Dr. Khumon, Vice Dean at the School of Law, University of the Thai Chamber of Commerce, Thailand, and Advisor to the Secretary-General of the Personal Data Protection Committee of Thailand, joined Grab’s public policy podcast series, Grab Conversations on Air, for a mini four-part series on Data Protection.
Speaking with Shivi Anand, Grab’s Regional Public Policy Manager, they discuss Thailand’s regulatory perspectives on Data Protection.
Listen to the full Episode 2 podcast on Spotify
Transcript of podcast
Shivi Anand
Today we have with us Dr. Prapanpong Khumon – Dr. Khumon is Vice Dean at the School of Law, University of the Thai Chamber of Commerce, Thailand. In addition to his academic work, he also acts as Advisor to the Secretary-General of the Personal Data Protection Committee of Thailand. Dr. Khumon leads a number of research projects, including one on ASEAN cross-border personal data protection. He has also published a number of scholarly articles on cross-border data protection and trade in services in international journals, including the law and development review and Asian Journal of WTO and International Health Law and Policy. Welcome Dr. Khumon.
Dr. Khumon
Thank you. And hello to everyone. Hello to our listeners. Pleasure to have the conversation here today and thanks for the invitation.
Shivi Anand
Thanks so much for joining us today. It’s great to have you here. Could you give us a quick background of your work in data protection in the Southeast Asia region?
Dr. Khumon
Of course, like you mentioned that I am an advisor to the Secretary-General of the Thai Personal Data Protection Committee. So we call that PDPC. Since I am an advisor, I give them consulting and recommendations on legal aspects as well as policy aspects, and that also includes the cross-border data flows. Recently the ASEAN Data Protection and Privacy Forum’s fourth meeting was held in Thailand in 2020. That was the forum that enabled us Member States to share key developments in data protection areas and that also includes collaboration on cross-border data flows among our same Member States. So that concludes my introduction in personal data protection and also the area of cross-border data flows.
Shivi Anand
Got it. Thank you so much. To jump right into the conversation, we know that data is one of the key enablers of the digital economy and free flow of data internationally fuels innovation and growth. And we also learned at previous sessions that the transfer of data across international borders allows for even the most basic digital services to be made available to users, which could be as simple as ordering a product or service from a supplier sitting in Indonesia while I am in Thailand, and also paying for this order and shipping the order for fulfilment. But the cross-border data regulatory landscape is a little fragmented, with some countries adopting data localisation positions that require data to be stored within the physical jurisdiction of the country, and other countries advocating for trusted and open cross-border data flows. Can you share an overview of what this cross-border data flow landscape looks like in Thailand and what are some of the benefits and risks of this particular regulatory policy in your view?
Dr. Khumon
Of course. And that actually resonates with the question that you ask about the importance of cross-border data flows. When we talk about innovations that can come from having free flow of data, but also realising that many jurisdictions, especially in ASEAN have restrictions on the cross-border data flows, this can be a hurdle for innovation to grow. I want to share this experience for Thailand. Thailand is one of the major economies in Asia. So Thailand realised the importance of being able to mobilise data across borders to foster innovation for economic growth. So in our digital master plan, we as a country want to move from being a labour intensive country to becoming a data-driven economy. In order for us to become a data-driven economy, being able to mobilise data across borders becomes very important. And seeing that, very interestingly, Thailand’s economy is made up of large proportions of small and medium enterprises and based on research and recent findings, the economic contributions of those enterprises is expected to grow to trillions worth of economic creation and economic growth to the Thai economy if SMEs can go fully digital by being able to mobilise data across borders. So for that reason our digital master plan includes the plan to have free flow of data because that’s so important for Thailand to become a fully data-driven economy.
At the same time when we talk about the landscape of different countries adopting different scenarios and different aspects of data flows, some of the jurisdictions have restrictions such as data localisation. Thailand just launched the Personal Data Protection law, enforced recently in June 2022. Our approach in the law fosters cross-border data flows but the law also maintains some restrictions.
In order for data flows to be safeguarded and maintain privacy, there needs to be certain criteria based on global standards. We have a checklist of the criteria for businesses to actually check whether the destination countries have passed, at least in order to maintain the standards. Obviously we don’t want data to be transferred to jurisdictions where they don’t have data privacy or protection laws. Other criteria would be for those destination countries that don’t have any privacy laws or protection measures of any kind, businesses in Thailand can use contractual options which allow for businesses to negotiate contracts with the partner overseas in the destination country to actually put criteria for collection of data. So once the contract has been done, you can actually transfer data overseas while affording privacy. That also resonates with the ASEAN initiatives as well, which I believe we will talk about as well.
Shivi Anand
Thank you so much for that. It’s so interesting that you mentioned that Thailand is interested in moving from being a labour-intensive economy to a data-driven economy, and I believe that goal is shared by a number of other countries in the Southeast Asia region as well. I wanted to focus on something that you mentioned about tools that have been adopted across the ASEAN region to ensure that cross-border data flows happen in a way that maintains the privacy and security of data. Could you shed some light on what tools have been adopted by ASEAN at a regional level?
Dr. Khumon
Of course. I think it’s very important that ASEAN realises the importance of free flow of data because when we are together we actually make up very large economies. So economic growth depends very much on data being able to cross borders. So there have been a lot of initiatives in ASEAN but the most prominent one which was passed in 2018 was the ASEAN Framework on Digital Data Governance. Within that framework lie the four pillars that would make ASEAN digital integration happen. The first pillar is about improving the ASEAN landscape concerning the data ecosystem. The second pillar is focusing on the cross-border data flows mechanism which we are going to focus on. The third pillar is focusing on the technologies and the use of those technologies to make digitalisation happen. And the fourth pillar is to harmonise the legal and policy landscape concerning data protection.
