1. Introduction
Thailand’s Personal Data Protection Act (“PDPA”) took effect on June 1st, 2022. The legislation aims to protect the personal information of data subjects. This brief specifically focuses on the cross-border transfers of personal data under the PDPA.
On December 25th, 2023, the Personal Data Protection Committee (“PDPC”) published notifications on cross-border transfers of personal data in Thailand’s royal gazette. These notifications include the Criteria on Protection of Personal Data transferred to third countries under Section 28 of the PDPA (2023) (the “Adequacy Notification”) and Criteria on Protection of Personal Data transferred to third countries under Section 29 of the PDPA (2023) (the “Non-adequate Countries Notification”). The Enforcement date of these notifications is March 24th, 2024.
2. Cross-Border Data Transfer Under the PDPA
The PDPA does not define the cross-border transfer of personal data. However, the PDPC’s Adequacy and Non-adequate Countries Notifications provide that cross-border data transfer comes into play when data is sent from Thailand to another country physically or through a computer system or network. For example, a cross-border transfer of data occurs when a server located in Thailand processes and transmits data to a cloud service provider based in another country for processing, use, or disclosure. Generally, there are certain legal requirements that a data controller or processor needs to comply with when sending or transferring data abroad.
The Adequacy Notification outlines that the following scenarios of data transfer do not qualify as cross-border data transfer and, therefore, the requirements of cross-border data transfer would not apply to them:
- When personal data is passing through a system (such as an email server) without being accessed or altered.
- When data is stored temporarily or permanently on a cloud server located abroad where no third party has access to it.
3. Requirements of Cross-Border Data Transfer
The key requirement for cross-border transfer of data, as per Section 28 of the PDPA, is that the destination country or the international organization that receives personal data from data controllers and processors in Thailand must have an adequate level of data protection. According to Section 5 of the Adequacy Notification, assessing the adequacy of protection standards involves careful consideration of the following factors:
- Ensuring that the destination country or international organization has legal measures or mechanisms in place that mirror Thailand's personal data protection laws.
- For instance, ensuring that the destination country has enacted comprehensive data protection legislation.
- Assessing whether there is a designated agency or organization responsible for enforcing data protection laws in the destination country to ensure that the data protection framework is actively monitored and enforced.
- For instance, the existence of a data protection authority with the power to investigate and penalize non-compliance would suffice.
- Verify if there are legal remedies available for data owners in the destination country, providing individuals with recourse in case of data protection violations.
- For instance, having a legal framework and legal avenues that allow individuals to file complaints and seek compensation in case of data breach.
The PDPC assesses the adequacy of data protection standards of destination countries or international organizations. In this regard, Section 28, Paragraph 3 of the PDPA enables the PDPC's office to review issues submitted by data controllers or independently gather relevant information. Additionally, the Adequacy Notification specifies that the PDPC may make decisions on a case-by-case basis or consider establishing a list of destination countries or international organizations with sufficient standards of personal data protection.
4. Exceptions to Key Requirements of Cross-Border Data Transfer
As per Section 28 of the PDPA, the adequate data protection standard requirement for cross-border transfer of data may be exempted in the following situations:
- Where the cross-border data transfer is taking place for compliance with the law. It could include situations such as the disclosure of specific personal data for legal investigations mandated by the law.
- Where the consent of the data subject has been obtained after he/she has been informed of the non-adequate personal data protection standards of the destination country or international organization. It could include instances where an organization transfers personal data to an international research institution located in a non-adequate country after informing the data subject about the destination country's insufficient data protection standards and obtaining explicit consent.
- Where the transfer of personal data is essential to fulfilling contractual obligations on behalf of the data subject.
- Where the transfer of personal data is essential for compliance with a contract between a person/entity based in Thailand making the cross-border data transfer effective, and another person/entity based abroad for the interests of the data subject. It could include a contract with an international organization to improve services for the benefit of data subjects.
- Where sharing data abroad is necessary for a critical situation to prevent harm to the life, body, or health of the data subject or others, and the data subject is unable to provide consent.
- Where it is necessary to carry out the activities concerning substantial public interest. It can include collaborating with an international organization for global health research or environmental protection activities.
5. Mechanisms for Transfer of Cross-Border Data to Non-adequate Countries
The Non-adequate Countries Notification prescribes, in further detail, two primary mechanisms available to data controllers or processors for the transfer of personal data to countries deemed non-adequate by the PDPC:
- Binding Corporate Rules: Multinational corporations with subsidiaries in Thailand and a non-adequate country can transfer personal data across borders. This is permissible after a thorough review and certification of their personal data protection policy, known as Binding Corporate Rules (BCR) approved by the PDPC. These BCRs serve as an internal code of conduct, ensuring consistent and compliant handling of personal data within the corporate network.
- Appropriate Safeguards: Data can be transferred to a non-adequate country from Thailand, if there are appropriate safeguards in place ensuring data subjects have effective legal remedies and their rights can be enforced. These appropriate safeguards include the following:
- Certification Ensuring Appropriate Safeguards: As an appropriate safeguard, a certification can be obtained from the PDPC ensuring that the personal data transferred to a non-adequate country is handled in accordance with Thai law. The certification would reinforce the legal enforceability of the safeguards in place.
- For example, these certifications might be employed when a Thai institution acquires certification from the PDPC to transfer personal data to a non-adequate country for specified purposes.
- Legally Binding Instruments: Legally binding instruments may serve as appropriate safeguards for cross-border data transfer to non-adequate countries. It would ensure that data protection standards are maintained across borders.
- A legally binding instrument may serve as an appropriate safeguard if the Thai government establishes a bilateral agreement with a non-adequate country to facilitate the secure exchange of personal data for law enforcement purposes.
- Code of Conduct: A code of conduct, approved by the PDPC, for cross-border transfer of personal data may serve as an appropriate safeguard when sending personal data to non-adequate countries.
- If a consortium of international businesses operating in Thailand adopts an approved code of conduct for cross-border data transfers it becomes a guiding framework for ensuring data protection compliance across diverse business operations.
