THAILAND will take a hit if the country does not quickly enact its data protection bill, say experts, since worldwide enforcement begins today for the European Union’s General Data Protection Regulation (GDPR).
Multinational firms and some Thai businesses have taken steps to comply with the EU data protection law, whose punitive measures include fines of up to 4 per cent of a company’s global sales turnover or 40 million euros.
Google said starting today its user data would be retained according to users’ settings in compliance with the EU law, while Google Analytics would automatically delete data that is older than the retention period its users have selected.
Google’s approach is similar to that of other foreign and Thai companies that have taken steps to comply with the EU law, which aims to protect the rights of EU citizens regarding their personal data stored and used by businesses around the world.
Thai Airways International, which serves a large number of EU passengers, is subject to the data protection law. The national flag carrier recently required all members of its Royal Orchid Plus programme to renew their membership by agreeing to new terms and conditions consistent with the EU’s GDPR.
Rajiv Bava, chief of corporate affairs and business development for DTAC, one of the country’s major mobile phone operators, said the company has been working towards overall GDPR compliance.
This includes measures to strengthen the rights of its customers such as easy-to-use solutions for customers to consent to processing, and better solutions for internal consent management.
DTAC is also sharing its best practice with the regulators and across industries including healthcare, airlines and tourism.
Paiboon Amonpinyokeat, a cyber-legal expert, said enforcement of the EU data protection law would have a significant impact on Thailand as far as EU citizens’ data is concerned. As a result, Thailand needs to enact its own data protection law so as to avoid problems with the EU, he said.
Regarding the proposed Thai law, Paiboon said the draft approved by the Cabinet earlier this week does not have specific measures to deal with data leaks. The EU law requires that data processors report any leaks within 72 hours.
Paiboon said Thailand could be blacklisted by the EU if there were serious problems regarding compliance. Also, the EU law includes the “right to be forgotten”, and so Thai authorities must be able to comply with this requirement.
E-commerce and other businesses, such as hotels and tourism, could be affected if there are compliance problems, he said, adding that the EU may also impose sanctions on countries that do not have strong data protection laws.
Arthit Suriyawongkul, coordinator of Thai Netizen, said standards in the Thai data protection law are likely to be lower than those required under EU law. Thai businesses that deal with EU customers will need to seek certification on this matter on a case-by-case basis to avoid compliance problems, he said. NTN -EP