Thailand
The Personal Data Protection Act (PDPA) limits what companies (in the role of data controllers) can do with people’s personal data, to the extent that they must:
- inform the data subjects of the purpose of the collection, use or disclosure of their personal data; and
- obtain their consent either in writing or by electronic means.
Such consent must not be obtained fraudulently – for example, by misleading the data subject about how the information will be used. The use or disclosure of personal data in a manner that differs from the purpose to which the data subject initially consented is prohibited unless:
- it is permitted by law; or
- the data controller informs the data subject of the new purpose and obtains their amended consent.
A data subject may withdraw his or her consent at any time, unless restricted by law or any agreement that is beneficial to him or her. If a data controller fails to comply with the provisions of the PDPA, the data subject may request that his or her personal data be deleted, destroyed, suspended or anonymised.
Thailand
Certain service providers in these sectors may be categorised as critical information infrastructure providers and may thus be subject to the Cybersecurity Act BE 2562 (2019). The Cybersecurity Act was published on 27 May 2019 with the aim of introducing legal safeguards to:
- protect national security in cyberspace, including through a cybersecurity risk assessment plan; and
- prevent and mitigate cybersecurity threats that may affect the stability of national security and the public interest (eg, the economy, healthcare, international relations, government functions).
The TMT sectors are covered by the Cybersecurity Act, as it is intended to protect Thailand’s national security systems from cyber-related threats and crime. The Cybersecurity Act broadly defines ‘cyber’ as any information or communications from a computer network, a telecommunications network or the Internet. It focuses on the safety of government computer systems and authorises government entities and officers to implement its provisions. A National Cyber Security Committee created under the act will be responsible for all national security matters connected with the government’s data and computers.
Cyber threats are categorised into three levels under the Cybersecurity Act as follows:
- Non-critical: Any threat that may negatively impact on the performance of a government computer system.
- Critical: Any threat to a government computer system related to national infrastructure, national security, the economy, healthcare, international relations, the functions of government or similar which may cause damage to or impair a government computer system.
- Crisis: Any threat more significant than a critical-level event, which may have a widespread impact such as:
  - causing the government to lose control of a computer system; or
  - presenting an immediate threat to the public that could lead to mass destruction, terrorism, war or the overthrow of the government.
On 11 December 2021, to help determine the severity of cyber risks, the National Cyber Security Committee issued the Notification of the Cyber Security Committee Re the Types of Cyber Threats and Measures to Prevent, Withstand, Evaluate and Suppress Cyber Threats, 2021, to characterise and assess each cyber threat level based on a variety of parameters. The cyber threat level is determined by analysing situations, repercussions, dangers and trends that may result from cyber threats in various cases, in light of the following variable factors:
- the impact on equipment or the system;
- the impact on data in the system;
- system recovery tendencies; and
- the impact on customers or service users.
All four variables should be evaluated when defining each level of cyber threat. If a threat exhibits multiple variables or characteristics, the highest level indicated among them should be used as the level of cyber threat. In addition, the operators of critical information infrastructure, in collaboration with the regulators, may consider additional evaluation variables and cyber threat characteristics to provide instructions on how to accurately define the level of cyber threat.
Thailand
The PDPA has been in force since June 2022. However, the Personal Data Protection Committee has not yet issued sufficient ancillary laws to provide more clarity and specific details on this legislation. Thus, in practice, certain areas of the data protection laws remain unclear, including matters such as:
- the data representative and its obligations and responsibilities; and
- cross-border data transfers.