Thailand has been discussing crafting its data protection legislation for over 20 years. But the dawn of IR 4.0, marked by the emergence of new frontier technologies, accelerated the pace for Bangkok to consolidate a legal framework on data privacy and security under the Personal Data Protection Act B.E. 2562 (2019) (PDPA).135 However, progress has been incremental due to the push and pull effects of various internal and external factors.
Published on 27 May 2019, Thailand’s PDPA is the country’s first consolidated law on data protection. Key principles under the PDPA are highly influenced by the European Union's (EU) General Data Protection Regulation (GDPR), especially its extraterritorial applicability.136 The PDPA acknowledges individuals’ right to control how their personal data is collected, stored, processed, and disseminated by data controllers.137 It provides lawful grounds for the processing of personal data and defines the duties and responsibilities of data controllers and data processors.138
Under the PDPA, there is no mandate on data localization, but the data protection obligations apply to all organizations that collect, use, or disclose personal data in Thailand or of Thai residents, regardless of whether they are formed or recognized under Thai law, and whether they are residents or have a business presence in Thailand.139 This means that the extraterritorial effects of the PDPA apply to all data controllers and processors, even if they do not maintain any physical foothold in Thailand.
After the PDPA’s publication in the Government Gazette in May 2019, the Personal Data Protection Commission (PDPC) was established to oversee its enforcement. Composed of 10 members from various fields, ranging from the legal, health, information technology, and human resources, to the military, the PDPC is currently drafting the PDPA’s sub-regulations.140 Upon the PDPA’s enactment on June 1, 2022, businesses were given a grace period of one year to set up new guidelines and establish or adjust their practices to comply with the PDPA.141
Thailand’s PDPA builds on existing and quite similar laws and regulations surrounding data protection and privacy, such as the Computer Crime Act of 2007 (CCA) and the Cybersecurity Act of 2019, which stipulates the specific requirements and obligations on government agencies and private organizations involved in critical information infrastructure to prevent, protect, and manage cyber risks, as well as to employ threat response and detection.142 The PDPA and the Cybersecurity Act are designed to complement one another, guiding businesses, regulators, and government agencies through the unfolding technological transformation in Thailand. Both pieces of legislation are also expected to form the foundation for Thailand’s “standards-based” digital economic base in the short and long haul.143
Despite the momentum surrounding the PDPA, its implementation has faced significant delays. Although it was planned to go into effect in 2021, an amendment to the Royal Decree led to its postponement for another year, moving the enforcement date to June 1, 2022. Internally, this delay stemmed from the setbacks of the COVID-19 pandemic and lack of human capacity at the governmental and institutional level. On the external front, pressure to comply with international regimes—in particular, the EU’s GDPR and the APEC Cross-Border Protection Rules (CBPR)—delayed Thailand fast-tracking the implementation. But amid growing concerns and speculation about another postponement, the PDPA did in fact go live on June 1, 2022.
