Tag: Data Controller

on by

Thailand Approves Draft Royal Decree on Inter-Agency Personal Data Sharing

On 5 May 2026, the Thai Cabinet approved in principle the Draft Royal Decree on the Disclosure of Personal Data under the Control of State Agencies to Other State Agencies (B.E. .…) (the “Draft Royal Decree”), as proposed by the Office of the Council of State.

The Draft Royal Decree represents a significant development in Thailand’s digital government agenda and is expected to substantially expand the capacity of state agencies to exchange and process personal data across the public sector.

The measure seeks to establish a centralized legal framework for inter-agency data sharing in support of more integrated and efficient public administration. It also forms part of Thailand’s broader transition toward a digital and data-driven government, with the stated aims of strengthening welfare systems, improving regulatory coordination, and streamlining public services.

Background and Policy Objectives

Historically, personal data held by Thai government agencies has remained fragmented across separate authorities and databases. This fragmentation has frequently resulted in duplicated procedures, inconsistent records, delays in public service delivery, and constraints on data-driven policymaking.

The Draft Royal Decree seeks to address these challenges by requiring state agencies to disclose relevant personal data to other government agencies upon request, where such disclosure serves public administration purposes. The stated objective is to facilitate more effective governance while reducing administrative burdens on citizens and businesses.

The Draft Royal Decree also seeks to balance greater data accessibility with robust safeguards relating to confidentiality, cybersecurity, and data protection compliance.

Key Provisions of the Draft Royal Decree

1. Mandatory Disclosure Between State Agencies

Under the Draft Royal Decree, state agencies would be required to disclose personal data under their control to other state agencies upon request. The proposed framework is intended to facilitate:

  • inter-agency data linkage;
  • integrated digital government services;
  • more efficient welfare administration; and
  • evidence-based policymaking.

This would represent a material departure from the current framework, under which data sharing between agencies is often limited, fragmented, or governed by sector-specific regulations.

2. Restrictions on Further Disclosure

The Draft Royal Decree imposes obligations on receiving agencies to safeguard any personal data disclosed to them. In particular, receiving agencies must:

  • maintain the confidentiality of the disclosed data; and
  • refrain from disclosing such data to external parties, whether public or private.

These requirements are designed to establish a controlled framework governing the circulation of personal data within the public sector.

3. Security and Cybersecurity Compliance

The handling and protection of shared data must comply with:

  • criteria prescribed by the Official Information Commission (“OIC”); and
  • applicable cybersecurity standards.

The inclusion of cybersecurity obligations reflects growing regulatory concern regarding unauthorized access, data breaches, and the risks associated with large-scale government data integration.

Interaction with Thailand’s PDPA

One of the most significant legal implications of the Draft Royal Decree lies in its interaction with the Personal Data Protection Act B.E. 2562 (2019) (“PDPA”). The Draft Royal Decree appears intended to qualify as “other law” within the meaning of Section 21(2) of the PDPA. If enacted, this would permit state agencies to process personal data for purposes beyond those originally notified to data subjects, provided that such processing is authorized under the Royal Decree.

In practice, this may operate as a statutory exception to the PDPA’s purpose limitation principle in the context of inter-agency data sharing within the public sector, thereby granting state agencies broader authority to reuse, exchange, and integrate personal data where necessary for public administration and service delivery.

Expected Impact

The Draft Royal Decree is expected to advance Thailand’s transition toward a more integrated digital government by:

  • reducing duplication across government databases;
  • streamlining administrative procedures;
  • improving access to public services;
  • enhancing transparency and regulatory oversight;
  • supporting anti-corruption initiatives; and
  • enabling more effective monitoring of informal economic activity.

For businesses and individual citizens, the proposed framework may reduce the need for repetitive document submissions and administrative formalities when dealing with government authorities.

At the same time, the expanded ability of state agencies to access and process personal data is likely to attract increased scrutiny with respect to proportionality, data governance standards, inter-agency oversight mechanisms, and the adequacy of cybersecurity safeguards.

The Draft Royal Decree may accordingly prove to be a defining development in Thailand’s evolving public-sector data governance landscape, particularly as government agencies continue to expand their digital infrastructure and interconnected service delivery capabilities.

Key Takeaways

  • Thailand is advancing toward a mandatory inter-agency data sharing framework within the public sector.
  • State agencies may be legally required to disclose personal data to other government authorities upon request.
  • Receiving agencies must maintain confidentiality and comply with applicable cybersecurity and data protection standards.
  • The Draft Royal Decree may operate as an “other law” exception under the PDPA, permitting broader processing of personal data by state agencies.
  • The proposed framework forms part of Thailand’s broader digital government strategy, aimed at improving administrative efficiency, regulatory coordination, and public service delivery.

