election.
The act should ideally be open for public discussion and scrutiny, which should take place after the election ends to maximise transparency, Mr Kanathip said.
Besides the impact on businesses, individual users must be aware that their posted content and photo tagging without consent of the tagged person can face a penalty under the act if users do not remove the tagged photo upon a removal request, said Paiboon Amonpinyokeat, founder of the P&P law firm and adviser to a subcommittee overseeing the Personal Data Protection Act under the NLA.