2010/SOM3/ECSG/SEM/003a
Session 1

APEC Data Privacy Pathfinder - Data Privacy Studies: Establishing Accountability Agents - Thailand

Submitted by: United States

Technical Assistance Seminar - The Establishment and Use of Accountability Agents in the APEC Cross Border Privacy Rules System
Sendai, Japan
15 September 2010


APEC Data Privacy Pathfinder Data Privacy Studies: Establishing Accountability Agents

Kingdom of Thailand

September 2010

This publication was produced by Nathan Associates Inc. for review by the United States Agency for International Development.


DISCLAIMER

This document is made possible by the support of the American people through the United States Agency for International Development (USAID). Its contents are the sole responsibility of the author or authors and do not necessarily reflect the views of USAID or the United States government.


Professor William J. Luddy, Jr. and Attorney Lucy L. Thomson prepared this report for the Asia-Pacific Economic Cooperation (APEC) organization as part of the APEC Technical Assistance and Training Facility (TATF) program.

APEC TATF is managed by USAID with funding and strategic direction from the U.S. State Department Bureau of East Asian and Pacific Affairs, Office of Economic Policy. For further information, please contact Ms. Victoria Waite, Deputy Chief of Party, [email protected].


Contents

Introduction
Current Data Privacy Environment
    Background
    Legal Framework in the Kingdom of Thailand
Commentary
    Overview
    Selection of the Accountability Agent Model
    Enforcement Authority
Recommendations
Further Capacity-Building Opportunities


Data Privacy Studies: Establishing Accountability Agents–Kingdom of Thailand

INTRODUCTION

Thailand is located in the center of the peninsula of Southeast Asia and was founded in the 13th century. It borders on Myanmar, Laos, Cambodia and Malaysia. Its 3,219 kilometers of coastline run along the Andaman Sea and the Gulf of Thailand. The economy’s topography consists of four main regions. There are high mountains to the north, and a densely populated central plain with a lowland area that extends to the Gulf of Thailand. The upland Khorat Plateau in the northeast drains into the Mun River. The narrow, tropical Isthmus of Kra runs from mainland Thailand to the border with peninsular Malaysia.

Thailand’s population is estimated at 67 million, making it the 19th most populous economy in the world. About 68 percent of the population lives in rural areas and 32 percent live in urban areas. Bangkok, the capital city, has a population of 6.3 million people in its metropolitan area (combining Bangkok and Thon Buri). Other major cities with a combined population of approximately 11 million include Samut Prakan, Nanthaburi, Udon Thani, and Nakhon Ratchasima.

In the first quarter of 2010, the Thai economy surged by 12 percent over the prior year’s first quarter, the highest quarterly growth since 1995. This rapid rise was mostly due to strong exports (up 32 percent) from global growth. This growth continued through the second quarter of the year.1

1 See, U.S. Department of State, Background Note: Thailand (July 28, 2010), available at http://www.state.gov/r/pa/ei/bgn/2814.htm.

The government projected that the Thai economy in 2010 would grow between 5 and 7 percent over 2009. Thailand’s economy relies on the export of automobiles, petrochemicals, and electronics. These sectors grew at a rate of 18.2 percent in 2007. Growth slowed in 2008-09 because of reduced demand for these goods and services. The Royal Thai government and the Prime Minister have looked for ways to expand foreign investment opportunities, focusing on green technology and manufacturing.


Thailand has a diversified manufacturing sector, producing computers and electronics, furniture, wood products, canned food, toys, plastics products, gems and jewelry. Thailand is becoming a center for automobile manufacturers in the Association of Southeast Asian Nations (ASEAN) market. High technology products such as integrated circuits and parts, hard disc drives, electrical appliances, vehicles, and vehicle parts are leading Thailand’s growth in exports. Exports of textiles and computer components accounted for 60 percent of GDP in 2006. Japan and the United States are Thailand’s top two export trading partners.2

Total e-commerce transactions in 2008 were valued at Bt 527.9 billion. Of these, business-to-government (B2G) transactions accounted for 55.1 percent of the transactions; business-to-business (B2B) transactions accounted for 36.2 percent; and business-to-consumers (B2C) were 8.7 percent of the total.3

