NBTC Uplifted Personal Data Protection for Telco Users

Since the Personal Data Protection Act B.E. 2562 (2019) (“PDPA”) has been in effect for more than a year, several authorities, including the National Broadcasting and Telecommunications Commission (“NBTC”), have attempted to establish and implement policies in order to comply with the PDPA. Previously, the Notification of the National Telecommunications Commission on Protecting User Rights Regarding Personal Data, Privacy, and Freedom of Communication through Telecommunications Service, effective since 16 August B.E. 2549 (2006) (“Original Notification”), prescribed measures to protect the rights of telecommunications service users. However, in order to (1) protect the rights of telecommunications service users while operating in parallel with the use of personal data, (2) modernize and improve the user rights protection measures, and (3) fully and accurately comply with and implement the PDPA, the NBTC is amending the Original Notification by drafting the Notification of the National Telecommunications Commission on Protecting User Rights Regarding Personal Data, Rights to Privacy, and Freedom of Communication through Telecommunications Service (“Notification”). This Notification was approved at meeting no. 13/2566 on 14 June 2023, will be published in the Royal Gazette, and shall take effect on the day following its publication, at which point the Original Notification will be replaced.


Examples of the key amendments are as follows:

  1. Some terms and definitions have been amended, such as “Personal data of user”, “Service Provider”, “User” and “Collection”.
  2. Although the Original Notification already addressed consent, this Notification specifies additional details, such as (1) the service provider’s obligation to specify the purpose of collecting or processing personal data prior to or at the time of obtaining consent, (2) that consent must be given in writing or by electronic means, and (3) that the consent request must be made in clear, unambiguous language and be separate from the main agreement.
  3. In addition to the sensitive personal data specified in the Original Notification, such as (1) disabilities and (2) hereditary characteristics, this Notification incorporates Section 26 of the PDPA to define sensitive personal data.
  4. Personal data relating to the use and provision of services for the previous 90 days must be retained. This can be extended to two years on a reasonable basis, such as legitimate interest.
  5. In addition to the written method specified in the Original Notification for exercising the rights under PDPA, the Notification has determined that the user, as a data subject, is able to exercise the same through electronic means. If the service provider fails to comply with the request to exercise rights within 15 days, the user may notify NBTC in writing, demanding the service provider to do so. Please note that the authentication and verification mechanism for the user must be conducted by the service provider prior to exercising the aforementioned right.
  6. The provisions requiring service providers to inform NBTC of a data breach incident within 72 hours, in accordance with the PDPA, have been added.
  7. The service providers (licensees) must prepare proper measures to protect users’ rights regarding personal data, the right to privacy, and freedom of communication through telecommunications, meeting the minimum requirements of this Notification and the PDPA. These measures must be prepared in Thai and in any other language in which the license holder markets its services, and must be sent to the Secretary of the NBTC for consideration and verification according to NBTC criteria.
  8. The cross-border transfer of data matter under Sections 28 and 29 of PDPA has been added, to which the service provider must comply.

The NBTC further declared that all of these revisions have been adapted to the current digital economy, which encompasses every business engaged in communication, and that this Notification will provide consumers with assurances about the protection of their personal data as well as efficient and fair service. License holders must take note of this Notification in order to prepare for compliance, as personal data protection is a critical issue at the moment, and failure to comply with this Notification may result in the suspension or revocation of NBTC licenses.

Author: Panisa Suwanmatajarn, Managing Partner.

Types of Digital Platform Services that are to notify the Electronic Transactions Development Agency

The EU’s Digital Markets Act and Digital Services Act aim to regulate large digital platforms and online services in the EU, setting out obligations for gatekeeper platforms to ensure fair and open digital markets. This includes requirements around interoperability, data access, user choice, and many others. As for Thailand, the Royal Decree on Supervision of Digital Platform Operation Requiring a Notification B.E. 2565 (2022) (“Royal Decree”), which was published in the Royal Gazette on 23 December 2022, requires large digital platform service providers to notify the Electronic Transactions Development Agency (ETDA) and comply with certain obligations.


