Report on the Implementation of the Field Study by the Center for the Promotion of International Economic Partnerships (Thailand, June 25-28, 2019)
Finished

Report on the field survey conducted by the Center for the Promotion of International Economic Partnerships
(Thailand, June 25-28, 2019)


1. status of digital regulation: interest in operating rules of the Personal Information Protection Law

[No protectionist orientation was seen.
　The military government's political system in Thailand in recent years has pointed out the direction and possibility of bringing military secrets as well as other information and data that would fall under the category of state secret information under government control for reasons of national security and public safety. With the formation of the second Prayut administration, the view that the government is still oriented toward a digital protectionist stance as before cannot be dispelled. In reality, however, the government has not taken a clear protectionist stance as in China and Vietnam, but rather has taken a stance of introducing related laws and regulations that conform to global standards with an eye to improving its international standing. Therefore, although there are still concerns about the future operation of digital-related laws and regulations, the Thai government is not currently oriented toward protectionism, as is the case in China, in the form of restrictions on cross-border data transfers and intervention by the government.

[Promoting the strengthening of the legal system].
　For the purpose of promoting digital policy, the Thai government renamed the Ministry of Information and Communication Technology (MICT) to the Ministry of Digital Economy and Society (MDSES) in 2016 and In 2019, the Government of Thailand will take the initiative as the ASEAN chair country, and will promote the formulation of a national digitalization and e-commerce plan centered on this structure, in line with the digitalization concept and e-commerce agreement framework agreed upon in the ASEAN region, At the same time, it has been working to strengthen the legal system, including the development of the Personal Information Protection Law and the Cyber Security Law.

The rules for the operation of the Act on the Protection of Personal Information are noteworthy.
　The Personal Data Protection Act (PDPA) was passed by the National Diet at the end of February 2019 and went into effect at the end of May of the same year. However, since it does not include definitions of the personal information to be covered, handling rules, or specific penalties, it is meant to be a general outline that focuses on principles, and there is a one-year grace period before the Act is applied. In addition, detailed regulations that supplement the general outline are being drafted under the Personal Data Protection Commission (PDPC), which is scheduled to be established, and are planned to be published within two years after the enforcement of the law, but the composition of the commission and its authority have not been clarified. Although the law is based on the GDPR, experts point out that it is unique to Thailand, including its penalties, as it took several years of discussions during the drafting process and revisions to related laws to reach its current form.
　The Cyber Security Law, which was enacted at the same time as the PDPA, has been attracting attention from both the public and private sectors, based on the recognition that its impact on actual business has been minimal so far. One of the reasons for this is the weakness of the government's enforcement system and functions to ensure compliance with the law, and the current situation seems to be a lack of understanding among the private sector as to what measures must be taken to comply with the law.
　Since Thailand has traditionally valued "credibility" between companies and between people as a business practice, many people are reluctant to implement globally adopted information protection measures such as disksramers and file encryption because they are concerned that such measures may inadvertently damage the credibility that has been built up over time. Industry associations representing the private sector are not very active in lobbying activities, and it seems that requests from the private sector and awareness-raising on the part of the government are not necessarily working. The conspicuous absence of official explanations by the government on the purpose and background of the new law has so far forced companies to respond through self-help efforts.

2. impact on industry and business

Reactions to the Personal Data Protection Act (PDPA)
Although the process of drafting the law provided an opportunity to gather industry opinions through experts and industry associations, many have complained that the Thai government rushed the enactment of the law before the spring 2019 elections, and that the law did not reflect the opinions of industry and its contents were not sufficiently examined. The following opinions were heard from government agencies, industry associations, and companies (including Japanese companies).

[Claire] Positive feedback.
- ASEAN is the leader in GDPR compliance, and as the chairing country, it has expressed its willingness to lead ASEAN.
It is also an indication. (government agencies, industry associations, experts)
- I welcome the adoption of GDPR as an opportunity to increase business exchange with Europe. I would like to take this opportunity to learn more about GDPR. (Government agencies, industry associations, local companies)
- Cannot survive under global competition simply by relying on traditional "trust" (government agencies, industry associations)
- Since personal information is increasingly being misappropriated and leaked through mobile phone apps and other means, the enactment of a personal information protection law is long overdue. (Experts, industry associations, local companies)
- Most of the global companies, including Japanese-affiliated companies, have already taken measures to protect personal information in compliance with the GDPR and do not feel particularly affected by the PDPA. (Japanese-affiliated and foreign-affiliated companies)
- Along with the Act, there is growing interest in various fields in the newly enacted Cyber Security Act, and opportunities to learn about the new law are increasing, including study groups and seminars. (industry associations, local companies)

[Claire] Negative.
- Although the law has been drafted over a long period of time, there have not always been many opportunities for exchange of views between the government and industry, and it does not appear that the discussions have been sufficiently thorough to reflect their opinions. (Experts, local companies)
- I can't shake the impression that it was enacted in a rush before the election. (Expert, local company, Japanese company)
- The PDPA is only a general outline, and we will not know how we should prepare as a company until we see the detailed regulations that will be released afterwards. (Local and Japanese companies)
- The detailed regulations are to be formulated by the Personal Information Protection Committee to be established in the future, together with relevant ministries, agencies, and experts, but there are many uncertainties as to whether they will be formulated within the draft contents and deadlines, as the specific composition and authority have not yet been finalized. In addition, we imagine that there will be challenges in terms of actual operation, such as policing. (Industry associations, local companies, Japanese companies, foreign companies)
- It is problematic that criminal penalties are listed as a Thailand-specific article. If the penalties are made more severe as stipulated, companies will be affected in some way. (Industry association, local company)