On August 17, 2023, the Thai government rolled out a royal decree that provides certain exemptions to data controllers’ obligations under the Personal Data Protection Act B.E. 2562 (PDPA). The royal decree, which will come into effect after the lapse of 150 days from its publication in the Government Gazette, reflects the government’s ongoing quest to strike a balance between privacy, state interests, and the data protection regulatory burden on organizations.

The royal decree seeks to clarify the circumstances in which data controllers—including business operators and state agencies—are exempt from certain PDPA requirements on the collection, use, and disclosure of personal data and data subject rights. In doing so, it establishes three foundational pillars in considering exemptions:

• Collection or requests for personal data are to be for the public interest pursuant to the purpose and scope prescribed by any law authorizing a state agency to carry out a certain action, without imposing an undue burden on the data controller responsible for disclosing the personal information.
• Data controllers can share personal data without the data subject’s consent if legally authorized state agencies request it and specify the statutory provisions granting authority to request the data.
• Data subjects and data controllers of requested personal data must have the right to submit complaints to the PDPA’s Expert Committee or seek its expertise for clarification or determination.

Under the three foundational pillars, data controllers will be partially exempted from certain requirements under the PDPA when the following state agencies request personal data:

• The National Anti-Corruption Commission or other government entities with mandates aligned with anticorruption laws;
• The Revenue Department, Customs Department, Excise Department, or other governmental units operating under taxation laws;
• Local governmental bodies recognized by the Personal Data Protection Committee (PDPC), or any government unit with mandates as per the laws related to land and building taxation;
• The Secretariat of the Cabinet, executing responsibilities as defined by the laws concerning the royal prerogatives of the monarch; and
• State agencies acting in line with laws concerning significant public interests.

The exemption further extends to the collection, use, and disclosure of personal data by data controllers for international legal matters, covering deportation, extradition, and combating transnational organized crime.

Even with certain provisions exempted, the core duties of data controllers in ensuring data security and accuracy of personal data remain. Data controllers are still obligated to implement security standards meeting the criteria to be set forth by the PDPC within 120 days of publication of the royal decree in the Government Gazette. In certain circumstances, data controllers must also promptly act on a state agency’s instruction to correct and update data subjects’ personal data.

For more details on any aspect of compliance with Thailand’s data protection laws and regulations, please contact Tilleke & Gibbins data privacy specialists Nopparat Lalitkomon at [email protected] or Gvavalin Mahakunkitchareon at [email protected].