Almost one year ago, the Personal Data Protection Act (PDPA) was signed into law. It seemed Thailand was about to have its own data protection law that would safeguard the rights of internet users, similar to how the Europeans have their well-known General Data Protection Regulation (GDPR).
The new law had a one-year grace period until May 27, to allow businesses some time to adapt to the new realities.
However, the cabinet announced on May 12 that the grace period will be extended for another year, because “not all sectors are ready yet” and “due to COVID-19.”
Even with the extended grace period, it’s worth looking into the law that may become a reality, one year from now.
Who’s covered by this law?
Everyone who resides in the country is covered by this law. This includes tourists and expats.
Also, if you are outside of Thailand, but the business that asks for your data is located in Thailand, then you are covered.
However, the law only protects data of the living. Deceased people are not covered.
What counts as personal data?
This law is written to protect your personal data. But what counts as personal data?
In short, any piece of information that can be used to identify a person can be considered personal data.
This includes obvious things like name, phone number, email address and home address. But it also covers the not-so-obvious ones, such as a combination of age, occupation and hometown that can be used as a clue to identify a person.
What are your rights?
In a nutshell, this law gives you a range of powers to say “yes” or “no” when someone wants to make use of your data, such as collecting or sharing it.
No one can collect, use or share your data without your explicit consent, which you can give in writing or by clicking or swiping “I agree” on a website or an app. You may also withdraw your consent at any time.
Once you have given consent for a person or a business to use your data, they become your data controller.
A data controller is also required to give you a “privacy notice” when asking for your consent, which mainly consists of an explanation of why they need your data, how long they will keep the data and whom they may share your personal data with.
This notice is like a promise that a data controller must keep, once they have your data.
Here are some other important rights that you should know about:
- You have the right to access your data or obtain a copy of your data.
- You have the right to object to the collection, use or sharing of your personal data and to request its deletion or the suspension of its use.
- You have the right to request the deletion and destruction of your personal data when you withdraw your consent. You may also request that its use be suspended instead of deleted.
- You have the right to make sure your personal data is accurate and to request that its use be suspended if it is not.
That’s nice, but how can I make use of these rights in the real world?
These rights mean you no longer have to put up with people who get hold of your data and use it without your permission.
You’ll be able to tell cold-callers who try to sell you insurance or credit cards to remove your number from their systems, and by law they would have to comply. The law is quite clear on giving you the power to object to the use of your data for direct marketing purposes.
If you are signing up for a new website account, you’ll be able to refuse if the website is trying to collect your data and sell it to other people. And you’ll still be able to use the website. This is because the law requires that businesses do not ask for your data as a condition of providing services.
This also means you will need to squint and read the fine print before giving consent. But the law also dictates that “privacy notices” must be in plain language and must not mislead you about the true purpose of collecting, using or sharing your data.
But of course, there are loopholes
Unfortunately, there are also plenty of exceptions in this law.
Some of them are fair. For example, there is an exception where doctors must know your medical history, or where the collection of your personal data is required to make sure you keep up your end of a contract.
But many exceptions leave room for businesses, and especially government bodies, to wiggle.
For one, the collection, use or sharing of personal data without consent can be exempted if it is done for the sake of “public interests.” Obviously, this has a broad interpretation and gives the government a lot of leeway to justify its use of your data.
Secondly, data controllers can reject most data requests, although they have to provide justification and keep records of the rejection.
In disputes where data controllers refuse to comply with data requests, data subjects have the right to complain to the Office of the Personal Data Protection Commission, which will set up committees to resolve these disputes.
However, how the disputes will be resolved remains to be seen, at least until the law takes effect. Perhaps a year from now.