Under the Royal Decree, a large digital platform or specific digital platform is a platform that may pose a risk to financial and commercial stability, to the credibility and acceptance of electronic information systems, or cause damage to the public. As a result, ETDA is considering this matter and drafting an Announcement of the Electronic Transaction Commission Concerning Criteria for Assessing the Level of Impact for the Business Operation of Digital Platform Services (“Announcement”) by virtue of Section 18 (2) of the Royal Decree on Supervision of Digital Platform Services Operation Requiring a Notification, so that digital platform operators can recognize whether their platforms are classified as a specific digital platform.

The criteria for assessing the impact level of the specific digital platform services according to the Announcement are as follows:

  • Digital platform service whose transaction value on the platform exceeds one hundred million baht per year.
  • Digital platform service whose business operator has not applied for commercial registration with the Department of Business Development (“DBD”), and on which the number of sellers or service providers conducting business in Thailand exceeds one-third of all sellers or service providers on that platform.
  • Digital platform service whose business operator has not applied for commercial registration with the DBD, and whose number of users in Thailand (customers, sellers, and service providers on the digital platform are collectively referred to as “Users”) is more than five percent but not more than ten percent of the population of Thailand.
  • Digital platform service on which users can independently perform acts that may affect the public, in the form of the following statements or actions:
    • Illegal statements or acts.
    • Any statement or action that may cause negative effects on fundamental human rights, human dignity, respect for privacy and family life, personal data protection, freedom of speech, media independence, discrimination, and consumer protection.
    • Any statement or action that causes negative effects on the rights of the child, causing mental illness, damaging reputation, or unlawfully exploiting the user or others.
    • Any statement or action that may cause negative effects relating to gender or sexual violence, including statements or actions that provoke violence, hatred, prejudice, or contempt.

Public Entities Required to Designate a Data Protection Officer

Section 41 of the Personal Data Protection Act B.E. 2562 (2019) (“PDPA”) requires public entities listed by the Personal Data Protection Committee (“PDPC”) to designate a Data Protection Officer (“DPO”). Currently, the PDPC has drafted the “Announcement of the Personal Data Protection Committee Concerning the Data Controller and the Data Processor Who Are Public Entities that Must Designate a Data Protection Officer B.E. ….” (“Announcement”). This Announcement will list the public entities that are required to designate a DPO. It is likely that public entities that process personal data on a large scale or collect sizable amounts of sensitive personal data will be listed under this Announcement. This Announcement is, however, still undergoing public hearings, in which anyone interested can share opinions or provide feedback via the Law Portal provided by the Office of the Council of State and the Digital Government Development Agency.


According to Section 3 of the PDPA, where a specific law governs the protection of personal data in any specific manner, business or entity, the provisions of that law shall apply. Furthermore, in Thailand there is a law known as the Official Information Act B.E. 2540 (1997) (“OIC”), whose provisions govern public entities in matters relating to the collection, disclosure, and security of personal information. Personal information under the OIC is also personal data under the PDPA, but the OIC covers only information kept by public entities. As a result, although such personal information is partly governed by the OIC, the PDPA still applies with respect to the rights of data subjects and the relevant penalties, even where this overlaps with the OIC, because Section 3 of the PDPA aims to ensure the same level of personal data protection for Data Controllers and Data Processors in both public entities and private entities.


In conclusion, public entities should consider whether a DPO is required based on this Announcement. Such public entities should also consider the PDPA, which may impose additional requirements with which they must comply. At the same time, individuals and private entities should also be aware of this Announcement so that they can directly contact the DPO of such public entities regarding personal data protection matters, as the DPO will be the contact center for personal data protection matters of those entities that may collect, use, or disclose their personal data.

Author: Ms. Panisa Suwanmatajarn, Managing Partner.

The US Internal Revenue Service has developed an IDES platform for International Financial Institutions to file under FATCA

The Foreign Account Tax Compliance Act (“FATCA”) is a rule implemented by the United States with the goal of preventing tax avoidance by US taxpayers using foreign accounts. As the United States collects taxes on a worldwide basis, FATCA requires financial institutions all over the world to transmit account records of US taxpayers to the Internal Revenue Service (“IRS”). This information is used by the IRS to identify taxpayers who may be evading their US tax obligations by hiding assets overseas. FATCA also requires US taxpayers to report certain offshore assets and income on their US tax returns.

