While globalization has entailed a series of policy convergences across the globe, one area that has not been smoothly integrated is data protection. The Western concept of privacy signifies individualism, liberalism, the public-private divide, and the rule of law, all of which underpin the liberal democracy widely espoused in the West, but not in other regions of the world, including Asia.
Such notions are simply not present in the context of Thailand, a Southeast Asian nation with an extensive history of state surveillance. From the ancient to the modern period, extensive collection of people’s personal information has been a long-standing practice. Ancient Siamese states collected personal information on their commoner population through registration rolls and a coded wrist-tattooing system. In the modern era, the state keeps its population under bureaucratic surveillance through citizen ID cards, household registration passbooks, social welfare cards, and so forth. Thailand has so far not enacted any specific statutory law governing the handling and protection of personal data.
Currently, general principles dealing with the protection of personal data are scattered over many laws (including, amongst others, the Constitution of the Kingdom of Thailand, the Civil & Commercial Code, the Penal Code, the Telecommunication Business Act, the Financial Institutions Act, and the National Health Security Act). Such laws do not offer comprehensive protection and apply only to specific situations and industries. Further, the Official Information Act sets out restrictions on the collection, use or disclosure of personal data maintained by the government only.
Without clear regulations in place, there is much uncertainty among private businesses about their obligations when handling the personal data of their customers, clients, employees, etc.
1. The Proposed Personal Data Protection Act
Aiming to end this situation, a Personal Data Protection Act was drawn up several years ago, but it has still not been passed into law. With the Cabinet now having approved this bill in principle, there is speculation that Thailand will one day have proper regulations in place governing this important issue. However, it is still unclear if and when the proposed bill will eventually be enacted as binding law.
If the Personal Data Protection Act became law in its current form, a data controller would need to comply with the following:
- Unless permitted by law, the collection, usage or disclosure of personal data without the consent from the data subject is prohibited;
- A data controller must inform the data subject on the purpose for which the respective personal data is collected and obtain the data subject’s consent. Collected personal data can be used or disclosed for the approved purposes only;
- If a data controller intends to use or disclose personal data beyond the purpose for which consent has been obtained, he will need to inform the data subject and obtain additional consent;
- The collection of sensitive data (e.g. data related to sexual conduct, criminal history, health, national origin, race, political opinions or religious beliefs) is only permitted within the strict limitations of the law;
- Except where the data subject expressly consented otherwise, any processing of personal data for marketing purposes is not permitted;
- Measures must be implemented to ensure that collected personal data is protected against loss, alteration and modification;
- A Personal Data Protection Committee would be established and hear any claim lodged by a data subject concerning the abuse of personal data; and
- Violations would be punishable under criminal law and permit the data subject to claim for damages.
The Personal Data Protection Act, if passed into law, will provide higher standards for the protection of personal data.
Please see some specific issues related to data protection as follows:
a) Electronic Marketing
Currently, there is no particular law that restricts the use of personal data for electronic marketing. Offering opt-in and opt-out options is merely a customary practice and not yet a legal requirement.
b) Online Privacy (including cookies and location data)
Presently, there is no provision under the relevant laws or the Draft that specifically prohibits or regulates the placing of cookies on users’ computers.
Although the Computer Crime Act B.E. 2550 (2007) contains provisions imposing punishments for specific alterations of computer data, cookies and location-tracing mechanisms are excluded, as they do not cause any such alterations on computers.