In the age of social media, it would be advisable for the companies to establish internal rules that prevent and restrict their employees or contractors from disclosing and handling, as well as limiting their access to, sensitive information…
Part A: Legal Considerations before Personal Information Protection Act
Before 27 May 2019, Thailand had no specific and independent statutory law governing personal information protection. As such, the collection and handling of personal information was governed by the general provisions of tort law under the Civil and Commercial Code (the "CCC"), and in the case where such information is deemed to be trade secret, it may be protected under the Trade Secret Act B.E. 2545 (2002) (the "Trade Secret Act"). Nonetheless, on 27 May 2019, the Personal Information Protection Act was eventually enacted and marked a significant step of data and privacy protection in Thailand. For your information, some key considerations under the CCC and the Trade Secret Act in relation to data protection in Thailand can be found below:
1 The CCC
Section 420 of the CCC stipulates that:
"A person who, willfully or negligently, unlawfully injures the life, body, health, liberty, property or any right of another person shall be deemed to commit a tortious act and bound to make compensation therefore."
Based on Section 420 of the CCC as provided above, the mishandling of another person's personal information could be regarded as a commission of tortious act and subject to compensation for any damage caused to such another person. Based on the Supreme Court precedent (e.g. the Supreme Court Decision Nos. 124/2487 and 4893/2558), the court has recognized that the rights protected under the foregoing provision include the right not to be defamed and the right to privacy. Nonetheless, neither the CCC nor any precedent of the Supreme Court has elaborated on the conclusive types of information, mishandling of which may give rise to a tort liability. The court would generally have a broad discretion in considering whether certain type of information would be protected under Section 420 of the CCC.
Nonetheless, according to the Supreme Court precedent (e.g. the Supreme Court Decision Nos. 1170/2543, 2288/2523 and 4490/2542), although it is not clearly provided for under the CCC, it is apparent that Thai courts have recognized "consent" as a defense to tort liabilities. Accordingly, a person might not be liable for tortious act if consent is duly given for the commission of such act.
Therefore, although it is not certain as to what type of personal information would be protected under Section 420 of the CCC, to be on the safe side, it is advisable for the information collector to obtain consent from the information owner before collecting, using, disclosing or managing their personal information in any manner. In this regard, the law does not require such consent to be made in writing. However, it is advisable for such information collector to obtain prior written consent from the owner of such personal information for good record keeping.
Additionally, we are not aware of any provision of the CCC or any precedent of the Supreme Court which clearly specifies if it is sufficient to obtain a general consent or if the consent must be granted each time before collecting or handling the personal information. To be on the safe side, it would be advisable to obtain the written consent each time before collecting or handling any of the personal information. It is important to note that the information owner's consent may generally be revoked at any time even if it is expressed to be irrevocable.
2 Trade Secret Act
Under the Trade Secret Act, "trade secret" refers to trade information which has not yet been made widely known or is not yet accessible among the persons who are related to such information. It is the information which is commercially useful due to its secrecy and a trade secret controller has taken appropriate measures to maintain its secrecy.
The disclosure, deprivation or usage of trade secret without the consent of the right holder may be regarded as an infringement of trade secret rights under the Trade Secret Act, which may subject the infringer to the liability for damages incurred thereby as well as an imprisonment of up to 1 year and/or a fine of up to Baht 200,000 under Section 33 of the Trade Secret Act.
Part B: Personal Information Protection Act – New Legal Regime of Data Protection in Thailand
1 Background
Previously, a draft of the personal information protection law has been proposed, but was eventually abrogated by the Cabinet in 2015. Subsequently, a new draft was proposed in 2016 (the "2016 Draft"), and thereafter amended several times after public hearings and meetings, as it takes into account its objective to protect the interests of personal information owners as well as to justly accommodate affected parties. Finally, the Personal Information Protection Act B.E. 2562 (2019) (the "PIPA") was published in the Royal Thai Government Gazette on 27 May 2019. The PIPA shall be effective from 28 May 2019 onwards, except for the provisions concerning the protection of personal information, rights of the personal information owner, which also include the duties of the personal information controller, petition, civil liabilities and penalties, which shall come into effect after 1 year has elapsed from the date of publication in the Royal Thai Government Gazette.
This section of the Article aims to point out major contents of the new legislation.
One of the subject matters of the new legislation is the definition of "personal information" to be regulated. Under the 2016 Draft, the definition of "personal information" explicitly excluded the specification of only the name, position, workplace or business address and specific information of a deceased person (i.e. such information would not be protected under the law). Throughout the few public hearings, such definition was subject to several concerns, such as its vagueness and insufficient specification, and some parties suggested that the information of a deceased person and business contact information should also be protected under the law. Taking the comments into account, the definition of "personal information" proposed under the PIPA (please see Item 2 below) conveys a broad scope, but still explicitly excludes specific information of a deceased person due to problems which may arise in terms of giving consent (i.e. the dead cannot give consent).
In addition, the definition of a "personal information controller" under the 2016 Draft did not clearly specify whether it included persons who operated under the orders of such personal information controller. To fill such gap, the PIPA adds a definition of a "personal information processor" (in addition to the personal information controller) as a natural or juristic person who conducts operations relating to the collection, use or disclosure of personal information under the orders or on behalf of the personal information controller.
2 Personal Information under the PIPA
Under Section 6 of the PIPA, "personal information" is defined as any information relating to a person, which can identify such person whether directly or indirectly, excluding the specific information of a deceased person.
