What is PDPA, and when will it come into effect in Thailand?.

PDPA refers to Personal Data Protection Act BE 2562 (2019). It is a law that was published in May 2019 regarding data protection and is expected to come into effect as from June 1, 2022. It has previously been postponed twice due to Covid-19 concerns. Its acronym is similar to similar laws enacted in Singapore. It is the first law in Thailand that addresses this issue and is expected to create challenges for businesses that operate in online environments, both before and after the law goes into effect. This is due to the wide scope and many requirements that these businesses will need to comply with. The PDPA document is made up of seven chapters and 96 sections. However, with the enforcement of the law having been twice postponed, companies should have had enough time to work on what is needed for full compliance. What is PDPA? There has been much concern around how websites are able to collect personal data from online users and share this with others. PDPA seeks to regulate this activity and provide websites with guidelines on how they should collect consent from the said online users before processing their personal data. As part of gaining this informed consent, the online users must be notified of what data is being collected, how it will be used, and by whom. The personal data must only be used for the expressed purposes alone. This law will apply not just to Thai websites but also to any foreign body that is doing business with online users accessing their websites from Thailand. The penalties for violating the PDPA can include fines of up to THB 5,000,000 and imprisonment for a term of up to one year. These penalties have been regarded by some as too severe. The Federation of Thai Industries (FTI) chair, Supant Mongkolsuthree, pointed to the prison sentence as being harsher than similar laws in other countries and global practice. He has called on the government to consider amending the penalties to the law and only allow for fines as other countries do. When the law was passed in 2019, legislators chose to give affected businesses a one-year grace period to adjust to its requirements. The first and second postponements were granted to allow both private and public sector organisations time to prepare their internal processes and account for the disruption being caused by the pandemic. *Example of how a pop up may appear on websites *visitors should have the option to opt out if they wish To comply with the PDPA, websites are expected to:

• Present online users with a cookie banner that informs them that data will be collected, what kind of data, who is doing the collecting and how long it will be stored.
• Prevent cookies from activating until when online users have consented to their use.
• Allow users the option to deny the use of the cookies.
• Provide a means for users to change or withdraw consent for cookies.
• Only store user consents for up to 5 years as per the law.

This procedure ensures that right from when online users arrive on the site they are given the right to decide if cookies should be used. If they reject the cookies, their decision should be respected and the cookies not activated. What is Personal Data? It is important to understand what constitutes personal data as per the PDPA. This refers to any information that can be used to identify a specific person, directly or indirectly. This data may include, but is not limited to, their name, address, ID number, phone number, and email address. Additional data that the PDPA has also classified as protected includes:

• Biometric data, genetic data and health records
• Gender, sexual orientation and disability status
• Racial, ethnic and religious membership
• Trade union data and political affiliations

As long as the data collected by a website can be used to identify a particular person, then the online user is protected by the PDPA. Websites can collect personal data if there are legal grounds for this, including, due to legal obligations, legitimate interest, public interest or consent. What is Consent In PDPA? Before websites can collect, store, and begin processing data from online users, they are required by PDPA to acquire consent from the user. This consent must be freely given and recorded in written or electronic format. Websites are expected to make their request for this consent in a simple and non-deceptive manner that is distinct from other content on the site. Professional cookie banners are commonly used to present such requests to online users. The standard is to provide online users with a choice of “Yes” or “No” when it comes to granting permission for cookies to be used in tracking their activity and collecting data. Cookies Most online users will be familiar with the use of cookies when visiting websites. They are used by websites to collect personal data on online users and process this for use in digital marketing campaigns. Some of the most common data collected include geo-location, IP addresses, device ID, and online activity. When the data is processed, it is then used for such actions as remarketing campaigns. If an online user matches the profile of online audiences to be targeted by certain advertising campaigns, they will begin to see the ads running as they browse the webpage and website. The same information may again be used to target ads upon repeat visits to the same or affiliated sites. *You may be using tools like Google analytics to create audiences based on website visitors. The data controller or processor bears the responsibility for collecting consent from online users before cookies are allowed from third parties to start collecting this data from the site. Cookies Challenges Business Face In Complying With PDPA  In 2020, auditing firm PriceWaterhouseCoopers (PWC) Thailand conducted a survey to determine the readiness of businesses in complying with the PDPA by the earlier June 2021 deadline. Their study found that though many businesses were aware of the PDPA requirements, most were far from ready for its enforcement. Some ascertained that they would need a year or more to become compliant, particularly when it came to implementing new processes and policies. There is also still some concern over the harsh penalties attached to the PDPA, with many asserting that such business laws should not have criminal penalties attached. However, some note that the punishment is in keeping with the EU’s General Data Protection Regulation. If you’re not sure what you need to do in order to comply with the upcoming PDPA changes, get in touch with one of the team at Phoenix Media and we’ll be able to assist.