Author: Panisa Suwanmatajarn, Managing Partner.

Other Articles

on by

Medical Data: Balancing Privacy and Legal Needs in Inheritance and Liability Cases

In Thailand, the disclosure of medical records involves a delicate balance between protecting patient privacy and enabling access for legitimate purposes, such as legal proceedings. A landmark 2025 ruling by the Official Information Board’s Appeal Committee (Social Affairs, Public Administration, and Law Enforcement Branch) illustrates this principle: a public hospital initially refused to release a deceased patient’s treatment history, but the board overturned the decision, ordering disclosure to support a civil lawsuit.

Case Summary: Authorized Representative Seeking Records for Tort Claim

The appellant sought the medical treatment records of “Ms. K.” (a pseudonym), their full sibling who had passed away. The hospital denied the request, citing privacy concerns.

On appeal, the Committee found that:

  • The appellant was acting under a power of attorney granted by “Mrs. B” (the mother of the deceased and a legal heir).
  • The records were needed to support a tort lawsuit alleging medical negligence that contributed to Ms. K.’s death.
  • Since the patient was deceased and unable to request the records herself, the authorized representative was exercising rights on her behalf.
  • This was pursuant to the Ministerial Regulation No. 2 (B.E. 2541 (1998)) issued under the Official Information Act, B.E. 2540 (1997), which allows designated representatives to access information when the data subject is incapacitated or deceased.

The Committee explicitly ruled that this did not constitute a request for “another person’s health information” under Section 7 of the National Health Act, B.E. 2550 (2007). After weighing the agency’s legal duties, public interest, and private benefits, the board concluded that disclosure was justified, with appropriate redactions for unrelated personal data.

This decision reinforces that authorized heirs or representatives can access deceased patients’ records for legitimate legal purposes without violating core privacy protections.

Key Legislation Governing Medical Record Disclosure:

  1. Official Information Act, B.E. 2540 (1997) Public agencies, including state hospitals, must disclose official information upon request (Section 11). Exceptions include personal data where disclosure would unreasonably invade privacy (Sections 14-15). Appeals against refusals are handled by the Official Information Board, whose rulings are binding. Ministerial Regulation No. 2 (B.E. 2541) specifically permits representatives to act for deceased or incapacitated individuals.
  2. National Health Act, B.E. 2550 (2007) Section 7 protects health information privacy and restricts disclosure of “another person’s” data without consent. However, as clarified in this ruling, requests by authorized representatives of deceased patients fall outside this prohibition when tied to legal rights.
  3. Personal Data Protection Act, B.E. 2562 (2019) (PDPA). Health data is sensitive personal data requiring strict protection. Exemptions apply for legal claims, compliance with law, or court processes. Disclosures mandated by the OIB under the OIA are generally permissible.
  4. Medical Profession Act, B.E. 2525 (1982), and Hospital Regulations. These impose confidentiality on healthcare providers but allow exceptions for legal obligations or authorized requests.

How These Laws Interact:

The system operates through complementary layers:

  • Patient/Representative Rights vs. Third-Party Requests: Direct access (by patients or proxies) is facilitated under the National Health Actม B.E. 2550 (2007)  and OIA regulations, while unrelated third-party requests face higher barriers.
  • Privacy vs. Justice: Hospitals often invoke Section 7 of the National Health Act, B.E. 2550 (2007) or PDPA to refuse, but the OIB can override when disclosure serves legal accountability (e.g., malpractice suits) without undue harm.
  • Deceased Persons’ Data: Post-mortem privacy persists, but heirs’ inheritance or liability claims create legitimate interests, resolved via representative powers under OIA regulations.
  • Enforcement Mechanism: OIA appeals provide an administrative remedy, binding on public agencies. Parallel court subpoenas or PDPA complaints may arise in complex cases.

This ruling sets valuable precedent for families pursuing medical negligence claims after a relative’s death. Individuals facing similar denials should document authorization (e.g., power of attorney from heirs) and appeal through the Official Information Commission (oic.go.th). Consulting legal experts or the Ministry of Public Health can further clarify rights in such sensitive matters.

Author: Panisa Suwanmatajarn, Managing Partner.

Other Articles

on by

PDPA: Administrative Fine

The Personal Data Protection Act B.E. 2562 (2019) (PDPA) of Thailand, enforced from June 1, 2022, has reshaped the data protection landscape by mandating strict compliance standards for organizations. One of the key enforcement tools available under the PDPA is the imposition of administrative fines for non-compliance.

