DPDP Act vs PDPA (Thailand): A Data Protection Showdown
Comparing India's DPDP Act 2023 and Thailand's PDPA reveals key differences in their approach to personal data protection, consent, penalties, and cross-border transfers.
DPDP vs PDPA (Thailand): Understanding the Differences
Both India’s Digital Personal Data Protection Act 2023 (DPDP Act) and Thailand’s Personal Data Protection Act (PDPA) aim to protect individuals’ personal data. While they share common goals, their approaches, especially for businesses, have distinct differences. Think of it like comparing two different curries – same core ingredients, but different spices and cooking methods!
Side-by-Side Comparison
| Feature | DPDP Act 2023 (India) | PDPA (Thailand) |
|---|---|---|
| Scope | Digital personal data of Indian residents. Applies to processing outside India if it targets Indian residents. | All personal data (digital & physical) of data subjects in Thailand. Applies extraterritorially if offering goods/services to or monitoring data subjects in Thailand. |
| Consent Model | Consent or “legitimate uses” (specific, predefined purposes like employment, medical emergencies). | Consent or other legal bases (contract, legal obligation, vital interest, public task, legitimate interest). Explicit consent for sensitive data. |
| Children’s Age | Under 18. Requires parental consent or consent from a lawful guardian. | Under 20. Parental/guardian consent needed for minors, or if the minor is unable to comprehend the request. |
| DPO Requirement | Only for Significant Data Fiduciaries (companies identified based on risk/volume of processing). | Required for specific types of processing: large-scale sensitive data, systematic monitoring, public authorities. |
| Max Penalty | Up to ₹250 Crore (~$30M USD) for major breaches. Penalties are per specific breach. | Administrative fines up to THB 5 million (~$135K USD). Can include criminal penalties (imprisonment, fines) for certain offenses. |
| Cross-border Transfer | “Blacklist” model: restricts transfers to specific countries identified by the government as non-adequate. | “Whitelist” model or specific mechanisms: transfers to countries with adequate protection standards OR Binding Corporate Rules, SCCs, explicit consent. |
| Data Subject Rights | Right to access, correction, erasure (right to be forgotten), grievance redressal, nominee. | Right to access, rectification, erasure (right to be forgotten), restriction of processing, data portability, objection, withdrawal of consent. |
| Sensitive Data | No separate category defined in the Act yet, deferred to future rules. | Explicitly defines “sensitive personal data” (e.g., race, health, criminal records) requiring explicit consent or specific legal grounds. |
| Enforcement Body | Data Protection Board of India (DPBI) – a single, independent body. | Office of the Personal Data Protection Committee (PDPC) – main enforcement body. |
Key Philosophical Differences
- Consent vs. Legal Bases: The DPDP Act leans heavily on obtaining clear consent or relying on a limited set of “legitimate uses.” The PDPA, similar to GDPR, provides a broader range of legal bases for processing, including “legitimate interest,” which offers more flexibility for businesses in certain situations.
- Enforcement and Penalties: While both have penalties, DPDP focuses on substantial administrative fines. PDPA, however, can also impose criminal penalties (including imprisonment) for certain serious offenses, indicating a stronger punitive approach in some areas.
- Data Categorization: PDPA explicitly defines “sensitive personal data” (like health or religious beliefs) with stricter rules. DPDP acknowledges the concept but has deferred its definition and specific rules to be notified later, creating some initial ambiguity compared to PDPA’s clarity.
For Companies Operating in Both India and Thailand
If your business handles personal data from both India and Thailand, here’s what you need to remember:
- Tailor Consent Strategies: Don’t use a one-size-fits-all approach. For India, prioritize explicit consent or ensure your processing fits a “legitimate use.” For Thailand, you might have more options, but sensitive data always needs explicit consent.
- Mind the Age Gap: Be extra careful with data from children. India’s age is under 18, while Thailand’s is under 20. Ensure you have the correct parental/guardian consent for each region.
- Cross-Border Transfers are Tricky: PDPA offers standard mechanisms for transferring data out of Thailand. For India, you’ll need to watch for government notifications about which countries are “safe” to transfer data to.
- Review Your DPO Needs: If you process large amounts of data or sensitive data, you might need a Data Protection Officer (DPO) in Thailand. For India, monitor if your company is designated a “Significant Data Fiduciary” as this will trigger DPO requirements.
- Update Privacy Policies: Make sure your privacy policies and notices specifically address the different rights, obligations, and legal bases required by both DPDP and PDPA.