On the last day of February 2019, Thailand’s National Legislative Assembly finally approved its long-pending draft Personal Data Protection Act (the “TH PDPA”). After the royal endorsement (which is usually a formal procedure), the law is expected to be published within a couple of weeks.
Heavily affected by the EU General Data Protection Regulation (“GDPR”), the TH PDPA entitles data subjects the right to delete, in addition to other rights that are usually provided in other jurisdictions. Also, the TH PDPA will apply not only to companies located in Thailand, but also overseas companies which collect, use, or disclose personal data of subjects in Thailand, specifically for advertisements and “behavior monitoring.” This extraterritorial effect would no doubt increase the burden of compliance for a multinational company, provided that it targets the Thai data subjects. This is also quite similar to the GDPR.
A Personal Data Protection Committee will be established to enforce compliance with the TH PDPA. That said, the law provides a one-year grace time for enterprises to prepare the compliance of it.