Search for:

Thailand: New draft laws on cross-border data transfer – Now open for public consultation

By , , , and 6 Mins Read

In brief

On 27 October 2023, Thailand’s Personal Data Protection Committee (PDPC) published for public consultation two new pieces of draft subordinate rules regarding cross-border transfer of personal data. These two draft rules, namely: (1) Draft Whitelist Notification and (2) Draft Binding Corporate Rules (BCR) and Appropriate Safeguards Notification, upon becoming effective as binding laws, will serve to expand the available options for making a lawful transfer of personal data outside Thailand in compliance with the Personal Data Protection Act B.E. 2562 (PDPA).

Stakeholders may provide comments on the drafts until 10 November 2023. Therefore, businesses may need to revisit which cross- border transfer option is appropriate for their cross-border transfer, particularly the compliance of the existing BCRs or Appropriate Safeguards (e.g., Standard Contractual Clauses (SCCs)) (if already executed).

In more detail

Under the PDPA, there are three key options for cross-border transfer, which are: (i) Whitelist countries; (ii) Binding corporate rules (BCR); and (iii) Appropriate safeguards (e.g., SCCs).

In September 2022, the PDPC published a previous version of the Draft Appropriate Safeguards Notification (“2022 Draft Version“) to seek public comments. A year later, in preparation for another round of public consultation, the PDPC revised and issued the following new draft subordinate rules regarding data transfer:

(1) (Draft) Notification of the Personal Data Protection Committee on Criteria for the Protection of Personal Data Sent or Transferred to a Foreign Country pursuant to Section 28 of the Personal Data Protection Act, B.E. 2562 (2019) B.E. …. (“Draft Whitelist Notification“)
 
(2) (Draft) Notification of the Personal Data Protection Committee on Criteria for the Protection of Personal Data Sent or Transferred to a Foreign Country pursuant to Section 29 of the Personal Data Protection Act, B.E. 2562.
(2019) B.E. ….(“Draft BCR and Appropriate Safeguards Notification“).

Please see our summary of the key takeaways from each new draft rule below.

Draft Cross-border Transfer Notifications

Capture

1. Adequacy Decision (Whitelisted country)

The Draft Whitelist Notification concerns the PDPC’s adequacy decisions and sets out the criteria for the PDPC to consider before recognizing a third country or international organization as an “adequate” destination country or international organization for the transfer. To make such a determination, the PDPC will have to consider certain factors, such as the existence of equivalent data protection laws and data protection supervisory authorities. A data controller may approach the Office of the PDPC to propose countries for the adequacy assessment.

2. Binding Corporate Rules (BCR)

The Draft BCR and Appropriate Safeguards Notification reflects the same concept as the 2022 Draft Version. The key difference is that the new draft rule explicitly sets out the channels for submitting the binding corporate rules to the Office of the PDPC for approval (while the previous draft version did not), including some minor changes to the criteria for approving the rules.

However, companies should carefully assess the definition of cross-border transfer of personal data (as explained below), to revisit its existing BCRs and determine whether further revisions are required.

3. Appropriate Safeguards (SCCs)

Some key differences include, among others:

  • Fewer clauses: While the SCCs under the 2022 Draft Version included several clauses similar to those found in the EU SCCs (e.g., local law and practice clause, data exporter’s right to suspend or terminate the transfer), the new draft law removed most of those clauses. This results in the inclusion of fewer clauses in a transfer contract when compared with the 2022 Draft Version, but it does not necessarily mean that further revisions to the companies’ SCCs, if already executed, are not required. This is because there are some clauses in the new draft law that still deviate from the EU SCCs.
  • ASEAN Model Clauses and EU SCCs: The 2022 Draft Version did not specifically refer to any non-Thai SCCs. However, the new draft law now explicitly lists ASEAN Model Contractual Clauses and EU SCCs as recognized appropriate safeguards under the PDPA. Modifications to the clauses are only permitted under specific circumstances.