Following the issuance of the Royal Gazette Notification in April 2025, the procedures for administrative fines are now clearly outlined. Below is a comprehensive overview of the administrative fine system and process.

Scope of Administrative Fines:

Administrative fines apply to:

  • Data Controllers who fail to comply with lawful processing, security standards, or respect for data subject rights.
  • Data Processors who act beyond instructions or fail to maintain required security standards.
  • Representatives acting on behalf of overseas controllers or processors carrying out activities in Thailand.

Violations triggering fines include:

  • Unlawful data processing without valid consent or legal basis.
  • Inadequate responses to data subject rights.
  • Failure to report data breaches promptly.
  • Unauthorized data sharing or cross-border data transfers.
  • Absence of proper organizational security measures.

Authorities Empowered to Act:

The Personal Data Protection Committee (PDPC) and its designated investigating officers have the authority to:

  • Conduct investigations.
  • Summon witnesses and request evidence.
  • Recommend fines for PDPC approval.
  • Issue administrative orders enforceable under administrative law.
close up shot of a typewriter

PDPA Administrative Fine Process:

The administrative fine process is clearly structured into the following key stages:

1. Preliminary Investigation

An investigating officer gathers evidence, interviews involved parties, and assesses whether there are grounds for a violation. If sufficient evidence exists, the officer proceeds with the next step.

2. Notice of Allegations

The alleged violator receives a formal notification, detailing:

  • The alleged facts.
  • Applicable legal provisions breached.
  • The right to submit a defense or clarifications within a stipulated period.

3. Consideration and Decision

The competent authority reviews all evidence, defenses, and mitigating factors. The seriousness of the violation, damages, prior conduct, and cooperation are taken into account when determining the fine amount.

4. Issuance of Administrative Order

An administrative order is issued specifying:

  • The nature of the violation.
  • The amount of the fine imposed.
  • Payment instructions and deadlines.

Failure to comply may result in further legal enforcement actions.

5. Right to Appeal

The fined party may appeal the administrative order in accordance with the Administrative Procedure Act B.E. 2539 (1996).

Author: Panisa Suwanmatajarn, Managing Partner.

Other Articles

on by

PDPA: Handling Personal Data of Third-Party Representatives in Contractual Communications

Thailand’s Personal Data Protection Act B.E. 2562 (PDPA) regulates how companies, say Company K, which provides building management and outsourcing services, manage personal data. The Subcommittee under the Personal Data Protection Committee has clarified Company K’s obligations regarding consent and lawful bases for data processing in two scenarios: business transactions with representatives and property management services. This analysis details the facts, the subcommittee’s rulings, and the compliance implications.

Factual Background:

Company K operates in building administration and outsourcing, requiring the collection, use, and disclosure of personal data. It raised two issues: (1) When dealing with natural persons or entities, it coordinates with employees or agents, collecting their names, phone numbers, and other personal data – does it need their consent? Given Section 24(3)’s contractual exemption applies only to direct parties? (2) When managing condominiums/villages, either as the legal manager or an outsourced administrator, it handles residents’ data for billing, security, parking stickers, registries, and services—must it obtain consent, or does an exemption apply?

Subcommittee Decisions:

The subcommittee provided rulings on both issues:

  1. Data of Representatives in Business Transactions
    • Case 1: Natural Person as Counterparty: When Company K contracts with an individual (e.g., for goods and services), it can collect their data under PDPA Section 24(3)—necessary for contract performance or pre-contractual steps—without consent. This includes names and contact details for coordination, as the individual is a direct party.
    • Case 2: Representatives of Entities: When coordinating with employees/agents of a legal entity counterparty, these individuals are not parties to the contract, so Section 24(3) does not apply. Instead, Company K can use Section 24(5)—legitimate interests—if the data collection (e.g., names, phone numbers for quotes and documents) is necessary, outweighs data subject rights, and respects reasonable expectations in business contexts. Caution is required to minimize impact and avoid excessive use. For sensitive data under Section 26 (e.g., health and criminal records), additional lawful bases from Section 26 are needed. Consent is not mandatory if these conditions are met.
  2. Data of Residents in Property Management
    • Whether Company K manages a condominium/village as the legal entity (registered under condominium or land allocation laws) or as an outsourced administrator, it processes residents’ data (e.g., for billing, security and parking) under instructions from the condominium/village legal entity. Here, Company K is not a “data controller” (Section 6)—an entity deciding data use—but a “data processor” (Section 40), acting on behalf of the controller (the legal entity). The controller must secure a lawful basis under Sections 24 or 26 (e.g., contract and legal duty), not Company K. As a processor, Company K does not need residents’ consent or a direct lawful basis; it follows the controller’s lawful instructions (Section 40(1)). The controller must establish a data processing agreement per Section 40, paragraph 3, ensuring compliance.
close up of a smart phone with a lock

