New PDPA Subordinate Regulations

According to Section 16(4), 73 paragraph 2, and 90 paragraph 2 of the Personal Data Protection Act B.E. 2562 (2019) or “PDPA”. The PDPA is Thailand’s first law on the protection of personal data and puts in place effective remedial measures for data subjects whose rights to protection of their personal data are violated. The PDPA established the Personal Data Protection Commission (PDPC) to govern the PDPA and also established the Office of the PDPC (OPDPC) to handle administrative matters and act as the secretariat of the PDPC.

On 29 June 2022, two pieces of legislation under the PDPA were approved by the PDPA and published in the Royal Gazette on 17 July 2022, namely:

  1. The Criteria for Filing, Refusal of Acceptance, Dismissal, Consideration and Timeframe for Consideration of Complaint B.E. 2565 (2022)
  2. The Qualifications and Prohibitions, Term of Office, Vacate Office, and Other Operations of the Expert Committee B.E. 2565 (2022)

The Criteria for Filing, Refusal of Acceptance, Dismissal, Consideration and Timeframe for Consideration of Complaint B.E. 2565 (2022)

1. Where a data controller, a data processor, or their employees or contractors breach any provision of the PDPA, the data subject may report the breach to the expert committee by filing a complaint in either hard copy or electronic form (a hard copy can be submitted directly to the PDPC or sent by registered mail).

2. The complaint shall include the name, address, phone number and email of the reporter or attorney, and a copy of the reporter’s ID card, passport or any identity document issued by the government.

Where the data subject has authorized an attorney, the power of attorney, with a complete specification of the assigned duties and the correct stamp duty, together with the attorney’s certified copy of an ID card, passport, or any identity document issued by the government, must be submitted with the complaint.

The complaint must specify the facts and details of the data breach that the data controller, the data processor, or their employees or contractors have committed against any provision of the PDPA, and also specify the effect of such breach. All relevant evidence must be attached to support the complaint. Moreover, the reporter must specify the request for an order that the data controller or data processor comply with the PDPA. The complaint must contain a statement certifying that the statements in it are true.

Please note that the reporter can be the data subject, an attorney, or any person who holds parental responsibility over a child (parents), or the custodian or curator of the data subject.

3. The competent official shall review the complaint and all evidence within 15 days of receiving the complaint to decide whether to accept it for further consideration. The competent official will contact the reporter if more information is needed. Please note that the competent official will accept the complaint and pass it to the expert committee only if all information is correct and complete. Once the complaint is accepted, the reporter will receive an acknowledgement receipt and a complaint number.

The matters that the competent official must consider within such 15 days are as follows:

  • Whether the action specified in the complaint is a violation of the provisions of the PDPA.
  • Whether the complaint has grounds as specified by the PDPA and it is reasonable to make a complaint.
  • Whether the expert committee has the authority to consider the complaint.

The competent official will then pass the complaint to the expert committee for further consideration. After receipt of the complaint, the expert committee will consider it, and the outcome may be categorized as follows:

  • Dismissing the complaint, if the expert committee considers that it has no ground under the PDPA.
  • Not accepting the complaint, if the evidence is incomplete and the matter has not been categorized as a data breach.
  • Setting a conciliation session, if the complaint appears capable of being settled by conciliation proceedings.
  • Imposing punishment in the form of an administrative fine.

Where the expert committee deems that the complaint raises an important legal issue, it shall pass the complaint to the PDPC for further consideration.

The expert committee must inform the reporter of the result of the complaint together with the reasons for that result.

The Qualifications and Prohibitions, Term of Office, Vacate Office and Other Operations of the Expert Committee B.E. 2565 (2022)

  1. The PDPC shall appoint one or more expert committees in accordance with their expertise. Each committee consists of one chairperson and at least 4 members.
  2. A person to be appointed as chairperson or member of the expert committee must meet qualifications such as being of Thai nationality, being not less than 25 years old, not being bankrupt or having previously been dishonestly bankrupt, not being an incompetent or quasi-incompetent person, and not having previously been fired, dismissed or discharged from official service, a government agency, a state enterprise or a private agency on the ground of dishonest performance of duties or having committed severe wrongful conduct.
  3. Moreover, the chairperson and members shall vacate office upon death, resignation, imprisonment by court verdict, disqualification as specified above, or dismissal by the PDPC due to failure to pass the performance evaluation or disgraceful conduct.
  4. The chairperson of the expert committee and the members shall hold office for a term of four years.
  5. A meeting of the expert committee requires one-half of all members to constitute a quorum. Decisions of the meeting shall be made by a majority of votes, with each member having one vote. In the case of a tie, the chairperson shall have the casting vote. The meeting may take place by electronic means.
  6. Any member who has an interest in a matter being considered at a meeting must inform all members of that interest prior to the meeting, and that member shall be prohibited from attending the meeting.
  7. The Secretary-General of the PDPC shall appoint a maximum of two secretaries to each expert committee.
  8. If there is a joint meeting of more than one expert committee, the chairperson of the expert committee holding the most senior level shall preside over the meeting. Such a joint meeting shall consist of not less than 6 members, and the members attending must come from every committee invited to the meeting in order to constitute a quorum.