Usage and Impact
Despite the drawn-out implementation of Thailand’s data governance regime, its digital economy has grown dramatically over the past decade. In 2018, Thailand’s digital economy accounted for 17 percent of its GDP.144 The digital content industry serves as the main driver of Thailand’s digital economy, mainly comprising gaming, big data, and animation. Characterized as a hyperconnected nation, 69.5 percent of Thailand’s population are online, of which 74.2 percent of those aged between 16 and 64 have purchased a product through e-commerce or have accessed online services.145
Data for the digital economy
Like most countries in Southeast Asia, the COVID-19 pandemic affected Thailand’s economy, which contracted by 0.3 percent in the third quarter of 2021.146 With strict lockdowns and telework set-up, the pandemic forced public and private organizations to migrate to online platforms, which experienced a growth of 300 percent in 2021, alongside increased reliance on cloud services.147 Notwithstanding the aftershocks of the pandemic, and political concerns in the country, the digital economy remains on track to further expand and reach USD57 billion by 2025.148
The steady rise of Thailand’s digital economy is mainly driven by its current economic model, Thailand 4.0. Launched in 2016, Thailand 4.0 focuses on innovation and the adoption of advanced digital technologies powered by big data to devise new engines of growth for the country to overcome the middle-income trap.149, 150 Specifically, it aims to stimulate industrial transformation through the establishment of the Eastern Economic Corridor (EEC) to attract foreign investors and boost productivity in the short- to medium-term.151
With Thailand’s increasing digital connectivity and internet penetration, demand for hyperscale data centers and cloud technology continues to rise. Data centers and the cloud industry will be crucial to support Thailand 4.0 initiatives. Given its rapid pace of digitalization, Thailand’s big data market is expected to grow due to rising investment in the country’s data center market of up to USD1 billion and USD700 million in cloud services by 2026.152
As big data becomes increasingly vital to the success of Thailand 4.0, the Thai parliament’s recent enforcement of the PDPA will be instrumental to ensure sustained growth of its digital economy. Ideally, the PDPA can provide the proper guidelines for businesses on data storage protocols, data logs, and unauthorized access, boosting the upward trajectory of Thailand’s digital economy. With the implementation of the PDPA, businesses and organizations are now legally compelled to adopt adequate policies and procedures to protect against massive data breaches that could expose thousands of personal records. If the PDPA is implemented correctly, large firms and SMEs can potentially avert or minimize possibly unquantifiable reputational damage, resulting in public backlash and loss of investor confidence.
As Thailand vies to become ASEAN’s digital hub, the implementation of the PDPA is a significant step in permitting the movement of critical data within and beyond the country’s borders. The PDPA sets the stage for Thailand to strengthen formal discussions on data flows through mechanisms such as model contractual clauses or equivalency certifications with other countries or jurisdictions. Furthermore, the PDPA’s implementation also enhances Thailand’s competitive standing in the digital economy, putting it in a better position to maintain and even attract more foreign investment from important markets like the EU. As one informant shared, previous bans and restrictions by the EU that impacted Thailand’s fishing and civil aviation industries have been cautionary lessons for the country’s booming tech industry153—making the implementation of the PDPA in line with international data protection regimes like the GDPR a top and urgent priority.
In the foreseeable future, the PDPA’s implementation will help lower the risk of Thailand’s vulnerability to cyber threats. Businesses can mitigate additional costs and even fines. More importantly, it can help the tech industry to truly optimize the benefits and opportunities of cross-border data flows or venture into joint research and development contracts with foreign entities, all of which will benefit the 10 priority industries under Thailand 4.0. At the regional level, Thailand’s productive participation in digital trade could be increased through its membership of the Regional Comprehensive Economic Partnership (RCEP) or by eventual accession to the Comprehensive and Progressive Agreement for Trans-Pacific Partnership (CPTPP).
Yet despite the projected benefits and advantages of the PDPA’s enforcement, it remains to be seen how it can be genuinely implemented to deliver practical outcomes, given the lack of human and technical capacity, especially among government agencies and regulators, to guarantee compliance among all concerned.154 Also, as noted, during its initial rollout the private sector faced the complex and dizzying task of implementing and interpreting provisions of the PDPA.155 A 2020 PDPA survey conducted by PwC among private companies in Thailand found that although 75 percent of companies were aware of the PDPA’s policies and procedures, 51 percent were still in the initial stages of implementation and 34 percent were still contemplating how to implement it.156 The majority of companies (60 percent) had not yet appointed a data protection officer, while 30 percent had not even set up a dedicated team for data privacy tasks.157
Interpreting the PDPA was also a major challenge among businesses. Due to the limited guidance available at that time, 46 percent of the surveyed companies were just integrating the new policies on data protection into existing marketing processes or privacy notices. Ensuring compliance under the PDPA will be the next challenge for government and regulatory agencies. As businesses and organizations adjust to the PDPA, it remains uncertain how the government will respond to potentially mounting inquiries due to issues relating to available manpower and expertise—issues that will be further tackled below.