Implications for Compliance:

Company K can avoid consent in business dealings by leveraging contractual (Section 24(3)) or legitimate interest (Section 24(5)) bases, tailoring its approach to the counterparty’s status, with extra care for sensitive data. In property management, its processor role shifts responsibility to the legal entity, requiring clear agreements to define duties and ensure lawful data handling. This dual framework simplifies Company K’s compliance while upholding PDPA standards.

Key Takeaways:

  • Contractual Base for Direct Parties: Section 24(3) exempts consent for natural person counterparties, covering pre and post-contract data.
  • Legitimate Interest for Agents: Section 24(5) supports collecting representatives’ data without consent, if necessary and balanced, with Section 26 for sensitive data.
  • Processor Role in Management: As a processor, Company K does not need consent or a direct basis; the controller (legal entity) bears that duty.
  • Agreements Are Key: Section 40 mandates controller and processor agreement to align outsourced data handling with PDPA.

This ruling enables Company K to streamline operations under PDPA, distinguishing its roles and leveraging exemptions effectively.

Author: Panisa Suwanmatajarn, Managing Partner.

Other Articles

on by

PDPA: Personal Data in Medical Certificates Defined by the Medical Council

Thailand’s Personal Data Protection Act B.E. 2562 (2019) (PDPA), effective June 1, 2023, governs the handling of personal data, including sensitive health information, with exemptions for medical purposes. The Subcommittee under the Personal Data Protection Committee has addressed the Medical Council’s inquiry about its standardized medical certificate forms, balancing professional standards with privacy compliance. This analysis outlines the facts, the subcommittee’s rulings, and the compliance implications.

Factual Background:

The Medical Council, established under the Medical Profession Act B.E. 2525 (1982), regulates medical practice standards per Section 7, including two medical certificate forms: (1) a health check certificate (2561/2018 version) and (2) a driver’s license certificate (2564/2021 version). Each form has two parts: Part 1, completed by the patient (e.g., name, address, congenital diseases), and Part 2, completed by the doctor. Part 1 ensures accurate health history for first-time patients without prior records. The council seeks clarification on PDPA compliance for patient self-reported sensitive data, third-party disclosure by patients, and form improvements.

close up photo of a stethoscope

Subcommittee Decisions:

The subcommittee ruled on three issues:

  1. Patient Self-Reported Sensitive Data in Part 1
    • Healthcare facilities, as data controllers, collect health data (e.g., congenital diseases) under PDPA, Section 26(5)(a), exempt from consent when necessary for legal duties (e.g., Medical Profession Act B.E. 2525 (1982)), preventive medicine, occupational health, diagnosis, treatment, or healthcare system management. Alternatively, Section 24(3) applies for patient-doctor contractual obligations, or Section 26(5)(a) for professional confidentiality. The council’s forms—requiring patients to input and sign off on personal data like name, address, and health history—fit these exemptions. Collection is lawful if limited to what’s necessary for the certificate’s purpose (e.g., epilepsy history for driving safety, per transport regulations). For new patients lacking records, self-reporting ensures accuracy, avoiding misleading certificates. Thus, this aligns with PDPA, Sections 24 and 26, provided data is purpose-specific and proportionate, per Section 22.
  2. Disclosure to Third Parties by Data Subjects
    • The National Health Act B.E. 2550 (2019), Section 7, deems health data confidential, barring disclosure that harms the individual unless consented or legally mandated. PDPA Section 26 and Section 27(1) echo this, prohibiting controllers from disclosing health data without explicit consent, except under exemptions. However, neither law restricts data subjects (patients) from sharing their own data. PDPA Section 30 grants data subjects access to their data, implying freedom to disclose it (e.g., to employers, and authorities). Thus, patients can share their certificates with third parties without PDPA or National Health Act violations, as this is their prerogative, not the controller’s action.
  3. Recommendations for Certificate Forms
    • Health data’s sensitivity (potentially impacting rights and freedoms) requires recipients (e.g., employers, and agencies) to secure it per PDPA, Section 37. The subcommittee suggests the council add guidance on forms or issue best practices for certificate use, ensuring third parties handle data appropriately and align with collection purposes. This enhances compliance without altering the forms’ structure, maintaining their professional utility.