For more than a decade, Thailand has been focusing attention on telecommunications and information technology. In 2004 the Thai government formed a new Ministry of Information and Communications Technology (MICT) to oversee all policy-related work in the electronic commerce field. In 2002, Thailand approved the second phase of its national information technology policy, IT 2010, to serve as a guideline for national IT development in the 21st Century. Known as the Information Technology Policy Framework 2001-2010 – Thailand Vision Towards a Knowledge-Based Economy, it is designed to strengthen Thailand’s telecommunications infrastructure as a means of promoting overall economic development.4

Promotion of e-commerce to provide entrepreneurs with the opportunity to enter world markets is a “flagship” component of IT 2010. Its goal is to “enhance the competitiveness of Thai entrepreneurs, using e-commerce as a tool for business ventures. E-commerce is to focus on export, trade and services, and domestic consumption, with due attention paid to national interests.” Among the development strategies to achieve this goal is “expediting the legislation necessary to enhance confidence in the electronic system.” This includes accelerating the drafting of the data protection law and revising consumer protection laws in support of e-Commerce.5

2 U.S. Department of State, Background Note: Thailand, page 3, available at http://www.state.gov/r/pa/ei/bgn/1981.htm.

3 Jirapan Boonnoon, “Thai Internet users turn to e-commerce,” The Nation (May 6, 2010), available at http:/www.nationmultimedia.com.

4 By 2006 the Ministry was to have liberalized the provision of telecommunications services under World Trade Organization guidelines. One aspect of this goal, the proposed privatization of the state-owned telephone companies, has proven to be controversial.

5 The development strategies for the e-commerce sector are spelled out in the IT 2010 executive summary, which notes that,

E-Commerce is a key mechanism in the development of national competitiveness in local and global trade in the age of borderless trade, as of 2000, and in the movement towards a knowledge-based economy. In this regard, e-commerce refers to “the process in which businesses undertake trade and services through all types of electronic media, either in the form of business to consumer (B2C), business to business (B2B), or business to government (B2G) transactions.”


Thailand has recently reinforced its goals with respect to Information and Communications Technology (ICT) strategies. The MICT has issued The Second Information and Communications Technology (ICT) Master Plan (2009 – 2013).6 The stated aim of Thailand’s ICT development strategy is:

… to use IT in building the nation’s capacity to become self-sufficient and globally competitive, and for developing a knowledge-based society and economy that will lead to better quality of life of the population as a whole.

There are a variety of strategies, including placing emphasis on building competitiveness for Thai industries and businesses both domestically and in the global supply chain. In this regard, Thailand seeks to place special emphasis on its competitiveness and on enhancing its comparative advantage in global markets.

The government’s support for expanded ICT infrastructure has already resulted in broader Internet penetration and cheaper access to information for the Thai people. E-commerce is expected to become more widely used in Thailand, particularly to support business-to-business (B2B) collaboration (for supply chain management and e-marketplaces).7 The ICT market in Thailand is forecast to grow by 6.6 percent in 2010.8

Thailand had approximately 8.5 million Internet users in 2006 (13-14 percent of the total population). Internet use is expected to continue its steady rise as a result of government initiatives and lower access charges. By the end of 2005, approximately 40 percent of Internet users had Broadband connections.9

The Thai government is aware that e-commerce will play a key role in the global market. It is investing heavily to encourage both government agencies and the private sector – including small and medium-size entities – to use e-commerce to increase their efficiency and capabilities for competition in the global market. Its e-Commerce Policy Framework was launched by NECTEC in 2000. Among the policy principles encouraged is the development of infrastructure, including a legal and security base, to enhance e-Commerce growth.

One of Thailand’s goals in its Second ICT Master Plan is to have at least 50 percent of its population be ‘ICT-knowledgeable.’

This report focuses on the important aspects of creating a legal infrastructure through which Thailand can move forward with efforts to address data privacy should it decide to implement the APEC Data Privacy Pathfinder. The analysis contained in this report is based on a review of existing laws and regulations, as well as consultations held with officials of the Thai government, civil society, and the private sector. These consultations were very useful in developing an understanding of Thailand’s approach to data privacy and the steps it has already taken to become compliant with the APEC Privacy Framework10 and to participate in the APEC Pathfinder program.

