The Personal Data Protection Act became law in May last year with a one-year transition period. It was intended to imitate the European Union’s General Data Protection Regulation and included clauses on consent and rights of data subjects as well as ways to prevent data abuse.
But days before the grace period ends on May 27, a decree in Thailand’s Royal Gazette effectively delayed it by exempting 22 types of agencies and businesses until the end of May 2021.
The list spans all government agencies, international organizations, and virtually all kinds of businesses, such as tourism, telecommunications, technology and banking.
“Many organizations are facing difficulties during the pandemic, so they cannot fully adapt to comply with the law yet,” Puttipong Punnakanta, Thailand’s Minister of Digital Economy and Society, said on Friday.
“We also need more time to conduct stakeholder hearings in order to issue follow-up regulations, as that has been interrupted at this time.”
When enforced, the law will apply not only to companies located in Thailand, but also those overseas which collect, use, or disclose personal data of subjects in the country, specifically for advertisements and “behaviour monitoring”.
The law already exempts national security and cybersecurity agencies, parliament and the senate, and credit information companies and their members, from compliance.
Critics said the data protection delay is worrying as the government ramps up contact tracing efforts to contain the spread of the coronavirus.