Examining the benefits and challenges of Thailand’s latest Data Protection Law

First Published in Tech for Good Institute on Wednesday, August 16, 2023. This article is co-authored by Gunn Jiravuttipong and Khemmapat Trasadikoon, researchers from the Thailand Development Research Institute (TDRI).

Thailand recognises the importance of embracing the digital economy and has taken significant steps to facilitate its growth through national plans, strategic investments, and new digital laws. The Data Protection Act is one area that received significant attention and generated discussion.

This article aims to provide an overview of the country’s developments in data protection, including the current regulations and guidelines, the potential benefits of having a strong data protection regime, and the challenges as Thailand continues to strengthen its data protection practices. The insights shared in this reflection will be valuable not only for Thailand’s progress but also for other nations navigating a similar path.

Overview of the law: the Personal Data Protection Act, B.E. 2562 (2019)

The Personal Data Protection Act, B.E. 2562 (2019), also known as the PDPA, was announced on 24 May 2019 but came into full effect on 1 June 2022. The Personal Data Protection Committee (PDPC) is the primary regulator and has been actively working on developing sub-regulations and guidelines to support the implementation of the PDPA. Several of these sub-regulations and guidelines have already been officially published (see Table).

Table: Sub-regulations and guidelines announced by the Personal Data Protection Commission (PDPC) (as of 14 July 2023)

| Sub-regulations | Date |
| --- | --- |
| 1. Notification of the PDPC on the Exemption from Maintenance of Records Obligation of the Data Controller Which Is a Small Organisation B.E. 2565 (2022) | 21 June 2022 |
| 2. Notification of the PDPC on the Security Measures of the Data Controller B.E. 2565 (2022) | 21 June 2022 |
| 3. Notification of the PDPC on the Rules on Consideration for Issuance of Orders Imposing Administrative Fines by the Expert Committee B.E. 2565 (2022) | 21 June 2022 |
| 4. Notification of the PDPC on the Rules and Methods of Personal Data Breach Notification B.E. 2565 (2022) | 15 Dec 2022 |
| 5. Notification of the PDPC on the Rules and Methods for Preparation and Maintenance of Records of Personal Data Processing Activities for the Data Processor B.E. 2565 (2022) | 17 Dec 2022 |
| 6. Rules of the PDPC on the Filing, Refusal of Acceptance, Dismissal, Consideration, and Timeframe for the Consideration of the Complaints B.E. 2565 (2022) | 12 July 2022 |
| **Guidelines** | **Date** |
| 7. Operational Guideline on Obtaining Consent from Data Subjects under the PDPA (2019) | 7 Sep 2022 |
| 8. Operational Guideline on the Notification of the Purposes and Details of Collection of Personal Data from the Data Subjects under the PDPA | 7 Sep 2022 |

Source: PDPC website

Draft sub-regulations are being developed to provide further clarity on Data Protection Officers (DPOs) in government agencies and international data transfers. Additionally, sector-specific regulations pertaining to data protection exist in areas such as telecommunications, credit bureaus, payments, and insurance. As of now, there have been no publicly announced court cases regarding the Data Protection Act.

Advantages of a robust data protection framework

The Data Protection Act has been acknowledged by stakeholders as a catalyst for boosting Thailand’s digital economy. Effective implementation of the act is crucial to protecting privacy rights in today’s data-driven economy. It also builds investor confidence, positioning Thailand as an appealing destination for data hubs and enhancing its competitiveness in the global market. Therefore, establishing a robust data protection framework is a vital preparatory step to capitalise on these opportunities.

An example of this potential is Amazon Web Services (AWS) recently announcing plans to invest in data centers and cloud services in Thailand and other ASEAN countries. Furthermore, compliance with international data protection standards facilitates seamless data flows, fostering collaborations and strengthening Thailand’s participation in trade negotiations such as the Comprehensive and Progressive Agreement for Trans-Pacific Partnership (CPTPP), the Regional Comprehensive Economic Partnership (RCEP), and the latest Indo-Pacific Economic Framework for Prosperity (IPEF).

Navigating data protection challenges in a dynamic landscape

In early 2023, a significant personal data leak prompted the PDPC to call upon public organisations to assess their readiness in terms of risk and security systems. These incidents, coupled with a series of data breaches, may have adversely affected stakeholders’ confidence in Thailand’s data protection measures.

These security breaches are not unique to Thailand. According to a 2021 Check Point report, the Asia Pacific region experienced a 168% increase in cyberattacks year-on-year, with 59% of businesses reporting being victims of cyberattacks. This issue is further compounded by the global cybersecurity workforce gap, which is estimated to be 2.72 million in 2021.