To comply with FATCA’s objective, the US government enters into intergovernmental agreements (“IGA”) with other governments so that the exchange of taxpayers’ account information can take place without violating the contracting parties’ internal regulations, and so that both parties can mutually assist each other in taxation matters.

The IGA includes the following models:

  • Model 1: IGA in which the partner jurisdiction gathers information on US citizens from financial institutions within its jurisdiction and reports it to the other party via an automated system. Model 1 is divided into two variants:
    • Model 1 A (Reciprocal): Both parties agree to transfer information back and forth via the automated system.
    • Model 1 B (Non-Reciprocal): The partner jurisdiction agrees to provide the information to the US government without receiving information in return.
  • Model 2: IGA in which the state parties agree to implement legislation permitting and compelling financial institutions to communicate information via an automated system.

Thailand has chosen the International Data Exchange Service (IDES) as the tool for collecting information from financial institutions in Thailand; this arrangement is known as M1O2.


Currently, from 5 June through 30 June 2023 (Eastern Standard Time in the United States), the US Internal Revenue Service (IRS) is making the IDES system available for Thai financial institutions to trial receiving and transmitting simulated data to the IRS. Financial institutions that have not registered in the IDES system may register to participate by 1 June 2023 at 5:00 p.m. (Eastern Standard Time in the United States). Financial institutions that have already registered in the IDES system do not need to re-register. However, the new password must be validated before 1 June 2023 to ensure that it does not expire during the test. Also, ensure that the certificate used to send and receive data remains valid for the duration of the test, as financial institutions will be unable to change their passwords or upload certificates during the test.

Author: Ms. Panisa Suwanmatajarn

The USTR keeps Thailand on the Watch list, yet appreciates Thailand’s progress

On April 26th, 2023, the Director General of Thailand’s Department of Intellectual Property (“DIP”) revealed that the United States Trade Representative (“USTR”) announced the annual status review of Intellectual Property (“IP”) protection of the United States trading partners or the Special 301 Report published under Section 301 of the Trade Act of 1974. Thailand is still on the Watch List (“WL”) this year, along with 21 other nations.

The USTR has recognized Thailand’s progress in IP protection and enforcement, particularly the amendment of the Copyright Act to include a notice and takedown procedure, allowing the copyright owner to inform the platform and have the infringing items removed. Thailand has also updated the Technological Protection Measure (“TPM”) provisions to extend the expiration date of photoprotection.

Furthermore, Thailand has entered into bilateral cooperation with the World Intellectual Property Organization Copyright Treaty (“WCT”) to preserve licenses in the digital era. USTR has also applauded Thai intra-agency efforts in IP protection and enforcement, such as the Thai Customs IPR Recordation System (“TCIRs”) and the signing of memorandums of understanding (MOUs) with e-commerce platforms to report online counterfeit goods.


Apart from DIP’s progressive operations such as Smart DIP, the Fast Track System for Trademark Registration, and so on, DIP also contributes to ASEAN’s protection and enforcement against IP infringement by nominating itself to be the president of the ASEAN Network of Intellectual Property Enforcement Experts (ANIEE). The objectives of holding the presidency are to drive economic growth through IP by establishing appropriate standards between Thailand and its trading partners and protecting Thai entrepreneurs’ IP; to make ASEAN aware of the importance of IP protection and enforcement so that Thai products can be properly and promptly protected; to provide opportunities and trade fairness under modern technology; and to improve ASEAN’s general IP image and ensure that Thai products exported to ASEAN will be protected and able to compete without facing IP infringement. Thailand has been sharing experience, knowledge, and success stories with the ASEAN region, such as by associating with the ASEAN e-Commerce platform, creating the Protection and Enforcement against IP Infringement handbook, and increasing the operational capacity of law enforcement agencies.