Finally, the report reviews the data privacy framework in Thailand and considers an approach for accountability agents and an appropriate enforcement authority that would be consistent with Thailand’s domestic legal regime and its historic approach to regulation. It also formulates a beginning approach for the technical assistance and capacity-building that might be helpful to implement the APEC Data Privacy Pathfinder in Thailand, should it decide to participate fully in the APEC Pathfinder program.

6 Members of the MICT’s Electronic Transactions Bureau discussed the update of the original plan and provided a synopsis of this Master Plan. The full text of the Second ICT Master Plan (2009-2013) is available at http://www.mict.go.th/download/Master_Plan.pdf.

7 Doing Business in Thailand: 2010 Country Commercial Guide for U.S. Companies, page 13.

8 National Electronics and Computer Technology Center (NECTEC), National Market Survey.

9 Id.

CURRENT DATA PRIVACY ENVIRONMENT

This section of the report focuses on the legal framework in Thailand related to privacy to the extent that is relevant to the APEC Data Privacy Pathfinder. In particular, it briefly explores the relevant laws in Thailand with a view towards assessing whether or how they may be used to enforce the APEC Privacy Framework, as well as supporting the establishment of accountability agents and the enforcement authority. This review is necessary to determine whether a particular economy’s current legal infrastructure will enable the key elements of the APEC Data Privacy Pathfinder and, in particular, the accountability agent and enforcement authority. The report also reviews the proposed data privacy legislation that is pending in Thailand’s Parliament.

Background

The APEC Ministers have endorsed the APEC Privacy Framework (2004), as well as the APEC Data Privacy Pathfinder (2006). A key issue for APEC member-economies is how each will enforce the APEC Privacy Framework. This is, of course, a matter for domestic law and regulation. However, in developing this legal framework, each member-economy must also take into account the important cross-border aspects of the APEC Data Privacy Pathfinder.

In the context of establishing accountability agents, governments must identify existing law or establish new laws and/or regulations that provide the legal basis for the particular accountability agent model selected for implementation. Generally, there are three approaches for accountability agents. One is a public sector model in which a government agency or regulator serves as an accountability agent. A second model is that of an “accredited” private sector organization or organizations which will undertake the responsibilities of the accountability agent in a particular member-economy. Another model, perhaps a subset of the second, is to authorize professional firms such as, for example, auditing firms, law firms, etc. as accredited accountability agents. A government regulator would accredit private sector entities acting as accountability agents.

10 It should be noted that the APEC Privacy Framework is based on the OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data adopted in 1980, available on the OECD website at http://www.oecd.org/document/18/0,3343,en_2649_34255_1815186_1_1_1_1,00.html. The OECD Guidelines are the foundation for privacy policies and laws in most APEC member-economies, the European Union and in other nations.


Accountability agents, whether public or private sector, are responsible for assessing and evaluating those private sector entities that are voluntarily seeking approval to utilize the APEC Privacy seal or trustmark. This assessment entails a careful review11 of responses to the Pathfinder In-Take Questionnaire that the organization seeking approval submits to an accountability agent. The In-Take Questionnaire contains 51 questions that reflect each of the principles in the APEC Privacy Framework. Once an entity has been approved, it will undergo periodic reviews by the accountability agent to insure that it continues to be in compliance with the APEC Pathfinder. If an entity is found not to be in compliance, whether this is learned through the periodic review or as a result of the accountability agent’s investigation of a complaint, its authority to use the APEC Privacy seal or trustmark may be revoked by the accountability agent.

In addition, a member-economy will also need to establish an enforcement authority. In order to participate in the APEC Pathfinder, a member-economy must identify the appropriate regulator (e.g., a government ministry or a publicly-authorized commission) that will sign the APEC Enforcement Cooperation Arrangement endorsed by the APEC Electronic Commerce Steering Group (ECSG).12 The Enforcement Cooperation Arrangement specifies that the appropriate signatory is the public entity with the legal authority and responsibility to enforce an APEC member-economy’s privacy laws. This agreement describes privacy laws as “those laws, the enforcement of which would have the effect of protecting personal information consistent with the APEC Privacy Framework.” [Emphasis added]. It should be noted that a privacy law enforcement authority is an essential component of any data privacy protection model, not solely the APEC Cross-Border Privacy Rules System. Just as for the accountability agents, establishing the legal framework for the enforcement authority is a critical step in the process of implementing the APEC Data Privacy Pathfinder.

