New Thai Law Targets Cross-Border Data Flows

Posted by Written by Muhamad Aziz and Ayman Falak Medina Reading Time: 4 minutes

After the closure of the public consultation period on November 11, 2023, Thailand’s Personal Data Protection Committee (PDPC) issued two subordinate regulations concerning cross-border transfers of personal data, as outlined in the Personal Data Protection Act (PDPA) of 2019. These regulations were officially published in the Official Gazette on December 25, 2023.

The released regulations, encompassing Articles 28 and 29 of the PDPA, delineate crucial aspects and criteria for cross-border personal data transfers. This announcement furnishes enhanced provisions for companies engaged in cross-border operations.

Effective March 24, 2024, both the Whitelist Notice and the Binding Corporate Rules (BCR) and Appropriate Protection Notice have come into operation. These regulations significantly broaden the array of options available to companies for lawful cross-border transfers of personal data outside Thailand, as stipulated by the PDPA.

Whitelist notification

The Personal Data Protection Committee has issued a notification outlining the criteria for safeguarding personal data transmitted to foreign countries under Section 28 of the Personal Data Protection Act, B.E. 2562 B.E. 2566 (2023), known as the “Whitelist Notification.”

As per the Whitelist Notification, any country or organization receiving transferred personal data must uphold sufficient data protection standards consistent with Thailand’s personal data protection laws. Moreover, they must enforce legal measures and possess regulatory bodies ensuring the enforcement of personal data protection. The PDPC is empowered to compile a list of countries or organizations meeting these criteria.

Businesses are advised to keep tabs on whitelisted countries for periodic assessment by the PDPC or reach out to a PDPC office for a compliance evaluation based on the specified criteria.

Furthermore, the notification grants authority to the PDPC Office to refer cases, whether self-identified or submitted by data controllers, to the PDPC for resolution. The PDPC retains the discretion to decide on cases individually or establish a roster of countries or international bodies recognized for maintaining adequate data protection standards.

Binding corporate rules and appropriate safeguards notification

The Personal Data Protection Committee has issued a notification detailing the criteria for protecting personal data transmitted to foreign countries under Section 29 of the Personal Data Protection Act, B.E. 2562 B.E. 2566 (2023), known as the “BCRs and Appropriate Safeguards Notification.”

According to this notification, compliance with Binding Corporate Rules (BCR) involves implementing approved policies aimed at safeguarding personal data exchanged between affiliated businesses or within the same corporate group. Additionally, key requirements include the availability of legal remedies, such as standard contract clauses, certification of standards enforcement by criteria set forth by the PDPC, and binding agreements between Thai and foreign governmental institutions involved in personal data transfers.

BCR implementation entails the establishment of agreed-upon policies to protect personal data transferred within affiliated businesses or the same corporate entity for collaborative business activities.

Businesses are advised to assess their existing BCR, if any, and ascertain whether adjustments are needed to align with the requirements outlined in the BCR and appropriate safeguard notifications.

Furthermore, appropriate safeguards not only serve to protect personal data but also serve to uphold the rights of data subjects, including the provision of effective legal remedies. These safeguards can manifest in various forms, such as standard contract clauses.

Cross-border data transfer requirements

Key to facilitating cross-border data transfers under Article 28 of the PDPA is ensuring that the destination country or international organization receiving personal data from controllers and processors in Thailand maintains an adequate level of data protection. Section 5 of the Adequacy Notice outlines specific factors for assessing protection standards:

  1. Verification of whether the destination country or organization’s legal mechanisms align with Thailand’s personal data protection laws.
  2. Evaluation of the existence of a designated agency or organization tasked with enforcing data protection laws in the destination, ensuring active monitoring and enforcement.
  3. Confirmation of the availability of legal remedies for data owners within the destination country in case of data protection breaches.

The PDPC assesses the adequacy of data protection standards in the destination country or international organization. Under Article 28, Paragraph 3 of the PDPA, the PDPC office may address concerns raised by data controllers or independently gather pertinent information.

Furthermore, the Adequacy Notice stipulates that the PDPC may render decisions on a case-by-case basis or contemplate compiling a list of destination countries or international organizations deemed to uphold sufficient personal data protection standards.

Exceptions to the main requirements of cross-border data transfers

By Article 28 of the PDPA, the prerequisites for adequate data protection standards in cross-border data transfers can be exempted under the following circumstances:

  1. Compliance with the law necessitates cross-border data transfer.
  2. Data subject consent is obtained after informing them of the inadequate personal data protection standards in the destination country or international organization.
  3. Transfer of personal data is imperative to fulfill contractual obligations on behalf of the data subject.
  4. Data transfer is essential to comply with a contract between a Thai-based entity facilitating cross-border data transfer and an overseas entity for the data subject’s benefit.
  5. Sharing data abroad becomes necessary in critical situations to prevent harm to the life, body, or health of the data subject or others, and obtaining consent from the data subject is unfeasible.
  6. Conducting activities of significant public interest, such as collaborating with international organizations for global health research or environmental protection initiatives, necessitates cross-border data transfer.

Conclusion

Thailand has implemented new regulations governing cross-border data transfers, aimed at safeguarding the personal data of Thai citizens when transmitted overseas. These rules mandate that the receiving country or organization maintains sufficient data protection standards. Companies have two avenues to meet these requirements: either transferring data to a country or organization listed by the PDPC or employing PDPC-approved Binding Corporate Rules (BCR). Exceptions to these rules are permitted under specific conditions. It’s incumbent upon companies to verify that the destination country adheres to data protection standards or utilizes an approved transfer mechanism.

 

About Us

ASEAN Briefing is produced by Dezan Shira & Associates. The firm assists foreign investors throughout Asia and maintains offices throughout ASEAN, including in Singapore, Hanoi, Ho Chi Minh City, and Da Nang in Vietnam, in addition to Jakarta, in Indonesia. We also have partner firms in Malaysia, the Philippines, and Thailand as well as our practices in China and India. Please contact us at asean@dezshira.com or visit our website at www.dezshira.com.