AI and Intellectual Property Protection

AI, or Artificial Intelligence, is an intelligent machine that can perform tasks and mimic some human abilities, which poses a challenge to the future role of humans. Currently, some AI can produce artwork, which raises the question: if AI or a non-human creature can generate artworks independently, will intellectual property law protect this non-human creativity?

The Berne Convention for the Protection of Literary and Artistic Works contains no definition of the term “author”; however, it is understood that in many countries, including Thailand, authorship requires skill and labor, and thus a human being is required. Importantly, an artistic mind is a crucial part of an artwork, and it is an ability that AI or non-human creators cannot approach. For example, The Starry Night, which shows the dimness of the night sky in a dark blue shade contrasted with yellow, conveys the emotional turbulence of the artist, Van Gogh.

In the United States, protection under copyright law does not extend to non-human creators. As a result, a non-human author is unable to hold ownership of a work. This was stated in the selfie case of Naruto, the monkey. The case began when PETA, an animal-rights nonprofit organization, claimed that the photo taken by the monkey “Naruto” should not be owned by the defendant, the photographer. PETA claimed that creativity should rest upon humanity; thus, the organization requested that the defendant pay a royalty fee to the place where the monkey lives. However, the US court disagreed and held that animals are not capable of filing a lawsuit since they are not legal persons under copyright protection in the US. It can therefore be inferred from this decision that a non-human creator cannot hold ownership of a copyright; US copyright law recognizes only legal persons.

Interestingly, Australia was the first country whose court mentioned the possibility of recognizing AI as an inventor. The judge ruled that since the definition under Section 2C of the Interpretation Act 1901 does not include the term “inventor” as a person, AI could be an inventor. However, the higher court rejected this judgment and returned to the position that the copyright holder should be a natural human.

Under the Thai legal system, the current Copyright Act defines the term “author” as a “person” who makes or creates any work, which means that intellectual property law in Thailand currently protects only human work. Accordingly, there is currently no intellectual property protection for non-human inventors, including AI.

Author: Panisa Suwanmatajarn – Managing Partner, The Legal Co., Ltd.

Announcement of Ministry of Digital Economy and Society Re: Procedures on Notifying, Suspending of Publishing of Computer Data and Exporting Computer Data from System

The Cabinet acknowledged a draft Announcement of Ministry of Digital Economy and Society Re: Procedures on notifying, suspending of publishing of computer data and exporting computer data from system B.E. …. (“Announcement”) prior to its enforcement, as proposed by the Ministry of Digital Economy and Society.

Key issues of the draft Announcement are as follows:

