How to Comply With Thailand’s PDPA (Personal Data Protection Act)?

The Internet is becoming more and more accessible around the world. As the penetration is increasing, so is the concern for data privacy. Countries all over the globe are coming up with their privacy laws. The motive of all such laws is to protect citizens from privacy violations. The publisher must respect the concern. Now Thailand has also come up with its privacy law called PDPA (Personal Data Protection Act). In this post, we’ll see what PDPA is and how publishers can comply with it.

What is PDPA?

PDPA is Thailand’s data protection privacy law. The name is identical to Singapore’s privacy law, so please don’t be confused. It was approved by the Thai National Legislative Assembly in February 2019. Initially, it was supposed to become effective on 28th May 2019 with a grace period of 1 year. But few days ago, the Assembly postponed the enforcement for a year to give the publishers and other companies to take all the necessary steps by the end of 2020.

PDPA is supervised by the Ministry of Digital Economy and Society. The main body of supervision is the Office of Data Protection Committee. It’s highly inspired by Europe’s GDPR, that’s why you’ll observe many similarities between the two. The advantage of the similarities is that if you’re fully compliant with GDPR then following PDPA won’t be a demanding task for you.

The PDPA grants the following rights to the Thai users:

• The right to be informed about the purpose of collecting and processing the data.
• The right to withdraw the given consent.
• The right to non-discrimination for not providing consent.
• The right to access and obtain the data collected from them.
• The right to object the collection, use, and disclosure of their data.
• The right to restrict the use of their data.
• The right to correction of their data.
• The right to transfer their data to another data controller.
• The right to have their data erased, destroyed, or anonymized. 

Before moving forward, it’s important to understand a few basic terms used in most of the privacy laws::

Data Subject: Any user whose data is being collected. For example, your website visitors.

Personal Data: Any information that can be used directly or indirectly to identify a person. For example, name, address, email address, etc.

Data Controller: Any person or entity that has the authority to make decisions on the collection, usage, or disclosure of personal data. For example, a publisher that collects the personal data of the users on the website.

Data Processor: Any person or entity that processes the collected data on behalf of the data controller. For example, third parties that process the data given by the data controller for analytical purposes.

Does the Law Apply to You?

PDPA applies to data controllers and data processors inside as well as outside Thailand. The data controller and data processor residing inside the country will come under the purview of the law even when the collection, usage, and disclosure of the Personal Data is undertaken outside of Thailand.

The data controller and processor residing outside the country will come under the jurisdiction of the law only when goods and services are being offered to data subjects in Thailand. Also, the controller and processor will be responsible if the monitoring of data subjects’ behavior has taken place within the country’s boundary.

In a nutshell, if you’re dealing with the data belonging to the people in Thailand then you need to follow PDPA. There is an exception for ‘small enterprises’ but the criteria is not set yet. Soon we may have the information about the exact size of an exemptible company (number of employees, turnover, etc) 

In case of a security breach, the controller of the data has to notify the Office of Data Protection Committee within 72 hours of becoming aware of the breach. If the rights and freedom of the data subjects are at high risk then the data subject has also to be notified.

Noncompliance with the law can attract administrative fines, criminal penalties, punitive damage, and class-action lawsuits from data subjects. The administrative fines can go up to 5 Million Thai Baht. Criminal penalties can bring you up to 1 year of jail and or fines up to 1 Million Thai Baht. The punitive damage can be up to twice the amount of actual damage.

How Publishers Can Comply with PDPA?

These are the main action items for publishers to comply with PDPA::

• The opt-in consent method has to be implemented. You can do it yourself or you can take the help of a Consent Management Platform.
• The privacy policy has to declare how and why the data will be collected from the data subjects and how the data will be used or disclosed by the controllers and processors. If you aren’t sure how to write a policy then there are lots of privacy policy generator tools out there. You have to enter your details and the policy will be generated. You can then copy and paste it on your site. It is a one-time task. 
• PDPA also requires publishers to appoint a Data Protection Officer if the data collection and processing is being done at a “large scale”. The term “large scale” has not been defined yet.

By now you must have understood why we said that if you’ve done all the arrangements for GDPR, most of the work is already done for you.

Similarities and Differences Between PDPA and GDPR

It will be helpful to know the differences and similarities between the two laws because if you have already made the arrangements for GDPR, then it’ll be easy for you to decide the additional changes that you need to make for PDPA. So let’s discuss them.

Similarities:

•  Any set of data that, by itself or combined with other data, could identify a person is considered as personal data by both the laws.
• The territorial scope of both laws is the same. In both cases, it doesn’t matter where your headquarter is located.
• A Data Processing Officer is required by both the laws in the case of large companies.
• The rights of the data subjects are similar in both laws.
• Both laws require opt-in consent.
• The notification of data breach has to be sent within 72 hours in both laws.
• The legal bases for data collection are the same in GDPR as well as PDPA.

Differences:

• In PDPA, parental consent is required when the data subject is aged below 10 yrs. With GDPR, the age restriction is 16 yrs.
• PDPA does not exclude anonymized data whereas GDPR does.
• The penalties are different for both laws.

How to Change the Ad Setup to become Compliant?

Publishers who have already implemented other privacy laws like GDPR, CCPA must have understood that they have to make changes in the privacy policies in the same way they did earlier. If you are starting from scratch then you can refer to our CCPA compliance post. It will guide you with the implementation as well as steps for making Google Analytics as well as prebid’s compliance with the law. The steps are the same even when the laws are different.

Online Privacy laws are one of the raising concerns for the publishers. If you’re curious to know more about how you can deal with different upcoming and existing Privacy Laws for the Publishers, we have made a guide for you!

What’s Next?

Make sure you are stating the rights of the data subjects in your privacy policy. Set-up an opt-in process. Make the arrangements for situations when a user can ask for his/her personal data (instructions are available in the CCPA post mentioned above). If your site attracts children then you can set up your line items so that interest-based ads aren’t being served to them. You can refer to our COPPA compliance article for all the necessary steps.