Implications for Compliance:

The council’s forms comply with PDPA by leveraging medical exemptions, requiring only necessary data, and allowing patient disclosure flexibility. Healthcare facilities must ensure purpose-driven collection, while third-party recipients bear security duties. Adding guidance strengthens the ecosystem, aligning professional standards with privacy protections.

Key Takeaways:

  • Exemptions Enable Self-Reporting: Patient data in Part 1 is lawful under Section 26(5)(a) or Section 24(3) for medical purposes, no consent is needed if necessary (Section 22).
  • Patient Disclosure Is Unrestricted: Patients can share certificates freely per Section 30, unbound by PDPA or National Health Act restrictions on controllers.
  • Guidance Enhances Security: Adding recommendations ensures third-party compliance with Section 37, safeguarding sensitive data.
  • Necessity Rules Collection: Data must match certificate purposes (e.g., driving safety), balancing medical needs with privacy.

This ruling affirms the council’s approach, integrating PDPA exemptions with medical practice while suggesting proactive steps to protect data downstream.

Author: Panisa Suwanmatajarn, Managing Partner.

Other Articles

on by

PDPA: Announcement on Administrative Fine Guidelines Seeks Public Comments

The Personal Data Protection Committee (PDPC) is set to issue a new announcement concerning the “Guidelines for Issuing Administrative Fine Orders by the Expert Committee.” Before finalizing, the PDPC is inviting public comments to ensure that the guidelines are comprehensive and effective. This article outlines the key elements, issues, and principles involved in this draft announcement.

Background and Principles:

Under Sections 74 and 90 of the Personal Data Protection Act B.E. 2562 (2019), administrative enforcement measures must align with the law governing administrative procedures. The current draft aims to repeal the definition of “administrative fine enforcement officer” and introduce a new definition for “administrative enforcement officer,” ensuring consistency with existing laws.

Key Issues:

Revised Definitions: The draft proposes to repeal the term “administrative fine enforcement officer” and introduce “administrative enforcement officer,” aligning with administrative laws.

  • Clear Procedures: Specifies detailed procedures for issuing fines and enforcing measures such as seizure, attachment, or auction.
  • Consideration Factors: Lists factors like severity of violation, size of operations, and impact on data subjects to consider when imposing fines.

Key Elements:

  • Administrative Enforcement Officer:

Defined as an official or employee of the Office of the Personal Data Protection Committee appointed by the Secretary-General.

Responsible for implementing measures like seizure, attachment, and auction.

  • Fine Definition:

Refers to the administrative fine ordered by the Expert Committee.

  • Notification Methods:

Allows for electronic notifications under urgent circumstances or if preferred by the affected party.

  • Factors for Consideration:

Includes details of the offense, severity, size of operations, effectiveness of the fine, benefits to data subjects, extent of damages, history of fines, responsibility levels, ethical codes, remedies, compensation payments, reasons and limitations, and other relevant facts.

  • Issuing Orders:

Non-severe cases may involve warnings or corrective actions.

Severe cases or ineffective initial orders will result in administrative fines.

  • Enforcement Actions:

If the obligated party fails to pay the fine, enforcement officers will issue a written notice demanding payment within no less than seven days.

Failure to comply can lead to seizure, attachment, or auction of property.

Public Consultation Period:

pink white black purple blue textile web scripts

The PDPC invites stakeholders and the public to review the draft and provide feedback from 20 February to 6 March 2025. This consultation period aims to gather diverse insights to enhance the effectiveness and fairness of the guidelines.

Conclusion:

By aligning with administrative laws and considering public input, the PDPC aims to strengthen data protection enforcement in Thailand. All interested parties are encouraged to participate in this crucial consultation phase to shape robust data protection measures.

This draft announcement underscores the PDPC’s commitment to ensure that administrative enforcement actions under the Personal Data Protection Act are consistent, clear, and effective. Your participation in the public consultation can significantly contribute to achieving these goals.

Author: Panisa Suwanmatajarn, Managing Partner.

Other Articles

on by

Thailand New Draft Digital Platform Economy Act

The outbreak of the COVID-19 pandemic has significantly altered consumer behavior, leading to a surge in reliance on digital platforms for activities like shopping and food delivery. This shift has played a pivotal role in the rapid growth of the digital economy, both in Thailand and globally. Citizens have become increasingly dependent on these platforms, which offer convenience and ease in daily life. As digital platforms now cover almost every facet of modern existence, the government has recognized the need to regulate these services to ensure economic and social stability, enhance credibility, and mitigate any potential risks to the public at large.

