The privacy laws in Asia are being transformed and Thailand is no exception – having passed its Personal Data Protection Act in 2019 and brought that law into force in 2022.
The most recent development is the issue of two notifications by Thailand’s Personal Data Protection Committee (“Committee”) in December 2023 to help legitimise cross-border data transfers. In particular:
These notifications will take effect on 24 March 2024.
The notifications define the “transfer of personal data” to exclude: (i) the transfer of personal data by an intermediary during the transit of data; and (ii) data storage where no third party can access the personal data. The notifications give the case of a transfer made via the systems of a cloud service provider as an illustrative example.
The origin of the adequacy assessment is Section 28 of the Personal Data Protection Act which permits the cross-border transfer of personal data if the recipient territory has adequate personal data protection standards in line with the criteria issued by the Committee.
The Adequacy Decision Criteria Notification sets out the criteria that the Committee must consider when it decides whether the recipient territory or international organisation provides adequate levels of protection. Namely, the territory or organisation must:
This so-called “allowlist” follows the same concept as many other jurisdictions’ cross-border transfer rules which maintain a list of jurisdictions with “adequate” data protection laws, for example, the UK and EU GDPRs, Japan’s Act on the Protection of Personal Information and the Dubai International Finance Centre’s Data Protection Law 2020. Multinationals’ policy teams will be interested to hear that data controllers can propose additions to the Thai allowlist.
Cross-border transfer of personal data from Thailand is also permitted under the Cross-Border Transfer Notification when:
To approve any proposed BCR, the Committee will consider whether it:
(together, “Minimum Standards”).
This has been taken from the EU which first proposed BCRs as a method of complying with the cross-border data transfer rules in the 1995 Data Protection Directive. This BCR concept has since been taken on by the UK GDPR as well as regimes in Singapore, Brazil and South Africa.
Alternatively, transfers can take place on the basis of appropriate safeguards. This could be: (i) standard contractual clauses (“SCCs”); (ii) certification on whether the collection, use and disclosure by the data controller or data processor of personal data relating to the cross-border transfer meets the standards designated as acceptable by the Committee; or (iii) a state treaty or agreement.
These appropriate safeguards must also meet the Minimum Standards.
There is a great deal of flexibility as to the form of SCCs that can be used, with exporters having a choice of:
The Committee will publish information and details on the ASEAN and GDPR standard contractual clauses, but these two routes to legitimise cross-border transfers could clearly favour multinationals with regional or European footprints, respectively.
With respect to the certification mechanism, the Cross-Border Transfer Notification only contemplates that the certification must be completed in accordance with an acceptability standard to be later prescribed by the Committee (which will align with data protection provisions in the first bullet above). The timing of this is unknown, but certification has recently become a transfer mechanism increasingly contemplated in other Asian markets such as Mainland China.
This development is part of a wider maturing of data protection laws across Asia, such as the recently enacted Personal Information Protection Law in the PRC, new Decree 13/2023/ND-CP in Vietnam and Indonesia’s new law (see Asia privacy developments – What do multinationals need to know?).
More information about the data protection laws in Thailand is available here.