Data for public policy
Under its Open Government Data model and its related policies and initiatives, the Thai government has begun to harness the value of big data for public policy interventions. In 2013, it established the Digital Government Development Agency (DGA) and the Office of the Public Sector Development Commission (OPDC) to lead its Open Government Data initiative. The DGA is tasked with managing the Open Government Data center that gives easy access to members of the public and private sectors on relevant government data. Under the Open Government Partnership, the Thai government has encouraged the private sector, academia, and civil society to build an ecosystem that promotes the usage of the Open Government Data center.
The DGA coordinates with various government agencies on the selection of high-value datasets and encourages public participation.158 In 2015, the Thai government published its first Open Data Strategy, with 10 principles to guide public sector organizations in releasing government data for public access and consumption. As of May 2022, the Open Government Data of Thailand hosted 5,858 data sets catalogued in various data groups from the economy, finance, and agriculture, to education.
Similarly, the Digital Economy Promotion Agency considers data as a critical component to drive new business models and promote innovative collaboration between the public and private sectors. The Ministry of Digital Economy and Society plans to collate datasets from 20 ministries to create a centralized big data management system to monitor the progress of government projects and combat corruption.159 Government data will be categorized into sensitive or national security data, important data, and general data. The end goal is to create a data analytics system to create a digital ecosystem.160 The government also plans to share the datasets with the broader public, especially the private sector and the local start-up community, so that they can use government data to develop solutions.161, 162
Despite its intent, the Open Government Data initiative has been less successful in attracting public support. The lukewarm approach to using the data center among government agencies at the departmental and provincial levels has militated against their increased adoption of more data-driven policies. Deficiency in the government’s technical and administrative support impedes its usability. The lack of a standardized approach to submitting data in machine-readable formats also inhibits data searchability and interoperability.163
The use of data also played an important role in how the Thai government combatted the spread of COVID-19 within its borders. Thailand’s initial success in its pandemic response was aided by a robust contact-tracing capacity through the Rapid Response Teams, Village Health Volunteers,164 and a mobile application known as MorChana.165 The Department of Disease Control and the Office of the National Broadcasting and Telecommunications Commission used the Bluetooth-powered MorChana to monitor and track the geolocation of individuals, identify high-risk infection sites, and prompt rapid responses from health authorities.166
Although the app was not voluntary, it lacked solid provisions on consent, privacy risk assessment, and encryption, raising a whole range of data privacy and security issues.167 From the onset, the mobile app stated that only public health authorities could access the data. However, the extent of the government’s power to collect, use, or disclose users’ personal data was unclear.168 A comparative study on Southeast Asia’s contact tracing apps showed that MorChana was the most intrusive. It used the greatest number of permissions to access an individual’s mobile phone features—camera, device, app history, location, microphone, photos, media, files, and phone storage—for contact tracing, but did not provide a substantive explanation on its privacy notice.169
Mounting data privacy concerns over MorChana were evident in the very low numbers of the app’s downloads. Addressing data-privacy related issues, the Thai government reconfigured the app. But this was still not adequate to gain public confidence that the new version of MorChana protected their privacy sufficiently.170
Although MorChana as a service was terminated on June 1, key lessons can be drawn about the highly problematic management of data in Thailand. As the PDPA was still not fully enforced at that time, there was no legal oversight on data collected from, and stored by, MorChana. Given the storage of MorChana’s data on U.S.-based Amazon Web Services, there were concerns about the implications of America’s 2018 Clarifying Lawful Overseas Use of Data (CLOUD) Act for foreign access to Thai data.171 Conversely, the plan to openly share government data for commercial use with private entities could also be affected by its lack of defined parameters. If not managed under regulatory oversight, this situation could be exploited and result in possible data breaches.