Thailand prepared an APEC Data Privacy Individual Action Plan in 2006 that outlines the sources of Thai law for the APEC Pathfinder and that would form a basis for enforcing the APEC Privacy Framework. The Action Plan focuses on the nine APEC Privacy Principles and identifies Constitutional principles, laws and regulations that address and carry out each principle.13

Legal Framework in the Kingdom of Thailand

At the present time, the Kingdom of Thailand does not have a specific overarching privacy law14 that provides broad privacy protections and creates a specific privacy enforcement agency or commission. Thailand does have a number of laws and regulations on which it might draw for the enforcement of the APEC Privacy Framework, as well as the legal authority for establishing its accountability agents and the enforcement authority in a manner that would be compliant with the APEC Data Privacy Pathfinder. As noted below, however, Thailand currently has a proposed data privacy law pending in Parliament that, along with appropriate implementing regulations, would very likely meet the legal infrastructure needs for implementing the APEC Pathfinder.

11 This entails the use of an assessment methodology that is consistent across all economies participating in the APEC Data Privacy Pathfinder.

12 See, http://www.apec.org/apec/news___media/fact_sheets/201006cpea.html.

13 APEC Information Privacy Individual Action Plan-Thailand (2006), available at http://www.apec.org/apec/apec_groups/committee_on_trade/data_privacy_iaps.html.

14 See, e.g., Canada's Personal Information Protection and Electronic Documents Act (PIPEDA) that adopted fair information principles and established a Privacy Commissioner. It should be noted that APEC member-economies are not expected to adopt this approach and many have chosen different approaches based on their own legal frameworks. The APEC Pathfinder explicitly recognizes that “one size does not fit all” in this area.

The major privacy-related laws and regulations in Thailand are described briefly below.

2007 Constitution of the Kingdom of Thailand

Privacy is a constitutionally protected right under two sections of the Thai Constitution.15 Section 34 of the Constitution states:

A person’s family rights, dignity, reputation or his right to privacy shall be protected. The assertion or circulation of a statement or picture in any manner whatsoever to the public, which violates or affects a person’s family rights, dignity, reputation or the right of privacy, shall not be made except for the case which is beneficial to the public.

Section 37 of the Constitution states:

Persons have the freedom to communicate with one another by lawful means. Search, detention or exposure of lawful communication materials between persons, as well as actions by other means so as to snoop into the contents of the communications materials between persons, is prohibited unless it is done by virtue of the power vested in a provision of the law specifically for the purpose of maintaining national security or for the purpose of maintaining peace and order or good public morality.

Thus, the Constitution provides a general basis for the development of privacy laws and regulations in Thailand. Other APEC member-economies have similar types of broad privacy protections included explicitly in their Constitutions or included by judicial interpretations of their Constitutions.

Official Information Act B.E. 2540 (1997)

The Official Information Act (OIA) guarantees citizens access to public information. Section 4 of the Act defines personal information as information relating to “the particular private matters” of a person that can identify that person. The Act provides a code of information practices for state agencies to follow when processing personal information. These practices require the agency to ensure that the information system is relevant and necessary to achieve agency objectives; collect information directly from the subject; publish notices about the use of the information; provide for an appropriate security system; notify persons if information is collected about them from a third party; not disclose personal information to other State agencies or persons without written consent; and provide rights of access, correction and deletion.16

15 Id. note 13.

The Official Information Commission (OIC) under the Office of the Prime Minister oversees compliance with the Act. The Thailand APEC Information Privacy Individual Action Plan shows how this law addresses the principles in the APEC Privacy Framework. While the OIA is important in protecting the privacy of personal information collected, used or shared by the government, it does not address the protection of information relating to consumers that is created, used, and shared by private sector businesses. Thus, while the principles embodied in the APEC Privacy Framework are addressed in the OIA, further legislation would be necessary to bring private sector data privacy within the ambit of the OIC.

