Today, the Future of Privacy Forum (FPF) and the Asian Business Law Institute (ABLI), as part of their ongoing joint research project: “From Consent-Centric Data Protection Frameworks to Responsible Data Practices and Privacy Accountability in Asia Pacific,” are publishing the tenth in a series of detailed jurisdiction reports on the status of “consent” and alternatives to consent as lawful bases for processing personal data in Asia Pacific (APAC).
This report provides a detailed overview of relevant laws and regulations in Thailand, including:
notice and consent requirements for processing personal data;the status of alternative legal bases for processing personal data which permit processing of personal data without consent if the data controller undertakes a risk impact assessment (e.g., legitimate interests); andstatutory bases for processing personal data without consent and exceptions or derogations from consent requirements in laws and regulations.
The findings of this report and others in the series will inform a forthcoming comparative review paper which will make detailed recommendations for legal convergence in APAC.
Thailand’s Data Protection Landscape
Thailand’s Personal Data Protection Act (PDPA) provides the main requirements under Thai law relating to the collection, use, and disclosure of personal data and establishes Thailand’s Personal Data Protection Commission (PDPC), a government agency tasked with supporting the development of personal data protection in Thailand.
Though the PDPA was passed in May 2019, it did not take effect immediately, and there have been a number of major developments in relation to the PDPA throughout 2022. In January 2022, the Thai