  • It repeals the Announcement of Ministry of Digital Economy and Society Re: Procedures on Notifying, suspending of publishing of computer data and exporting computer data from system B.E. 2566 (2017).
  • The Announcement adds new definitions of the terms “Social Media” and “Location of Illegal Data” for consistency with other announcements.
  • Determining the types and characteristics of services for which a service provider or social media provider can prove compliance with this Announcement, so that it does not fall under the offence of cooperating in or consenting to the commission of an offence:
    • (1) A service provider that is an intermediary operating services such as routing, artificial intelligence, or transitory communication (mere conduit), where the intermediary is not involved in or contributing to matters such as transmitting the computer data, making a permanent copy of the computer data, or storing it with public access at a later stage, where the service provider does not edit the data, and where it receives no remuneration, directly or indirectly, from the publication, duplication or modification of the illegal data.
    • (2) A service provider operating storage or system caching in a computer network that controls the transmission of all data from users, outsiders, the computer network or artificial intelligence, or operating a computer network or automatic artificial intelligence, with no involvement or control by the service provider.
    • (3) A service provider storing computer data in its own computer system or network, where the information resides on the system or network at the direction of a user, without the service provider being aware of the illegal activity and without receiving any remuneration.
    • (4) A service provider operating a technical service for information location tools, without linking to an illegal source and with no remuneration or benefit, directly or indirectly, from the publication of the illegal computer data.
    • (5) An online social media provider enabling communication or exchange of information between persons through technology or a social network, by posting, editing or publishing computer data through the service provider or an outsider, or automatically through a computer system or artificial intelligence, where the service provider is not involved and does not receive any benefit, directly or indirectly, from the illegal publishing, copying or editing of data.
    • (6) A service provider other than (1) (2) (3) (4) (5) that provides internet access or connection in another manner through a computer network.
  • Determining the notice & takedown policy to be arranged by a service provider in order to avoid being charged with cooperating in, consenting to or acknowledging an offence.
    • An advance notice & takedown policy, or takedown notice in writing, must be arranged and made known to the public so that the public is able to report to the service provider to suspend or delete the publication of illegal data from the computer system.
    • Upon discovering that a service provider or online social media provider publishes illegal data, a service user or outsider can notify the service provider or online social media provider to suspend the publication of, or erase, the illegal data through a daily report or complaint to the police officer, or through a complaint form provided by the service provider or online social media provider.
    • Once the service provider or online social media provider receives the complaint form, it must take action to suspend the publication of the illegal data, make a copy thereof, and send the copy to the relevant persons under its control immediately, unless there are reasonable grounds or a force majeure event. In any case, it must act no later than 24 hours.
  • Determining standard measures, according to the industry itself, to suspend the distribution of or delete illegal data by order of the officer.
  • Determining the procedures for appeal and revocation of the officer’s order where the service provider or social media provider disagrees with the order or exercises the right to argue against it.
  • Determining litigation procedures where the service provider or social media provider does not take any action under an order to suspend publication of, erase or modify the illegal data. The officer must gather the related evidence of the commission of the crime, report the case to the police officer, and coordinate with the National Broadcasting and Telecommunication Commission or related authorities for further proceedings.

This draft Announcement aims to amend the procedures for notification and suspension of publication of illegal computer data for greater convenience, quality and suitability to modern technology, along with the notice & takedown policy or self-report. In addition, it provides for more involvement of the officer in handling complaints and non-compliance by service providers, which reduces the burden on the public or the injured party of complaining to the service provider or the officer themselves.

New Sub-Regulations under Thailand Personal Data Protection Act

As the Personal Data Protection Act B.E. 2562 (2019) (“PDPA”) has already come into force, the sub-regulations specifying its details are in the process of being released. Therefore, every organisation must always be mindful of its duties as a controller or processor regarding the keeping, utilising, storing, and transferring of personal data, which may affect the data subject and may lead to future damage.

In this article, we briefly discuss the sub-regulations issued by virtue of the PDPA, which are:

  • Under the PDPA, the data controller and data processor are responsible for keeping records of the collection and utilisation of personal data. The announcement by the PDPA Committee effective on 21 June 2022 lays out the conditions for, and the manner of, recording data collection and utilisation. The record must include the name of the data controller, the name of the data processor, the DPO including its contact details, the types, characteristics, and purposes of the collection and processing of data, and details of security measures. The record can be kept in paper or electronic form, and must be easily accessible by the relevant officer and the data controller upon request.
  • However, an exemption from the above record-keeping is provided under the announcement by the PDPA Committee also effective on 21 June 2022. The announcement determines the characteristics of small businesses that are exempt from this duty, such as small and medium enterprises, cooperatives, foundations, or family businesses under their relevant laws. However, if such activities concern sensitive data or may affect the rights and freedoms of the data subject, the record is still required.
  • In addition, the data controller must arrange for security measures as stated in the announcement of the PDPA Committee effective on 21 June 2022. Such measures shall cover the keeping, collecting, using, and disclosing of personal data and include the necessary organizational, technical, or physical measures.
  • Lastly, if the controller or processor fails to uphold its duties under the PDPA, it shall be subject to civil, criminal and/or administrative sanctions. For administrative sanctions, the PDPA Committee has also issued an announcement effective on 21 June 2022 specifying the actions that a data subject is entitled to take once its rights under the PDPA have been breached, how the PDPA officer/specialized Committee can proceed to consider the matter and issue an administrative order, and the administrative penalties that the PDPA officer/specialized Committee can issue against a data controller or processor who fails to comply with the PDPA.