ALB MAY 2024 (ASIA EDITION)

THAILAND

NEW DATA, NEW RULES

Thailand is one of the countries in Southeast Asia most prone to cyber vulnerabilities and data breaches. To combat that, the authorities in the past year released two subordinate regulations concerning the transfer of personal data across borders under the Personal Data Protection Act (PDPA). Lawyers in Thailand unpack the new rules and outline what businesses are required to do.

BY SARAH WONG

Thailand has been quickly catching up with Southeast Asia’s brisk pace in enhancing data protection as cross-border activities increase and cyber security threats loom larger. And companies doing business in the second-largest ASEAN economy are staring at increasingly severe punishment for noncompliance.

In June 2022, the Personal Data Protection Act (PDPA) - Thailand’s first consolidated data protection law - came into full effect after being postponed twice due to the COVID pandemic. Since then, Thailand has been actively refining its approach to safeguarding personal data and securing cross-border transfers, with an emphasis on transparency and consent.

“In general, the transfer of personal data outside Thailand typically requires obtaining consent, unless the destination country has adequate personal data protection measures (known as ‘adequate country’), the transfer qualifies under specific exemptions, or appropriate safeguards are in place,” explain Pranat Laohapairoj, partner, and Suphakorn Chueabuncha, senior associate, at Thai law firm Chandler MHM.

However, it could be a nuisance for companies to secure permission for international data transfers during their regular activities. Business operations are subject to disruptions if consent cannot be obtained. All this has made it essential to explore alternative approaches.

In December last year, the country’s Personal Data Protection Committee (PDPC) issued two subordinate regulations to address essential aspects of the cross-border transfer of personal data. The two notifications have been in effect since March.

“After a long period during which a loophole in cross-border transfer requirements existed, some operators opted to manage risks by engaging in offshore transfers without seeking exemptions,” Pranat and Suphakorn point out.

“These regulations provide operators with guidance on how to navigate cross-border data transfers under the PDPA, allowing for transfers with fewer statutory hurdles while ensuring compliance with data protection requirements and facilitating international business activities,” they add.

NEW SAFEGUARDS

The first notification sets out two criteria for classifying whether a destination country or organisation is “adequate” in offering personal data safeguards.

To satisfy the “adequacy” test, there needs to be data protection law or regulations in place in the destination country or organisation that align with or exceed the standards of the PDPA. Those include obligations assigned to data controllers to put in place security measures to protect the rights of data subjects, with enforceable legal instruments in the case of breaches.

The second criterion is whether the country under consideration for adequacy has a proper authority or organisation to enforce its regulations.

Pranat and Suphakorn tell ALB that this notification imposes a self-assessment requirement on business operators, according to a PDPC member.

“Operators must assess whether the destination country meets the adequacy criteria, assuming the associated risks themselves. Alternatively, in uncertain cases, operators may request the PDPC to make a decision on a case-by-case basis (referred to as an ‘adequacy decision’),” say Pranat and Suphakorn. They add that the PDPC may publish a list of countries deemed adequate, known as a “whitelist”, which has yet to come into existence.

The second notification deals with data transfers to destination countries that are neither seen as adequate under the PDPA nor qualify for any derogations stipulated in the law. In this case, business operators are required to ensure a set of appropriate safeguards, which include implementing Binding Corporate Rules (BCR).

“In this regard, the BCR must be certified by the PDPC office based on the following three criteria: the legal effectiveness and enforceability of such BCR; clauses that recognise personal data protection, data subject’s rights, and mechanisms for lodging complaints; and appropriate security measures that are in compliance with the minimum requirements prescribed by PDPA,” note Pranat and Suphakorn.

In addition, operators can utilise Standard Contractual Clauses (SCC) for cross-border transfers, which is an agreement between a data exporter and