Thus, there is an urgent need for Thailand to establish a robust data protection framework while ensuring data risks are mitigated. Achieving this goal requires an effective data protection framework built on collaboration and continuous learning among all stakeholders to strike the right balance and understand the diverse perspectives of different stakeholders. Regulators, in particular, play a pivotal role in creating a clear policy and regulatory framework, overseeing and collaborating with the public and companies.

We reflect on Thailand’s experiences and highlight three primary challenges in the foreseeable future.

1. Creating industry-aligned regulations and guidelines that are fit-for-purpose

Industry standards and the co-creation of guidelines play a vital role in PDPA compliance. Even before the law entered into force, legal academics from Chulalongkorn University created a data protection guideline and continued to develop it for specific areas. Additionally, sector associations, such as those in the financial, banking, and insurance sectors, have made efforts to develop sector-specific guidelines. To further promote compliance and best practices, the PDPC has engaged the Thailand Development Research Institute (TDRI) to conduct public hearings and consult with seven sectors.

This collaboration aims to create case studies and identify best practices in data protection. The demonstrated interest from stakeholders indicates their readiness and the opportunity for the PDPC to establish legally binding codes of conduct, similar to leading jurisdictions. Such engagements can enhance clarity in regulatory compliance. In the era of rapidly emerging technologies and evolving business models, collaboration with all stakeholders becomes crucial. Regulators must navigate the technical aspects and strike a balance between business practices, individual rights, and other public benefits.

Future collaboration may encompass topics like algorithm transparency and the automation of systems that collect consumer behavior data.

2. Establishing a robust regulatory authority

To enhance enforcement and foster confidence in safeguarding personal data, it is crucial to prioritise adequate funding and the recruitment of qualified personnel. Thailand faced challenges during the initial enforcement of the Personal Data Protection Act (PDPA) in 2019, resulting in two one-year postponements.

The law eventually came into full effect on 1 June 2022, amidst the complexities and demands imposed by the COVID-19 pandemic on both public and private organisations, as well as the regulatory body. These postponements had implications for the appointment of the commissioner and the approval of sub-regulations. Adequate funding and recruitment of qualified personnel are crucial for strengthening enforcement efforts and building trust in personal data protection. While staff and budget constraints are common challenges in data protection agencies in other countries, the PDPC currently operates with a workforce below its target of 210 personnel.

However, there are plans to recruit approximately 49 more staff this year. Ongoing efforts are being made to secure a budget allocation of 99 billion baht to support the operations of the PDPC. These resources are vital for the PDPC to effectively fulfil its responsibilities and enforce the provisions of the PDPA.

3. Establishing a clear framework for regulatory exemption and divergence

Thailand’s PDPA was drafted closely aligned with the EU’s General Data Protection Regulation (GDPR), sharing many core principles with minor differences. Recognising the diverse landscape of businesses in Thailand, certain exemptions have been put in place to support small and medium-sized enterprises (SMEs) in mitigating the compliance burden.

However, Thailand faces a challenge of fragmentation in interpreting the data protection law, particularly in the context of existing sector-specific regulations, such as those in the financial sector on sensitive data collected before the PDPA was enforced. There is a need for clarity on which law takes precedence and applies in specific scenarios.

Furthermore, the current draft sub-regulations being considered include provisions for exemptions to the Personal Data Protection Act (PDPA) specifically for select public agencies. Additionally, the precise frameworks for these exemptions and how they will be implemented remain ambiguous. This lack of clarity may result in a divergence in Thailand’s standard of personal data protection. Consequently, this divergence could potentially jeopardise the country’s inclusion in the European Union’s whitelist and impede data transfer across borders with countries that maintain equivalent data protection standards. To prevent such implications, it is crucial for the government to approach the issue of exemptions with utmost caution.

Any exemptions granted must undergo thorough evaluation and alignment with the overarching objective of establishing a robust data protection framework in Thailand.

Conclusion

Overall, enforcing the PDPA in Thailand requires addressing challenges related to state capacity, exemption and divergence, and industry standards. By prioritising adequate resources, aligning with international standards, and actively collaborating with the private sector, Thailand can strengthen its data protection framework and enhance compliance, fostering trust and facilitating the secure and responsible use of personal data.

Unfair Laws in Tourism Need Overhaul

First Published in Bangkok Post on Wednesday, June 9, 2022

For the past two years, Thailand’s tourism industry has been in a coma due to the Covid-19 pandemic. To revive the economy, the government has now relaxed Covid-19 control measures to reopen the country. Big hotels now have a chance to recover, but for the majority of small hotels it is already too late — many of them had their fate sealed by outdated laws regulating hotels that made it nearly impossible for them to gain an operating licence.

