THAILAND
Since May 2019
Pillar Domestic Data policies |
Sub-pillar Requirement to allow the government to access personal data collected
Cyber Security Maintenance Act 2019
Section 64 of the Cyber Security Maintenance Act (CSA) 2019 states that, if it is necessary for the prevention, handling, and reduction of cyber threat risks, the Cyber Security Supervisory Committee (CSSC) shall order State agencies to provide information in their possession and related to cybersecurity maintenance.
Also, in Section 66, the CSSC has the power to carry out or order competent officials to carry out operations, only to the extent necessary for preventing cyber threats, in the following matters:
- to enter a place for inspection upon written notification;
- to gain access to computer data, computer systems, or other related data, and to make copies of or screen such data;
- to test the functionality of computers or computer systems;
- to seize or attach, only to the extent necessary, computers, computer systems, or equipment, not exceeding 30 days.
To carry out activities under (2), (3), and (4), a motion must be filed with the competent court. However, in case of emergency where the threat is critical to cybersecurity, the Secretary-General shall take immediate action to the extent necessary for preventing and remedying damage in advance without filing a motion with the Court (Section 68).
Coverage Horizontal
Sources
- https://data.opendevelopmentmekong.net/dataset/329b4f41-f309-4348-9015-23c6f62d5fb4/resource/ea9a61bc-fba9-41ae-9dd0-d31ca5f36ff5/download/843708_0001.pdf
- https://www.krisdika.go.th/librarian/get?sysid=834303&ext=pdf
- https://data.thailand.opendevelopmentmekong.net/th/laws_record/cyber-security-act-b-e-2562-2019
- https://www.lawplusltd.com/2019/03/thailands-cyber-security-act-personal-data-protection-act-passed
- https://www.dataguidance.com/opinion/thailand-new-laws-cybersecurity-personal-data
THAILAND
Since May 2019, entry into force in June 2022
Pillar Domestic Data policies |
Sub-pillar Requirement to perform an impact assessment (DPIA) or have a data protection officer (DPO)
Personal Data Protection Act, B.E. 2562 (2019)
There is no direct provision of the Personal Data Protection Act that requires the data controller to carry out a Data Protection Impact Assessment. However, the data controller must acknowledge the level of risk and severity of the personal data collected, used, and disclosed which may adversely affect the rights and freedoms of the natural persons. In this regard, Section 37(1) of the Act prescribes a mandatory requirement to review appropriate security measures when it is necessary, or when new technology is adopted.
Coverage Horizontal
THAILAND
Since May 2019, entry into force in June 2022
Pillar Domestic Data policies |
Sub-pillar Requirement to perform an impact assessment (DPIA) or have a data protection officer (DPO)
Personal Data Protection Act, B.E. 2562 (2019)
The appointment of a Data Protection Officer (DPO) is a mandatory condition under the Personal Data Protection Act (PDPA). Section 41 of the Act specifies that the data controller and data processor shall designate a data protection officer in the following circumstances: the activities such as collection, use, or disclosure of the personal data.
The DPO's duties include advising the data controller and data processor, investigating the performance of the data controller and data processor, coordinating and cooperating with the Office or the Personal Data Protection Committee (PDPC) when there are problems, and keeping the personal data confidential (Section 42).
