Kritsada Subpawanthanakun: reporter
Kittiya On-in: cover photo
Enforcement of the 2019 Personal Data Protection Act (PDPA) has been postponed for 3 years. A committee member was appointed from the National Security Council as being qualified to protect the national interest. The text contains many exemptions from the law, or do the principles need to make way for the exceptions?
- An important principle in personal data protection is the concept of consent, but the Act has many exceptions which enable the collection of personal data without the consent of the data owner.
- The government postponed enforcement of the 2019 Personal Data Protection Act for 3 years, which is considered unusual, while the private sector has hosted more training on this Act in order to find ways to bypass its provisions.
- Most of the committee members are government officials and former government officials, raising doubts about whether protecting the freedoms of citizens will be important.
- The Act has many exemptions to enforcement, which may impact the protection of personal data.
- Personal data protection laws must be based on a foundation of human rights, not technology. The 2019 PDPA is based more on the latter than on protecting rights.
Enforcement of the 2019 Personal Data Protection Act has been postponed for 3 years and it will come into force on 1 June 2022, unless it is postponed again. The government claimed the reason for the latest postponement was the impact of the COVID-19 pandemic. Then Anusit Kunakorn, former Secretary-General of the National Security Council (NSC), was appointed to the committee as an expert qualified in protecting national benefits. Many parties have questioned the meaning of this appointment.
An important principle of personal data protection laws is the consent of the data owner. Looking only at this principle, the 2019 PDPA is considered to be in line. However, when we look at the detail and its future enforcement, it could be another story altogether, because the law is full of loopholes which allow exemptions to the Act.
The foundational concept may seem to be based on human rights. But Nakorn Serirak, lecturer at the College of Local Administration, Khon Kaen University, and the director of Privacy Thailand, points out why we should be concerned.
The heart of personal data is consent
The basic principle for personal data is privacy, which has many dimensions, such as privacy in one’s home, privacy in communication, or privacy over one’s body. Personal data is another dimension of privacy. So, it often goes along with the principle of consent which is considered to be its basic principle. Nakorn gave further details.
“If you ask what is personal data, it is data that can identify a person. So the word Nakorn may not be personal data, but if it’s Nakorn coupled with the family name Serirak, as well as my date of birth, then it is personal data, because it clearly indicates that it’s me not you.”
How well does Thailand’s PDPA answer the issues?
“If the principle is consent, then the collection, maintenance, oversight, and control [of data] has to be under this principle. The Thai Act is considered to be in accordance with the principle and standards, because all laws across the world are based on this foundation. Infringing on privacy rights in the dimension of data requires consent and there must be an oversight organisation to prevent personal data violations.”
The content of the PDPA is considered to be in accordance with the principle, but the problem may be in the details. For example, although the Act indicates that collecting personal data requires consent, exceptions are also set out. Nakorn explained that, if one is going to adhere to the concept of consent, the law needs to work with this as its basis. On the other hand, if the concept of the overall law is how to collect personal data legally, then various conditions will be listed, then the principle of consent explained at the end. This shows the tone or concept of the law has started to differ from international principles.
“Enforcing the Act must adhere to consent as its major principle, but if the tone of the Act says that consent is the last necessity, then if you want to collect any kind of data you can collect it using this or that reason, then in the end, if there is no other reason for you to use, then you can seek consent. See? It’s a 360-degree turn. That’s why it will be a problem – although the principle is like that, in actual enforcement it’s another matter.”
A 3-year postponement is not normal
Nakorn narrated the origin of the Personal Data Protection Act that started in 1996, from a cabinet resolution stating that Thailand should have a personal data protection law. Then, the 1997 Official Information Act was enacted, but there was as yet no mention of data in the private sector.
Then when the Personal Data Protection Act was passed in 2019, it was postponed for 3 years. Nakorn observed that this is quite strange: enforcement of the Act was postponed more than once, with the postponement due to end this 1 June, yet the committee and office were appointed immediately, although the Act should be enforced as soon as possible.
“Other Acts are enforced within 60 or 90 days, then announced in the Royal Gazette. But this Act was held up twice. Enforcement was going to take 1 year. The reason was that the relevant agencies were not ready; high-level technology is required for implementation.
“Then, the reason became Covid-19. It was said that this situation raised the investment needed for implementation. Giving these kinds of excuses is why I said something is suspicious. Entrepreneurs aren’t ready, but why are you worried about entrepreneurs? Why aren’t you worried about us whose data is being used and exploited every day?
“In the past 2 years there have been many experts in personal data in Thailand. When Company A says they would like to have training on privacy, on personal data, by Mr. A, an expert in personal data, the main tone comes out in a way that seems to be trying to explain how to collect data without getting fined, arrested or sued. If interpreted in my way, you’re teaching people to violate privacy legally, even though we should be training on what to do so that companies will not violate other people’s privacy.”
Another problem is that some aspects of personal data are protected by one Act but not another. Nakorn provided an example. In the case of a death, the Official Information Act provides protection for the personal data of the deceased, but the Personal Data Protection Act does not.
