In brief
On 25 December 2023, Thailand’s Personal Data Protection Committee (PDPC) published two subordinate regulations regarding cross-border transfer of personal data under the Personal Data Protection Act B.E. 2562 (2019) (PDPA) in the Government Gazette. These two rules are (1) Whitelist Notification; and (2) the Binding Corporate Rules (BCRs) and Appropriate Safeguards Notification, both of which will come into force on 24 March 2024.
Businesses may need to revisit which cross-border transfer option is appropriate for their specific circumstances, particularly considering whether their existing BCRs (for the Office of the PDPC’s approval) or appropriate safeguards (e.g., existing contractual clauses) are in compliance with the requirements set out by these new subordinate rules.
As previously reported here, the PDPC held the latest round of public consultation for its new draft rules on cross-border transfer between late October and early November 2023.
After the window for the public consultation closed on 11 November 2023, the PDPC published two subordinate regulations regarding cross-border transfer of personal data under the PDPA in the Government Gazette on 25 December 2023:
1. Notification of the Personal Data Protection Committee on Criteria for the Protection of Personal Data Sent or Transferred to a Foreign Country Pursuant to Section 28 of the Personal Data Protection Act, B.E. 2562 B.E. 2566 (2023) (“Whitelist Notification”).
2. Notification of the Personal Data Protection Committee on Criteria for the Protection of Personal Data Sent or Transferred to a Foreign Country Pursuant to Section 29 of the Personal Data Protection Act, B.E. 2562 B.E. 2566 (2023) (“BCRs and Appropriate Safeguards Notification”).
Both the Whitelist Notification and BCRs and Appropriate Safeguards Notification will come into force on 24 March 2024. Once effective, both rules will expand the available options for companies to rely on when making a lawful cross-border transfer of personal data outside Thailand under the PDPA. There are three key mechanisms for cross-border transfer under this law, which are: (i) adequacy decision of the destination country (Whitelisted Countries); (ii) BCRs; and (iii) appropriate safeguards (i.e., standard contractual clauses (SCCs), certification, and binding instruments between Thai government agencies and foreign government agencies).
Cross-border Transfer Notifications
Please see below our summary of the key takeaways of the Whitelist Notification and BCRs and Appropriate Safeguards Notification.
1. Definition of “Sending or transferring personal data”.
Both subordinate regulations now set out a definition for the term “sending or transferring personal data,” which is not present in the text of the PDPA itself. The definition provided by the subordinate regulations draws the line between what activities would or would not be considered as sending or transferring personal data and therefore subject to the transfer restrictions under the PDPA, utilizing the same “no third-party access” doctrine as the public consultation version.
That is, data transit or data storage outside Thailand where a third party cannot access personal data is now excluded from the definition of “sending or transferring personal data.” The definition gives an example that the transfer of personal data to a cloud computing service provider would not be deemed as sending or transferring personal data if such transfer has no third party accessing such personal data.
Businesses should revisit their data processing activities and related contracts to determine whether any of them fall within the definition of “sending or transferring personal data” that will trigger the cross-border transfer restrictions under the PDPA, the Whitelist Notification and BCRs and Appropriate Safeguards Notification.
2. Adequacy Decision (Whitelisted Countries)
Generally speaking, under the PDPA, a cross-border transfer can be made to destination countries with adequate personal data protection standards; however, there are certain exceptions. The newly issued Whitelist Notification sets out the criteria for the PDPC to consider whether a destination country or international organization has “adequate” personal data protection standards (e.g., the existence of legal measures in the destination country). However, there is currently no specific country listed by the regulator as a whitelisted country under the new sub-regulation.
Businesses should monitor the whitelisted countries to be assessed by the PDPC, or consider approaching the Office of the PDPC for an adequacy assessment based on the above criteria.
3. Binding Corporate Rules (BCRs)
The BCRs and Appropriate Safeguards Notification sets out the methods for submitting BCRs to the Office of the PDPC for review and approval, as well as the mandatory minimum requirements the BCRs must satisfy (e.g., their binding effect and certain required provisions).
Businesses should revisit their existing BCRs (if any) and determine whether revisions are required to comply with the requirements set out by the BCRs and Appropriate Safeguards Notification.
4. Appropriate Safeguards
The BCRs and Appropriate Safeguards Notification prescribes, in further detail, the appropriate safeguards to be relied upon in case the PDPC does not recognize a particular country as an adequate destination country or where the data controller or data processor does not rely on BCRs. The available appropriate safeguards are standard contractual clauses (SCCs), certification, and binding instruments between Thai and foreign government agencies.
The provisions regarding SCCs are likely to have the most substantial impact on how businesses will choose to comply with the cross-border transfer restrictions under the PDPA in practice.
Compliant SCCs must generally meet one of the two following criteria in order to be deemed valid as an appropriate safeguard for cross-border transfer:
(a) The SCCs are drafted by the parties with binding effect and contain the minimum required clauses as set out in the BCRs and Appropriate Safeguards Notification.
(b) The SCCs are drafted by the parties in accordance with a foreign law or established by an international organization, and contain data protection provisions based on (i) the ASEAN Model Contractual Clauses for Cross Border Data Flows; (ii) the EU Standard Contractual Clauses for the Transfer of Personal Data to Third Countries; or (iii) any other model clauses to be further prescribed by the PDPC.
It is worth emphasizing that the PDPC has a different interpretation of these cross-border transfer options than those adopted by the data protection authorities in other countries or regions, e.g., the European Union. Therefore, businesses may need to first determine if any of their data processing activities meet the definition of cross-border transfer and, if so, to revisit which cross-border transfer option (e.g., SCCs, BCRs, or derogations) is appropriate for compliance with Thai law based on their particular circumstances. Specifically, if a business has already implemented BCRs or SCCs based on the EU SCCs or ASEAN MCCs, such measures should be revisited to ensure compliance with Thai PDPA requirements.