Coverage Horizontal
Sources
- https://thainetizen.org/wp-content/uploads/2019/11/thailand-personal-data-protection-act-2019-en.pdf
- http://www.ratchakitcha.soc.go.th/DATA/PDF/2562/A/069/T_0052.PDF
- http://documents.jdsupra.com/2380c6d9-41fd-48bb-9f78-3fba5aa25e52.pdf
- https://www.dataguidance.com/notes/thailand-data-protection-overview
THAILAND
Since June 2007, last amended in January 2017
Since August 2007
Pillar Domestic Data policies |
Sub-pillar Minimum period for data retention
Commission of Computer-Related Offences Act 2007
Notification of the Ministry of Information and Communications Technology regarding Computer Traffic Data Retention Criteria of Service Providers 2007
Section 26 of the Commission of Computer-Related Offences Act 2007 (so-called Computer Crimes Act 2007) (amended 2017) defines 'computer traffic data' as data in relation to the communication of computer system or the origin, time, duration, type of service, or else related to the computer system. The Act requires a service provider to retain computer traffic data for not less than 90 days from the date when the data was entered into the computer system. If necessary, the competent official may order any service provider to retain computer traffic data for a period exceeding 90 days but not exceeding 2 years as a matter of an individually exceptional case and on an ad hoc basis. Also, the service provider shall maintain client data which is necessary for identifying the client since their first use of service and shall maintain such data for not less than 90 days as from the ending date of service. Those who fail to comply with this measure shall be liable to a fine not exceeding 500,000 Thai Baht (approx. USD 14,000).
The Notification on Computer Traffic Data Retention Criteria for Service Providers in 2007 provides detailed information regarding this matter. For example, the computer traffic data must be maintained under secured measures using a centralized log server, data archiving, or data hashing (Clause 8). Moreover, the service providers (telecommunication and broadcast carriers, access service providers, host service providers, and content service providers) need to retain the information as the law requires (Clause 5).
Coverage Telecommunication and broadcast carrier, access service provider, host service provider, and content service provider
Sources
- https://www.krisdika.go.th/librarian/get?sysid=766928&ext=pdf
- https://www.krisdika.go.th/librarian/get?sysid=809768&ext=pdf
- https://www.krisdika.go.th/librarian/get?sysid=556460&ext=pdf
- https://www.krisdika.go.th/librarian/get?sysid=766868&ext=pdf
- https://www.krisdika.go.th/librarian/get?sysid=809777&ext=pdf
- https://www.krisdika.go.th/librarian/get?sysid=561153&ext=pdf
THAILAND
Since November 2002
Pillar Domestic Data policies |
Sub-pillar Minimum period for data retention
Credit Information Business Operation Act B.E. 2545 (2002)
Section 17(6) of the Credit Information Act requires that a credit information company or a person assigned to process information shall set up a system of recording and reporting the result of every access to the credit information. The information record must be kept for at least 2 years from the date of access to the information.
Coverage Financial sector
Sources
- http://web.krisdika.go.th/data/outsitedata/outsite21/file/CREDIT_INFORMATION_BUSINESS_OPERATION_ACT,B.E._2545.pdf
- https://www.krisdika.go.th/librarian/get?sysid=809805&ext=pdf
- https://www.krisdika.go.th/librarian/get?sysid=571417&ext=pdf
- https://www.krisdika.go.th/librarian/get?sysid=725246&ext=pdf
THAILAND
Since August 2006
Pillar Domestic Data policies |
Sub-pillar Minimum period for data retention
Notification of the National Telecommunications Commission regarding Telecommunications Service Users' Rights Concerning Personal Information Rights to Privacy and Freedom of Communication 2006
The Notification on Telecommunications Service Users' Rights 2006 issued by the National Telecommunications Commission (NTC) states that licensed telecommunications service providers must retain their users' data for the last three months after the service is terminated (Clause 8). The personal data of telecommunication users includes the factual information that can identify the individual user, usage details, subscriber number, and behavioural activity in the use of telecommunication services. In case of necessity, the period of data retention may be extended, but it will not exceed two years.
Coverage Telecommunications sector
Sources
- https://www.nbtc.go.th/getattachment/law/กิจการโทรมนาคม/ประกาศ/ประกาศ-กทช-เรื่อง-มาตรการคุ้มครองส...
- https://www.nbtc.go.th/law/law_noti/ประกาศ-(1)/ประกาศ-กทช-เรื่อง-มาตรการคุ้มครองสิทธิของผู้ใช้บร...