Taken altogether, the delays in implementing the PDPA not only incurred possible monetary losses, but also endangered civil liberties through unwanted surveillance both by the Thai government and, possibly, other external actors using third-party contractors. As the PDPA comes into force, there are high expectations that the public and private sectors will no longer rely on ad hoc rules and procedures mainly influenced by the EU GDPR.172 In the long run, the PDPA’s enforcement could potentially repair public trust. But one must remain only cautiously optimistic given the outstanding challenges, which will be further outlined below.
Data Breaches in the Banking Sector
In August 2018, cyberattackers stole data belonging to more than 123,000 customers from Kasikornbank (KBank) and Krungthai Bank (KTB) in what appeared to be “the first massive data leak to hit [Thai] financial institutions.” The stolen data included corporate client and retail consumer data, but not financial transaction data. Immediate action was taken by the banks following the cyberattack. KTB president Payong Srivanich stated that the bank set up a war room and started inspecting the data breach within 12 hours of detecting the attack. Data breaches like these have prompted the Thailand Banking Sector Computer Emergency Response Team (TB-CERT), a unit under the Thai Bankers' Association (TBA), to investigate how to strengthen the cybersecurity system of the banking sector.
Security experts have raised concerns about Thailand’s lack of readiness in cybersecurity. However, Thailand’s newly enacted PDPA should provide clearer guidance and standards on data protection and security.
Challenges and Prospects
Before the implementation of the PDPA this June, some members of the public and private sectors had developed their own codes of conduct.173 The healthcare sector struggled the most to adopt and comply with the PDPA’s pending implementation, given the long shadow of the pandemic. Migrating to online channels and setting up data protection procedures could impact the healthcare industry’s day-to-day operations. Luckily, SMEs were exempted from the urgency to enforce the PDPA because of their limited size and resources.174 As Thailand anticipated the PDPA’s implementation, parallel discussions that revolved around consent, surveillance, inclusion, and equity also gained momentum—deliberations that will continue as the PDPA seeks to deliver on its promise to raise the bar for data protection.
Gaps in the PDPA guidelines
As digitally savvy citizens, Thais are increasingly becoming deeply concerned about their individual rights to privacy, demanding more transparency from the government and the private sector. As discussed previously, the main impediment to the enforcement of the PDPA was a lack of capacity within the ranks of the government but, additionally, some in the banking and finance sector were also initially resistant to the high standards of data protection involved.175 Fortunately, a sizeable majority in the private sector sees the value of the PDPA, despite their lack of technical understanding on data protection standards. Industry considers the PDPA as a positive development rather than a burden. Companies view the PDPA as an important instrument to maintain and expand their market share within and outside Thailand, especially in the EU. Interestingly, digital brands use the PDPA to set them apart from their competitors and create an image of legally compliant and transparent entities.176
Despite the positive outlook of the private sector and the public on the PDPA’s implementation, there are still major issues with the PDPA itself. On the surface, it appears that Thailand is utilizing the GDPR, both as a compliance mechanism to maintain its market access and digital competitiveness, especially in critical markets like the EU, but also simultaneously using it to project a veneer of legitimacy—that it truly will promote the fundamental digital rights of its citizens. Closer scrutiny reveals that certain provisions in the PDPA afford the Thai government some preferential exemptions, while also allowing it to exercise a relative degree of flexibility to expand its powers should it deem necessary. For instance, the PDPA mandates the outright exclusion of public authorities involved in national security, law enforcement, and the National Credit Bureau.177 The definition of personal data is also unclear as to whether it covers IP addresses and cookie identifiers. Furthermore, the PDPA does not define anonymized or pseudonymized data.178 On the matter of cross-border data transfers, the PDPA has a high penalty for non-compliance, which could result in imprisonment for a term not exceeding one year.179
At the operational level, government officials and employees are not fully equipped to implement the PDPA because of a human capacity shortage. Government agencies are not well-versed on the technicalities of data protection and are still in the very early stages of understanding concepts like data portability. Added to this are the usual bureaucratic challenges which impede intergovernmental co-ordination. High standards are ideal, but without adequate human capacity on the ground to implement them, enforcement becomes weak and fragmented.
