By

Attorneys Naytiwut Jamallsawat & John Formichella

Background

The Thai Cabinet, on May 19, 2020, approved a Royal Decree on Organizations and Businesses which shall be exempted from compliance with the Personal Data Protection Act B.E. 2562 (2019) (“Royal Decree“) to delay the enforcement date of the Personal Data Protection Act B.E. 2562 (2019) (“PDPA“). The Royal Decree has been published in the Royal Gazette on May 21, 2020 and will be effective from May 27,2020 to May 31, 2021. It provides exemptions to data controllers listed under the Royal Decree to certain chapters and section under the PDPA which include:

–          Chapter 2 (data controllers’ obligations relating to the use, collection, and disclosure of personal data, privacy notices, consent requirements, exemptions and cross-border of data privacy);

–          Chapter 3 (data subject rights, data protection officer and record of processing);

–          Chapter 5 (complaints and administrative punishments);

–          Chapter 6 (civil penalties and punitive damages);

–          Chapter 7 (criminal liabilities and administrative punishments); and

–          Section 95 (transitional matter).

Data controllers who shall obtain the exemptions under the Royal Decree are as follows:

1)      Government authorities;

2)      Foreign public authorities and international organizations;

3)      Foundations, associations, religious organizations, and non-profit organizations;

4)      Agricultural businesses;

5)      Industrial businesses;

6)      Commercial businesses;

7)      Medical and public health businesses;

8)      Energy, steam, water and waste disposal businesses, including their related business;

9)      Construction businesses;

10)  Repair and maintenance businesses;

11)  Transportation, logistic, and warehouse business;

12)  Tourist businesses;

13)  Communication, telecommunication, computer, and digital businesses;

14)  Financial, banking and insurance business;

15)  Real estate businesses;

16)  Professional businesses;

17)  Management and support services business;

18)  Scientific and technological, academic social welfare and artistic businesses;

19)  Educational businesses;

20)  Entertainment and recreational businesses;

21)  Security business; and

22)  Household and community enterprise businesses whose activities cannot be clearly classified.

If there is any question as to whether particular organizations or businesses are fallen under the above list, the Personal Data Protection Committee (PDPC) shall consider and render its final decision at its sole discretion.

The main reason as specified in the Royal Decree is to provide more time for the business operators, which shall be regarded as data controllers by the PDPA, to prepare themselves to be fully compliant with the PDPA. The Royal Decree further specifies that business operators, including private and government sectors, are not ready to be in compliance with the PDPA. This was mainly due to requests from the private sector filed with the government indicating problems with the economy and within their organizations, such as the economic impact and other restrictions due to Covid-19 situation.

The extension is not to be interpreted that the Government of Thailand is relaxing its readiness to implement the PDPA. An essential action by the Thai government is that the PDPC committee has been appointed and will start the process of formulating regulations and an enforcement culture surrounding the PDPA.  The list of the PDPC members approved by the Cabinet as announced by the government’s spokesperson on 19 May 2020 are as follows (note that this list is not official until published in The Government Gazette):

1)      The Chairman: Mr. Thienchai Na Nakorn

Professor of faculty of law, Sukhothai Thammatirat Open University

Former Constitution Drafting Committee (CDC)

Former senior member of various committees (e.g. Committee of Official Information Commission, Committee of National Institute of Educational Testing Service (NIETS) and secretary-general of Political Development Council).

2)      Senior committee (personal data protection): Mr. Nawanan Theera-Ampornpunt

Technocrat on health informatics;

Deputy dean on practitioner level of faculty of medicine, Ramathibodi Hospital.

3)      Senior committee (consumer protection): Pol.Lt.Col Thienrath Vichiensan

Senior committee of Official Information Commission;

Former chief of inspector of Prime Minister Office;

Director of the Official Information Commission.

