The security of Thai citizens and their personal information is protected under a number of laws, including the Privacy Law B.E. 2540 (1997), which extends to protect the personal data of any Thai person and foreigners with a residence in Thailand.
The right of an individual to privacy is protected under the Constitution, which states that people are entitled to protection from undue exploitation and interference with their privacy, as long as it does not violate the rights of others. This right can be enforced by a court under the Thai Civil and Commercial Code.
In addition to this, the Personal Data Protection Act (PDPA) contains provisions that protect the right to privacy of personal data. These provisions give individuals a series of rights to access their personal data and to ask to have it erased, destroyed or anonymized. The right to privacy can be enforced against a controller, processor or service provider that has unlawfully collected, used or disclosed the person’s personal data.
Computer Crimes and Internet Frauds
Despite the government’s recent focus on cybersecurity, computer crimes and internet frauds still pose significant risks to Thai citizens. For example, in March 2016, a cyber attack resulted in the theft of over Baht 12 million from ATMs across Thailand. The criminals exploited a flaw in the system that allowed them to steal the money.
As a result, a number of laws have been introduced to address the threat of these types of cyber incidents. One such law is the Cybersecurity Act, which was approved in May 2019.
The Act gives the government broad powers to seize computers and systems, as well as data relating to alleged cyber crimes. It also allows authorities to monitor and track any alleged cyber attacks, although it does not allow them to do so in the absence of a court warrant.
However, while the Act provides these powers to the Thai government, it also comes with a number of concerns about judicial oversight and potential abuses of power. Civil liberties groups and internet companies have voiced their objections to the legislation, arguing that compliance burdens could drive foreign businesses out of the country.
In addition, the PDPA requires that a controller or processor have an appropriate policy in place to ensure that the personal data they process is secure and is only used for specific purposes. It also establishes eight principles that broadly align with the GDPR and other established data protection laws.
The PDPA is a significant development in the Thai data protection regime and is expected to provide strong standards for personal data. It is based on the EU GDPR and reflects a number of unique Thai perspectives, particularly with regard to consent.
It applies to all organizations that collect, use or disclose personal data of Thai citizens or residents and is extraterritorial. This extraterritorial scope of the PDPA significantly expands the jurisdiction of the law.
Penalties for Non-Compliance
Under the PDPA, a controller or processor who processes personal data in breach of its obligations is subject to a fine that can reach THB 5 million or imprisonment of up to five years. It is also a criminal offence for any person to intentionally or negligently misrepresent or misstate any information that may affect the rights of the data subject.