First Published in Bangkok Post on Wednesday, August 16, 2023

With the unstoppable digital boom, Thailand faces a critical question: Is the country adequately prepared to shield its citizens’ personal information from potential misuse?

Due to their rapid growth, digital platform businesses have propelled their value to over 900 billion baht in 2021. Their prowess lies in their capacity to compile and process vast data, enabling them to decode consumer behaviour and create sought-after services. Yet, this advantage raises privacy concerns.

Amid escalating data breaches and privacy infringements, swift government action is essential to fortify data protection against influential digital entities before matters spiral.

Although the 2019 Personal Data Protection Act (PDPA) is in effect, challenges persist. It remains unclear how well this law shields individual privacy given the difficulty in finding the right balance between commerce and personal privacy.

The first challenge is unclear communication with consumers on how their personal data is collected and used.

A Thailand Development Research Institute (TDRI) study reveals businesses using perplexing language and legal jargon, hindering consumers’ comprehension of how their personal data are handled. Moreover,  the use of technology to block access to information unless the consumer agrees to be tracked by a “cookie wall” creates consumer annoyance. As a result, many impulsively give consent without fully grasping the data implications.

Given platforms’ typically free services, users rarely pay close attention to the terms of use, unknowingly playing with their personal data and online browsing habits which have an impact on their privacy. Therefore, the government must mandate that digital platform businesses transparently inform users about personal data usage.

Currently, “super apps” grant users an array of services under one roof. Yet these apps are not clear about how they share users’ personal data with other platforms within the same app. This causes consumer frustration and concerns about privacy infringement.

The second concern is that not all digital platforms have adequate standards to protect personal data as required by the Personal Data Protection Committee in 2022, thus putting personal data at risk.

Lacking specific guidelines to protect consumer rights, many platforms fail to fully understand the required procedures. This results in varying security standards. Some do not offer channels for consumers to exercise their rights. Some offer overzealous measures while others forego all security measures, preferring to deal with risks as they arise.

The third challenge involves the transfer of personal information. Since platforms may send data to companies and countries without data protection standards equivalent to Thailand, it raises legality questions. To resolve this issue, platforms have to bear the costs of ensuring proper handling and obtaining consumer consent.

The Personal Data Protection Act’s exemption of state agencies is the fourth problem. To safeguard “national security” and “public interests,” the Cabinet approved a draft royal decree in July 2022 that would exempt state agencies from adhering to the PDPA.

Although the Cabinet has amended the draft decree to narrow the scope of the exemption and provide data protection measures, citizen privacy is still at risk. The government needs to be more aware of the significance of protecting personal data in the digital era. It should not permit exemptions based on broad, ambiguous justifications like “national security” and “public interests” that compromise citizens’ rights to privacy protection.

It cannot be denied that state agencies are also collecting huge amounts of citizens’ personal data on their platforms. Excluding them from the PDPA then endangers citizens’ privacy. It is, therefore, essential to include measures to minimise the repercussions and provide compensation for privacy violations by state agencies. In short, the law should not allow state agencies to violate citizens’ privacy without being held accountable and responsible.

Moreover, international regulations demand equivalent privacy standards for cross-border data transfers. Making exceptions for state agencies regarding personal data protection suggests that Thailand’s standards do not meet global benchmarks. As a result, Thailand’s digital economy may face negative consequences.

On the other hand, the European Union (EU) and the United Kingdom (UK) are taking significant steps to strike a balance between personal data protection and using data for business purposes. The EU, for example, has provided clear guidelines for communication between service providers and platforms, with specific dos and don’ts. These well-defined guidelines lead to better understanding among service and platform providers, going beyond mere enforcement of rules.

In addition, the UK’s Information Commissioner’s Office (ICO), which is in charge of protecting personal data, is urging the private sector to participate in the development of a “business code of conduct” for use in the industry.

Since the government may not fully understand the practices of the business sector, allowing the private sector to contribute to the development of standards and having the government certify their quality is an efficient way to deal with rapid changes in the digital world that the government cannot keep up with.

Realising that state support is essential for the development of the digital economy,  ICO also provides consultation and collaboration with businesses in a sandbox environment to foster innovation with ICO’s legal guidance.

Furthermore, the  European Union has released a whitelist of nations with sufficient data protection standards for the transfer of personal data which boosts confidence in businesses when they transfer personal data for processing in these countries.

Such collaboration between the government and private sector to protect consumers’ personal data and promote innovation offers valuable strategies for Thailand to address the challenges at home.

To strike a balance between citizens’ privacy and business interests, the government and the Personal Data Protection Committee (PDPC) must expedite the following three measures and immediately stop one damaging move.

First and foremost, release personal data protection guidelines for businesses as soon as possible. The guidelines should include concrete examples of clear and transparent communication with consumers and the need to inform them regularly what practices they should or should not engage in.  The use of personal data by the “super apps” should also be closely monitored to prevent privacy violations.

Secondly, expedite collaborations with businesses to formulate a privacy protection code of conduct as well as establish consultations and dialogues on legal aspects of personal data protection between the government and the industry.

Thirdly, speed up the issuance of government directives for cross-border personal data transfers. Also, publish a list of countries with personal data protection standards on par with Thailand’s.

It is the responsibility of the Personal Data Protection Committee (PDPC) to implement these crucial measures, which it must prioritise as its immediate goals.

Finally, the government must stop the efforts to exempt state entities from personal data regulations. If not, Thailand’s standard for personal data protection will fall below international guidelines. As a result, Thailand will miss out on the chance to fully participate in the global platform economy.

Amid the digital revolution, Thailand faces a pivotal choice: act fast to embrace strong personal data protection or succumb to the officialdom’s resistance to change and lag behind. The path chosen today will shape Thailand’s digital future and determine where it will stand in the global digital arena.