Thailand: Sectoral Exceptions Regulated by Other Laws

The Personal Data Protection Act (PDPA) of Thailand includes sectoral exceptions, explicitly exempting certain operations from its applicability. This measure is taken to avoid redundant regulation where specific sectors are already governed by stringent data protection laws. Such exemptions ensure that these sectors are not burdened with overlapping compliance requirements.

Text of Relevant Provisions

Referenced Provision(s):

"This Act shall not apply to: ... (6) operations of data undertaken by a credit bureau company and its members, according to the law governing the operations of a credit bureau business."

Original (Thai):

"พระราชบัญญัติคุ้มครองข้อมูลส่วนบุคคลนี้ไม่มีผลบังคับใช้กับ: ... (6) การดำเนินการของบริษัทข้อมูลเครดิตและสมาชิกตามกฎหมายที่ควบคุมการดำเนินงานของธุรกิจข้อมูลเครดิต"

Analysis of Provisions

The PDPA explicitly states in Section 4(1)(6) that it does not apply to "operations of data undertaken by a credit bureau company and its members, according to the law governing the operations of a credit bureau business." This provision indicates that data processing activities conducted by credit bureaus are exempt from the PDPA because they are already regulated under a specific legal framework designed for credit bureau operations.

Further supporting this exemption, Section 3 of the PDPA delineates situations where sector-specific laws prevail over the PDPA. It ensures that while sector-specific regulations are primary, the PDPA applies additionally in areas such as data collection, use, disclosure, and the rights of data subjects if the sector-specific law lacks comprehensive provisions in these areas.

PDPA, B.E. Section 3:

"In the event that there is any sector-specific law governing the protection of Personal Data in any manner, any business or any entity, the provisions of such law shall apply, except: (1) for the provisions with respect to the collection, use, or disclosure of Personal Data and the provisions with respect to the rights of data subjects including relevant penalties, the provisions of this Act shall apply additionally, regardless of whether they are repetitious with the above specific law;"

Original (Thai):

"ในกรณีที่มีกฎหมายเฉพาะภาคส่วนที่ควบคุมการคุ้มครองข้อมูลส่วนบุคคลในลักษณะใดๆ ธุรกิจหรือหน่วยงานใดๆ ให้ใช้บทบัญญัติของกฎหมายดังกล่าว ยกเว้น: (1) บทบัญญัติที่เกี่ยวข้องกับการเก็บรวบรวม การใช้ หรือการเปิดเผยข้อมูลส่วนบุคคล และบทบัญญัติที่เกี่ยวข้องกับสิทธิของเจ้าของข้อมูล รวมถึงบทลงโทษที่เกี่ยวข้อง ให้ใช้บทบัญญัติของพระราชบัญญัตินี้เพิ่มเติม ไม่ว่าจะซ้ำซ้อนกับกฎหมายเฉพาะภาคส่วนหรือไม่ก็ตาม"

PDPA, B.E. Section 4:

"This Act shall not apply to: ... (6) operations of data undertaken by a credit bureau company and its members, according to the law governing the operations of a credit bureau business."

Original (Thai):

"พระราชบัญญัติคุ้มครองข้อมูลส่วนบุคคลนี้ไม่มีผลบังคับใช้กับ: ... (6) การดำเนินการของบริษัทข้อมูลเครดิตและสมาชิกตามกฎหมายที่ควบคุมการดำเนินงานของธุรกิจข้อมูลเครดิต"

Implications

The implications of this sectoral exception are significant for businesses in Thailand. Credit bureaus and their members are not subject to the PDPA's requirements as long as they adhere to the specific regulations governing their operations. This reduces the compliance burden for credit bureaus by preventing duplicative regulation and ensuring they follow a unified set of rules tailored to their industry.

For businesses outside the credit bureau sector, understanding these exceptions is crucial for compliance strategies. They need to be aware that even if certain sector-specific laws apply, the PDPA might still impose additional requirements, particularly concerning data collection, usage, and the rights of data subjects. Therefore, a comprehensive legal assessment is necessary to determine the full scope of applicable regulations.

In summary, the PDPA's sectoral exceptions highlight the law's flexibility in harmonizing with existing sector-specific regulations, ensuring both comprehensive data protection and practical compliance frameworks for specialized industries.