21 ASIAN LEGAL BUSINESS – MAY 2024 WWW.LEGALBUSINESSONLINE.COM

a data importer designed to facilitate the safe transfer of personal data without requiring explicit approval from regulatory authorities.

The PDPC notification requires SCC to comply with the three BCR criteria above together with some additional requirements, say Pranat and Suphakorn. Firstly, the processing must comply with the personal data protection law. Secondly, specific requirements apply depending on whether the data recipient is a data processor or a data controller. Furthermore, the appropriate safeguards must be legally enforceable, binding upon the related parties, and ensure the rights of data subjects.

“In any case, the subordinate regulation recognises two models of SCC - the ASEAN Model Contractual Clauses for Cross Border Data Flows, and the GDPR SCC - as appropriate safeguards in order to align with international practices,” add Pranat and Suphakorn.

ENFORCEMENT CHALLENGES

As Thailand has upped the ante in safeguarding data privacy and cracked down on insecure cross-border data transfers, businesses are expected to operate in a safer digital environment with the reassurance of enforceable legal remedies. However, lawyers believe the absence of the so-called whitelist and the lack of any adequacy decisions regarding destination countries have forced business operators to take up the arduous task of evaluating the adequacy of their personal data protection measures themselves. The uncertain timeline of further PDPC announcements adds to the complication.

“In this scenario, operators must assume the associated risks themselves,” say Pranat and Suphakorn. “Under such circumstances, appropriate alternative safeguards, such as BCR and SCC, may prove to be more practical options for operators requiring cross-border transfers of personal data. These safeguards can help mitigate risks and ensure compliance with data protection regulations in the absence of recognized adequacy decisions or a whitelist.”

Failure to comply with the requirements and obligations under any sub-regulations issued under the PDPA could result in the penalties specified under the PDPA. The maximum fine of 5 million baht ($135,750) applies specifically to cases involving cross-border transfers of sensitive personal data, while the maximum fine for other cases is 3 million baht. This is because, in cases involving cross-border transfers, enforcement may be more challenging given the difficulty of compelling compliance from data recipients located outside Thailand. However, “when determining whether to impose an administrative fine, the relevant authority considers factors such as the severity and circumstances of the case, including the extent of damage to data subjects, the value of damages, fines historically imposed in similar cases, and the method of remedy,” note Pranat and Suphakorn.

BROUGHT TO YOU BY CHANDLER MHM

Choices Surrounding Personal Data Breach Notification

The Personal Data Protection Act B.E. 2562 (“PDPA”) mandates prompt notification to the authority and/or affected data subjects in the event of a data breach. Despite this requirement, many operators have historically hesitated to report breaches for fear of exposing potential non-compliance with the PDPA. However, it is noteworthy that breaches are often brought to light by data subjects, who may take to social media to share their experiences or approach the authority directly without consulting the operator first. This heightened and abrupt visibility can attract the attention of the authority and the public, potentially damaging the operator’s reputation and increasing the risks of non-compliance. Although the authority has not yet imposed any penalties on operators, this period of leniency is coming to an end.

On the other hand, proactive reporting to the authority can lead to more favorable outcomes. The authority may request evidence demonstrating that the operator has taken reasonable steps to mitigate the risks, potentially avoiding further punitive action. Therefore, unless operators can definitively conclude that there is no risk to any data subjects, it is advisable for them to promptly notify the authority upon discovering the unfortunate occurrence. Furthermore, operators are advised to have the necessary documents in place, as a lack of proper documentation may be discovered by the authority upon reporting.

Data breaches can be caused not only by hackers but also by human error and natural disasters. The rule of thumb is that, regardless of the cause, prompt notification to the authority and affected data subjects must be considered. If deemed necessary, operators must report the incident to the authority within 72 hours. To expedite this process, it is crucial to educate employees about data breaches and establish clear protocols for reporting incidents. Some operators have implemented internal data breach notification forms to ensure that employees can report incidents promptly and with sufficient detail. Additionally, simulating breach scenarios through workflow exercises can help prepare operators for swift and effective responses.

Lastly, a common question is whether to report right away upon discovery or to wait for more information and report at a later date. The answer is that if there is a probability that personal data has been accessed, prompt notification must be undertaken to avoid any risks involving the authority.

In conclusion, operators should prioritize preparedness over fear of reporting. Timely and transparent reporting not only aligns with legal obligations but also minimizes the potential damage from breaches.

1 - Pranat Laohapairoj, Partner, E: pranat.l@mhm-global.com
2 - Suphakorn Chueabunchai, Senior Associate, E: suphakorn.c@mhm-global.com
Chandler MHM, W: www.chandlermhm.com