IIC Thailand- TRPC Forum: Data Privacy as a Competitive Advantage
2 NOVEMBER 2018
UNIVERSITY OF THE THAI CHAMBER OF COMMERCE, BANGKOK
As an enactment of a general data protection framework in Thailand is on the way, there are pressing questions about its compatibility with the European Commission’s General Data Protection Regulation (GDPR) and other international frameworks, the suitable kind of regulator, benefits that it will bring to the economy as well as Thailand’s role in greater regional harmonization of data protection frameworks in ASEAN. In addressing these issues with audience, there were three panelists representing different stakeholder groups to engage in discussions on privacy frameworks.
The participants agreed that there have been global attempts to seek compatibility with the GDPR. Inside the EU, France has spent a large budget on GDPR compliance. Outside the EU, many jurisdictions have concluded adequacy agreements with the EU to grant the reciprocity of data transfer. Individuals have increasingly changed their mindset to become more data cautious. They also become more aware on how their data is being used.
The draft Thai Bill on data protection is regarded, in many ways, to be aligned with GDPR and other international frameworks on, inter alias, general obligations to process personal data, transparency, data transfer outside jurisdiction, and sanctions for non-compliance. However, there are certain provisions that are under criticism. First, the draft law allows only six-month grace period for businesses to make adjustment to fully comply with the Act, which is argued to be too short in comparison to the GDPR which allows two years grace period. The next issue is that the draft Bill proposes a blanket exclusion for governmental agencies, which means that many provisions shall not apply to them. This could contravene with the core concept of transparency and the participants agreed that there should be exceptions for government agencies only on purposed-based reasons and on necessary circumstances. In addition, Thailand needs to have a data protection authority that is truly effective and independent.
There were also discussions on globally problematic issues such as extraterritoriality. It remains troublesome to prosecute a perpetrator of data breach outside jurisdiction when there is a damage to data subject within your jurisdiction. There was an idea at the forum to conclude the mutual legal assistant agreements (MLAT). However, the practicality of negotiating such agreements are questionable. There has been a proposal on coordination among data protection authority from each jurisdiction in the region similarly to the GDPR model. This coordination model could be developed into a harmonization data privacy rules in ASEAN.
The forum ended with future outlook on privacy relating to Blockchain and Artificial Intelligence (AI). In the near future, Blockchain and AI will mine data on a massive scale of analysis and process. This requires simultaneous exchange of data and will make consent process impossible, not to mention that there will be a large amount of new data created by AI, leading to a question on the ownership of data.
The briefing paper for the meeting is avaialble to download here.
09.00 - 09.15 Registration
09.15 - 09.30 Welcome Address
Assistant Professor Prapanpong Khumon
Director of IIC Thailand's Chapter
9.30 – 12.00 Panel discussion: The opportunity to frame Thailand’s data privacy regulations as a competitive advantage
Thai Netizen Network
Faculty of Law, Thammasat University
Director of Corporate, External & Legal Affairs, Microsoft Thailand
Director, Technology Research Project Corporate (TRPC), Singapore