AI compliance and innovation: Navigating personal data regulations in Thailand

SATURDAY, AUGUST 10, 2024

A balance between regulatory compliance and fostering innovation in AI

Artificial Intelligence (AI) is revolutionising industries worldwide, promising unprecedented advancements in efficiency, accuracy, and innovation. Thailand is no exception: AI is a hot trend, and many organisations are considering and embracing it.

However, the rise of AI also brings significant challenges. Thailand's Personal Data Protection Act (PDPA), enacted to safeguard individuals' personal data, imposes requirements on how organisations collect, store, and process data. This article explores the connection between AI and the PDPA, outlining the implications for businesses and the strategies they can adopt to ensure compliance while leveraging AI's full potential.

It is important to understand the global regulatory drive, which is led by the European Union (EU) and other countries with more developed regulatory regimes. In May 2024, the EU introduced the AI Act to create a comprehensive regulatory environment addressing AI's ethical and safety concerns. Thailand is also aligning its AI policies with international standards. Thailand issued the Artificial Intelligence Ethics Guideline in 2019 to help government agencies in the development, promotion, and use of AI, and in 2023 adopted the Thailand Artificial Intelligence Guidelines to help the private sector develop AI-related work.

Specifically, the PDPA, which came into full effect on June 1, 2022, is Thailand's first comprehensive personal data protection law. Modelled after the European Union's General Data Protection Regulation (GDPR), the PDPA aims to protect personal data, ensuring that individuals' privacy rights are respected.
Non-compliance with the PDPA may lead to litigation, regulatory penalties, and reputational and financial damage.

AI and Data Privacy: A Complex Relationship

AI systems rely heavily on large datasets to function effectively. This requires massive quantities of raw data to learn patterns, make predictions, and improve over time. The more data the better. This dependency on data presents a unique challenge in the context of the PDPA.

Data Collection and Consent

One of the primary concerns is the collection of personal data. AI systems often collect vast amounts of data, sometimes without individuals being fully aware of the extent of data being gathered. The PDPA requires clear and transparent communication about what data is being collected, how it will be used, and the potential risks involved.

Data Minimisation and Purpose Limitation

The PDPA emphasises data minimisation and purpose limitation principles, requiring organisations to collect only the data that is necessary for a specific purpose and to use it solely for that purpose. The idea is to de-personalise data, for example, by using approaches such as pseudonymisation (replacing personal identifiers with placeholder data, which reduces, but does not eliminate, data protection risks) and anonymisation (deleting identifiers, which means data is no longer “personal”). Organisations should have an appropriate framework in place to assess, explain and assure the regulator how they determine what is necessary.
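
An added illustration of the distinction drawn above, not part of the original article: a keyed hash (HMAC-SHA256, chosen here as one common way to pseudonymise) replaces identifiers with a token that the key holder can still link back to a person, while the anonymised form deletes the identifiers and keeps no per-person token. The records, field names and key are constructed for the example.

```python
import hashlib
import hmac

# Constructed sample records; field names and values are assumptions.
RECORDS = [
    {"customer_id": "C-0001", "name": "Somchai A.", "age": 34, "purchase": 1200},
    {"customer_id": "C-0001", "name": "Somchai A.", "age": 34, "purchase": 300},
    {"customer_id": "C-0002", "name": "Malee B.", "age": 51, "purchase": 80},
]
DIRECT_IDENTIFIERS = ("customer_id", "name")


def pseudonymise(record, key):
    """Replace direct identifiers with a keyed placeholder token."""
    out = {k: v for k, v in record.items() if k not in DIRECT_IDENTIFIERS}
    msg = "|".join(str(record[f]) for f in DIRECT_IDENTIFIERS).encode()
    # Same person + same key -> same token, so records stay linkable.
    out["subject_token"] = hmac.new(key, msg, hashlib.sha256).hexdigest()[:16]
    return out


def anonymise(record):
    """Delete direct identifiers and keep no per-person token."""
    return {k: v for k, v in record.items() if k not in DIRECT_IDENTIFIERS}


def relink(token, known_people, key):
    """Residual risk of pseudonymisation: the key holder can recompute
    tokens for known people and map a token back to a name."""
    for person in known_people:
        if pseudonymise(person, key)["subject_token"] == token:
            return person["name"]
    return None


if __name__ == "__main__":
    key = b"constructed-demo-key-not-for-use"  # keep real keys in a secrets store
    for r in RECORDS:
        print("pseudonymised:", pseudonymise(r, key))
        print("anonymised:   ", anonymise(r))
```
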

Data Subject Rights and AI Transparency

The PDPA grants individuals the right to access, correct, and delete their personal data. Implementing these rights in the context of AI can be challenging, particularly when dealing with complex machine learning models that generate insights and predictions based on vast datasets.

Transparency is crucial in addressing these challenges. Organisations must ensure that AI systems are designed and implemented in a way that allows individuals to understand how their data is being used. This involves providing clear explanations of AI decision-making processes and ensuring that individuals can exercise their rights effectively.

Data Breach Notification and Security

AI systems, like any other data processing systems, are vulnerable to security breaches. The PDPA mandates notification of data breaches to the relevant authorities and affected individuals. Ensuring robust data security measures is essential to prevent breaches and mitigate their impact.

For AI systems, this involves implementing strong encryption, access controls, cybersecurity measures and regular security reviews and audits. Additionally, organisations should have a clear incident response plan in place to handle potential data breaches swiftly and effectively.

The Role of Data Protection Officers (DPOs)

Under the PDPA, certain organisations are required to appoint a Data Protection Officer (DPO) to oversee PDPA compliance. The DPO plays a critical role in ensuring that AI systems comply with the PDPA's requirements. This includes conducting data protection impact assessments (DPIAs) for AI projects, monitoring data processing activities, and providing guidance on best practices for data protection.

Conclusion

How AI technology will shape up in the years ahead, and what impact it could have, is still unknown. It is certain that the integration of AI technology into business operations in Thailand offers significant opportunities for innovation and growth. It also necessitates careful consideration of data privacy and compliance with the PDPA.

Collaboration in the form of open and transparent conversations between industry and regulators is essential for developing a pragmatic approach that balances regulatory compliance with fostering innovation in AI.

By adopting transparent data collection practices, implementing robust security measures, and ensuring that individuals' rights are respected, organisations can harness the power of AI while upholding the principles of data protection. Navigating the complexities of AI and the PDPA requires a proactive and informed approach, but with the right strategies, businesses can achieve a balance between technological innovation and data privacy compliance. 

Somkrit Krishnamra | Partner 

Puttida Sriwong | Senior Manager

Strategy, Risk & Transactions
Deloitte Thailand