Comparisons between European Union’s General Data Protection Regulation and Thailand’s Personal Data Protection Act

The General Data Protection Regulation (“GDPR”), which has been in effect since 25 May 2018, is designed to harmonise data privacy laws across all European Union countries and to strengthen the protection of individuals’ personal data, including the handling of data breaches. With accelerating globalisation and the increasingly data-driven nature of transactions, Thailand needed a similar regulation to conform to this global standard. Consequently, the Personal Data Protection Act B.E. 2562 (2019) (“PDPA”) was issued and came into effect on 27 May 2019; however, full enforcement of the PDPA has been postponed until 1 June 2022 due to the prolonged COVID-19 outbreak. As the GDPR can be considered the world’s strongest set of data protection rules, the PDPA largely embraces the provisions of the GDPR. There are nevertheless differences between the two laws, and the PDPA will not necessarily be interpreted in the same way as the GDPR. Business operators may therefore find it helpful to familiarise themselves with the GDPR in order to anticipate how the PDPA is likely to affect personal data processing activities in Thailand. Some comparisons between the two laws are set out below.

The GDPR’s objective is to lay down rules relating to the protection of natural persons with regard to the processing of personal data, as well as rules relating to the free movement of personal data[1]. The PDPA, on the other hand, focuses on the collection, use or disclosure of personal data[2]. Although the term ‘processing’ is clearly defined under the GDPR, there is no definition of the phrase ‘collect, use or disclose’, or of its individual terms, under the PDPA. However, the general meaning of ‘collect, use or disclose’ has a relatively broad scope in the Thai context and should cover most activities concerning personal data, in a similar manner to the term ‘processing’ under the GDPR. Both laws apply to the processing of personal data in the context of the activities of a controller or processor established in their respective territory, regardless of whether the processing itself takes place there[3]. Both laws also reach controllers and processors established outside that territory where the processing relates to offering goods or services to data subjects in the territory, or to monitoring their behaviour within it, so a foreign business with no establishment in Thailand may still fall within the PDPA.

There is a high degree of similarity in the rationale, core concepts and scope of the definitions in the GDPR and the PDPA. For instance, the definitions of ‘data controller’ and ‘data processor’ in both laws are almost the same: a data controller, in essence, determines the purposes and means of data processing, whereas a data processor processes personal data on behalf of the data controller. However, the GDPR’s definition of ‘data controller’ (which determines the purposes and means ‘alone or jointly with others’) makes it clear that the concept of joint controllers exists, while that concept is not clearly specified under the PDPA. Moreover, the GDPR clarifies that a data subject is ‘an identified or identifiable natural person’[4], whereas the PDPA does not define ‘data subject’; the term is nonetheless not difficult to grasp from the context of the legal definition of ‘personal data’.

In addition, the GDPR and the PDPA both indicate which types of data are considered sensitive data requiring greater protection than general personal data. The GDPR establishes special categories of personal data[5], while the PDPA provides for categories of data whose collection requires the explicit consent of the data subject[6]. In essence, the data requiring explicit consent and special care under the GDPR and the PDPA are the same, except that the PDPA empowers the relevant authority (the Personal Data Protection Committee (“PDPC”)) to designate additional categories of sensitive data in the future if it considers that such data would affect the data subject in the same manner as the categories currently listed in the PDPA.

The GDPR and the PDPA both define the term ‘personal data’[7], although the GDPR’s definition is more detailed than the PDPA’s. The GDPR also specifically provides that it does not apply to anonymised data, i.e. data that can no longer be used to identify the data subject[8]. Under the PDPA, it follows from the legal definition of ‘personal data’ that anonymised data is likewise not personal data; consistently with this, the PDPA gives the data subject the right to request that personal data be erased or anonymised[9], and data so anonymised falls outside the Act’s application.

With respect to the legal basis for processing personal data, the GDPR and the PDPA require similar legal bases. The GDPR contains six legal bases for processing: consent; performance of a contract; legitimate interests; protection of vital interests; compliance with a legal obligation; and performance of a task carried out in the public interest. The same applies under the PDPA, except that the PDPA expressly adds one more basis, namely the preparation of historical documents or archives for the public interest, or research or statistics.[10] It should be noted, however, that consent plays the dominant role under the PDPA, while the other bases are framed as ‘exemptions’ under which the data subject’s consent is not required. Furthermore, the exemptions from consent for sensitive data under the GDPR and the PDPA are in essence the same; as stated above, they are narrower than, and different from, those for general personal data.

Both the GDPR and the PDPA oblige data controllers and data processors to keep records of their processing activities. However, the GDPR specifies the information that controllers and processors must record, while the PDPA has not yet established such a list; the rules and methods for the records under the PDPA are pending further notification by the PDPC[11]. The GDPR and the PDPA also require certain categories of data controllers and data processors, including their representatives, to designate a Data Protection Officer (“DPO”), and both laws set out the nature and scope of the DPO’s tasks. Taking the category of ‘public authority or body’ alone, the critical difference is that under the GDPR a DPO must be appointed whenever the processing is carried out by a public authority or body[12], whereas under the PDPA the list of public authorities or bodies that must appoint a DPO is pending a supplemental notification of the PDPC[13].

