The Deferral of PDPA enforcement to 2022

On 5th May 2021, the cabinet has approved the deferral of the full enforcement of the Personal Data Protection Act (PDPA) from June 2021 to June 2022.  The deferring Decree has been reviewed and approved in principle by Cabinet.

Three key points to note : 

  • The deferral mechanism is the same used in 2020 which is the draft deferring Decree refers to a list of entities and businesses (22) which will not be subject to the PDPA until 1 June 2022. (It is believed that the current deferral is just an extension of last year’s – i.e. the same list).
  • Security standards for personal information (a kind of interim measure) need to be adhered to.  These are believed to be the same as for 2020.
  • PDPC establishment, government readiness was never legally deferred and is not now.

Reported developments:

  • Chula is preparing draft regulations.
  • TDRI is preparing sector specific guidelines.
  • UTCC is doing a five-year master plan with one year, three year and five year horizons.


Seven areas which will be covered by information practice included; Tourism, Public health, Education, Retail, Transportation, Real Estate, and Government.

If the law is to be resolved, in addition to the criminal penalty issue, extra-territoriality and the need for representatives also need to be addressed.

EABCs Digital Economy/ICT group has been involved in the development of a PDPA since 2015. In 2021 EABC made a submission on some of the subsidiary legislation plans following public hearings in February, has engaged with the Secretary-General of the PDPC will be holding further sessions on this matter.  This second deferral affords the opportunity to engage on next steps including resolving open issues, subsidiary legislation and a road map. For participation, please contact Ms. Pimwan Pongsuwan, Policy Manager ([email protected])