However, the USTR remains concerned about unauthorized film recordings, online counterfeit and pirated goods, impersonation of royalty collection rights, and delays in criminal and civil proceedings, which keep Thailand on the WL. To address these concerns, Thailand is in the process of developing an IP Work Plan with the US in order to move off the WL. Thailand has proposed the plan to the United States, and the current step is for the United States to examine it. DIP will work as promptly as possible to bring Thailand out of the WL of the USTR annual status review in the future.

Author: Panisa Suwanmatajarn, Managing Partner.

PDPC’s Guideline for Data Controller and Data Processor

The Personal Data Protection Committee (“PDPC”) has announced the Guidelines for Data Controller and Data Processor.

Re: Case studies on the enforcement of the Personal Data Protection Act, B.E. 2562 (2019) (“PDPA”). The guideline includes sample actions for each specific case as scenarios for all relevant parties under the PDPA, including the Data Controller, Data Processor, Data Subject, and other relevant persons, to consider and apply. This guideline also aims to put in place effective remedial measures for Data Subjects whose personal data and rights must be protected, as well as to prevent any data breach under the PDPA, with sample scenarios as follows:

  • Does a bank need to obtain consent from minors aged 7 to 20 in order to collect and/or use their facial recognition data for mobile banking transactions? Facial recognition data is classified as sensitive personal data of the biometric type, as it arises from the use of techniques or technology relating to the physical or behavioral characteristics of the person under Section 26 of the PDPA, for which consent is required only if other legal bases such as Contract and Legal Obligation cannot be applied. Furthermore, the procedure for obtaining a minor’s consent must comply with Sections 19 and 20 of the PDPA.
  • Is consent required when a bank introduces new products to a minor for marketing purposes? If so, can minors freely consent on their own behalf? Since the collection of personal data for marketing purposes is not considered an activity under the legal basis of a contract for opening a bank account, and if such personal data was not collected for a purpose under Sections 24(1) – 24(6) of the PDPA, such as Vital Interest or Legal Obligation, then the consent of the minor must be obtained, and the consent of the holder of parental responsibility over the child may also be required on a case-by-case basis according to Section 20 of the PDPA.
  • A limited company operating a trading and service business enters into an agreement with an individual business partner, and wishes to collect personal data such as the name, phone number, and other information of the business partner’s employee in order to contact him/her directly on matters relating to performance of the agreement. In this case, the Data Controller cannot apply the legal basis of “Contract” to such an employee, but the legal basis of “Legitimate Interest” might be applied if the data processing does not override the fundamental rights of the said employee as a Data Subject.
  • What are the advantages and disadvantages of appointing an outsourced Data Protection Officer (“DPO”)? Is it necessary for the company to set up a separate department to handle this specific task? The Data Controller may appoint a DPO as it sees fit, provided that the Data Controller complies with and remains responsible for the duties set out in Section 42 of the PDPA. Furthermore, a DPO cannot be dismissed or terminated for performing his/her duties under the PDPA, and the DPO should be a person who can report directly to the executives of the Data Controller or Data Processor. As a result, selection of the DPO is an internal matter for the company to decide as it deems appropriate.

In conclusion, to assist government agencies and private companies in answering all concerns and questions regarding PDPA compliance, the PDPC has assigned a Sub-Committee to gather such questions and concerns and propose them, along with recommended answers, to the PDPC for further consideration, and later provide the approved answers and consultation to government agencies and private companies. In the future, those inquiries may be published as sample scenarios, as they were in this guideline.

Author: Panisa Suwanmatajarn, Managing Partner.

Official Fees Exempted for the Digital Civil Registration Service

The Ministry of Interior has proposed the draft Ministerial Regulation Prescribing the Operation of the Digital Civil Registration System. The draft exempts service fees for the digital civil registration service system in order to lighten the cost burden on citizens.

Currently, the Department of Provincial Administration provides services on the digital civil registration system via the D. DOPA application and the BORA Web Portal (thportal.bora.dopa.go.th). Fee exemption has been granted from the past year until 12 March 2023 for certain services, such as notification of relocation, certifying a copy of the house registration, registration records and birth registration.