In response to this, Thailand initially enacted the Royal Decree on the Operation of Digital Platform Service Business Subject to Prior Notification B.E. 2565 (2022) (“Royal Decree”), which regulates and imposes obligations on digital platform service operators. These operators, such as Shopee or Lazada, manage platforms that connect business users and consumers through data networks to facilitate electronic transactions. However, recognizing the evolving landscape, the Ministry of Digital Economy and Society (“MDES“) has proposed the Draft Digital Platform Economy Act B.E. …. (the “Draft Bill”), which aims to expand regulation to include a broader range of platform services not covered under the Royal Decree, also known as, digital media services.

The Draft Bill seeks to regulate various digital platform services more comprehensively, promoting fair trade, encouraging self-regulation, and supporting operators in adopting good governance principles. Below are the key aspects of the Draft Bill.

laptop screen displaying ai interface at night

Categorization of Digital Media Services

The Draft Bill defines Digital Media Services as any service provided over a computer network, internet system, or telecommunications network that acts as a medium between the sender and the data receiver. It categorizes these services into three types, each with distinct legal responsibilities for the operators:

  1. Mere Conduit Service: This refers to the provision of electronic data transmission services or access to an electronic communications network. Mere conduit providers are not liable for illegal activities during data transmission, as long as they can prove they neither initiated the data nor altered it in any way.
  2. Caching Service: Caching services involve temporary data storage for faster transmission. Providers are not held responsible for illegal activities, provided they meet the terms for data access and follow standard industry practices.
  3. Hosting Service: Hosting services provide data storage on behalf of users. These providers are only held accountable if they are aware of illegal content stored and fail to take action by either removing or blocking access to it.

General Obligations for Digital Media Services Platform Operators

Under the Draft Bill, platform operators are required to comply with obligations prescribed in Chapter 3 of the Draft Bill, which includes notifying the users of their rights and obligations, as well as the risks associated with using digital media services; providing a complaint resolution channel that responds within 24 hours and reports on the investigation outcome within 60 days; disclosing advertising information, publishing clear terms and conditions, as mandated by the law, and appointing a point of contact to liaise with the Electronic Transactions Development Agency (“ETDA“).

Very Large Online Platform (VLOP)

The Draft Bill introduces the concept of Very Large Online Platforms (“VLOP“). To qualify as a VLOP, a platform must meet one of the following criteria:

  1. A net income (before expenses) of over 1,000 million Baht per year from the provision of services in Thailand.
  2. More than 6 million active users per month.
  3. Poses a high risk to the economic or social security of Thailand, as determined by the ETDA.

VLOPs are subject to additional obligations, such as reporting data to the ETDA, tracking business users’ activities, suspending services for users engaged in serious illegal activities, and submitting annual transparency reports.

Core Platform Services & Gatekeepers

Chapter 5 of the Draft Bill defines core platform services and identifies platform operators that act as “gatekeepers” to other service providers. Core platform services currently include 10 types of digital media services such as online search engines, video-sharing services, cloud computing, and online advertising services, among others. A platform operator may be classified as a gatekeeper if it meets three criteria:

  1. Significant impact on the economy, with annual income (before expenses) exceeding 7 billion Baht.
  2. Serves as a critical gateway for business users to reach end users, with more than 15 million consumer users and 10,000 business users annually.
  3. Has the power to limit competition from other platform service providers, maintaining a dominant position.

Gatekeepers are subject to additional responsibilities, such as ensuring fair treatment of business users, facilitating free communication between consumers and businesses, preventing unfair practices that hinder competition, and more.

ETDA and Digital Platform Economy Committee’s Power to Enforce Data Platform’s Compliance

In order to enforce the Draft Bill effectively, the Draft Bill grants ETDA various powers to enforce compliance, including but not limited to the power to request data from platform operators to assess compliance, power to access and inspect platforms’ computer systems and physical premises if there is reasonable suspicion of illegal activities, the power to impose fines, service suspensions, or even criminal charges for severe violations.

close up photo of mining rig

Regulatory Transition

To ensure a smooth transition in the enforcement of this Draft Bill from the existing Royal Decree, the Draft Bill includes a grandfather clause allowing the platform operators who have already submitted notification under the Royal Decree to be deemed to have been notified under this Draft Bill as well. Nonetheless, they are required to update their information to align with the new requirement within 120 days of its enactment. Whilst the Royal Decree shall cease to be effective on the enforcement date of this Draft Bill, the sub-ordinate regulations issued under the Royal Decree shall remain in effect for as long as they do not conflict with the Draft Bill, or the new-subordinate regulation to be issued under the Draft Bill. 

