The Cabinet has approved in principle the draft of new data-protection legislation, following inthe footsteps of the European Union (EU), whose General Data Protection Regulation (GDPR) law comes into effect today. The National Legislative Assembly is expected to enact the Thai bill later this year.
Its key features are definitions of both direct and indirect personal data and the rights of data owners to access their information, as well as to stop the use of that data and to delete it.
In the event of a data breach, the owners must be immediately notified and reports must be filed with the national data-protection commission, which will be in charge of remedial measures. In addition, data owners must be asked to give explicit consent before their information can be stored or used for any specific purpose.
As for data controllers, their responsibility is to ensure that storage and use of personal data are done with full and proper consent from the owners and that personal data are deleted after a specific time period.
The bill requires data processors, meanwhile, to comply with rules and regulations on storage and use of personal data, while ensuring there are appropriate security precautions in place.
In preparation for enforcement of the proposed law, the Ministry of Digital Economy and Society has assigned the Electronic Trans-actions Development Agency to set up a knowledge centre on issues concerning personal data security and protection.
The new unit is called the Data Protection Knowledge Centre (DPKC).
The educational effort is crucial, given that Thailand now has more than 100 million mobile numbers. The users’ devices contain a massive amount of personal data that is vulnerable to abuse by cyber-criminals and unscrupulous businesspeople. In addition, Thai consumers must be informed of their rights regarding their own personal data, which are now routinely stored and used by many businesses, from mobile phone operators to hotels, airlines and hospitals.
As the country moves ahead with its digital economy and society platforms, data protection will undoubtedly become more and more important, especially in view of the EU enforcement of its GDPR law beyond its own territory.
Thailand and other countries around the world are all affected by the EU law, which carries hefty penalties on intentional violators, including fines amounting to a maximum of 20 million euros (Bt750 million) or up to 4 per cent of a company’s global revenues, whichever is greater.
With the Thai version of the data-protection legislation, the country and its people will stay up to date as far as the international legal framework on this issue is concerned. Unless the Thai bill is quickly enacted, there will be room for the EU to take punitive actions against Thailand in the near future, especially when EU citizens’ rights are infringed upon due to the absence of a proper legal framework on data protection in Thailand.
In addition, Thailand needs to set up an independent commission on data protection to ensure that citizens’ rights are also properly safeguarded.
The commission will have to work with the Data Protection Knowledge Centre to boost public awareness on this issue.
Published : May 24, 2018
By : The Nation