From September 1, 2021, foreign e-Service providers and e-Platform operators must register for and pay VAT in Thailand.

After approximately a decade drafting general personal data protection laws and formulating a regime to protect personal data and privacy rights, Thailand finally issued the country’s first unified personal data protection legislation in 2019. The public was surprised when the draft Personal Data Protection Act (PDPA) was published for the final round of hearings. The draft PDPA largely adopted the preeminent personal data protection standards as expressed in the European Union’s General Data Protection Regulation (GDPR). The government expressed its objective to enhance personal data protection standards in Thailand to meet international standards, which would permit cross border transfers of personal data to Thailand, without any material limitations. The PDPA, which was finally published in the Government Gazette in May 2019, also established a new independent regulator, the Personal Data Protection Commission (PDPC), tasked with enforcing the PDPA. All members of the commission must possess the qualifications required by the PDPA. The PDPA was enacted with a grace period of one year for the requirements relating to the processing of personal data—which would provide businesses with sufficient time to adjust their practices to ensure compliance with the new requirements. It is a significant undertaking for businesses to adjust from having no general law on data protection to being required to meet high international data protection standards comparable to those in the GDPR. GPDR concepts that were incorporated into the PDPA include (1) purpose limitation, (2) transparency, (3) lawfulness and fairness, and (4) data minimization. When collecting personal data, data controllers are required to establish a lawful basis to allow for such collection and processing of personal data. The lawful bases for general personal data are also similar to those under the GDPR, with concepts such as contractual necessity, legal obligation, legitimate interest, vital interest, and consent. Special types of

On February 1, 2021, through Thailand’s Ministry of Digital Economy and Society, the Office of Personal Data Protection Commission announced that it will arrange public hearing sessions for the first set of subordinate regulations under the Personal Data Protection Act B.E. 2562 (2019) (PDPA). Subordinate regulations on the following topics will be covered during the consultations: Consent Privacy notices Responsibilities of data controllers Cross-border data transfers Data protection officers Security measures Compliance processes Sensitive personal data It is anticipated that the draft subordinate regulations will be circulated (in Thai) to registered attendees ahead of the sessions. Participation by video conferencing will be available. In addition, at the First ASEAN Digital Ministers’ Meeting on January 21 and 22, 2021, the ASEAN Data Management Framework (DMF) and the Model Contractual Clauses for Cross Border Data Flows (MCCs) were approved in order to promote the secure free flow of data between ASEAN countries, including Thailand. The development of the Thai PDPA is expected to factor into these DMF and MCC initiatives, potentially allowing businesses in Thailand to transfer data between neighboring countries within the region, in addition to the permitted transfer between countries whitelisted under the European General Data Protection Regulation (GDPR). These initiatives were led by the Singapore Personal Data Protection Commission, and more details are expected in due course. Prior to the PDPA effective date on June 1, 2021, substantial further developments are expected to give further clarification and guidance for businesses, and to ease their compliance concerns. For more information on this development, or any other aspect of data protection in Thailand, please contact Tilleke & Gibbins’ data protection team led by Athistha (Nop) Chitranukroh ([email protected]).

Members of Tilleke & Gibbins’ technology team contributed the Vietnam chapter of the recently published Data Protection Laws of the World (10th Edition), a widely consulted handbook to privacy and data protection laws across more than 100 different jurisdictions.