Conclusion

The Draft Bill represents a proactive step toward regulating the rapidly expanding digital economy in Thailand. By establishing clear guidelines for digital platform operators, categorizing services, and introducing additional obligations for large and influential platforms, the Draft Bill aims to foster fair competition, ensure consumer protection, and maintain economic stability. As digital platforms continue to play an integral role in modern society, this legislation will be crucial in balancing innovation with accountability, ensuring that the digital economy can thrive in a secure and sustainable manner. As such, the passage of the Draft Bill will likely have far-reaching implications, not only for platform operators but also for the broader economy and society.

Author: Panisa Suwanmatajarn, Managing Partner.

Other Articles

on by

Data Privacy: Criminal Penalties Imposed by the Court Raise Concerns of Practice

Recent decisions by the Phuket Provincial Court have garnered significant attention from data privacy practitioners. These rulings have highlighted critical issues concerning the enforcement of Thailand’s Personal Data Protection Act (PDPA) and its implications for criminal penalties.

Overview of the Cases

In two related cases, the offenders allegedly obtained personal data from online gambling platforms and advertised the sale of this data on social media. The personal data involved includes names, phone numbers, email addresses, and account identification numbers. The offenders were found guilty under several laws, including the Computer-Related Crime Act, the Gambling Act, the PDPA, and the Penal Code.

Application of Section 80 of the PDPA

A notable aspect of these decisions is the application of Section 80 of the PDPA, which was used as a basis for determining the punishments for the offenders. Section 80 states:

“Any person who comes to know the Personal Data of another person as a result of performing duties under the PDPA and discloses it to any other person shall be punished with imprisonment for a term not exceeding six months, a fine not exceeding Baht five hundred thousand, or both.”

The court’s interpretation of Section 80 is significant as it expands the enforceability of criminal sanctions and imprisonment to conduct beyond the violation of sensitive personal data outlined in Section 79 of the PDPA. Traditionally, Section 80 was thought to apply only to competent officials who disclose personal data learned while performing their duties under the PDPA. Consequently, the elements of damages and intention were not included in the legal text.

However, the court’s decisions to criminalize the two offenders under Section 80 allow for general data controllers to face imprisonment penalties. This interpretation could lead to broader applications of criminal sanctions, moving beyond just sensitive personal data violations under Section 79 of the PDPA, which requires specific elements such as intention and damages for enforcement.

a stainless steel handcuff

Analysis of Sections 79 and 80 of the PDPA

Section 79 of the PDPA focuses on the unauthorized disclosure of sensitive personal data. For a violation occurring under this section, there must be elements of intention and resultant damages. The penalties under Section 79 are designed to address severe breaches involving sensitive data, emphasizing the need for intention and actual harm.

Section 80, on the other hand, addresses the unauthorized disclosure of personal data in a broader sense. Initially, it was interpreted to apply primarily to officials handling personal data as part of their duties. The court’s recent rulings have expanded this interpretation, suggesting that any data controller could be subject to criminal penalties for disclosing personal data, even if the data is not classified as sensitive and without the traditional elements of intention and damages.

Implications and Future Developments

This shift in interpretation has sparked debate among scholars and data privacy practitioners regarding its appropriateness. Some argue that expanding the scope of Section 80 to include general data controllers could lead to excessive criminalization, while others believe it is necessary to enhance data protection enforcement.

In response to these developments, the Ministry of Digital Economy and Society is pushing to increase penalties for the illegal trading of personal data. They propose raising the maximum imprisonment term from one year to five years by amending the Royal Decree on Measures to Prevent and Suppress Technology Crimes B.E. 2566 (2023). A draft amendment to the Royal Decree is currently under consideration by the Council of State and is expected to be submitted to the Cabinet for further review and approval soon.

These court’s rulings, being those of the court of first instance, signify a potentially transformative period for data privacy enforcement in Thailand, with significant implications for data controllers and practitioners alike.

Author: Panisa Suwanmatajarn, Managing Partner.

Other Articles

on by

A draft Announcement on the Additional Duties for Digital Platform Services in Specific Goods Market Categories

A draft Announcement on the Additional Duties for Digital Platform Services in Specific Goods Market Categories

The Electronic Transaction Development Agency (“ETDA”) has conducted a public hearing on the subordinate regulations under the Royal Decree on the Operation of Digital Platform Services Business that are Subject to Prior Notification B.E. 2565 (2022) (“Royal Decree”), a draft Announcement on the Additional Duties for Digital Platform Services in Specific Goods Market Categories as prescribed in Section 18 (2) of the Royal Decree B.E. …. (the “Draft Bill”). The Draft Bill has recently undergone public consultation, where comments and feedback provided therein may be reflected in the further revision of the Draft Bill. Nonetheless the following summarizes the initially proposed provisions.

