On 25 December 2023, the long-awaited notifications of the Personal Data Protection Committee (the "PDPC") on cross-border transfer of personal data were finally published in Thailand's Royal Gazette.
These notifications are:
- The PDPC Notification Re: Criteria on Protection of Personal Data transferred to third countries pursuant to Section 28 of the Personal Data Protection Act B.E. 2562 (as amended) (the "PDPA") B.E. 2566 (2023) (the "Section 28 Notification"); and
- The PDPC Notification Re: Criteria on Protection of Personal Data transferred to third countries pursuant to Section 29 of the PDPA B.E. 2566 (2023) (the "Section 29 Notification").
When do these notifications come into force?
Both the Section 28 Notification and Section 29 Notification will come into force on 24 March 2024.
How do these notifications affect business operators?
Any business operator that needs to transfer personal data out of Thailand is subject to the cross-border transfer restrictions under the Thai PDPA. These two notifications provide more clarity on how to comply with those restrictions, in particular how to rely on the available exemptions (e.g., standard contractual clauses ("SCCs") and binding corporate rules ("BCRs")), which has long been an open question among business operators and practitioners.
It is important that business operators follow these notifications and adhere to the restrictions in order to avoid an administrative fine of up to Baht 5 million (approximately USD 150,000) as well as criminal liability (in certain limited circumstances), i.e., imprisonment of 1 year and/or a fine of up to Baht 1 million (approximately USD 30,000).
What is the Cross-border Transfer Restriction?
As a brief overview, the PDPA requires that personal data only be transferred out of Thailand to whitelisted jurisdictions/international organisations that have an adequate level of protection. The whitelisted jurisdictions/international organisations are to be announced by the PDPC based on its "adequacy decision". We expect that the notification setting out the specific "whitelisted" jurisdictions/international organisations will be released later on.
There are certain limited exemptions to this restriction: (i) consent, legal compliance, contract necessity, contract performance, vital interest and public interest (in line with the "derogations" under the EU's General Data Protection Regulation (the "GDPR")) (the "Circumstance-specific Exemptions"); (ii) BCRs; and (iii) appropriate safeguards, including SCCs. Each exemption involves extensive details to be considered and should be applied with caution.
Will the cross-border transfer restriction become effective as a result of these notifications?
No. Under the PDPA, the cross-border transfer restriction will technically become effective only once the PDPC announces the whitelisted jurisdictions/international organisations (which are yet to be announced; the timing is unknown as of the date of this article). However, it is prudent for business operators to make the necessary preparations in advance to ensure they qualify for the available exemptions on the basis of these notifications.
Key considerations addressed in the notifications
The notifications sought to address the following questions:
- What constitutes "personal data transfer"?
- Are there any carved-out activities, e.g., data transit between computer systems/networks, or data storage that is not accessible by third parties (such as data sent via cloud computing service providers)?
- What factors need to be considered in determining whether a jurisdiction or an international organisation has "adequate level of protection"?
- What are the criteria and procedures to approve BCRs?
- What qualifies as other appropriate safeguards, apart from SCCs, under the PDPA?
- How can SCCs be harmonised with those of other key jurisdictions?
Meanwhile, some questions remain unanswered, whether or not intentionally, e.g.:
- There is no further elaboration on the Circumstance-specific Exemptions, and no clear requirement to give preference to the other exemptions over the Circumstance-specific Exemptions, as there is under the GDPR.
- No further information is given on certification that can be obtained from accreditation bodies so that a cross-border transfer is PDPA-compliant. We expect that the PDPC will issue a separate notification in this regard later on.
This article does not and is not intended to constitute legal advice. You should not use or otherwise rely on its contents without obtaining qualified legal advice.