Ask operators of small hotels and hostels, and they will pour out the same grievances; the laws regulating hotels not only favour big hotels and discriminate against small operators, but they also prevented small players from receiving state assistance during the pandemic.

For example, when the government launched the Sandbox Programme to revive the tourism industry last year, small hotel operators cried foul with only big hotels eligible for the programme. Small hotel operators petitioned Prime Minister Prayut Chan-o-cha for intervention for they, too, desperately needed help.

The state authorities argued that most small hotels were not eligible because they did not have an operating licence. But not having the licence is not their fault, smaller operators claimed. The crux of the problem is that the laws regulating hotels make it next to impossible for small operators to obtain a licence.

For starters, laws governing hotels do not differentiate between big and small businesses. They have fixed, uniform standards that require high investment for all hotels regardless of business size. While big hotels with money can meet such requirements, most small hotels and those run by local communities cannot.

The smaller operators’ requests for more flexible and timely regulations to fit local conditions and adapt to changes have been rejected. Without an operating licence, they cannot get emergency assistance from the government when hit by the pandemic. Worse, they are considered illegal businesses.

At present, hotel operators are governed by the 2004 Hotel Act, the 1990 Town and Country Planning Act and the 1979 Building Control Act. Apart from being outdated, the standards required by these laws are based on the operations of large hotels. When small operators cannot meet the legal requirements more suited for big hotels such as noise control, the size of a water treatment system, and parking spaces, they are denied the licences.

Similarly, the building law is designed for the construction and safety of large buildings. Many small hotels, meanwhile, are renovations of old homes or commercial buildings. Although the authorities at the Department of Public Works and Town and Country Planning have adjusted some requirements to accommodate small buildings, the changes still do not cover many types of accommodation such as boathouses or treehouses.

The tourists’ increasing preference for cosy accommodations with quaint charms has led to the mushrooming of boutique hotels and small hotels across the country. The locals finally have a chance to benefit from tourism, not only big investors. The outdated laws, however, make it very difficult for them to obtain an operating licence.

According to the Department of Provincial Administration, there are 30,000 registered hotels nationwide. Meanwhile, over 60,000 hotels are listed on the Online Travel Agency website.

Apart from specifying the size and structure of the buildings, hotel laws also require a separation between the operators’ homes and hotel areas. They also prohibit homestays from having more than four rooms and receiving more than 20 customers.

These rules affect homestay businesses where the owners live on the same premises. They also prevent homestays from growing, thus making it difficult for the owners to improve their venues and services.

Furthermore, hotel laws specify in detail what services must be provided. When small hotel customers only need clean rooms to stay in, this rule on mandatory services has put an extra financial burden on small hotel operators.

In 2019, the government initiated a temporary solution for small hotels, giving them two years to improve their premises so they comply with the laws and file for a licence. The grace period expired in August last year.

The reprieve was of no use, however, because it came when the country was hit by Covid, which almost wiped out the whole tourism industry. Small hotels, struggling to survive, simply had no resources to develop their operations and file for the licence within the deadline.

Instead of forcing small operators to comply with outdated laws, the government must overhaul the laws that prevent small players and local communities from benefiting from the tourism industry.

True, the hotel and building laws aim to protect customers and the public but the situation has changed and the laws are now out-of-date. They must be modernised to help small hotels conduct business.

Changing the rules and regulations here and there does not suffice, however. The laws governing the tourism industry must be comprehensively revamped.

First, since the grace period for applying for the operating licence is over, the government should consider issuing an emergency decree to extend the reprieve. This will give the operators more time to develop their premises and apply for the licence.

For a long-term solution, the government must overhaul the laws and ministerial regulations that affect small hotel operations and licensing. Building standards and other requirements should accommodate a wide range of accommodations, especially small hotels and special categories such as boathouses and treehouses.

With tourism markets becoming more niche, hotel laws should support the operations of small hotels to answer the customers’ particular needs. Unnecessary requirements and rules should be lifted. Importantly, the laws on hotel operations and building control should be implemented separately, not combined in one package to govern the hotel industry as they are now.

Importantly, the oversight authority should be in the hands of local governments instead of being centralised by the Department of Provincial Administration. Local administrative bodies understand local conditions better and can provide faster remedies when problems occur. Also, local governments have more incentive to support tourism in their jurisdictions than the officialdom based in Bangkok.

Such a legal overhaul will help small hotels develop and expand their businesses. Not having to meet large-hotel standards will give them more resources to improve their venues and services in other ways. The customers will then have more high-quality choices for their different tastes and needs.

Modernising the laws is necessary if Thailand wants to recover from the pandemic quickly. Importantly, the legal overhaul will ensure that tourism benefits will be distributed fairly to all players, especially local communities. After all, it is the duty of the government to ensure fair play and prevent the law from aggravating injustices.