- About Us
- Legal Services
- Family Law
- Property
- Marriage
- Immigration
- Contact
- Payments
Thai’s are indifferent to privacy and personal data. Here we look at Public Privacy and Digital Accountability. This issue carries little social or political weight. People are more than happy to share their data in resumes, application forms and other types of forms. Phone numbers and identification number’s people don’t think much about sharing this. See why there has been a massive clamp down on crypto currency exchanges as well as why there are so many online scams.
This indifference continues today and it has been going on for decades. Then Thailand entered the digital age and things had to change. Your foreign clients and investors require international privacy as well as cyber security standards. The Thai government woke up to data protection as well as that it is not a luxury but ethical issue. There is little interest from the public about this. There are no debates on how and where their data is stored. Likewise see the articles under insights. This fits together with the Public Privacy and Digital Accountability article.
We recall that Thai immigration data was used as a test in March 2016. More that 106 million travelers data was exposed. That was the first time that data privacy became an issue as it remained the the news for weeks.
Last year Thailand has increased enforcement of its Personal Data Protection Act (PDPA). Likewise they imposed significant fines on several public and private entities for data breaches, inadequate security, and failure to report incidents.
The transformation that followed gave birth to Thailand’s modern privacy regime, most notably the Personal Data Protection Act (PDPA) B.E. 2562 (2019), and set the stage for a broader cultural shift toward digital accountability. This is where Public Privacy and Digital Accountability starts.
Before the arrival of the internet in Thailand. There was a nature of openness. Be this the tax or identification cards. Departments used to share the data between each other. Surveillance was rare and data misuse stemmed from negligence rather than intent.
Thai society is different from the West in a number of ways. Thai tend to value convenience and community ties over procedural privacy. Likewise shopkeepers might keep handwritten ledgers of customers’ debts. Also schools displayed student records publicly. Another example is where employers required exhaustive personal documentation. This without any fear of the legal repercussion.In Thailand privacy was cultural issues not a legal issue. This has always been defined by discretion, not data governance.
I recall in the early 2000 with the arrival of e-commence. Thailand had no data laws, either being collected or for sale. The first laws protecting data arrived later and this was mainly in sectors on the economy. The first two where banking and telecommunication. Consumer protection rather than privacy was an issue. Likewise we first got the Computer Crimes Act win 2007 which addressed cyber crime and did not deal with the data itself.
Remember in the early 2000 in Thailand. Much like the rest of Asia it entered a boom phase. So in light of this Thailand was mainly a domestic-facing economy and most foreign companies handled sensitive data offshore. Likewise a cultural shift has to occur and this occurred one generation later. Note that the Personal Data Protection Act (PDPA) B.E. 2562 only came into being in 2019. So without economic pressure or a strong civil society movement privacy reforms remained low. This is why there was a delay on the Public Privacy and Digital Accountability.
Thailand for many years has wanted to be the Asian hub for many industries. Thailand has a go at being a cannabis hub, medical hub, crypto hub as well as a logistics hub and more. For this Thailand would need a cultural shift to adapt to the rest of the world. The globalized world take data seriously. Now with multinational partners who operated under strict data protection regimes — particularly the European Union’s General Data Protection Regulation (GDPR) and Japan’s Act on the Protection of Personal Information (APPI).
Foreign clients demanded compliance with the contracts and the privacy clauses in them. For the medical industry, with patient data being important. Without these many of the Thai companies would have been excluded from many international contracts. There have been ransomware attacks but nothing serious. We recall from January 2021 where a ransomware attack at a Thai Hospital was affected. This affected the patient data retrieval.
Exposure to the issues of data breaches become the catalyst for change. Privacy moved from being an abstract moral issue to an economic necessity. Ministries as well as regulators in Thailand recognized that without a credible privacy framework, Thailand would risk being seen as a “data-unsafe” jurisdiction. This type of label which might deter investment. hence we now have Public Privacy and Digital Accountability.
In 2019, after years of consultation and comparative study. Thailand enacted its first data protection law . This being the Personal Data Protection Act (PDPA). This one might argue that this was influenced heavily by the GDPR. Thee PDPA was designed to balance international expectations as well as with local realities. This offering flexibility to SMEs with gradual enforcement and a more pragmatic move by the Personal Data Protection Committee (PDPC).
The PDPA B.E. 2562 (2019) marked a milestone for Thailand when it came to the protection of personal data. It established very clear definitions of personal data with lawful bases for processing. Likewise it has obligations for both data controllers and data processors.This for the first time, Thai citizens were legally recognized as data subjects with rights to access, rectification, erasure, and objection.
Key features include:
Consent requirements : There needs to be requirements for data collection and processing.
Data breach notification : There is the obligation to inform people within 72 hours.
Restrictions on cross-border transfers : This unless adequate protection exists or consent is obtained.
Penalties : This is for noncompliance, including civil, criminal, and administrative sanctions from the government.
However, the law’s implementation faced delays — officially postponed twice — as both government and private actors struggled to build compliance systems. The law only came into full enforcement in 2022, giving Thailand’s digital economy three years to prepare. The Public Privacy and Digital Accountability helps sell Thailand as a destination.
The PDPC, was established under the Ministry of Digital Economy and Society. This ministry became the central regulatory body. Likewise it began issuing sub-regulations on the consent forms for customers. Also set the security standards, and cross-border transfers. Enforcement remains cautious. This however is gradually strengthening. This has been done with fines issued against hospitals, telecom firms, and marketing agencies that mishandled personal data.
While the PDPA sets the legal boundaries in Thailand. This also introduced a much deeper cultural concept in Thai culture: digital accountability. Those who now collect the data can also be held responsible for for their digital conduct.
Digital accountability in Thailand operates on three levels:
Organizational Accountability — Firstly a company must document compliance through internal policies. Likewise there is the risk assessments that the company has completed. This including data-protection audits. Likewise Data Protection Officers (DPOs) are mandatory. This for companies that hendle sensitive data or large-scale processing.
Regulatory Accountability — Secondly the PDPC’s enforcement actions as well as public guidance. They also need to name the violators to serve as a deterrence and transparency mechanisms.
Public Accountability — Thirdly civil society, media, and citizens are increasingly aware of their rights. Likewise there will be social pressure as well as online complaints. Lastly class-action lawsuits reinforce accountability even where regulators act slowly.
This evolution in Thailand marks a large shift from reactive enforcement toward a “culture of accountability”, . We can see that Thailand is mirroring trends seen in Japan, South Korea, and the EU.
Thailand’s data privacy path cannot be understood without acknowledging the external drivers that shaped it. It was mainly globalization that brought this about. The European Union, through its GDPR adequacy framework, created a global benchmark. No digital economy can ignore this. Even the Asian giants Japan, South Korea, and Singapore all adjusted their laws to align with it, and Thailand followed suit to maintain regional competitiveness.
Moreover, ASEAN digital trade initiatives, such as the ASEAN Data Management Framework and the Cross-Border Privacy Rules (CBPR), encourage interoperability among member states. Thailand’s has to continuously refine its domestic laws to participate in the framework to meet transnational standards.
Multinational corporations ranging from banks to healthcare providers also apply internal compliance pressure. There are many Thai subsidiaries which are part of global companies. They have to meet the same privacy obligations as their headquarters. This creates a trickle-down effect in Thailand, where even local suppliers are expected to conform. The trickle down of Public Privacy and Digital Accountability starts here.
Hence, Thailand’s privacy laws started with both a response to globalization and a tool for it. This helps reassure investors that digital operations within the country meet international norms of transparency and fairness.
The information contained in our website is for general information purposes only and does not constitute legal advices. For further information, please contact us.