While globalization has entailed a series of policy convergences across the globe, one area that has not been smoothly integrated is data protection. The Western concept of privacy signifies individualism, liberalism, the public-private divide, and the rule of law, all of which underpin the liberal democracy widely espoused in the West, but not in other regions of the world, including Asia.
Such notions are simply not present in the context of Thailand, a Southeast Asian nation with an extensive history of state surveillance. From the ancient to the modern period, extensive collection of people’s personal information has been a long-standing practice. Ancient Siamese states collected personal information on their commoner population through registration rolls and a coded wrist-tattooing system. In the modern era, the state keeps its population under bureaucratic surveillance through citizen ID cards, household registration passbooks, social welfare cards, and so forth. Thailand has so far not enacted any specific statutory law governing the handling and protection of personal data.
Currently, general principles dealing with the protection of personal data are scattered over many laws (including, amongst others, the Constitution of the Kingdom of Thailand, the Civil & Commercial Code, the Penal Code, the Telecommunication Business Act, the Financial Institutions Act, and the National Health Security Act). Such laws do not offer comprehensive protection and apply only to specific situations and industries. Further, the Official Information Act sets out restrictions on the collection, use or disclosure of personal data maintained by the government only.
Without clear regulations in place, private businesses face much uncertainty about their obligations when handling the personal data of their customers, clients, employees, etc.
1. The Proposed Personal Data Protection Act
To end this situation, a Personal Data Protection Act was drawn up several years ago, but it has still not been passed into law. With the Cabinet now having approved the bill in principle, there is speculation that Thailand will one day have proper regulations in place governing this important issue. However, it is still unclear if and when the proposed bill will eventually be enacted as binding law.
If the Personal Data Protection Act became law in its current form, a data controller would need to comply with the following:
The Personal Data Protection Act, if passed into law, will provide higher standards for the protection of personal data.
Some specific issues related to data protection are as follows:
a) Electronic Marketing
Currently, there is no particular law that restricts the use of personal data for electronic marketing. Offering opt-in and opt-out options is merely a customary practice and not yet required by law.
b) Online Privacy (including cookies and location data)
Presently, there is no provision under the relevant laws and the Draft that specifically prohibits or regulates the placing of cookies on users’ computers.
Although the Computer Crime Act B.E. 2550 (2007) contains provisions imposing punishments for specific computer data alterations, cookies or location-tracing mechanisms are excluded, as they do not cause any of the above alterations on computers.