- https://iclg.com/practice-areas/telecoms-media-and-internet-laws-and-regulations/thailand
THAILAND
N/A
Pillar Cross-border data policies |
Sub-pillar Participation in trade agreements committing to open cross-border data flows
Lack of participation in agreements with binding commitments on data flows
Thailand has not joined any agreement with binding commitments to open transfers of data across borders.
Coverage Horizontal
THAILAND
Since May 2019, entry into force in June 2022
Pillar Domestic Data policies |
Sub-pillar Framework for data protection
Personal Data Protection Act, B.E. 2562 (2019)
The Personal Data Protection Act provides a comprehensive regime of data protection in Thailand and it is the first consolidated legislation providing general data protection within Thailand. The Act is based on the General Data Protection Regulation (Regulation (EU) 2016/679) (GDPR) and contains many similar provisions, although they differ in areas such as anonymisation. More specifically, the Act introduces obligations for data controllers and data processors including lawful grounds of data collection, use, and disclosure, restrictions on data transfers to foreign countries, and requirements for breach notification, as well as rights for data subjects. The Ministry of Digital Economy and Society and Personal Data Protection Committee have released draft secondary laws and guidelines to clarify the provision of the Act in areas such as data security, data transfers to foreign countries, as well as requirements for data protection officer appointment and the conducting of Data Protection Impact Assessments.
Coverage Horizontal
THAILAND
Since May 2019, entry into force in June 2022
Pillar Cross-border data policies |
Sub-pillar Conditional flow regime
Personal Data Protection Act, B.E. 2562 (2019)
According to Part 3 of the Personal Data Protection Act 2019 (PDPA), transferring data outside Thailand is only allowed if the destination country has adequate data protection standards or approaches. There are four exceptions to the adequacy requirement in the law, as follows:
- A data subject's consent to transfer has been obtained;
- Specific statutory exemptions apply;
- The receiving organization provides suitable protection measures that enable the enforcement of data subject's rights;
- The receiving organization has put in place a "personal data protection policy" applicable to overseas data transfers.
According to Section 16(5) of the Act, the Personal Data Protection Committee (PDPC) has the power to announce and establish criteria for providing protection of personal data that is sent or transferred to a foreign country, including the list of adequate jurisdictions.
Coverage Horizontal
THAILAND
Since December 2010
Pillar Telecom infrastructure and competition |
Sub-pillar Presence of independent telecom authority
Act on the Organization to Assign Radio Frequency and to Regulate the Broadcasting and Telecommunications Services B.E. 2553
According to the Act on the Organization to Assign Radio Frequency and to Regulate the Broadcasting and Telecommunications Services B.E. 2553, the executive authority for the supervision and administration of services in the telecommunications sector in Thailand is the National Broadcasting and Telecommunications Commission. It is reported that the National Broadcasting and Telecommunications Commission is independent from the government in the decision-making process.
Coverage Telecommunications sector
THAILAND
Since November 2002
Pillar Cross-border data policies |
Sub-pillar Ban to transfer and local processing requirement
Credit Information Business Act 2002
The Credit Information Business Act 2002 specifically covers the collection and processing of credit information. Chapter 2 states that only a credit information company has the right to operate the credit information business (section 9). Section 12 of the Act states that "No credit information company or information controller or information processor carrying on or operating the business in the Kingdom shall operate, control or process information outside the Kingdom."
Coverage Credit information companies
Sources
- https://www.krisdika.go.th/librarian/get?sysid=809805&ext=pdf
- https://www.imolin.org/doc/amlid/Thailand_Credit%20Information%20Business%20Act.pdf
- https://www.krisdika.go.th/librarian/get?sysid=571417&ext=pdf
- https://www.lexology.com/library/detail.aspx?g=b64c3413-1a36-4452-ae97-afcce941c991
- https://www.lexology.com/library/detail.aspx?g=a817a4c1-5f6b-472b-8b8a-264a37990808
THAILAND
Since March 2022
Pillar Telecom infrastructure and competition |
Sub-pillar Signature of the WTO Telecom Reference Paper
WTO Telecom Reference Paper
Thailand has appended the World Trade Organization (WTO) Telecom Reference Paper to its schedule of commitments.
