We don’t know if you’ve noticed this, but every once in a while we’ll write a blog post about GDPR or CCPA or American data law. Yes, we do spend an awful lot of time talking about the law in Europe and the United States. That’s probably not a big surprise, given that this is a data privacy law firm and consultancy, and we’re self-described data nerds.
Thailand’s recent changes to its privacy laws are a good example of why this is so, and a good reminder of why it’s a mistake to keep the mindset that “the world revolves around Brussels or Washington.” Thailand already had a fairly comprehensive cybersecurity law that imposed substantial restrictions on internet usage, public commentary, and social media activity. What it did not have, though, was a substantial or complex commercial regime that governed how businesses could make use of personal data.
The new law is, let’s say, “robust,” which is a word I use to describe laws to clients when I don’t want to use the phrase “extremely demanding and complicated and maybe also terrifying.” The existing cybersecurity law, which stemmed from the rather precarious political situation in Thailand, not only comprehensively regulates data and internet usage but also encodes the country’s stringent lese majeste laws onto the internet. (Lese majeste laws restrict speech critical of a country’s leader — in Thailand, for instance, the King.) The new Personal Data Protection Act, though, is much more like the GDPR, including provisions that:
- Restrict the forward transfer of data outside of Thailand;
- Impose obligations related to the processing of sensitive categories of data;
- Require more detailed recordkeeping from controllers and processors;
- Mandate that data subjects have enhanced rights to consent (or not) to the processing of personal data;
- Establish a data representative position (à la the GDPR) for non-Thai controllers; and, the kicker,
- Give the law extraterritorial effect, which means it applies around the globe.
We’re looking at a high level of compliance cost for data processing activities in an already complicated legal environment. And, to reiterate, Thailand is an important economic power in the region – it has a population the size of France and an economy (and US trade sheet) roughly the size of Belgium. It has twenty million cellphone users (many of whom are in the app-consuming under-30 demographic), which means it is an extremely ripe market for digital marketing. In other words, Thailand is a growing economy and a growing market in Southeast Asia with a very complicated data law that is difficult for western companies to navigate. Effectively, they’re following the Vietnam model.
Yes, it would be possible to avoid Thailand as a market, just as, I suppose, you could avoid California, or Europe, for that matter. But that strategy forecloses new opportunities and markets and has diminishing returns as privacy laws proliferate worldwide. Also, it makes you look really, really bad.
We come back to the original point, which is that there’s a lot more going on worldwide than simply the GDPR or CCPA. As the progression of data privacy regulations continues worldwide, you can expect that there will be more laws that resemble GDPR or Thailand’s PDPA, and that the cost of doing business will now, always and everywhere, include limitations on how you process data. And, given that these laws have extraterritorial effect, they cover non-B2B relationships like manufacturers, shipping companies, call centers, etc., etc., etc. The integrated global supply chain networks that power our economy and our businesses are all data partnerships, and so they all implicate privacy laws. It takes a global view on privacy to understand and manage them. Do you have one?