New legislation, or possibly a Royal Decree, could provide the legal basis for Thailand to implement the APEC Pathfinder Cross-Border Data Privacy Rules System under the auspices of the OIC. Other governments have developed models that combine the ‘freedom of information’ aspects of a regulator’s responsibility, which the OIC currently has, with functions that are related to the protection of personal data privacy in the private sector (i.e., for business entities and other non-governmental organizations.) In the U.K., for example, the Information Commissioner’s Office is an independent regulatory agency reporting to Parliament and has responsibility for the U.K. Data Protection Act of 1998 and the U.K. Freedom of Information Act of 2000.17 It is our understanding that at least one of the proposed data privacy protection laws currently pending in the Thai Parliament would combine the functions in this way.

Consumer Protection Laws

There are a number of Consumer Protection laws in Thailand and other laws that include consumer protections. Thailand’s Constitution contains two provisions related to consumer protection as well. Section 61 of the Constitution provides that an autonomous consumer protection organization would be entrusted with consumer protection responsibilities.18 Section 84 provides that the Thai government shall regulate business activities for free and fair competition, antitrust, and for consumer protection.

The Consumer Protection Board (CPB) has overall responsibility for four consumer protection laws:

• The Consumer Protection Act, B.E. 2522 (1979 and subsequent amendments)
• Direct Sales and Direct Marketing Act, B.E.2545 (2002)
• The Product Liability Act, B.E. 2551 (2008)
• Consumer Case Procedure Act, B.E. 2551 (2008)

16 APEC Information Privacy Individual Action Plan, at 2; see also, N. Serirak, Towards Personal Data Protection: A Proposed Model for the Development of ‘Right to Know’ in Thailand, 11 THAMMASAT REVIEW 115 (2006). [Provides an extensive review of the OIA and its relationships to individual data privacy].

17 See, http://www.ico.gov.uk/what_we_cover.aspx.

18 Section 61 also provides rights to protect concerning information provided in connection with products or services, as well as a right to make a complaint for consumer redress.

There are a variety of other consumer protections provided for in other laws that are administered by government agencies other than the Consumer Protection Board, for example, the Electronic Transaction Act of 2001, the Trade Competition Act of 1999, and the Law on Credit Bureau.

The key responsibilities of the CPB, in addition to its ‘educational’ and product safety programs, are to handle complaints received from consumers and to institute legal proceedings when an infringement of consumer rights is found. The Office of the Consumer Protection Board is the governmental authority that acts as the Secretariat for the CPB. It collaborates with other Ministries where the missions intersect, e.g., with the Office of the Information Commission. Finally, it collaborates with industry groups in setting standards in a number of areas and issuing its seal when those standards are met, for example, the CPB Fair Contract Seal.

For purposes of the APEC Pathfinder, there are certain provisions of the Consumer Protection Act that merit consideration. The Act addresses five basic consumer rights: the right to be informed, the right to choose, the right to safety, the right to redress, and the right to fair contract terms. Chapter II, Part 2 (Advertising) and Part 2 bis (Contracts) contain provisions that relate to what might be referred to as false and deceptive practices. Further, the Act appears to permit the CPB to develop and promulgate regulations related to consumer transactions. From a legal analysis viewpoint, it may be possible for the CPB to incorporate the principles of the APEC Privacy Framework into its regulations related to advertising and consumer contracts that might be applied at least to web-based consumer transactions. These privacy regulations could be applied to the “contracts” (i.e., website user agreements and terms of use agreements). The CPB could then regulate websites based on an “unfair and deceptive practices” model without the need for new legislation.

However, while it may be possible to use the current legislation in this manner, it may be difficult to bring all of the necessary entities or types of transactions (e.g., exchange of employee data across borders or business process off-shoring activities) within the regulations’ coverage. Based on the operation of the Thai legal system as well, this approach may be inappropriate. Nevertheless, consideration of these issues in new legislation could provide the CPB with a role in the overall APEC Pathfinder program should Thailand decide that it wishes to participate in it.