4)      Senior Committee (Information and communication technology): Mr. Pansak Siriruchatapong

Former Vice Minister of Ministry of Digital Economy and Society;

Former director of National Electronics and Computer Technology Center (NECTEC)

5)      Senior committee (social science): Asst. Prof. Tossapon Tassanakunlapan

Professor and researcher of faculty of law, Chiang Mai University

6)      Senior committee (legal): Ms. Thitirat Thipsamritkul

Teacher of faculty of law, Thammasat University

7)      Senior committee (legal): Prof. Supalak Pinitpuvadol

Professor of faculty of law, Chulalongkorn University

8)      Senior committee (health): Prof. Prasit Watanapa

Dean of faculty of medicine, Siriraj Hospital

9)      Senior Committee (finance): Ms. Ruenvadee Suwanmongkol

Secretary-general of the Securities and Exchange Commission

10)  Senior Committee (Government Information Management): Mrs. Methinee Thepmanee

Former secretary-general, Office of the Civil Service Commission (OCSC);

Former permanent secretary, Ministry of Information and Communication Technology (ICT).

In addition to the abovementioned members, please note that the PDPA requires that the PDPC must appoint permanent secretary of the MDES as the vice-president of the PDPC, together with 5 additional board members which include (i) the permanent secretary of the Prime Minister Office, (ii) the secretary-general of the juridical council, (iii) the secretary-general of the office of consumer protection board, (iv) the director-general of the Rights and Liberties Protection Department, and (v) the attorney-general. Please note that as of the writing of this article 27 May 2020, the official list of the PDPC members are not yet published in The Government Gazette.

The above is for general information purposes only and should not be relied upon as legal advice.

Posted by John P. Formichella

John P. Formichella is a US trained attorney and a leading expert in the Tech-Media-Telecoms (TMT) sector in East and Southeast Asia. He has 23 years’ sophisticated technology transaction experience (5 in Taiwan, 18 in Thailand), covering technology development and licensing projects, data privacy issues, infrastructure and business process outsourcings, systems integrations, ERP implementations, cloud computing and web hosting arrangements, data center and co-location agreements, and telecommunications procurements. John represents some of the largest software and telecommunications companies in the US, Europe and Japan with regard to their affairs in Thailand. His jurisdiction experience covers Thailand, Taiwan, India, Vietnam, Hong Kong and Laos, and his practice areas include corporate, regulatory compliance, labour & employment and energy. John has practiced with the firm for the past 14 years. Prior to joining BRS, he was an attorney at Minter Ellison practicing out of the firm’s Bangkok offices in its Corporate practice group. Prior to joining Minter Ellison, he was Vice President/General Counsel of Wherever.net Holding Corporation (a NASDAQ-listed telecoms company based in Hong Kong). Prior to joining Wherever.net, he was an associate for East West International Law Offices in Taipei, Taiwan from 1996 to 1999. John graduated from the State University of New York (University of Buffalo) earning Bachelor of Arts and Master of Arts (Economics) degrees, and a Juris Doctorate. He also studied at the Chulalongkorn University Faculty of Law in Bangkok. John is admitted to practice law in Washington, D.C. and is a member of the District of Columbia Bar Association. He has served as Chairman of the Information & Communications Technology Committee at the American Chamber of Commerce in Thailand since January 2013. He is also the exclusive member for TMT and Corporate Law in Thailand of IR GLOBAL, which is ranked by Chambers & Partners in its global-wide list of “Leading Law Firm Networks” and listed by The Legal 500. He has been ranked in Chambers & Partners’ Asia-Pacific client guide since 2014 and in The Legal 500 Asia-Pacific client guide since 2013. He is also recognized as an expert in Telecommunications Law by Who’s Who Legal. John’s publications include the Comparative Law Yearbook of International Business (Vol. 40A), a Special Issue examining recent developments in regulatory compliance and their impact on business operations in select jurisdictions, to which John contributed a chapter on Thailand, and Getting the Deal Through: Telecoms & Media (2017-19), a key legal industry publication that provides a comprehensive overview of the regulatory environment of the telecoms & media sectors in the world’s major jurisdictions. John was pleased to contribute as jurisdiction author for Thailand.

Leave a Reply