Thailand delays data law by a year as COVID-19 stalls preparations

BANGKOK (CNA) – Thailand has given businesses another year to comply with a new personal data protection law due to the impact of the coronavirus crisis on their preparations.

The Personal Data Protection Act became law in May last year with a one-year transition period.

It was intended to imitate the European Union’s General Data Protection Regulation and included clauses on consent and rights of data subjects as well as ways to prevent data abuse.

But days before the grace period ends on May 27, a decree in Thailand’s Royal Gazette effectively delayed it by exempting 22 types of agencies and businesses until the end of May 2021.

The list spans government agencies, international organisations, and virtually all kinds of businesses, such as tourism, telecommunications, technology and banking. “Many organisations are facing difficulties during the pandemic, so they cannot fully adapt to comply with the law yet,” Thailand’s Minister of Digital Economy and Society Puttipong Punnakanta said on Friday.

An employee holds out a special registration code for a visitor to enter a shop at the Siam Paragon shopping mall as it reopened after restrictions to halt the spread of the COVID-19 coronavirus were lifted in Bangkok. PHOTO: AFP

“We also need more time to conduct stakeholder hearings in order to issue follow-up regulations, as that has been interrupted at this time.”

When enforced, the law will apply not only to companies located in Thailand, but also those overseas which collect, use, or disclose personal data of subjects in the country, specifically for advertisements and “behaviour monitoring”.

The law already exempts national security and cybersecurity agencies, Parliament and the senate, and credit information companies and their members, from compliance.

Critics said the data protection delay is worrying as the government ramps up contact tracing efforts to contain the spread of the coronavirus.