The Joint Standing Committee on Commerce, Industry and Banking (JSCCIB) is calling for the postponement of full enforcement of the Personal Data Protection Act (PDPA), scheduled to come into force on June 1, because businesses are unprepared to comply, particularly small and medium-sized enterprises (SMEs) that remain stymied by economic woes.
According to a PDPA readiness survey by the Thai Board of Trade and the University of the Thai Chamber of Commerce, only 8% of almost 4,000 businesses interviewed said they have taken measures to be fully compliant with the law, while 31% indicated they have not even started the process of compliance.
The survey found making records of processing activity was the most difficult part of the PDPA compliance, with 36.8% of the businesses surveyed citing this issue, followed by making sure all internal departments understand the PDPA, according to 12.1% of respondents.
TWO-YEAR POSTPONEMENT
"JSCCIB sent letters about such concerns to the government in November last year and April this year, asking for the postponement of the PDPA for at least two years so all stakeholders would be ready to comply. The enforcement of the PDPA has a crucial impact on them," Atip Bijanonda, vice-chairman of the Board of Trade, told the Bangkok Post.
While the PDPA is scheduled to be enforced at the beginning of next month, more than 20 subordinate laws have yet to be devised, he said.
Even if the subordinate laws are rolled out in time, businesses still need time to comply with them, said Mr Atip.
The PDPA, which was published in the Royal Gazette in 2019 with a one-year grace period, was already postponed twice because of the pandemic.
Once implemented, it is expected to upgrade personal data protection in Thailand.
During the two-year deferral of the full enforcement of the PDPA, businesses lacked clear compliance guidelines as the Personal Data Protection Committee (PDPC) was not established during that time and related subordinate laws were not rolled out, he said. The PDPC was established in January this year.
According to Mr Atip, the law has created compliance burdens for SMEs as they struggle to recover from the economic impact of the pandemic.
The Office of the PDPC should have a panel dealing with complaints, while the most important issue is to raise public awareness of the PDPA, he said.
EXPLOITATION CONCERNS
Mr Atip also expressed concerns about some ill-intentioned people who may step in to exploit businesses that are unprepared for compliance by demanding money from them in exchange for not blowing the whistle to regulators.
He said strict enforcement of the PDPA would make it more difficult for big data analytics and the country's digital transformation.
"Thailand's PDPA was derived from the EU's General Data Protection Regulation, including some measures that are too strict," said Mr Atip.
Supant Mongkolsuthree, honorary chairman of the Federation of Thai Industries, said the biggest concern among businesses is the jail sentence for the management board.
The PDPA creates a greater burden for businesses at a time when they are fighting against the pandemic and a weak economy, he said.
"If a lot of PDPA-related lawsuits are pursued, this could affect foreign investor confidence and they might focus on doing business in Vietnam or Indonesia instead," said Mr Atip.
In the short term, the Office of the PDPC may consider rolling out legislation postponing full enforcement for another two years, or at least deferring punishment. In the long run, the PDPA may have to be reviewed and amended, he said.
The government should act as a business promoter, not a regulator creating obstacles to doing business, said Mr Atip.
GRACE PERIOD
Thienchai Na Nakorn, chairman of the PDPC, told the Bangkok Post that despite the PDPA timeline for June 1, some sectors will receive a grace period to comply with the law to minimise the impact on their operations.
He said the committee already set up a legal subcommittee to iron out subordinate laws while rushing to form at least three subcommittees responsible for receiving and vetting complaints.
Mr Thienchai acknowledged concerns raised by the JSCCIB and business operators about compliance with the law.
"If the law is misused or exploitation takes place, businesses can report this to the PDPC Office," he said.
Regarding jail terms, Mr Thienchai said this will only happen in cases where management intentionally broke the law, such as selling the personal data of customers.
"If businesses invest in proper protection measures and they encounter data leaks, there is no need to worry about a jail term," he said.
However, if data owners are adversely affected by the leakage of their data, they can count on criminal codes to file lawsuits, which contain both fines and prison sentences.
According to Mr Thienchai, the PDPA will create confidence among foreign business operators, particularly those from Europe, in conducting business in Thailand.
Singapore and the Philippines have also ushered in laws on a par with the Thai PDPA, which include jail terms, he said.
