Thailand’s Ministry of Digital Economy and Society has released the latest draft of the Personal Data Protection Bill (PDPB). This bill intends to protect the data privacy of individuals. The PDPB’s submission to the Council of Ministers of Thailand for approval is still pending. If approved in its current form, the PDPB will be enacted one year after being officially published in the Royal Gazette.
In Thailand, the basic right to privacy is provided in its constitution and is recognized and implemented through industry-specific legal requirements related to privacy protection and information technology (IT) security obligations. Examples include the Financial Institutions Businesses Act (2008) and the Telecommunications Business Act (2001). There are several new obligations and offenses in the sector-specific rules and rights under the Civil and Commercial Code of Thailand (CCC) and the Thai Penal Code.
In general, workplace privacy violations may be challenged by an injured party as tort actions in accordance with the provisions of the CCC. These violations include unlawful wrongdoing, unauthorized disclosure, or leaking of personal information that causes damages to employees. Under Thai tort law, employees have the burden to prove both causation and the extent of the damages suffered from the wrongful act in question. This is because Thai courts determine remedies and compensation based on the direct or foreseeable consequences of the wrongful act. Criminal actions related to defamation or illegal disclosure of secrets may be separately pursued. As a result, employers in Thailand may want to obtain consent from employees to be subject to their privacy and data collection policies (including CCTV monitoring and monitoring of employees’ computer usage and online activities) prior to granting them laptops or personal computers.
In the draft PDPB, the overarching prerequisite for any kind of personal data collection, usage, or disclosure by data controllers or data processors is consent. The prescribed methods by which consent can be obtained are in writing or through electronic means, unless it is impossible to do so. To request consent from data subjects, the data controller would be obligated to notify data subjects of the specific purpose for any personal data collection, usage, or disclosure prior to or at the time of collecting such data. Data subjects would be given the right to withdraw such consent at any time, and the data controller would be obligated to notify the data subject in the case that such withdrawal would materially affect the data subject. A notable exception to the requirement of having to obtain prior consent is data sought per the terms agreed to under a contract or during the performance thereof. Unauthorized personal data collection, usage, or disclosure, and associated penalties thereto under the draft PDPB, would apply to individuals and juristic persons acting as data controllers or data processors across Thailand and potentially abroad.
Comment
The extent to which the above requirements regarding the collection, usage, and disclosure of employees’ personal data would apply remains unclear. Similarly, the draft law is somewhat ambiguous as to the limits to which employers may rely on exceptions to consent in the context of contractual and statutory obligations. The PDPB would be one of the key pieces of legislation to significantly impact business operators, not only from the perspective of internal management of the workforce, but also from the viewpoint of maintaining customer relationships.
Written by Kraisorn Rueangkul of DFDL and Roger James of Ogletree Deakins