The Draft Bill imposes additional obligations on Digital Platform Services (DPS) that pose risks to financial and commercial security, reliability, and creditability in data message systems, or potential harms to the public, as prescribed under Section 18 (2) of the Royal Decree as follows:

  1. Registration, Authentication, and Verification of the Business Users: The DPS is required to put in place an authentication and verification of the identity of the person who offers goods or services to consumers through a digital platform service (“Business User”). The authentication and verification may be by means of a collection of information or the use of an authentication system having a reliability standard of no lesser than the Identity Assurance Level (IAL2);
  2. Maintaining Record of Registry: The DPS is required to maintain a record of registry for Business Users, it may be required to submit such record to ETDA periodically or upon request.
  3. Obligations in Relation to the Products that Are Subject to Specific Quality Standard: Certain types of products may be subjected to a specific quality standard under the law relating to industrial product standards, foods, medicines, or cosmetic products (“Products with Specific Standards”). In this regard, the DPS is required to (1) have in place a policy regarding the advertisement or sale of the Products with Specific Standards. Such policy must be specified in the terms and conditions of the DPS; (2) prohibits the sale and advertisement of products that are restricted by the law; (3) requires the Business User to submit relevant permits or approvals in relation to the Products with Specific Standards; (4) display information relating to the Products with Specific Standards onto the platform; (5) provide a channel for users to verify accuracy of information relating to Products with Specific Standards against the government agency database; and (6) display a symbol or message indicating that such products are Products with Specific Standards.
  4. Obligations in relation to the Unlawful Sale or Advertisement of Products with Specific Standards: Apart from the preventive mechanisms prescribed above, the DPS is also required to (1) put in place a notice-and-takedown mechanism for the users to notify the DPS of unlawful Products with Specific Standards; (2) put in place a remedial measure for the users; and also (3) maintain a record of users who reviewed the Products with Specific Standards on the platform.

Under this Draft Bill, the DPS is required to specify the penalties for Business Users who fail to comply with the aforesaid obligations, the level of penalty is left open for public opinion on whether there shall be a written warning and grace period for correction, or Business Users failure to comply shall be subjected to termination of service by the DPS without prior notification.

Subject to the result of public consultation under this round, there may be an additional round of public consultation before finalization.

Author: Panisa Suwanmatajarn, Managing Partner.

Other Articles

on by

Data Privacy – Thailand Draft Exemption for Small Organizations Acting as Data Processors

The Thailand Personal Data Protection Act B.E. 2562 (“PDPA“) governs personal data processing and defines the roles and responsibilities of parties involved in such activities. Under the PDPA, a “Data Processor” is defined as a person or entity that processes personal data on behalf of another party. Since Data Processors do not have authority over processing activities, the Personal Data Protection Committee (“PDPC“) has determined it necessary to reduce certain regulatory burdens for smaller entities. Consequently, the draft Announcement on the Exemption for Small Organizations Acting as Data Processors (“Draft“) has been prepared and is undergoing public consultation through 14 November 2024.

Data Processor obligations are prescribed under Section 40 of the PDPA. Specifically, Section 40 (3) requires Data Processors to record personal data processing activities according to PDPC – prescribed criteria and methods. The Draft exempts the following types of organizations from this obligation:

  • Small and medium enterprises, as defined by the Small and Medium Enterprise Promotion Act B.E. 2543 (2000)
  • Community enterprises, as defined by the Community Enterprise Promotion Act B.E. 2548 (2005)
  • Social enterprises, as defined by the Social Enterprise Promotion Act B.E. 2562 (2019)
  • Cooperatives, as defined by the Cooperative Act B.E. 2542 (1999)
  • Foundations, associations, religious organizations, and non-profit organizations
  • Condominium associations, as defined by the Condominium Act B.E. 2522 (1979)
  • Individuals conducting household activities in a non-commercial capacity
  • Individual data processors (as distinct from organizations or larger entities)

(collectively referred to as “Small Size Data Processors“).

person in white long sleeve shirt using macbook pro

However, this Draft exemption does not apply to personal data processing activities that:

  • Pose risks to the rights and freedoms of data subjects
  • Involve regular or systematic collection, use, or disclosure of personal data (as opposed to occasional processing)
  • Involve the processing of sensitive personal data

Additionally, the exemption does not apply to any Small Size Data Processor that is required to appoint a Data Protection Officer, also known as, DPO.

Author: Panisa Suwanmatajarn, Managing Partner.

Other Articles