On 27 May 2020, Thailand’s Personal Data Protection Act (PDPA) is scheduled to come into effect, two years after the EU’s GDPR took effect and set the precedent for data privacy laws worldwide.
While the Thailand PDPA shares certain features with specific GDPR provisions, such as the data subject’s right to be informed and the right to access the data collected about them, the two privacy laws also differ in significant ways.
To explore the differences between the Thailand PDPA and the GDPR, it is useful to compare the two regulations on:
- Scope
- Individuals’ rights
- Key definitions
- Penalties
From a personal scope perspective, the Thailand PDPA does not apply to public agencies whose duties concern state security, including forensic science, the prevention and suppression of money laundering, and cybersecurity. In contrast, the GDPR applies to data controllers and processors regardless of whether they are public agencies or private entities.
In terms of material scope, the Thailand PDPA differs from the GDPR in three ways:
The Thailand PDPA does not distinguish between automated and non-automated means of processing personal data. The GDPR, by contrast, applies to processing by automated means and to non-automated processing only where the data forms part of, or is intended to form part of, a filing system.
While the Thailand PDPA allows data subjects to request that their data be anonymized, it does not clearly exclude anonymized data from its scope. The GDPR, on the other hand, expressly excludes anonymized data from its scope.
The scope of the Thailand PDPA does not extend to the House of Representatives, the Senate, Parliament, or the committees appointed by these bodies. It also exempts the activities of credit bureau companies from its scope. The GDPR, by contrast, does not explicitly exempt law-making bodies and makes no reference to credit bureau companies or their processing.
Concerning the right to be informed, the Thailand PDPA and the GDPR differ in three respects:
The Thailand PDPA does not spell out a right for data subjects to be informed about the existence of automated decision-making and profiling. The GDPR requires data subjects to be informed, at the point of collection, about the existence of automated decision-making, including profiling.
The Thailand PDPA does not make clear whether data subjects may be informed of their rights orally. The GDPR explicitly allows information to be provided orally at the data subject’s request, alongside written and electronic formats, provided the data subject’s identity is proven by other means.
Concerning legitimate interest, the Thailand PDPA does not give specific examples of when it applies, whereas the GDPR (in its recitals) outlines circumstances that can be regarded as ‘legitimate interest’, such as fraud prevention and direct marketing.
Regarding the right to access:
The Thailand PDPA does not state what must be provided in response to an access request. The GDPR explicitly requires data controllers to inform data subjects of, among other things, the purposes of the processing, the categories of personal data involved, and the recipients or categories of recipients to whom the data has been or will be disclosed.
Under the right to erasure, the Thailand PDPA does not set a specific timeline within which the data controller must act on a request, although it allows data subjects to notify the competent authority of a data controller’s failure to respond to an erasure request. In addition, the PDPA does not require a data controller to put in place measures to identify a data subject who requests the deletion of their data.
In contrast, the GDPR states explicitly that requests under this right must be acted on ‘without undue delay and in any event within one month of receipt of the request.’ Furthermore, where a controller has reasonable doubts about the identity of the person making the request, it may ask for additional information to confirm that identity.
Both the GDPR and the Thailand PDPA guarantee the right of data subjects to object to the processing of their data and to withdraw consent to processing at any time. However, the Thailand PDPA does not explicitly define the period within which a data controller must act on a request to restrict the processing of personal data. The GDPR makes clear that data controllers must respond to requests to restrict processing within one month of receipt; this period may be extended by up to two further months where necessary, taking into account the complexity and number of requests.
The last difference in individual rights concerns the right to data portability. The Thailand PDPA obliges data controllers to record the justification for rejecting a data portability request so that it can be reviewed by the data subject and the competent authority. The GDPR does not explicitly impose this requirement.
Personal data is a crucial definition under both the Thailand PDPA and the GDPR, yet the Thai law does not specifically identify IP addresses, cookie identifiers, or radio frequency identification (RFID) tags as personal data. The GDPR differs here: its recitals state explicitly that online identifiers such as IP addresses, cookie identifiers, and RFID tags can constitute personal data.
Secondly, the Thailand PDPA does not define pseudonymized data. The GDPR defines pseudonymization as processing personal data in such a way that it can no longer be attributed to a specific data subject without the use of additional information, provided that the additional information is kept separately and protected by technical and organizational measures.
The Thailand PDPA contains no explicit provision on whether personal data of children merits specific protection when it is used for marketing or collected for services offered directly to them. The GDPR, by contrast, treats children as ‘vulnerable natural persons’ who merit specific protection, in particular where their data is used for marketing, for creating personality or user profiles, or for services offered directly to a child.
Lastly, the Thai law has no explicit requirements for collecting, using, or disclosing personal data for research purposes, although data controllers are still expected to safeguard the rights, freedoms, and interests of data subjects. Under the GDPR, processing for research purposes is subject to specific rules, including a limited exception to the right to erasure and an obligation to apply safeguards such as data minimization and pseudonymization.
Concerning penalties, non-compliance with the Thailand PDPA attracts an administrative fine of up to THB 5 million (roughly USD 165,000). Certain violations are also criminal offences, for which the individuals responsible may face imprisonment for a term of up to one year, a fine, or both. Violations of the GDPR can be fined up to €10 million or 2% of total worldwide annual turnover, whichever is higher, for less serious infringements, and up to €20 million or 4% of total worldwide annual turnover, whichever is higher, for the most serious ones.
If you have any questions or concerns about Thailand PDPA compliance requirements, schedule a call with us today for personalized support from a data privacy expert.