Thai Cabinet Approves Draft Personal Data Protection Exemptions for Specific Activities

In July 2022, the Thai cabinet approved in principle a royal decree exempting some businesses and other entities from parts of the Personal Data Protection Act B.E. 2562 (PDPA).

The draft royal decree proposes to exempt certain business operators and activities from the requirements of the following portions of the PDPA:

• Chapter II: Personal Data Protection – Consent, notification, cross-border transfer of the personal data requirements, etc.
• Chapter III: Rights of the Data Subject – Requirements and criteria on data subject rights.
• Chapter V: Complaints – Requirements on the submission of complaints to the Office of the Personal Data Protection Commission.
• Chapter VI: Civil Liability – Conditions in relation to the civil liability of a data controller or data processor.
• Chapter VII: Penalties – Administrative and criminal penalties.

The proposed exemptions would apply to three main categories of business operators and activities:

1.Data controllers acting on government requests in adherence with specific laws for the following purposes:

• State security and public safety. Exempted operations include activities intended to safeguard state security, intelligence, and information relating to national security, as well as efforts to maintain fiscal and economic security and public security. Also exempt are prevention and suppression of certain criminal activities, such as money laundering, drug trafficking, transnational threats and terrorism, transnational crime, and human trafficking; activities to bolster anticorruption or cybersecurity efforts; and actions relating to public health, sanitation to prevent epidemics, and protection of public life, health, and property.
• Taxation. Exempted activities include those related to tax collection under laws that are the responsibility of the Revenue Department, Customs Department, or Excise Department. This also extends to any action relating to the enforcement of taxation fees or duties, and actions related to social security, the performance of obligations, or international cooperation.
• Risk mitigation, monitoring, and surveillance. These purposes include monitoring and providing measures to mitigate remedial damage caused by threats to national security. Qualifying actions in this category are conducted by competent officials and government agencies in accordance with laws to prevent public disasters or threats that may affect the public.

2.Processing of personal data for government organizations for the public interest or for compliance with international agreements.

3.Processing of personal data for domestic or international court proceedings (e.g., by judges, public prosecutors, inquiry officials, legal professionals, government organizations, or other relevant officials).

By Tilleke & Gibbins, Thailand, a Transatlantic Law International affiliated firm. 

For further information or for any assistance please contact thailand@transatlanticlaw.com

Disclaimer: Transatlantic Law International Limited is a UK registered limited liability company providing international business and legal solutions through its own resources and the expertise of over 105 affiliated independent law firms in over 95 countries worldwide. This article is for background information only and provided in the context of the applicable law when published and does not constitute legal advice and cannot be relied on as such for any matter. Legal advice may be provided subject to the retention of Transatlantic Law International Limited’s services and its governing terms and conditions of service. Transatlantic Law International Limited, based at 42 Brook Street, London W1K 5DB, United Kingdom, is registered with Companies House, Reg Nr. 361484, with its registered address at 83 Cambridge Street, London SW1V 4PS, United Kingdom.