Coverage Telecommunications sector
Sources
- https://docs.wto.org/dol2fe/Pages/FE_Search/FE_S_S009-DP.aspx?language=E&CatalogueIdList=283388,4362,11329,3888,46782,8369&CurrentCatalogueIdIndex=5&FullTextHash=&HasEnglishRecord=True&HasFrenchRecord...
- https://docs.wto.org/dol2fe/Pages/FE_Search/FE_S_S006.aspx?Query=(@Symbol=%20gats/sc/*)%20and%20((%20@Title=%20thailand%20)%20or%20(@CountryConcerned=%20thailand))&Language=ENGLISH&Context=FomerScript...
THAILAND
N/A
Pillar Telecom infrastructure and competition |
Sub-pillar Functional/accounting separation for operators with significant market power
Lack of mandatory functional separation for dominant network operators
Thailand does not mandate functional separation for operators with significant market power (SMP) in the telecom market. However, accounting separation is mandated.
Coverage Telecommunications sector
THAILAND
Since August 2011
Since May 2019
Pillar Telecom infrastructure and competition |
Sub-pillar Maximum foreign equity share for investment in the telecommunication sector
Notification of the National Broadcasting and Telecommunications Commission regarding Schedule of Prohibitions of Foreign Dominance Behavior 2011
Notification of the National Broadcasting and Telecommunications Commission regarding Schedule of Prohibitions of Foreign Dominance Behavior (No.2) 2019
The Foreign Dominance Notification in 2011 introduces foreign dominance criteria in the telecommunication sector by taking into account elements such as shareholding, management control, and supply relationship. The prohibited behaviors listed in the Schedule of Prohibitions of Foreign Dominance Behaviors include dominance by shareholders, voting rights, controlling power, legal relationships with sources of funds and loans, intellectual property agreements, procurement agreements, joint business operations, and transfer pricing. Nevertheless, the Notification does not apply to the telecoms business having status as a state-owned enterprise license (Clause 5/1, added by the Foreign Dominance Notification (No.2) in 2019).
Coverage Telecommunications sector
Sources
- https://www.nbtc.go.th/getattachment/law/กิจการโทรมนาคม/ประกาศ/ประกาศ-กสทช-เรื่อง-การกำหนดข้อห้าม...
- http://www.nbtc.go.th/getattachment/News/Information/48435/ประกาศ-กสทช-เรื่อง-การกำหนดข้อห้ามการกระทำที่มีลั...
- http://www.weerawongcp.com/data/know/42.pdf
- https://dtac.listedcompany.com/misc/ShareholderMTG/AGM2014/20140225-DTAC-AGM2014-ENC06-EN-02.pdf
THAILAND
Reported in 2018, last reported in 2020
Pillar Telecom infrastructure and competition |
Sub-pillar Presence of shares owned by the government in telecom companies
Presence of shares owned by the government in the telecom sector
The majority of the telecommunications infrastructure, such as the national broadband network and most submarine cable landing stations, is owned by the Government through state-owned enterprises (SOEs). The main SOEs in the telecommunications sector are TOT Public Company Limited and CAT Telecom Public Company Limited.
Coverage Telecommunications sector
Sources
- https://otcc.or.th/wp-content/uploads/2020/02/TRADE-COMPETITION-ACT-B.E.-2560-EN-article_20190221100346.pdf
- https://otcc.or.th/wp-content/uploads/2020/02/article_20190221100332.pdf
- https://www.wto.org/english/tratop_e/tpr_e/s400_e.pdf
- http://documents1.worldbank.org/curated/en/991791530850604659/pdf/Thailand-Economic-Monitor-2018-Beyond-the-Innovation-Paradox.pdf
- https://www.set.or.th/set/companyholder.do?symbol=INET-F&ssoPageId=6