Thailand: New draft laws on cross-border data transfer – Now open for public consultation

In brief

On 27 October 2023, Thailand's Personal Data Protection Committee (PDPC) published for public consultation two new pieces of draft subordinate rules regarding cross-border transfer of personal data. These two draft rules, namely: (1) Draft Whitelist Notification and (2) Draft Binding Corporate Rules (BCR) and Appropriate Safeguards Notification, upon becoming effective as binding laws, will serve to expand the available options for making a lawful transfer of personal data outside Thailand in compliance with the Personal Data Protection Act B.E. 2562 (PDPA).

Stakeholders may provide comments on the drafts until 10 November 2023. Therefore, businesses may need to revisit which cross-border transfer option is appropriate for their cross-border transfer, particularly the compliance of the existing BCRs or Appropriate Safeguards (e.g., Standard Contractual Clauses (SCCs)) (if already executed).



In more detail

Under the PDPA, there are three key options for cross-border transfer, which are: (i) Whitelist countries; (ii) Binding corporate rules (BCR); and (iii) Appropriate safeguards (e.g., SCCs).

In September 2022, the PDPC published a previous version of the Draft Appropriate Safeguards Notification ("2022 Draft Version") to seek public comments. A year later, in preparation for another round of public consultation, the PDPC revised and issued the following new draft subordinate rules regarding data transfer:

(1) (Draft) Notification of the Personal Data Protection Committee on Criteria for the Protection of Personal Data Sent or Transferred to a Foreign Country pursuant to Section 28 of the Personal Data Protection Act, B.E. 2562 (2019) B.E. …. ("Draft Whitelist Notification")
 
(2) (Draft) Notification of the Personal Data Protection Committee on Criteria for the Protection of Personal Data Sent or Transferred to a Foreign Country pursuant to Section 29 of the Personal Data Protection Act, B.E. 2562 (2019) B.E. …. ("Draft BCR and Appropriate Safeguards Notification").

Please see our summary of the key takeaways from each new draft rule below.

Draft Cross-border Transfer Notifications


1. Adequacy Decision (Whitelisted country)

The Draft Whitelist Notification concerns the PDPC's adequacy decisions and sets out the criteria for the PDPC to consider before recognizing a third country or international organization as an "adequate" destination country or international organization for the transfer. To make such a determination, the PDPC will have to consider certain factors, such as the existence of equivalent data protection laws and data protection supervisory authorities. A data controller may approach the Office of the PDPC to propose countries for the adequacy assessment.

2. Binding Corporate Rules (BCR)

The Draft BCR and Appropriate Safeguards Notification reflects the same concept as the 2022 Draft Version. The key difference is that the new draft rule explicitly sets out the channels for submitting the binding corporate rules to the Office of the PDPC for approval (while the previous draft version did not), including some minor changes to the criteria for approving the rules.

However, companies should carefully assess the definition of cross-border transfer of personal data (as explained below), revisit their existing BCRs and determine whether further revisions are required.

3. Appropriate Safeguards (SCCs)

Some key differences include, among others:

  • Fewer clauses: While the SCCs under the 2022 Draft Version included several clauses similar to those found in the EU SCCs (e.g., local law and practice clause, data exporter's right to suspend or terminate the transfer), the new draft law removed most of those clauses. This results in the inclusion of fewer clauses in a transfer contract when compared with the 2022 Draft Version, but it does not necessarily mean that further revisions to the companies' SCCs, if already executed, are not required. This is because there are some clauses in the new draft law that still deviate from the EU SCCs.
  • ASEAN Model Clauses and EU SCCs: The 2022 Draft Version did not specifically refer to any non-Thai SCCs. However, the new draft law now explicitly lists ASEAN Model Contractual Clauses and EU SCCs as recognized appropriate safeguards under the PDPA. Modifications to the clauses are only permitted under specific circumstances.

Despite such recognition, it still remains unclear how these safeguards will be properly implemented in Thailand. Localization is likely required, given the differences in the legal interpretation between Thai PDPA regulators and non-Thai regulators.

  • No requirement to certify compliance to the Office of the PDPC: Although the 2022 Draft Version required a controller/processor to certify that the measures taken are in compliance with the SCCs and to also submit such measures to the Office of the PDPC, this same requirement has been left out of the new draft law.
  • Definition of "transfer of personal data": The Draft BCR and Appropriate Safeguards Notification draws the line between which activities are and are not considered a transfer of personal data, and uses cloud service as an example. The new key criterion for making such a determination is now what we call the "no third-party access" doctrine. That is, data transit or data storage outside Thailand where a third party cannot access personal data is now excluded from the definition of transfer of personal data. This is important since no transfer in the first place would mean there are no cross-border transfer requirements to be triggered.

For example, if a data controller stores personal data in a data center located outside Thailand and no third party other than the controller itself can access such data, this will not be considered a data transfer under the PDPA. However, the revised definition results in broader circumstances being deemed cross-border transfers, so companies need to revisit their cross-border activities and related contracts to determine whether additional measures/contract revisions are required.

The public consultation was held between 27 October - 10 November 2023. The Thai versions of these two draft laws are now available on Thailand's National Law Portal.

Again, it is worth emphasizing that the PDPC's interpretation differs from that adopted by the data protection authorities in other countries or regions, e.g., the European Union. Therefore, business operators may need to revisit which cross-border transfer option is appropriate for their particular circumstances, including considering if any further actions are needed (e.g., localization of the existing SCCs to meet Thai law requirements). If your business has already implemented BCRs or SCCs, please revisit this again for compliance.

We will be closely monitoring the developments in this matter and will keep you updated.


Copyright © 2024 Baker & McKenzie. All rights reserved.