GDPR-like Requirements Going Global? Update on Data Privacy Laws in Thailand and Malaysia

Published On May 22, 2019

Joining what seems like a global effort to legislate corporate protection of data, the governments of Thailand and Malaysia are addressing data privacy laws in their own way. Thailand’s legislature passed new legislation while Malaysia’s Ministry of Communications and Multimedia is reviewing a preexisting law to make sure it is up to date. Taking some cues from the EU’s GDPR, new parameters are being set for the handling of sensitive data.

Thailand’s Data Privacy Law

Thailand’s legislature unanimously passed the Personal Data Protection Act on Feb. 28, 2019. The Thai data privacy law applies to organizations based in Thailand as well as to data controllers or processors outside the country that collect, use or disclose the personal data of people in Thailand. Thailand’s new data privacy law includes notification and consent provisions as well as requirements for data breaches and notifications.

More stringent requirements apply to the collection of sensitive personal data, such as biometric or health data. Generally, sensitive personal data may only be collected with the consent of the data subject unless collection is otherwise required by law or in cases of medical emergency. The new law provides for the establishment of a Personal Data Protection Committee to oversee compliance with the requirements of the legislation.

Interestingly, the constitution of Thailand explicitly addresses privacy. The U.S. Constitution, in contrast, does not specifically enumerate a right to privacy. Instead, courts over the years have determined what privacy rights emanate from the Constitution.

Thailand’s new law is subject to royal endorsement and must be published in the Government Gazette. Following publication, a one-year transition period will allow the regulated community time to comply with its requirements.

Malaysia’s Personal Data Protection Act

The Personal Data Protection Department in Malaysia’s Ministry of Communications and Multimedia is in the process of reviewing their Personal Data Protection Act 2010 to ensure its currency in an increasingly data-regulated world. Should updates be necessary, amendments to the existing law, or an entirely new one, may be proposed.

Malaysia’s existing law includes provisions requiring consent from a data subject before personal data is processed. The data privacy law also requires users of data to protect its security and to retain personal data only for the period of time needed to fulfill the purpose for which data has been collected. Data subjects are given access to their personal data and an opportunity to correct any inaccurate or misleading information.

As the landscape of international data privacy requirements become more complex, multinational organizations may want to monitor data privacy law developments in the regions where they conduct business. Organizations that can anticipate the changes will run more smoothly as adherence to the new privacy laws becomes a necessity.