State surveillance and censorship
Harmonization of the PDPA guidelines with existing laws, such as the Cybersecurity Act and the Computer Crime Act (CCA), presents another challenge, particularly over the contentious issues of censorship and surveillance. Thailand’s passage of the Cybersecurity Act in 2019 faced resistance from civil liberty advocates, internet companies, and business associations.180 The controversial internet security law, decried as “cyber martial law,” allows the National Cybersecurity Committee to summon individuals for questioning, as well as enter any private property without a court order, in case of actual or anticipated “serious cyber threats.”181
Critics claim that this law would allow Thailand’s military-led agencies to access private data, computer networks, and devices. The law would also afford the government the ability to further censor critics and easily categorize them as threats to national security.182 Opponents argue that the CCA imposes unnecessary limits on freedom of expression and curtails individual rights to information. Similarly, it is also highly intrusive, compelling business organizations to provide information on the online activity of their staff and clients.183
The alleged excessive use and abuse of data-driven technologies for surveillance and censorship stretches as far as Thailand’s Southern Border Provinces. Human rights activists have cited the increasing use of biometric registration to conduct monitoring and racial profiling of ethnic Malay Muslims.184 The proliferation of surveillance technologies, combined with militarization of the area, have led to further mistrust among members of the ethnic minorities of the government’s deployment of biometric technologies for data collection.185 One informant said that he hoped the PDPA would serve as a check and balance to the cybersecurity law and the CCA, arguing that the law would be critical for supplying regulatory and judicial oversight against possible abuse of power, particularly in terms of seizing personal data and surveillance.186
Inclusion and equity
As public policies become increasingly reliant on datasets collected through smart sensors and e-government service delivery platforms, some ethnic or tribal communities are not able to productively participate, due to low or no knowledge of connecting to or using ICT networks and infrastructures.187 This eventually results in poorly designed, or worse, discriminatory public policies, because data points and indicators are sourced through flawed and partial processes. The exclusion of indigenous groups not only aggravates their impoverished conditions, but also further complicates sensitive issues on customary rights to land ownership.188
With their plight left unheard and often neglected in national laws and policies, indigenous communities have become more proactive in asserting their rights to land, territory, and natural resources. Through a network of ethnic community partnerships across the Mekong region, in collaboration with non-governmental organizations and academic experts, over 80 villages across Thailand have started to produce their own community maps.189 The proactiveness of indigenous communities in the land-mapping process helps ensure that data collated in hard-to-reach villages are reflected and aggregated at the national level. Highlighting the indigenous communities’ agency is critical. It helps correct, at the very onset, the propagation of stereotypes that are often linked to data or images captured and disseminated through new media or open-source tools like geo-tags. These stereotypes often then go on to be perpetuated by government census bureaus or external parties such as international donor partners.
On female empowerment, Thailand’s promulgation of the 2015 Gender Equality Act was a significant step in closing the gender data gaps that have consequences in the formulation of gender-responsive policies. However, the bill’s impact has been limited due to its “exemption for possible gender discriminatory practices for reasons of religious principles or national security.” Deeper criticisms of the law stem from its absent definition of “gender, gender status, gender orientation, violence from sexual cause and sexual assault,”190 which puts members of the Lesbian, Gay, Bisexual, Transgender, Queer, and Intersexed (LGBTQI) Community at higher risk of gender-data exclusion and discrimination.191 It raises the barriers for the LGBTQI community to assert their rights to health, education, and work, while failing to provide legal barriers against harassment, bullying, and discrimination.192
Whereas Thai universities, workplaces, and media organizations have become increasingly tolerant of gender diversity, government online portals and services will need to improve their gathering and dissemination of sex-disaggregated data.193 Embedding clearer definitions of gender in the country’s Open Government Data initiatives, as well as in other existing public-private partnership programs, can better contribute to meaningful policy dialogue on health, education, financial, and digital inclusion based on historical and accurate data.
