Navigating Enhanced Data Protection: In-Depth Insights into Amendments to the PDPA

Effective March 24, 2024, the recent amendments made by the Personal Data Protection Committee to Sections 28 and 29 of the Personal Data Protection Act introduce nuanced changes that merit a closer examination. Let’s delve into the specifics of these amendments for a comprehensive understanding.

Section 28: Elevating Data Protection Standards for International Transfers

Section 28 now places a stronger emphasis on safeguarding personal data sent abroad. The receiving destination country or organization must not only adhere to adequate data protection standards but also align with Thai laws. The exceptions are clear-cut, allowing data transfers without adhering to these standards in specific circumstances, including legal compliance, informed consent, contractual obligations, and activities in the public interest.

An insightful amendment empowers the Personal Data Protection Committee with the authority to act judiciously. This includes a more explicit definition of “cloud computing service provider.” The expanded definition encompasses entities responsible for maintaining or storing data for others in various forms, from Infrastructure as a Service (IaaS) to Function as a Service (FaaS).

Section 5 reinforces the principle that the receiving country or organization must meet sufficient data protection standards, relying on factors outlined in Sections 1 and 2 of this announcement.

Section 29: Strengthening Safeguards for Affiliated Businesses

Section 29 introduces robust measures for affiliated businesses involved in the international exchange of personal data. Binding Corporate Rules (BCRs) and safeguards, such as standard contractual clauses, take center stage to ensure secure global data exchange. The importance of having approved policies for affiliated businesses is underscored, aligning with stringent data protection standards.

An illuminating amendment defines key terms and categorizes items into two distinct groups. Group 1 outlines the requirements for the Personal Data Protection Policy for sending data to affiliated businesses. Group 2 focuses on Appropriate Safeguards, with specific attention to companies within the same business group.

Implications and Recommendations: A Call to Action

The amendments signify a significant shift toward more stringent data protection standards. Organizations are urged to adapt promptly, ensuring compliance and fortifying their data protection strategies. These changes underscore a collective commitment to transparent and accountable data management in our increasingly interconnected digital world.

As organizations navigate these amendments, it is crucial to recognize the broader implications and actively engage with the changes to safeguard personal data effectively.