In 2018, after the framework had been launched there was a working group set up to put together all the details of how the mechanism on ASEAN cross-border flows is going to be. In the period between 2018 to 2020, ASEAN has formalised the tools to enable businesses to perform cross-border data flows into a ‘track system’. The first track is the Model Contractual Clauses or MCCs. Like the name suggests, the contractual clauses are a model for businesses to negotiate with trading partners or businesses in other jurisdictions in ASEAN. The MCCs are very useful because they can work across countries, even in those that don’t have data protection laws. If two negotiating parties have the contract in place, you can enforce privacy protection by way of contract enforcement without having to rely on data protection authorities or any type of protection law. The second track is the certification track where ASEAN was working on the criteria for getting businesses certified for their practices on data protection. So if the businesses get certified that means the businesses are ready to move data across borders because they have policies in place that are good enough to protect the privacy of data. The first track, ASEAN MCCs, have been adopted since 2021 so they are ready for adoption. The second track on certification, compared with other regions, we are fast forwarding quite a bit. ASEAN’s initiative on this matter is very important for economic growth.
Shivi Anand
Got it, very clear that at the ASEAN level there are two specific tracks – the contractual track and the certification track that companies can adopt to make sure that their cross-border data flows are taking place in accordance with regional regulation and making sure that users have the assurance of the data’s privacy and security during the process as well.
I did want to switch our perspective a little bit to small and medium-sized businesses. You mentioned that if I were a small business owner in Thailand looking to expand into other markets in the region, I would basically be able to build in model contractual clauses or obtain an ASEAN level certification if I wanted to continue operations that require transfer of data across borders. How resource-intensive or onerous do you think these types of requirements would be on small and medium-sized businesses?
Dr. Khumon
In general in ASEAN, the working scheme is the MCCs since the certification scheme is yet to be completed and the criteria needs to be built in more detail. It’s quite important for the ASEAN MCCs to become known or popularised to the public. Actually, I talk about this in many discussion forums that capacity building is very important. It’s those forums about capacity building that a Member State can actually host to lay out the SOPs to many participating organisations that are interested in transferring their data overseas. Then the Government can explain what it takes to be accustomed to the MCCs, what is an MCC, etc. If the government can distil the guidelines to a practical level that businesses can look at and then say, “Okay, I know what I can do now with those MCCs”.
Now what often happens is that when we ask governments, they get together and they come up with this one very wonderful initiative. But most of the time the communications between this regime and practical adoption at the SME (Small and Medium Enterprises)-level is missing. So that is the missing link. So if governments can have a capacity-building scheme or a forum that can connect the link and digest all the initiatives down to the practical level for SMEs to take up, I think that would be a really wonderful thing for SMEs to make use of these developments. Not only digesting the initiatives of ASEAN schemes but also prohibitions on domestic laws as well. For example, Thailand now has launched the Data Protection law but many SMEs are still struggling to actually understand the content or the obligations under the law, especially when it comes to cross-border transfer requirements under the law, even though Thailand’s requirements resonate with international standards but still, there are legal prohibitions that are difficult for SMEs to digest. So capacity building forums can actually help a lot for SMEs to take up those requirements in a very easy language and then can actually make use of those obligations and initiatives to benefit their businesses.
Shivi Anand
Got it. I think that’s great advice for both governments as well as small and medium-sized businesses who are looking to scale into international markets. Something else that you mentioned also piqued my curiosity. You mentioned that Thailand has its own data protection law and legal requirements associated with that. Similar to Thailand, other countries in the region are also developing their own standards and requirements to address the challenges of data privacy and security. You did mention that there are some harmonisation efforts going on at the ASEAN level to make sure that businesses don’t have to necessarily understand and comply with seven to eight different types of regulations, if they do want to operate in the region successfully. Could you talk a little bit about what these efforts on harmonisation look like?
Dr. Khumon
Okay, so since the harmonisation of the legal aspects is the fourth pillar of the Framework on Digital Data Governance of the ASEAN, we have the ASEAN Data Protection and Privacy Forum which has been hosted four times now and the fifth time is going to be in Vietnam. So in this forum, ASEAN member states send their representatives that are directly responsible for data protection to exchange ideas and find harmonisation. What we have found is that more and more ASEAN member states are launching personal data protection laws. We have Singapore, Malaysia, Philippines, Thailand and Indonesia just passed it, which is incredible. And Vietnam and Brunei are coming because they’re drafting the privacy law now.
So what we see are a lot of similarities when we talk about transfer mechanisms in the law. One of the features is that we all have contractual clauses as the basis for transfer of data. With the ASEAN MCCs, this feature allows member states to standardise the contractual format for businesses to take up. Another feature is the adequacy decisions or adequacy requirements which means that basically there is a checklist in your own country, which is the data exporting country, for the destination country to meet before the businesses can transfer data overseas. If the destination country can successfully pass the checklist, then transfers can be made. So this is a good opportunity for ASEAN member states to try to harmonise all the criteria for the checklist so that member states who are launching their laws later can adopt the same criteria. So that means that we are all affording standard and adequate protection while making data transfers.
Shivi Anand
Got it, really interesting. So I’m taking away three main channels that have been used to ensure harmonisation in the ASEAN region. One is the contractual clauses or MCCs, the second would be certification which is still underway and yet to be operationalized, and then the third would be more of a bilateral tool which is adequacy decisions between two countries which would allow country-wide protection for all businesses to transfer their data to the partner countries.
Super interesting conversation. It’s given me a lot to think about, Dr. Khumon and I’m sure our listeners out there have a lot of food for thought as well. Thank you so much for taking the time to talk to us and for sharing your perspective on this really important topic. Thank you!
Dr. Khumon
My pleasure. Thank you so much for having me.