According to its Voluntary National Review of the 2030 Agenda for Sustainable Development, Thailand boasts of marking milestones under the UN Sustainable Development Goals (SDGs).194 However, it has also acknowledged the limitations of its self-formulated SDG indicators, based on the availability and quality of data from civil registration, vital statistics, censuses, and surveys, as well as information from open data systems, big data and remote sensing.195 This judgement is further corroborated by the Voluntary National Review’s exposition of Thailand’s prevailing challenges in gathering complete, secure, and impartial data across its geographically and ethnically diverse population. Therefore, the PDPA’s implementation will be fundamental to anchor Thailand’s approach in developing inclusive and equitable policies to propel a sustainable digital economy.
After much delay and anticipation, Thailand’s PDPA is now online. However, to fully harness the benefits of its newly-minted data governance regime, Bangkok will still need to address fundamental issues in the pipeline; from clarifying provisions of consent and training human personnel, to addressing the need for more inclusive digital development. Amid rising concern over state surveillance, the enforcement of the PDPA could help repair the deteriorating trust deficit between the government and the local Thai population. There is cautious optimism that the PDPA can insulate Thai citizens from unwarranted government censorship and the private sector’s mismanagement of users’ data.
But as Thailand positions itself as a regional contender in the rapidly growing internet economy, the larger question that looms over Bangkok is how it will evolve from being a follower to becoming a trendsetter in the international standards landscape. The formulation and the implementation of the PDPA is a good starting point, showing Thailand’s ability to draw best practices from international standards like GDPR and applying its distinct modifications. The longer-term challenge for Thailand is how it can capitalize on digital economic integration to assert its agency, as well as preserve a level of autonomy, while reacting to unfolding international norms on data governance.
Selected Legal Instruments Related to Data Protection in Thailand
Cybersecurity Act of 2019 (CSA)
Cyber Crime Act
- Data Protection
Personal Data Protection Act 2019
Computer Crime Act 2007
Electronic Transactions Act of 2001
Direct Sale and Direct Marketing Act
Consumer Protection Act of 1979
Unfair Contract Terms Act of 1997
Payment Systems Act of 2017
135 Personal Data Protection Act B.E. 2562 2019 [Unofficial Translation], May 27, 2019.
136 “General Data Protection Regulation,” Regulation (EU) 2016/679 of the European Parliament and of the Council, April 27, 2016.
137 Kowit Somwaiya and Paramee Kerativitayanan, “Thailand’s Cyber Security Act and Personal Data Protection Act Passed,” Law Plus, March 11, 2019.
140 Stakeholder consultation.
141 “Personal Data Protection and Cybersecurity Laws to Encourage Thailand’s Digital Transformation,” Tilleke & Gibbins, February 11, 2021.
144 “Digital, Creative, and Startup Ecosystem,” Thailand Board of Investment, September 2019.
145 “Data Center and Cloud Service in Thailand,” Thailand Board of Investment, accessed June 5, 2022.
146 Panithan Onthaworn, “Thai economy contracts in the third quarter due to pandemic effects,” Thai Enquirer, November 15, 2021.
147 “Thailand’s digital economy likely to account for 30% of GDP by 2030: DES minister,” The Nation Thailand, November 17, 2021.
148 Suchit Leesa-Nguansuk, “Trillion baht online economy in sight,” Bangkok Post, November 15, 2021.
149 “Digitalizing Thailand,” Reuters Plus, accessed June 5, 2022.
150 “Thailand 4.0,” Royal Thai Embassy, Washington D.C., accessed June 5, 2022.