Despite such recognition, it still remains unclear how these safeguards will be properly implemented in Thailand. Localization is likely required, given the differences in the legal interpretation between Thai PDPA regulators and non-Thai regulators.

  • No requirement to certify compliance to the Office of the PDPC: Although the 2022 Draft Version required a controller/processor to certify that the measures taken are in compliance with the SCCs and to also submit such measures to the Office of the PDPC, this same requirement has been left out of the new draft law.
  • Definition of “transfer of personal data”: The Draft BCR and Appropriate Safeguards Notification draws the line between what activities are or are not considered the transfer of personal data, and uses cloud service as an example. The new key criteria for making such a determination is now what we call the “no third-party access” doctrine. That is, data transit or data storage outside Thailand where a third party cannot access personal data is now excluded from the definition of transfer of personal data. This is important since no transfer in the first place would mean there are no cross-border transfer requirements to be triggered.

For example, if a data controller stores personal data in a data center located outside Thailand and no third party other than the controller itself can access such data, this will not be considered a data transfer under the PDPA. However, the revised definition results in broader circumstances to be deemed cross-border transfer, where companies need to revisit their cross-border activities and related contracts to determine whether additional measures/contract revisions are required.

The public consultation was held between 27 October – 10 November 2023. The Thai version of these two draft laws are now available on Thailand’s National Law Portal.

Again, it is worth emphasizing that the PDPC has a different way of interpretation than those adopted by the data protection authorities in other countries or regions, e.g., the European Union. Therefore, business operators may need to revisit which cross- border transfer option is appropriate for their particular circumstances, including considering if any further actions are needed (e.g., localization of the existing SCCs to meet Thai law requirements). If your business has already implemented BCRs or SCCs, please revisit this again for compliance.

We will be closely monitoring the developments in this matter and will keep you updated.

Categories:
Author

Kritiyanee joined Baker McKenzie in 2013 and is a partner in the Intellectual Property and Technology practice. She has experience in data protection, cyber security, and complex technology matters.

Drafted the legal article “the Future is Now and Its Challenges Present: How to determine IP ownership and plan for regulatory compliance in the era of Artificial Intelligence (AI) and the Internet of Things (IoT) symbiosis” published in the Intellectual Property and International Trade Court Law Journal.

Drafted the legal article “Ready or not, Here It Comes - Blockchain and Its Legal Implications” published in the Intellectual Property and International Trade Court Law Journal: Special 20th Anniversary Issue.

Author

Nont is a partner in Baker McKenzie Bangkok's Intellectual Property and Technology practice group. He has more than 25 years of experience representing a wide range of business and institutional clients in various Intellectual Property (IP) and Technology matters.

He is a Certified Information Privacy Professional Europe (CIPP/E) by the International Association of Privacy Professionals (IAPP) and is a regular contributor at events held by international and local associations on TMT issues including personal data protection laws, cybersecurity laws and many other related topics.

Author

Pattaraphan joined Baker McKenzie in 2011 and is a Partner in the Intellectual Property and Technology practice. Before joining Baker McKenzie, she worked at the National Broadcasting and Telecommunications Commission (NBTC) as a legal officer. Pattaraphan is also one of the very few Thai lawyers that is a Certified Information Privacy Professional/Europe (CIPP/E).

Author

Abe is a principal in our Singapore office. His main areas of practice include patents, trade secrets, copyright, and transactional IP for international and domestic clients. With over eleven years of legal experience as a lawyer and over ten years of technical experience as an engineer in the US and Canada, Abe is able to provide commercially oriented legal and technology-specific advice on a wide range of IP issues. Before joining our Singapore office in 2016, Abe was a lawyer in our Baker McKenzie offices in the US (where he passed the US patent bar examination and qualified as a US Registered Patent Attorney (limited recognition)) and Thailand.

Author

Aue-angkul Santirongyuth is a Legal Professional in Baker McKenzie, Bangkok office.

Related Posts