NBTC Uplifted Personal Data Protection for Telco Users
Since the Personal Data Protection Act B.E. 2562 (2019) (“PDPA”) has been in effect for more than a year, several authorities, including the National Broadcasting and Telecommunications Commission (“NBTC”), have attempted to establish and implement policies in order to comply with the PDPA. Previously, the Notification of the National Telecommunications Commission on Protecting User Rights Regarding Personal Data, Privacy, and Freedom of Communication through Telecommunications Service, which became effective on 16 August B.E. 2549 (2006) (“Original Notification”), set out measures to protect user rights in telecommunications services. However, in order to (1) protect the rights of telecommunications service users while operating in parallel with the use of personal data, (2) modernize and improve the user rights protection measures, and (3) fully and accurately comply with and implement the PDPA, the NBTC has considered it appropriate to amend the Original Notification by drafting the Notification of the National Telecommunications Commission on Protecting User Rights Regarding Personal Data, Rights to Privacy, and Freedom of Communication through Telecommunications Service (“Notification”). This Notification was approved at meeting no. 13/2566 on 14 June 2023. It will be published in the Royal Gazette and shall be effective on the following announcement date, at which point the Original Notification shall be replaced.
Examples of the key contents that have been amended are as follows:
- Some terms and definitions have been amended, such as “Personal data of user”, “Service Provider”, “User” and “Collection”.
- Although the Original Notification already covered consent, this Notification specifies more details, such as (1) the service provider’s obligation to specify the purpose of collecting or processing personal data prior to or at the time of obtaining consent, (2) the consent must be given in writing or by electronic means, and (3) the consent request must be made in a clear sentence that is not open to misunderstanding and must be separate from the main agreement.
- In addition to the sensitive personal data specified in the Original Notification, such as (1) disabilities and (2) hereditary characteristics, this Notification incorporates Section 26 of the PDPA in order to determine what constitutes sensitive personal data.
- Personal data relating to the use and provision of services for the previous 90 days must be retained. This can be extended to two years on a reasonable basis, such as legitimate interest.
- In addition to the written method specified in the Original Notification for exercising rights under the PDPA, the Notification provides that the user, as a data subject, may exercise those rights through electronic means. If the service provider fails to comply with a request to exercise rights within 15 days, the user may notify the NBTC in writing to demand that the service provider do so. Please note that the service provider must authenticate and verify the user before the aforementioned rights are exercised.
- Provisions requiring service providers to inform the NBTC of a data breach incident within 72 hours, in accordance with the PDPA, have been added.
- Service providers (licensees) must prepare proper measures to protect users’ rights regarding personal data, the right to privacy, and freedom of communication through telecommunications, meeting the minimum requirements of this Notification and the PDPA. The measures must be prepared in Thai and in the other languages in which the license holder conducts marketing, and must be sent to the Secretary of the NBTC for further consideration and verification according to NBTC criteria.
- Requirements on the cross-border transfer of data under Sections 28 and 29 of the PDPA have been added, with which the service provider must comply.
The NBTC further declared that all of these revisions had been adapted to the present digital economy, which includes every business engaged in communication, and that this Notification will provide consumers with assurances about the protection of their personal data as well as efficient and fair service. License holders must acknowledge this Notification in order to prepare for compliance, as personal data protection is a critical issue at the moment, and failure to comply with this Notification may result in the suspension or revocation of NBTC licenses.