Electronic Commerce Legal Framework As noted earlier in this report, the Ministry of Information and Communications Technology has developed a 2009-2013 Master Plan for IT development in Thailand. Among its goals are to increase Thailand’s trade development and business opportunities using ICT both domestically and in global markets. With the lead of the MICT, Thailand has enacted legislation and put in place a series of Royal Decrees that have enhanced and strengthened its electronic commerce legal framework. Thailand’s primary e-Commerce laws covering electronic transactions and

Page 16: APEC Data Privacy Pathfinder - Data Privacy Studies ...mddb.apec.org/documents/2010/ECSG/SEM2/10_ecsg_sem2_003a.pdfwood products, canned food, toys, plastics products, gems and jewelry

9

electronic signatures are based on international standards, i.e., the United Nations Model Laws for electronic commerce.19

Thailand’s Electronic Commerce Act establishes an Electronic Transactions Commission in Chapter 5 of the Act. Among the important powers of this Commission are:

(1) To make recommendations to the Cabinet to lay down policies for promotion and development of electronic transactions including solving relevant problems and obstacles;

….

(3) To make recommendations or give advice to the Minister to issue Royal Decrees pursuant to this Act.

….20

In addition, Chapter 3 of the Act regulates ‘service’ businesses involved in electronic transactions.

21

In the event where it is necessary to maintain financial and commercial stability, or for benefit of strengthening the credibility and acceptance of electronic transactions systems, or to prevent damage to the public, a Royal Decree prescribing the service business relating to electronic transactions which shall be subject to prior notification, registration or license shall be issued. [Emphasis added].

It states that

These provisions in the Electronic Transactions Act may provide another avenue for creating the legal infrastructure should Thailand choose to implement the APEC Pathfinder. Since the primary focus of the Pathfinder is data privacy, it may be possible in the context of electronic transactions for Thailand to develop a Royal Decree that would implement the legal framework necessary for the Pathfinder. It could draw on provisions in other laws as well (e.g., the Constitution and the Consumer Protection Law) that are relevant to privacy. The Royal Decree could designate the appropriate governmental agencies (Ministries or Commissions) to be responsible for its implementation.22 This approach might obviate the need for separate legislation in this area.

19 These were developed by the United Nations Commission on International Trade Law in 1996 and 2001, respectively. See, http://www.uncitral.org/uncitral/en/uncitral_texts/electronic_commerce.html. Thailand currently has in force the following: Electronic Transactions Act, B.E. 2544 (2001) (including an amendment, the Electronic Transactions agency and e-Document Act), Computer Related Crime Law, the Royal Decree on Electronic Transactions in the Public Sector, the Royal Decree to Regulate e-Business Services Relating to e-Transactions under the Electronic Transactions Act, and the Royal Decree Regulating e-Payment Service Providers. Currently pending are the Royal Decree Regulating Certification Authorities and a Royal Decree on Security Policy for Electronic Transactions (the latter was approved by the Cabinet in July 2010).

20 Electronic Transactions Act B.E. 2544 (2001), as amended, § 37.

21 Id., § 32.

22 Id., third full paragraph in § 32.

Draft Privacy Data Protection Act

Ongoing development of Thailand’s ICT and information society initiatives since the 1990s has led to a variety of legal developments, most notably those in the electronic commerce domain described above. These initiatives included drafting legislation related to data privacy. The first draft of a Privacy Data Protection Act was undertaken by the newly-created Ministry of Information and Communications Technology (MICT).23 After review by a number of government organizations, the Office of the Official Information Commission drafted another version. By 2009 the Cabinet had sent a proposed Privacy Data Protection Act to Parliament. At about the same time, a number of MPs in Parliament also submitted what is considered to be a very similar draft law.24

The provisions of the proposed Privacy Data Protection Act, as described to us by various sources, appear to provide much of the necessary framework to implement the APEC Pathfinder in Thailand. The proposed law would regulate the collection, retention and sharing of personal data. It is based on eight principles: consent, notice, purpose specification, use limitation, accuracy, access, security, and enforcement. The holder of a personal data record is prohibited from using or disclosing personal data to third parties without consent. Thus, the basic principles of the APEC Privacy Framework appear to be included in the statutory language. Although prepared in 2006 and predating the current version of the proposed Privacy Data Protection Act, Thailand’s APEC Information Privacy Individual Action Plan provides an example of how the draft law would address the principles in the APEC Privacy Framework.