The rights of individuals over their personal data that the GDPR and the PDPA have in common are the rights to be informed, of access, to rectification, to erasure, to restriction of processing, to data portability and to object. Nevertheless, the GDPR has an additional provision on the right of data subjects to be informed of the existence of automated decision-making[14] (a decision made solely by automated means without any human involvement), including profiling (automated processing of personal data to evaluate certain aspects of an individual), whereas the PDPA does not address such a right in relation to automated decision-making and profiling. From public hearings, however, it is likely that the PDPA will also embrace these two rights through subordinate legislation to be issued. It is important to note that this issue has not yet been officially settled, and the details will only be known once the relevant subsidiary legislation is officially published in the Royal Gazette.

Regarding data transfers, both the GDPR and the PDPA provide restrictions on, and exceptions to, the cross-border transfer of personal data to a third country or international organisation. Such a transfer must be made on a legitimate ground or to a destination with an adequate level of data protection as determined by the relevant authority. To transfer personal data from a European Union country to a third country, that third country must have been declared to offer adequate protection by a European Commission decision (“Adequacy Decision”); a transfer to such a country is treated like a transmission of data within the European Union. In the absence of an Adequacy Decision, the transfer can take place on the basis of appropriate safeguards, on the condition that enforceable data subject rights and effective legal remedies are available to individuals. One such safeguard, which does not require any specific authorisation from a supervisory authority, is binding corporate rules. Finally, where the transfer is not covered by an Adequacy Decision and appropriate safeguards are absent, the transfer may only proceed on the basis of a derogation, such as the data subject’s explicit consent given after having been informed of the possible risks of the transfer.[15] The same concepts are also embraced by the PDPA.
However, Thailand is still in the process of establishing the sub-regulations to be issued under the PDPA in this area. These include: the list of foreign destination countries considered to have an adequate data protection standard; the criteria for assessing whether a particular destination country has an adequate standard; the scope of the affiliated companies of a Thai data controller or data processor that may rely on a personal data protection policy approved by the PDPC; and the criteria for such a policy to implement rights and obligations effectively and clearly (the counterpart of binding corporate rules under the GDPR). Transfers made under an approved policy are exempt from the requirement that the destination country or international organisation have an adequate data protection standard.[16]

Finally, whilst both the GDPR and the PDPA clearly provide for administrative penalties in case of non-compliance[17], the PDPA also contains criminal and civil liabilities. Violations of the PDPA can result in criminal liability, with imprisonment of up to one year[18], and the director of a juristic person may also be penalised[19]. Although the GDPR does not itself provide for criminal liability, it requires Member States of the European Union (“Member States”) to lay down rules on other penalties applicable to infringements of the GDPR, in particular infringements not subject to administrative fines, and to take all necessary measures to ensure that those rules are implemented. Whether criminal liability attaches therefore depends on each Member State. As for compensation and punitive damages as civil liabilities, the GDPR does not set a maximum amount of compensation that a competent court may award, and leaves it to Member States to choose appropriate remedies, including whether to provide for punitive damages. The PDPA, by contrast, expressly authorises a competent court to award punitive damages at its discretion of up to double the actual damages.[20]

In summary, the GDPR generally contains more detail than the PDPA. The GDPR took effect on 25 May 2018 and was preceded by other personal data protection legislation (notably the Data Protection Directive 95/46/EC), so there is a substantial body of case law and guidance to assist with compliance. The PDPA, issued on 27 May 2019, will come into full force in Thailand on 1 June 2022, and many of its details are still to be announced in subsidiary legislation pending official publication in the Royal Gazette. Given that full enforcement is imminent, the business sector in Thailand should begin the preparations necessary for it.

This article is intended merely to provide a regulatory overview; it is not comprehensive and does not constitute legal advice. Should you have any questions on this or on other areas of law, please do not hesitate to contact:

Chanakarn Boonyasith
Partner

Pimsiri Harnpanicharoen
Attorney-at-Law 

Maychaya Phoraksa
Attorney-at-Law   


[1] Article 1 of the GDPR

[2] Section 5 of the PDPA

[3] Article 3 of the GDPR and Section 5 of the PDPA

[4] Article 4 (1) of the GDPR

[5] Article 9 of the GDPR

[6] Section 26 of the PDPA

[7] “Personal data” under Article 4(1) of the GDPR means “any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.” Under Section 6 of the PDPA, by contrast, it means any information relating to a person which enables the identification of such person, whether directly or indirectly, but specifically excluding information about deceased persons.

[8] Recital 26 of the GDPR

[9] Section 33 of the PDPA

[10] Section 24(1) of the PDPA

[11] Article 30 of the GDPR; and Sections 39 and 40(3) of the PDPA

[12] Article 37 of the GDPR

[13] Section 41(1) of the PDPA

[14] Articles 22 and 4(4) of the GDPR

[15] Articles 44-50 of the GDPR

[16] Sections 28 and 29 of the PDPA

[17] Article 83 of the GDPR and Sections 82-90 of the PDPA

[18] Sections 80 and 81 of the PDPA

[19] Section 81 of the PDPA

[20] Sections 77 and 78 of the PDPA