151 Bonggot Anuroj, “Thailand 4.0 – a new value-based economy,” Thailand Board of Investment, accessed June 5, 2022.
152 “Thailand Data Center Market – Investment Analysis and Growth Opportunities 2021-2026,” Research and Markets, June 2021.
153 Stakeholder consultation.
154 Stakeholder consultation.
155 Stakeholder consultation.
156 “Most companies are aware of PDPA requirements but aren’t yet ready for its enforcement,” PwC Thailand, 2020.
158 “ยินดีต้อนรับ - Open Government Data of Thailand,” Data.go.th, accessed June 6, 2022, https://data.go.th/.
159 Komsan Tortermvasana, “Big data panel to direct country’s digital transformation,” Bangkok Post, March 1, 2018.
161 Wen Chuan Tan, “How Thailand is using big data to power the government,” Tech in Asia News, October 18, 2018.
162 Komsan Tortermvasana, “Public records online by 2021,” Bangkok Post, March 28, 2017.
163 OECD, “Promoting open government data in Thailand,” in Open and Connected Government Review of Thailand, (OECD, February 17, 2022).
164 R. Lerdsuwansri, P. Sangnawakij, D. Bohning, D. Sansillapin, W. Chaifoo, Johnathan A. Polonsky, and Victor J. Del Rio Vilas, “Sensitivity of contact-tracing for COVID-19 in Thailand: a capture-recapture application,” BMC Infectious Diseases 22, article no. 101 (2022).
165 Kevin Shepherdson, “How intrusive are contact-tracing apps in ASEAN?,” Tech in Asia News, June 23, 2020.
166 “Contact tracing apps in Thailand: a new world for data privacy,” Norton Rose Fulbright, May 11, 2020.
169 Kevin Shepherdson and Lyn Boxall, “A Comparative Review of Contact Tracing Apps in ASEAN Countries,” Data Protection Excellence Network, June 2, 2020.
170 “Thailand: Key Findings,” DigitalReach, February 18, 2021.
172 Stakeholder consultation.
173 Stakeholder consultation.
174 Stakeholder consultation.
175 Stakeholder consultation.
176 Stakeholder consultation.
177 Stakeholder consultation.
178 Alexis Kateifides et al., “Comparing privacy laws: GDPR v. Thai Personal Protection Act,” OneTrust DataGuidance, December 18, 2019.
179 Alexis Kateifides et al., “Comparing privacy laws: GDPR v. Thai Personal Protection Act,” 5.
180 Patpicha Tanakasempipat, “Thailand passes internet security law decried as ‘cyber martial law’,” Reuters, February 28, 2019.
183 UNESCO Office Bangkok and Regional Bureau for Education in Asia and the Pacific, “Assessing internet development in Thailand: using UNESCO’s Internet Universality ROAM-X Indicators,” UNESCO Digital Library, 2021, 6.
184 Nithin Coca, “Surveillance of minority Muslims in southern Thailand is powered by Chinese-style tech,” Coda, June 30, 2020.
186 Stakeholder consultation.
187 Rebecca L. Root, “While aid focuses on refugees, Thailand’s hill tribes are forgotten,” Devex, April 20, 2022.
188 “Indigenous Data Sovereignty: of the people, by the people, for the people. Experiences from the Mekong,” Open Development Mekong, July 12, 2019.
190 “Alternative Report on Thailand’s Implementation in Compliance with the Convention on the Elimination of All Forms of Discrimination against Women (CEDAW) by the National Human Rights Commission of Thailand,” Protection International, July 5, 2017, 3.
191 “Thailand’s Gender Equality Act Five Years On,” Thai Enquirer, December 29, 2020.
192 “People Can’t Be Fit into Boxes: Thailand’s need for legal gender recognition,” Human Rights Watch, December 2021.
194 “Sustainable Development Goals,” Open Development Thailand, July 9, 2018.
195 “Thailand’s Voluntary National Review on the Implementation of the 2030 Agenda for Sustainable Development,” Sustainable Development United Nations, June 2017, 70.