May 28 was the day when the 2019 Personal Data Protection Act (PDPA) went into effect after it was published in the Royal Gazette on May 27, 2019, despite criticism that its provisions would not protect personal data, as the Act’s title claims.
What is the Personal Data Protection Act and why does Thailand need it?
Some 20 years ago, information technology was introduced in Thailand for the first time. This is when computers began playing a role in many occupations and later began storing personal data. This gave rise to discussions about how personal data can be protected from abuse. Thus, the idea of enacting personal data protection law was introduced in Thailand.
Since then, 23 years have passed and the PDPA was enacted and will be fully enforced in 2020.
The essence of the PDPA is to protect all personal data, such as people’s educational background, financial status, health records, criminal record, work record and other personal data like fingerprints, voice, identification card number or numerical data of other documents. The law stops people from using this data for any kind of benefit without consent from the data subject.
Now when we contact different public or private agencies and organisations, we have to provide personal data to carry out any sort of transaction. For instance, when we open a bank account, we have to provide personal information, including a copy of our ID card, our street address and telephone numbers. This information is for opening a bank account, but it can also be used for commercial purposes by being sold or disclosed to other agencies or organisations. For instance, we can receive phone calls from people offering to sell products, even though we have never had any contact with these organisations before – this kind of practice is clear violation of our privacy.
The PDPA tackles this problem by requiring all private and public organisations or agencies holding our personal data to promise not to use this information without our consent.
The law requires both public and private agencies or firms that keep a lot of personal data to have their own “Data Protection Officer”. Such officers may be employees of the concerned organisations or may be outsourced workers tasked with protecting this personal data from being leaked to outsiders and from being used in activities that has not been given consent by the data subject.
The purposes of the law sound good, because it aims to protect personal data and we have never had such protection before. But when it is looked at closely, certain details such as Article 4, can be of concern as it exempts six types of operations:
- Collecting, using and disclosing personal data for the sake of data subject’s own interest or activities of their family;
- Operations of government agencies in charge of maintaining national security, including the state’s financial stability or public safety;
- Preventing and suppressing money laundering;
- Forensic science investigations and cyber security;
- Using or disclosing personal data for journalistic, arts and cultural works in accordance with ethics of the professional organisations or for public interest;
- Deliberations by the House of Representatives, the Senate and Parliament in accordance with their authority, court proceedings, and judicial process as well as operations by the Credit Bureau and its members.
These exemptions have been slammed by academics, who say the law does not really protect people’s personal data.
Does the law really protect personal data?
Many countries have already enacted a personal data protection law. For instance, in the ASEAN region, this law has been implemented in Indonesia, Malaysia, the Philippines, Vietnam and Thailand, while in the West, it is in place in the United States and the European Union (EU).
The EU enforced the General Data Protection Regulation (GDPR) on May 25, 2018, and its Article 2 allows personal data to be used for operations related to maintaining security and public safety.
The same principles have been applied to Thailand’s PDPA, and though the details may be different, its intentions are the same. Therefore, though the law is not yet perfect, it cannot be said it does not provide protection to the people. The PDPA’s related subordinate laws and regulations still need to be enacted to clarify its implementation and to ensure it really meets the public’s needs.
However, the enactment of the PDPA is the first step in protecting the fundamental rights of the Thai citizen, compared to before when there was no such law. This law is bound to be amended and improved in the future, once the country enters the digital economy era fully, when information will play a key role in steering the economy
Society, in the meantime, must learn and deliberate on how the law can be amended, and decide on what kind of information can be used and disclosed so it can serve the Thai society more wholly in the future.
ที่มา : ETDA / 10 ตุลาคม 2562
Link : https://www.etda.or.th/content/personal-data-protection-act-protect-or-not.html