The law would create an “enforcement authority,” a new body known as the “Personal Data Protection Commission.” It is likely that regulations could be promulgated to create an appropriate accountability agent model in Thailand if this were not created explicitly in the law. The Office of the Official Information Commission would serve as the “Secretariat” for this new Commission. It would also have the power to establish a “data processing certification mark” for those private sector entities that met a set of standards established by the Commission.

COMMENTARY

Overview

The importance of cross-border data privacy protection in international trade development has increased significantly over the past decade. The Thai government began considering data privacy in the 1990s when the National Information Technology Committee (NITC) began drafting legislation related to data privacy, as well as various aspects of electronic commerce.25

23 MICT was created in 2005 as part of a governmental reorganization.

24 Proposed drafts of the Privacy Data Protection legislation were restricted and unavailable in English since neither had a First Reading.

25 P. Ramasoota, Ph.D., Introduction to Data Privacy Law in Thailand, THE MEDIA POLICY CENTER (1 March 2010), at 2. [At footnote 4 in her paper, Professor Ramasoota notes that, “NITC was hosted by the

Because of its ties to the European Union as a trading partner, Thailand was well aware of the importance of data privacy protection and, therefore, included it as part of its “information society” agenda.26

At this time, Thailand has not made a decision to proceed towards implementation of the APEC Pathfinder Cross-Border Data Privacy program. Since at least 2006, Thailand has participated in varying degrees in the APEC Pathfinder efforts and has completed an Individual Action Plan describing how Thailand’s legal regime, including the pending data privacy law, would accommodate the APEC Privacy Framework.

As noted above, Thailand’s Parliament is considering at least one and possibly two similar pieces of data privacy legislation.27

The APEC Data Privacy Pathfinder provides to Thailand and to other APEC member-economies the opportunity to participate in an enabling data privacy approach that seeks to protect privacy rights while facilitating cross-border data flows that are important to the efficient functioning of global supply chains and business development. During the consultation meetings held during this mission, the importance of developing a data privacy regime that would provide competitive advantages to Thailand’s trade development efforts and to Thai businesses seeking to enhance and increase their international business activities was noted by government officials and private sector representatives.

Thailand has been an Observer in the Pathfinder initiatives and is considering whether it should participate more fully.

Following are some of the considerations that Thailand’s policymakers may wish to take into account in deciding whether to move forward with the APEC Pathfinder.

• Enhanced opportunities for cross-border business development and the possible reduction in barriers to trade by implementing a data privacy legal framework that is adaptable to international standards, such as the APEC Pathfinder.

• Enhanced strategic positioning of Thailand’s business development efforts as noted in its Second Master Plan for IT Development (2009-2013).

• Competitive advantage for Thai industries seeking access to global supply chain networks.

• Enabling SMEs in Thailand to access global market opportunities.

• Participation in a flexible and enabling framework for data privacy.

• Enhanced data privacy protection for consumers/citizens involved in domestic and cross-border transactions.

• Possibilities for both multi-lateral and bilateral capacity building and technical assistance opportunities for implementation of the APEC Pathfinder in Thailand.

technocratic National Electronic and Computer Technology Center (NECTEC) of the Ministry of Science, Technology and Environment.”]

26 Id.

27 Supra, note 13.

Selection of the Accountability Agent Model

Each accountability agent model (public versus private sector) identified in the APEC Data Privacy Pathfinder was discussed during the consultations in Thailand. Based on Thailand’s background, electronic commerce development, and overall regulatory approach, there seemed to be a strong sentiment that the public sector model for accountability agents would be consistent with Thailand’s needs in this area.

As noted above, the pending Privacy Data Protection Act does not address the possibility of a government-centered accountability agent model directly. It is possible, however, that an accountability agent function could be created under the regulatory powers (e.g., Royal Decree) that exist or will be determined by the new data privacy law. It appears that Thailand could house the accountability agent functions within one of several different government entities. For example, accountability agents could be implemented under the auspices of the Ministry of ICT, the Consumer Protection Board, or the Official Information Commission, which could likely develop programs that would fulfill the needs for the accountability agents under the Pathfinder.

It is also possible that Thailand may wish to consider an independent Commission or Board that might serve as accountability agents. If this latter approach were taken, it might be helpful to include this function with the enforcement authority.

