IfG.CC - The Potsdam eGovernment Competence Center

For the past few months, one of the most widely and hotly discussed issues has been the establishment of the Ministry of Information and Communication Technology (ICT) and the e-government policy. In order to provide e-infrastructure services for Thais, the possibility has been raised of one-stop services by means of information-technology systems as part of the e-government policy. Of particular interest is the idea of using an electronic ID card in the form of a smart card which contains all of your personal information such as personal name, surname, date of birth, address, race, religion, health record, political affiliation, financial credit and other personal data to allow transactions of state infrastructure services requiring such data.

The expectation is that one simple electronic ID card can eliminate delays common in bureaucratic procedures. Though this initiative is praiseworthy, the government should not overlook the significant issue of how to exploit and collect personal data while protecting people's privacy rights under the Thai Constitution.

Most developed countries such as the US, the UK, Japan, Singapore and the EU have enacted a data-protection law in tandem with the use of technology to provide e-infrastructure for their citizens and to support e-business in the private sector.

Prohibited by the data-protection laws of these countries are collection of personal data conducted by business entrepreneurs in surreptitious ways, transferring personal data to a country other than the country of origin, using cookies or Web bugs, sending spam e-mails for direct marketing, cyberstalking (the use of the Internet to engage in repeated threats or harassment), and improper use by government officials of personal data for their own purposes. The lack of a data-protection law must inevitably cause considerable damage to the citizens and violate their right to privacy, a fundamental concept of good governance.

Up to now, Thailand has not had any law per se regulating personal-data protection or the transfer of personal data or a customer's data in business, whether in the private or government sector. Under these circumstances, those wishing to use, collect, transfer or disclose personal data of their customers or employees are allowed to do so freely under contractual obligation, norms or private rules having no legal binding.

The problems arising from the unregulated use of personal data may be far beyond control. So far, the only glimpse of hope for solving this problem is the Personal Data Protection Bill (PDPB), drafted by the National Electronics and Computer Technology Centre (Nectec), which is now under Cabinet review and expected to be promulgated around next year. Under the PDPB, the data-controller, the data-possessor and the data-collector all have legal obligations to comply with the eight principle rules of the PDPB, summarised as follows:

• First Principle - Personal data shall be processed fairly and lawfully (Section 7(1) of the PDPB).
• Second Principle - Personal data shall be obtained only for one or more specified and lawful purpose(s) and shall not be further processed in any manner incompatible with those purposes (Section 7(2) of the PDPB).
• Third Principle - Personal data shall be appropriate, relevant and not excessive in relation to the purpose(s) for which they are processed (Section 10 of the PDPB).
• Fourth Principle - Personal data shall be accurate and, where necessary, updated (Sections 10, 14 and 15, paragraph 3 of the PDPB).
• Fifth Principle - Personal data processed for any purpose shall not be kept longer than necessary for that purpose (Section 17 of the PDPB).
• Sixth Principle - Personal data shall be processed in accordance with the rights of data subjects (Sections 8, 12,13 and 17 of the PDPB).
• Seventh Principle - Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against the accidental loss or destruction of or damage to personal data (Section 11 of the PDPB).
• Eighth Principle - Personal data shall not be transferred to a country or territory outside Thailand unless that country or territory ensures an adequate level of protection of the rights and freedom of data subjects in relation to the processing of personal data ( Section 16 of the PDPB).

In addition, the data-controller, data-possessor and data-collector (including the government section) have to obtain and comply with the consent of data subjects or consumers before processing their personal data under the following conditions:

1. Normal data - The data-controller, data-possessor and data-collector have to specify to consumers 1) the purpose of the collection of personal data, 2) the name of the legal provision(s) which authorise(s) the data-controller, data-possessor and data-collector to collect the personal data, and 3) the person(s) or department(s) to which these three entities have to disclose such personal data (Sections 8 and 10).
2. Sensitive data - The three entities have to obtain the consent of consumers to collect their personal data regarding race or ethnicity, political opinions, religious beliefs, philosophical beliefs, sexual preferences, criminal record, health record, etc (Section 9 of PDPB).

In light of the above, to collect personal data from consumers on an ongoing basis, every business entrepreneur and governmental entity is required to comply with the aforesaid regulations. Even though some parts of the PDPB do not meet the standard of the data-protection law required at the international level, it may, so far, be the only shield to protect the privacy rights of Thais.

Subsequently the underlying concept of the aforesaid principles will be further explored, together with a discussion of certain interesting sample cases relating to the Personal Data Protection Law in comparison with Personal Data Protection. To provide a clear picture of the PDPB, we will also discuss its loopholes.

Paiboon Amonpinyokeat

Ittinant Suwanjutha

Paiboon Amonpinyokeat and Ittinant Suwanjutha are lawyers at International Legal Counsellors Thailand Ltd. This is the first of a series.

Quelle: The Nation