To provide public services effectively, conveniently and appropriately under the current situation, it is appropriate to exempt service fees for two types of services as follows:

1) Services according to the Ministerial Regulation Prescribing Fees and Exempting Fees Related to Civil Registration B.E. 2562 (2019), such as providing and certifying a copy of the house registration, birth and death registration, which are currently charged at the rate of 10 THB per copy, and notification of birth, death and relocation, which are currently charged at the rate of 20 THB per copy.

2) Services according to the Ministerial Regulation Prescribing Non-Thai Citizens to Comply with Civil Registration B.E. 2562 (2019), such as notification of birth, death and relocation, which are currently charged at the rate of 20 THB per copy.

Now the cabinet has given its approval and the draft will soon become effective.

Thailand PDPA – DPO Qualifications

The Personal Data Protection Act B.E. 2562 (2019) (“PDPA”), which became effective on 1 June 2022, specifies the rules and restrictions that Data Controllers and Data Processors must adhere to. One important rule regarding the Data Protection Officer (“DPO”) is specified in Section 41 of the PDPA: “The Data Controller and the Data Processor shall designate a data protection officer…” Therefore, many organizations might wonder: what is a DPO? What are its responsibilities? And what qualifications are required to become one?

A DPO is a person who is responsible for the data protection of all personal data collected, used and disclosed by a legal entity, whether it is internal personal data or third-party personal data collected by the legal entity. Section 42 of the PDPA specifies the duties of the DPO as follows:

  1. Providing advice to the Data Controller and Data Processor, as well as all employees and service providers of those parties involved in the data processing, in order to ensure PDPA compliance, such as providing them with PDPA information and training sessions, particularly to those who directly operate with data processing, in order to ensure adherence to the legal entity’s privacy policy and follow the rules and regulations pertaining to the personal data protection.
  2. Monitoring the operation and the performance of the parties mentioned in item 1 regarding personal data collection, use and disclosure to be in accordance with the PDPA.
  3. Coordinating with the regulator, the Personal Data Protection Committee (“PDPC”) on any issues that arise in relation to item 2 such as a data breach.
  4. Maintaining the confidentiality of personal data known and acquired while performing the duties.

There are no officially announced sub-regulations governing DPO qualifications; the PDPA only specifies the duties of the DPO as mentioned above. As a result, the following is only guidance from the Thailand Data Protection Guidelines on this matter, which Data Controllers and Data Processors should consider.

  1. Having background knowledge of the PDPA and other applicable laws
  2. Understanding of technologies, IT, and data security measures. The DPO may need to fully understand these matters because IT systems and technological capabilities may be involved in personal data collection, use, disclosure and processing, and the DPO must perform its technology-related obligations under the PDPA.
  3. The DPO should not be a person who directly benefits from collecting personal data, and the DPO shall not audit its own actions involving the collection, use or disclosure of personal data. As a result, the duties of the DPO and those who process personal data should not overlap.
  4. Good communication and collaboration skills with internal staff, external parties and regulators, because the DPO must collaborate with all departments within the organization and with the PDPC on PDPA matters. Furthermore, the DPO should be a person who has direct access to the executives, because many aspects of PDPA compliance may need to be handled urgently.
  5. The DPO is not required to be an employee of the legal entity for which he or she works.

After designating a DPO, the Data Controller and the Data Processor are also required by Section 41 paragraph 5 of the PDPA to inform the PDPC and the Data Subject of the DPO’s information, contact address and contact channels. Any Data Controllers and Data Processors that are in the same affiliated business or group of undertakings and jointly designate the same DPO must also provide a list of all Data Controllers and/or Data Processors for whom such DPO works. This information can be sent to the PDPC via the email address and telephone number specified in the Announcement of the Office of the Personal Data Protection Committee Concerning Electronic Channels for Contacting the Office of the Personal Data Protection Committee B.E. 2562 (2019). As for the obligation to inform the Data Subject of the DPO’s information, this can be included in the privacy notice or privacy policy published by the Data Controller and Data Processor, since the same information is also required by Section 23 (5) of the PDPA.

