The National Broadcasting and Telecommunications Commission (NBTC) has recently released a new Notification on Measures to Protect the Rights of Telecommunications Service Users Related to Personal Data, Rights to Privacy, and Liberty to Communicate through Telecommunications (“Telecommunications Data Protection Notification“). This Telecommunications Data Protection Notification repealed and replaced the existing NTC (National Telecommunications Commission, now the NBTC) notification on data protection, which had been applicable to telecommunications business operators since 2006. While the new Telecommunications Data Protection Notification has been updated and revised to align with the Personal Data Protection Act, B.E. 2562 (2019) (PDPA), the notification contains provisions specific to the telecommunications business sector.
Key changes from the previous NTC notification include but are not limited to (i) the revision of the definition of personal data; (ii) expansion of the allowed use of personal data to include non-telecommunications services purposes upon the consent of data subjects; (iii) restrictions pertaining to sensitive personal data; (iv) right to opt-out; and (v) the data breach incident notification obligation. These changes are deemed to offer better business opportunities for telecommunications operators and other businesses dealing with the personal data of telecommunications users in Thailand.
In more detail
Since 2006, telecommunications business operators have been required to comply with the Notification of the National Telecommunications Commission on Measures to Protect the Rights of Telecommunications Service Users Related to Personal Data, Rights in Privacy, and Liberty to Communicate through Telecommunications. This notification was issued under the Telecommunications Business Act B.E. 2542 (1999) (TBA) to regulate the processing of telecommunications users’ personal data, which mainly restricted the processing of telecommunications users’ personal data for the benefit of operating telecommunications services without the consent of the users.
Thailand has been taking steps to strengthen its personal data protection legal framework. As a result, the PDPA was issued in 2019. To align with the PDPA, the NBTC has updated its existing notification on telecommunications personal data protection.
The NBTC came up with the first draft of the new notification and organized a public hearing in late 2022. After the hearing process, several updates were made to the draft before it was finalized and published in the Royal Gazette on 4 September 2023. This new Notification came into effect for telecommunications business operators on 5 September 2023.
Key details and changes are as follows.
- Personal data in scope
The definition of personal data under the Telecommunications Data Protection Notification has been updated to align with the PDPA. However, the language of the definition is still different and specific to the telecommunications business. The scope of personal data included in this Notification is limited to personally identifiable information such as name, address, National ID card number, telecommunications number, usage information, as well as usage data or user’s behavior in using telecommunications service that could identify the users.
This change makes it clearer that information such as usage and user behavior information would be considered personal data only if it could identify the users, which is in line with the definition of personal data under the PDPA.
- Scope of personal data usage
Previously, telecommunications business operators were only allowed to use personal data for the purpose of operating telecommunications services and with consent from the data subjects.
This new NBTC Notification loosens this requirement and allows operators to use personal data for purposes other than the operation of telecommunications business, upon consent from the data subjects.
- Use of sensitive personal data
The previous NTC notification only prohibited the collection of personal data related to disabilities (with exemptions where it is for the purpose of serving the disabled persons appropriately), hereditary traits, and data that may explicitly affect the feelings or cause damages or affect the liberty of the users.
However, the Telecommunications Data Protection Notification now includes a broader range of sensitive personal data such as race, ethnicity, sexual behavior, political opinions, religious beliefs, and criminal records, which is in line with the PDPA.
Telecommunications operators can use such sensitive personal data under specific conditions.
- Rights to opt-out of receiving information
The Telecommunications Data Protection Notification also regulates the sending of marketing information by telecommunications operators, e.g., providing a channel for the service users to opt-out from receiving information or the service. This could also be the Thai government’s effort to mitigate unwanted SMS, scams, and fraud, which has been a major issue in the telecommunications business in Thailand for the past few years.
- The data breach reporting obligation
Under the previous NTC notification, the NBTC did not prescribe a specific reporting obligation following a data breach incident. The current TBA requires the telecommunications business operators or the NBTC to terminate the breach and notify the users without delay.
Under this new NBTC Notification, the telecommunications business operators would be obligated to notify the NBTC within 24 or 72 hours, as the case may be, and also notify the users without delay. Therefore, this would be an additional reporting obligation imposed on the telecommunications business operators.
This new NBTC notification also sets out the obligations, including security measures, interception, rights of the data subjects, etc.
Although this Telecommunications Data Protection Notification generally eases restrictions on the use of personal data by telecommunications business operators, those business operators should note that there are additional obligations under the Telecommunications Data Protection Notification on top of the PDPA for personal data from telecommunications services. This Notification must also be taken into consideration when operating a telecommunications business in Thailand or dealing with personal data from telecommunications users.
These changes may offer better business opportunities and flexibility in relation to the use of personal data for telecommunications operators and other businesses.
For more information, please contact us.