26 June 2019

Data Blast: New laws in Thailand and Maine…

New laws in Thailand and Maine, plus Pennsylvania’s Criminal History Records Information Act violated, and Belgium is consulting…

Thailand passes new Data Protection Law

Thailand’s Personal Data Protection Act (‘PDPA’), passed by the National Legislative Assembly in February, went into effect on May 28th 2019, upon publication in the Government Gazette.

The Thai government openly and deliberately sought to replicate the GDPR, in order to demonstrate Thailand’s adequate level of data protection, making it easier for European Commission to make an adequacy decision. Where an adequacy decision has been made, personal data can flow from the EU to a third country without any further safeguard being necessary.

The PDPA provides a one-year grace period, after which provisions concerning personal data protection, data subject rights, complaints, and liabilities and penalties will take force, in order to allow businesses time to prepare and implement the controls necessary for compliance.

The following are the key provisions of the PDPA:

  1. Establishment of a National Data Protection Authority to enforce PDPA compliance;
  2. Extraterritorial Effect: PDPA provisions apply to the collection, use or disclosure of personal data of data subjects in Thailand conducted by controllers and processors outside Thailand;
  3. Consent: collection, use or disclosure of personal data will require subject consent, which must be express, and either in writing or through an electronic means;
  4. Data subject rights: subjects are entitled to make subject access requests, and request the destruction or anonymization of his or her personal data;
  5. Personal data transfers: controllers are expressly prohibited from disclosing or transferring personal data to third parties, except where consent has been obtained. Where the transfer is to a country or institution outside of Thailand, it may only take place where the country or institution has an adequate level of protection;
  6. Sensitive personal data: the PDPA establishes a separate category for sensitive personal data, in line with those sensitive personal data outlined in the GDPR.

In the future, the Thai legislature’s approach in mirroring the GDPR is likely to become more common. Data-reliant businesses operating in countries that have not achieve EC adequacy are at a significant disadvantage, and business-friendly governments the world over will seek to provide local companies the even playing field such a decision provides.

Maine passes bill regulating broadband providers

On May 30th 2019, the House of Representatives and Senate of the state of Maine passed a bill preventing internet service providers (ISPs) from selling the data of customers in Maine without that customer’s confirmatory consent, subject to certain exceptions.

The bill forbids ISPs from using, selling, disclosing or permitting access to customers’ information where express consent has not been given, except for where doing so is required to: a) comply with court orders, b) provide the service from which such information is derived, c) advertise the ISP’s communications-related services to the customer, d) initiate billing for and collect payment for broadband services, e) protect users from fraudulent or unlawful use of the services, and f) provide geolocation information concerning customers in connection with emergency situations.

Belgium Regulator launches consultation on Direct Marketing

On June 12th 2019, the Belgian Data Protection Authority launched a public consultation on direct marketing with a view to updating its Recommendation No. 02/2013 of January 30, 2013 on direct marketing (the French consultation is here, and the Dutch version here).

The bill requires ISPs to take reasonable steps to protection customer information from unauthorised use, and mandates they provide a notice outlining the customer’s rights and their obligations under the new law, both at the point of sale and on its public website. It also prevent ISPs from refusing customers who decline to provide consent, and from offering discounts or charging penalties based on a customer’s choice regarding consent.

This step by Maine is just the latest example of state legislatures taking action in providing Americans data privacy rights more in line with those afforded under the GDPR. This follows on from the June 2018 passage by the California legislature of the California Consumer Privacy Act, which was similar to the GDPR in many respects.

Pennsylvania County faces $68 million in damages over criminal data publication

On May 28th 2019, a Pennsylvania jury found that Bucks County wilfully violated Pennsylvania’s Criminal History Records Information Act (‘CHRIA’) and awarded the statutory minimum $1,000 to each of the roughly 68,000 class members, resulting in potential damages of $68 million.

At issue was Buck County’s ‘Inmate Lookup Tool’ featuring protected information, including information concerning tens of thousands of individuals’ arrests records who had been incarcerated in the county’s facilities. The suit was filed in 2012, when a class representative discovered that information pertaining to his 1998 expunged arrest had been made publicly available, and sought actual and punitive damages under s. 9183 of the CHRIA, as well as injunctive relief.

The CHRIA governs the use of criminal history record data by criminal justice agencies, and s. 9183 provides aggrieved parties a range of exemplary and punitive damages between $1,000 and $10,000, provided the violation is found to be wilful.

The Plaintiff was granted class certification and summary judgment in relation to liability by the district court, and both decisions were affirmed by the Third Circuit Court of Appeals. The jury was left to determine whether Bucks County had wilfully violated the CHRIA, and if so what punitive damages were to be awarded. The jury found that the County wilfully violated the CHRIA, awarding the statutory minimum damages.

While the decision to award damages in this case was made by a jury, as opposed to a regulator, certain fundamental data privacy lessons can be observed. In the GDPR era, data minimisation, as well as ensuring that data is kept in secure and out of public view, is fundamentally important.

For more information please contact Partner, James Tumbridge at