Although no sub-regulation regarding DPO qualifications has yet been announced, all Data Controllers, Data Processors, DPOs and other relevant parties should keep an eye on these upcoming regulations in order to comply with the PDPA and designate an appropriate DPO for their legal entity, because the DPO plays an important role and directly affects the legal entity’s compliance with the PDPA.

Author: Panisa Suwanmatajarn, Managing Partner.

Royal Decree To Prevent Call Center Scams

A call center scam is a type of fraud that occurs when a caller, posing as a representative of a legitimate business or government agency, attempts to trick the person on the receiving end into giving away personal information and/or money. The scammer may claim to be providing a service such as customer service, technical support, or debt collection. They may also offer products or services at a discounted rate in order to convince the person to provide payment information. The scammer may also request additional personal details such as social security numbers or bank account information by claiming that this is necessary for the transaction to be completed. In some cases, the scammer may even ask for money to be wired directly to a “Horse Account”. Once the person has provided the requested data or money, the scammer typically disappears without providing any of the promised services or products. The Horse Account is usually opened for the purpose of receiving money from the victim. The money stays in the Horse Account for only a few seconds or so before it is transferred to another account of the scammer.

Online threats in the form of call center scams, which deceive victims into clicking on various links so that money can be stolen from their bank accounts, are considered cybercrime. Many people have been affected, causing damage to the country’s economy. According to statistics on online scams for the period March 2022 – October 2020, deceiving the public online into transferring money cost around 22,000 billion baht, averaging 800 cases a day.

Recently, the cabinet approved in principle the draft Royal Decree on Measures for Prevention and Suppression of Technology Crime (“Draft Royal Decree”), which was proposed by the Ministry of Digital Economy and Society.

This Draft Royal Decree serves to prevent and suppress fraud against the public committed through fund transfers and to penalize offenders. It establishes a “Crime Prevention and Suppression Technology Committee” mechanism to determine prevention guidelines, designate the institutions authorized to access exchanged information, empower financial institutions and business operators to exchange information on client accounts and transactions, and empower telecommunications service providers to exchange service information among the Royal Thai Police, the Anti-Money Laundering Office and the authorized institutions. Moreover, this Draft Royal Decree stipulates an exemption from the Personal Data Protection Act B.E. 2562 (2019) regarding the transfer of and access to data, so that government institutions, financial institutions or business operators can request the National Broadcasting and Telecommunications Commission to establish a database system of registration information, messages and log files from Mobile Network Operators for investigation. It is worth noting that Thailand is not the only country suffering from telephone scams; the US does as well. In 2019, President Trump signed the Telephone Robocall Abuse Criminal Enforcement and Deterrence (TRACED) Act into law. Telephone companies are now required to use a system called SHAKEN/STIR, which helps protect people from scam calls. If a call is potentially suspicious, it is marked as “scam likely” or “spam likely”, enabling consumers to quickly recognize and ignore robocalls.

Embracing the Use of Digital ID Card

Thai people can now access government services with their digital ID, thanks to Section 14 of the Digital Public Service Act B.E. 2565 (2022). To use this service, you are required to present a physical ID card to the registrar at the registration section of any district office for verification of your information, and then download the application named “D. DOPA”. The following steps are then required:

  1. Select “self-registration” and accept the terms and conditions of the service;
  2. Submit a front and back of a physical ID card, verify the information and confirm;
  3. Take a selfie of your full face and confirm;
  4. Set the password; and
  5. Consent to upload the information and fill out a consent form under the Personal Data Protection Act B.E. 2562 (2019).

The digital ID card is a useful and innovative way to verify a person’s identity quickly and securely. It eliminates the need for physical identification cards, which can easily be lost or stolen, and keeps personal information safe from unauthorized access. With the digital ID card, users can authenticate their identity with a simple scan on their phones or other devices using biometric authentication such as facial recognition or fingerprint scanning. The system is also secure and reliable, with data stored in an encrypted format that prevents tampering or manipulation. With this technology, businesses can quickly and efficiently verify a person’s identity and streamline their operations. Additionally, the digital ID card can be used to improve customer service by providing quick and seamless access to information.

Author: Panisa Suwanmatajarn, Managing Partner.