“If there is a problem, then which state agency is responsible for deciding? Information about the deceased at a private hospital, of course, needs to approach the Office of the Personal Data Protection Committee under the new Act. Then if the death is at Siriraj Hospital, the law says that if there is another law in effect, then use that law, unless the regulations, penalties, complaints, compensation say to refer to a law with a higher level of protection. But the question is, in actual practice, will the information go to the Office of the Official Information Committee at the Office of the Prime Minister or to the Personal Data Protection Committee at the Ministry of Digital Economy and Society?”
Suppose that information about the deceased was infringed on, was sold – can the victim use the compensation mechanisms according to the 1997 Official Information Act which contains no criminal charges, while the 2019 Personal Data Protection Act contains criminal charges but does not protect personal data of the dead?
Or in the case of sensitive data which may lead to discrimination, such as on religion, ethnicity, political views or gender orientation, Nakorn said that, on principle, this cannot be collected in any case, but in Section 26, there are many exceptions which allow this.
Most Personal Data Protection Committee members are government officials
Out of the 16 Personal Data Protection Committee members, 6 are from governmental agencies: the Permanent Secretary of the Ministry of Digital Economy and Society, the Permanent Secretary of the Office of the Prime Minister, the Secretary-General of the Council of State, the Secretary-General of the Consumer Protection Board, the Director-General of the Rights and Liberties Protection Department and the Attorney-General.
The Chair and qualified members are recruited and appointed from those with knowledge and expertise in various fields, such as personal data protection, consumer protection, information and communication technology, sociology, law, public health, finance or other fields.
The term “other fields” is another point where Nakorn sees the law opening a loophole for the state to appoint a member from a field they choose. In the past, Anusit Kunakorn, former Secretary-General of the National Security Council, was appointed as an expert member in protecting national benefit and he himself cannot answer what this means.
From the entire list, Nakorn expresses the opinion that the Committee is like a government agency and he is not certain that they will abide by the principle of prioritizing the protection of citizens’ freedom.
Opening loopholes for the law to be unenforceable
Section 4 also stipulates that this Act cannot be used for the following:
- The collection, use or disclosure of personal data for the personal benefit or family activities of the person collecting the data.
- The operation of state agencies responsible for maintaining state security, including state financial security, or protecting the safety of citizens, as well as responsibilities related to the prevention and suppression of money laundering, forensic science or cybersecurity.
- Persons or legal persons that use or disclose personal data collected only for the purpose of mass media businesses, arts or literature in line with professional ethics or public benefits.
- The House of Representatives, Senate and Parliament, including committees appointed by said bodies which collect, use or disclose personal data in line with the responsibilities and authorities of the House of Representatives, Senate, Parliament or committees, on a case by case basis.
- Court legal procedures and the operations of officials in the judicial process, legal execution and property deposit, including criminal justice procedures.
- Data operations of the National Credit Bureau and its members, in accordance with the Credit Information Business Act.
In the next paragraph of the same Section, there is another point: ‘exemption to the enforcement of this Act, in part or whole, by a Personal Data Controller in any form, affair or agency similar to a Personal Data Controller in Paragraph 1 or for any other public benefit shall be stipulated by Royal Decree.’
“This Act is not to be applied to data operations by the National Credit Bureau and its members in accordance with the Credit Information Business Act. When we take a look at the Credit Information Business Act, we see that its members include banks. So this Act does not affect banks, which is very funny.
“When I give talks and meet lawyer friends, I would ask them about this point. Do they understand this to mean that banks are exempted? 50:50. Half of the lawyers will say exempted, the other half say not exempted. However, nowadays it seems that all banks adhere to this Act. There has been an announcement from the Bank of Thailand setting out guidelines on operations relevant to personal data. A code of good governance on overseeing customer data was announced, which is a very good standard. However, whenever there is a case where someone sues a bank for violating the PDPA, I think the bank’s legal department would likely fight on Section 4 (6), claiming that they do not fall under this Act.”
The Personal Data Protection Act needs to be based on the concept of human rights
Because of the content of the Act discussed above, and the current political situation where violations of the people’s rights and freedoms are a common occurrence, it is worrisome whether the 2019 Personal Data Protection Act is going to become a tool of the people to protect rights or a tool of the government to violate rights.
The question is, is the thinking behind this Act based on human rights or just about technology? Nakorn said:
“Placing it inside the MDES has already clearly shown that they see this as an issue of technology. It’s Data Technology. They don’t see it as a law protecting people’s rights. I once proposed in my research that it needs to be in the form of an independent organisation, like in Germany, where it’s clear that the organisation reports to the Senate, connecting it to an oversight mechanism run by an organisation elected by the people.
“I proposed many models. For example, if it is to stay as a state organisation, then it should be with the National Human Rights Commission. Since it’s been placed with MDES, that’s the end of it. If the organisation has no independence to look after the people, it will tilt – tilt towards the state.”
On 7 April, Prachatai English recorrected Nakorn's opinion about the law concept in the 4th paragraph.