Personal Data Protection Laws Update: Thailand’s New Decree on the criteria, type and organisations that are exempt from certain obligations under the Personal Data Protection Act B.E. 2562 (2019); B.E. 2566 (2023)

Section 4 of the Personal Data Protection Act B.E. 2562 (2019) (the “PDPA”) provides exemptions to which the PDPA shall not be applied, such as an activity for personal benefit or activities operated by the relevant authorities for public security or financial security, mass media or public interest, etc. Said Section 4 also rules that some organisations may be exempt from certain obligations under the PDPA by promulgation in the form of a royal decree.

Since the issuance of the PDPA in 2019, there was a royal decree promulgated in 2020 to exempt data controllers from obligations under the PDPA, due to the fact that the personal data protection laws are complicated and rely on several technological measures, which most data controllers may not be able to perform or be obligated at that time. Said royal decree expired on 31 May 2022 and therefore, on 17 August 2023, the Royal Decree on the criteria, type and organisations that are exempt from certain obligations under the Personal Data Protection Act B.E. 2562 (2019): B.E. 2566 (2023) (“Royal Decree”) was published in the official royal gazette. The Royal Decree provides some exemptions to data controllers from certain obligations under the PDPA, and shall be in full effect after 150 days from its publication date in the royal gazette, or 14 January 2024.

The Royal Decree exempts obligations of the data controller regarding the collection, use or disclosure of personal data under the PDPA when requested to provide by the listed authority. Nevertheless, they still need to comply with other relevant laws. The criteria for being exempt, such as the request for personal data under this Royal Decree, must be for public interest in accordance with the purpose and scope provided by the laws that empower such authority. The authority shall state which law empowers them to request such personal data. Any act that is contrary to the Royal Decree shall not be exempt from the civil or criminal liability. Lastly, the exempted data controllers are still required to provide security measures to ensure that the exemption does not unreasonably affect the personal data protection principle.

In summary, a data controller, when receiving a request to provide personal data from the following authorities, may be exempt from certain obligations or duties under the PDPA:

• National Anti-Corruption Commission, or any assigned authorities with the power to collect personal data for the purpose of anti-corruption activities (Section 6);
• Department of Revenue, Customs Department, Excise Department or any authorities empowered by the laws to request personal data for carrying out the purpose or task in their responsibility, in connection with tax/official fee/duty collection, including the implementation of international cooperation in relation to the said tasks (Section 7);
• Local administrations, as listed by the Committee, for the purpose of collecting land and building taxes (Section 8);
• The Secretariat of the Cabinet, executing the royal prerogative of the monarch to appoint or remove government officials, a person or persons which is in the king power or to submit to the Cabinet; and other request for royal mercy (Section 9);
• Any authorities empowered by the laws to request personal data for carrying out a legitimate purpose or task in connection with public interest, as listed by the Committee (Section 10). The Committee may issue sub-regulations on the criteria and method for the authorities to comply with for the protection of the basic rights and interests of the data subject; and
• Any collection, use or disclosure in accordance with deportation, extradition, international cooperation on criminal justice, prevention and suppression of involvement in transnational organised crime, or other judicial cooperation or international justice (Section 11).

A data controller, when requested by the above authorities, shall be exempt from the obligations under Chapter 2 (Personal Data Protection) and 3 (Rights of the Data Subject) of the PDPA. In some scenarios (except anti-corruption activities under Section 6 and justice activities under Section 11), a data subject may have the right to know which personal data about themselves as collected by the data controller, as well as the right to request the data controller to correct and update their personal data.

In the same way, the Authority which are the data collectors, when performing activities listed under the Royal Decree, shall also be exempt from obligations under Chapters 2 and 3 of the PDPA. The Committee may issue sub-regulations on the criteria and method that the authorities must comply with for the protection of the basic rights and interests of the data subject (Section 12).

For the interest of personal data protection, the Committee is obligated to issue a guideline on security measures for a data controller to comply with within 120 days from the date of publication of the Royal Decree. However, said guideline will not be in force before enactment of the Royal Decree, i.e. 14 January 2024 (Section 14). As and when we receive any developments regarding the issuance of this guideline, we will promptly publish such accordingly. 

The issuance of this Royal Decree appears to be an attempt by the authority to find a balance between personal data protection and specific public interest which the same can raise concerns about personal data protection. Their provision for specific public interest is therefore reasonably understandable. Nevertheless, a transparency oversight and clear sub-regulations, including guidelines to be issued in the near future, will be necessary to ensure that these exemptions are utilised responsibly and that individuals' rights and data are adequately protected.

This is intended merely to provide a regulatory overview and not to be comprehensive, nor to provide legal advice. Should you have any questions on this matter, please do not hesitate to contact our Personal Data Protection team at pdpa_bkk@eml.nishimura.com, and our team would be pleased to assist.

Reference
1. The Royal Decree on the criteria, type or organisations that are exempt from the Personal Data Protection Act (Thai): 7220-พระราชกฤษฎีกากำหนดลักษณะ-กิจการ-หรือหน่วยงานที่ได้รับการยกเว้นไม่ให้นำพระราชบัญญัติคุ้มครองข้อมูลส่วนบุคคล-พ-ศ--๒๕๖๒-บางส่วนมาใช้บังคับ-พ-ศ--๒๕๖๖ (mdes.go.th)

Authors