Enforcement Authority

In addition to selecting the accountability agents under the Pathfinder program, a member-economy must designate an “enforcement authority” that is responsible for enforcing that economy’s data privacy laws and that would sign the APEC Enforcement Cooperation Arrangement. Currently, Thailand does not have a data protection authority for private sector entities. It is our understanding, however, that under the proposed data privacy law being considered by the Thai Parliament, the Official Information Commission might be assigned this responsibility.28 Given the enforcement powers that are being contemplated by this proposed law in Thailand, it seems clear that Thailand would be well-positioned to meet this requirement of the Pathfinder.

RECOMMENDATIONS

Following is a series of initial recommendations for consideration, based on our review of the legal materials available to us as well as the discussions held with public officials and private sector representatives. We are hopeful that they will provide helpful guidance for continuing efforts in this area. (These recommendations assume that Thailand might wish to implement the APEC Pathfinder.)

28 Supra at n. 17. As noted earlier, there are existing models, such as that in the U.K., where the government agency responsible for access to public information is also the one responsible for personal data protection.

• Thailand should continue its participation in the APEC Data Privacy Pathfinder and may wish to become more involved as it finalizes its legislative framework, including data privacy protections applicable to the private sector.

• Review the text of the proposed Privacy Data Protection Act (PDPA) to ensure that it includes those elements that will enable participation in the APEC Data Privacy Pathfinder. Thailand may also wish to consider how other elements of its current legal infrastructure might accommodate the requirements of the APEC Pathfinder.

• Determine the appropriate government agency within which the public sector accountability agent(s) should be located.

• Consider more direct involvement in the cross-border and governance (Project 8) aspects of the Pathfinder.

• Review cost studies related to regulatory impacts with a view toward finding those models that will minimize costs to both the government and the private sector.

• Develop flexible enabling regulations and policies and procedures to implement the APEC Data Privacy Framework and the Thai accountability agent(s) and the enforcement authority program.

• Prepare an organizational strategy for government implementation of the APEC Data Privacy Pathfinder and develop agency expertise in the areas of the APEC Privacy Framework.

• Develop policies, regulations, and procedures for implementing the accountability agent(s) and enforcement authority functions of the Pathfinder.

• Continue the public consultation process with a broad range of business and consumer groups for development of the accountability agent(s) program.

• Create and implement broad communications and education programs that will effectively inform businesses of the benefits of the accountability agent(s) program, raise the public’s awareness of the importance of data privacy in the online environment, and build confidence in the accountability agent(s) and enforcement authority program.

FURTHER CAPACITY-BUILDING OPPORTUNITIES

At the present time, Thailand may benefit from additional technical assistance, particularly in finalizing its data privacy legislation and developing the regulatory framework for the accountability agents and enforcement authority program, as it prepares for implementation of the APEC Data Privacy Pathfinder. Specific areas for consideration include:

• ICT enhancements to create automated systems to reduce processing time in the work of accountability agents and the enforcement authority.

• Assistance in further developing the regulatory legal framework for the Pathfinder, particularly as it relates to cross-border and governance (Project 8) programs for Thailand.

• Education, communications, and organizational strategies for both the public and private sectors, as needed.

Careful drafting of the data privacy law and regulations is important to achieve a legal framework that is compliant with the APEC Privacy Framework and the APEC Data Privacy Pathfinder. This should take into account not only domestic law but also standards established in other APEC member-economies. These considerations should be included in the regulatory scheme to ensure that the legal structure will fully support the enforcement elements of the accountability agents and enforcement authority program.

The cross-border aspects of the accountability agents program may be of importance both in developing the regulatory regime and in implementing the APEC Data Privacy Pathfinder program. This is an area specifically identified during the consultation meetings.

Development of programs that will enhance the “agency expertise,” both legal and management, for operating the accountability agents and enforcement authority program will be important. This will ensure consistency in decision-making processes, including those in the dispute resolution area, as well as for building confidence among business entities, consumers, and others whose personal data may be subject to the APEC Pathfinder Cross-Border Data Privacy Rules. Having this type of expertise will also provide consumers with the “trust” that will be central to the success of Thailand’s accountability agents and enforcement authority program.