Thailand – New rules for transborder dataflow
The privacy laws in Asia are being transformed and Thailand is no exception – having passed its Personal Data Protection Act in 2019 and brought that law into force in 2022.
The most recent development is the issuance of two notifications by Thailand’s Personal Data Protection Committee (“Committee”) in December 2023 to help legitimise cross-border data transfers. In particular:
- the Notification of the Committee Re: Rules of Personal Data Protection for Cross-Border Personal Data Transfer Pursuant to Section 28 of the PDPA (“Adequacy Decision Criteria Notification”); and
- the Notification of the Committee Re: Rules of Personal Data Protection for Cross-Border Personal Data Transfer Pursuant to Section 29 of the PDPA (“Cross-Border Transfer Notification”).
These notifications will take effect on 24 March 2024.
What is a data transfer?
The notifications define the “transfer of personal data” to exclude: (i) the transfer of personal data by an intermediary during the transit of data; and (ii) data storage where no third party can access the personal data. The notifications give the case of a transfer made via the systems of a cloud service provider as an illustrative example.
Adequacy assessment
The origin of the adequacy assessment is Section 28 of the Personal Data Protection Act which permits the cross-border transfer of personal data if the recipient territory has adequate personal data protection standards in line with the criteria issued by the Committee.
The Adequacy Decision Criteria Notification sets out the criteria that the Committee must consider when it decides whether the recipient territory or international organisation provides adequate levels of protection. Namely, the territory or organisation must:
- have legal mechanisms that are aligned with Thai personal data protection laws, especially on: (i) the obligation of the data controller to implement appropriate security measures; (ii) appropriate and enforceable data protection measures such that the data subject can exercise their rights; and (iii) effective legal remedies; and
- have an authority responsible for enforcement of personal data protection laws.
This so-called “allowlist” follows the same concept as many other jurisdictions’ cross-border transfer rules, which maintain a list of jurisdictions with “adequate” data protection laws, for example, the UK and EU GDPRs, Japan’s Act on the Protection of Personal Information and the Dubai International Finance Centre’s Data Protection Law 2020. Multinationals’ policy teams will be interested to hear that data controllers can propose additions to the Thai allowlist.
Other cross-border transfer mechanisms
Cross-border transfer of personal data from Thailand is also permitted under the Cross-Border Transfer Notification when:
- it is a transfer to a data controller or processor within the same group pursuant to the group’s binding corporate rules (“BCR”) which have been approved by the Committee pursuant to the relevant personal data protection laws and the Committee’s notification; or
- the data controller or processor has arranged for appropriate safeguards – such as standard contractual clauses – pursuant to the Committee’s notification.
Binding corporate rules
To approve any proposed BCR, the Committee will consider whether it:
- is legally binding and enforceable on an organisation or individuals in the group, including the related data processor (e.g. service provider), data exporter, data importer, staff, and other persons related to the data exporter and data importer;
- is in line with personal data protection laws;
- sets out clauses recognising personal data protection, data subject rights and laying out a complaint handling process in respect of the personal data to be exported; and
- sets out personal data protection and security measures that are in line with data protection laws and those security measures have minimum standards set out in law,
(together, “Minimum Standards”).
This has been taken from the EU which first proposed BCRs as a method of complying with the cross-border data transfer rules in the 1995 Data Protection Directive. This BCR concept has since been taken on by the UK GDPR as well as regimes in Singapore, Brazil and South Africa.
Appropriate safeguards – SCCs and certification
Alternatively, transfers can take place on the basis of appropriate safeguards. This could be: (i) standard contractual clauses (“SCCs”); (ii) certification on whether the collection, use and disclosure by the data controller or data processor of personal data relating to the cross-border transfer meets the standards designated as acceptable by the Committee; or (iii) a state treaty or agreement.
These appropriate safeguards must also meet the Minimum Standards.
There is a great deal of flexibility as to the form of SCCs that can be used, with exporters having a choice of:
- the data protection provisions as prescribed in detail in the Cross-Border Transfer Notification;
- the ASEAN Model Contractual Clauses for Cross Border Data Flows (whereby the amendments to such contractual clauses must be limited);
- the Standard Contractual Clauses for the Transfer of Personal Data to Third Countries issued under Article 46(1) together with Article 46(2)(c) and Article 28(7) of the GDPR (whereby the amendments to such contractual clauses must be limited); or
- such other SCC approved by the Committee.
The Committee will publish information and details on the ASEAN and GDPR standard contractual clauses, but these two routes to legitimise cross-border transfers could clearly favour multinationals with regional or European footprints, respectively.
With respect to the certification mechanism, the Cross-Border Transfer Notification only contemplates that the certification must be completed in accordance with an acceptability standard to be later prescribed by the Committee (which will align with data protection provisions in the first bullet above). The timing of this is unknown, but certification has recently become a transfer mechanism increasingly contemplated in other Asian markets such as Mainland China.
Conclusion
This development is part of a wider maturing of data protection laws across Asia, such as the recently enacted Personal Information Protection Law in the PRC, new Decree 13/2023/ND-CP in Vietnam and Indonesia’s new law (see Asia privacy developments – What do multinationals need to know?).