The factor of monitoring data subjects within jurisdiction is a key element in determining the applicability of the Personal Data Protection Act (PDPA) in Thailand. It extends the law's reach to data processing activities involving individuals physically present in Thailand, regardless of the data controller or processor's location.

Text of Relevant Provisions

PDPA, B.E. Section 5:

"This Act applies to the collection, use, or disclosure of Personal Data by a Data Controller or a Data Processor that is in the Kingdom of Thailand, regardless of whether such collection, use, or disclosure takes place in the Kingdom of Thailand or not.

In the event that a Data Controller or a Data Processor is outside the Kingdom of Thailand, this Act shall apply to the collection, use, or disclosure of Personal Data of data subjects who are in the Kingdom of Thailand, where the activities of such Data Controller or Data Processor are the following activities:

(1) the offering of goods or services to the data subjects who are in the Kingdom of Thailand, irrespective of whether the payment is made by the data subject;

(2) the monitoring of the data subject's behavior, where the behavior takes place in the Kingdom of Thailand."

Analysis of Provisions

The PDPA explicitly extends its jurisdiction to data controllers and processors located outside Thailand when they engage in monitoring the behavior of data subjects within the country. This provision is designed to protect Thai residents' privacy rights, regardless of the geographical location of the entity processing their data.The law applies in two specific scenarios:

1. When the data controller or processor is located within Thailand, regardless of where the data processing occurs.
2. When the data controller or processor is outside Thailand, but their activities involve:a) Offering goods or services to data subjects in Thailandb) Monitoring the behavior of data subjects in Thailand

The phrase "

the monitoring of the data subject's behavior, where the behavior takes place in the Kingdom of Thailand

" is particularly significant. It indicates that any form of behavioral tracking or profiling of individuals physically present in Thailand falls under the PDPA's jurisdiction, even if the entity conducting such monitoring is based abroad.This provision reflects a growing trend in data protection laws worldwide to extend territorial scope based on the location of data subjects rather than the location of data processors. It aims to ensure that individuals' rights are protected in an increasingly globalized digital economy where data can be processed anywhere in the world.

Implications

The extraterritorial reach of the PDPA has significant implications for businesses operating internationally:

1. Global companies must comply with Thai data protection laws when monitoring individuals in Thailand, even if they have no physical presence in the country.
2. Online businesses targeting Thai consumers or tracking their behavior must ensure PDPA compliance, regardless of where they are based.
3. Companies engaged in behavioral advertising, user profiling, or any form of online tracking must be particularly cautious when their activities involve Thai residents.
4. Non-compliance can lead to legal consequences and reputational damage, even for companies without a direct presence in Thailand.
5. Businesses may need to implement geolocation technologies to identify when they are interacting with Thai residents and adjust their data practices accordingly.
6. Companies may need to appoint local representatives or data protection officers to handle PDPA compliance matters in Thailand.

This provision underscores the importance for international businesses to adopt a global approach to data protection compliance, taking into account the specific requirements of each jurisdiction where their data subjects are located.