3 Sensitive Information with Additional Protection
Although the PIPA does not specify any information as sensitive, it may be inferred from Section 26 of the PIPA, which requires explicit consent for collection of the information, that the following information may be deemed to be more sensitive than other protected information and thereby granted increased protection personal information relating to nationality, race, political opinions, belief in a creed, religion or philosophy, sexual behavior, criminal record, healthrelated information, disability, labor union information, genetic information, biological information, or any other information which impacts the information owner in the same manner as prescribed by the Personal Information Protection Committee (the "Committee"), subject to certain exceptions (e.g. if the collection of such information is aimed to protect or prevent harm against a person, then it may be permitted without explicit consent). In addition, any mishandling of such "sensitive" information (e.g. any collection thereof without the personal information owner's consent or legal ground) may be subject to more severe punishment under Section 84 of the PIPA, in comparison to an offense of the same nature in relation to other general information under Section 83 of the PIPA.
In light of the foregoing, apart from the information set out above, other additional information may be prescribed by the Committee to also be granted increased protection.
4 Foreign Regulation
Based on the contents of the PIPA, there is no specification regarding the application of any foreign regulation in Thailand. As for the applicability of Thai law (e.g. the PIPA) on an extraterritorial basis (i.e. being applied outside Thailand), please refer to Item 12 below.
5 Exemption of Applicability
Under Section 4 of the PIPA, the scope of the applicability of the PIPA shall exclude the collection, use and disclosure of personal information of a person who collects personal information for personal benefits or for internal family affairs, among others.
6 Right of Personal Information Owner
The rights of the personal information owner are prescribed under Chapter 3 of the PIPA, important examples include:
• the personal information owner has the right to access and obtain copies of the personal information relating to him, for which the personal information controller is responsible, or to request for the disclosure of the means by which such personal information was obtained without his consent.
• the personal information owner has the right to object the collection, use or disclosure of the personal information relating to him at any time in certain circumstances, such as in the case where the personal information is collected, used or disclosed for the purpose of direct marketing.
• the personal information owner has the right to request the personal information controller to delete or destroy, or make unidentifiable the personal information in certain circumstances, such as in the case where the personal information owner withdraws consent for the collection, use, or disclosure of personal information, and the personal information controller has no authority to continue to collect, use, or disclosure such personal information.
• the personal information owner has, among others, the right to obtain the personal information relating to him from the personal information controller, if such personal information is made readable or usable by an automated machine, and may be used or disclosed automatically.
• the personal information owner has the right to request the personal information controller to temporarily refrain from using the personal information in certain circumstances, such as in the case where there is no longer any necessity to keep the personal information in accordance with the purpose of collection thereof, but the personal information owner needs such personal information to be kept in order to make legal claims.
It may be worth noting that the personal information owner may revoke his consent given for the collection, use or disclosure of personal information at any time, subject to certain exceptions.
7 Consent
Under Section 19 of the PIPA, a personal information controller may only collect, use or disclose personal information if the consent from the personal information owner has been provided before or at the time of such collection, use or disclosure. The request for such consent shall be made explicitly, in writing or via electronic system, unless the nature of the consent does not so permit. In seeking such consent, the personal information controller must notify the personal information owner of the objective of such collection, use or disclosure. In addition, the seeking of such consent must be distinguished from other statements and shall be in a form or statement which is easily accessible and comprehensible, and is in simple language. The Committee may prescribe a form therefor.
In seeking consent from the personal information owner, the personal information controller shall, to the utmost, consider the freedom of the personal information owner in giving consent. In concluding an agreement, including the provision of services, there shall be no conditions imposed on the giving of consent for the collection, use, or disclosure of personal information which is not necessary or related to the execution of the agreement including the provision of services.
The consent given by the personal information owner may be revoked at any time whereby the revocation of consent shall be as easily done as the giving thereof, unless there is a limitation to revoking such consent under a law or contract which benefits the personal information owner. The revocation of consent shall not affect the collection, use or disclosure of personal information which the personal information owner has previously given consent for in accordance with the provisions of Chapter 2 of the PIPA.
Other criteria and conditions for giving consent may vary in the case where the personal information owner is a minor, an incompetent person or a quasi-incompetent person, pursuant to Section 20 of the PIPA. In the case where the personal information owner is a minor who has not become a sui juris by marriage or who lacks the capacity of a sui juris under Section 27 of the CCC (i.e. by the minor's legal representative or court order, the permission to act has been refused or revoked), in the case where the minor gives consent for an act which is not an act that he can do by himself under Section 22, Section 23, or Section 24 of the CCC (i.e. acts to acquire rights or to be free from duties, acts which are strictly personal, and acts which are suitable for his condition in life and are required for his reasonable needs), consent must be obtained from the legal representative who is entitled to act on behalf of the minor. In the case where the minor is not over 10 years of age, consent must be obtained from the legal representative who is entitled to act on behalf of the minor.
These aforementioned conditions shall also apply to the revocation of such consent, notification to the personal information owner, exercising of the rights of the personal information owner, filing of complaints by the personal information owner, and any other acts relating to personal information owners who are minors, incompetent persons, or quasi-incompetent persons under the PIPA.
8 Collection, Use and Disclosure of Personal Information
8.1 Collection of Personal Information
The collection of personal information is specifically governed under Chapter 2 Part 2 of the PIPA (i.e. Sections 22 – 26 of the PIPA). Under Section 22 of the PIPA, personal information may only be collected within the necessary extent under the lawful objective for such collection. Section 23 of the PIPA provides the details of which the personal information controller is required to notify the personal information owner before or when collecting such personal information such as objective of the collection, the personal information to be collected, the duration of the collection and etc., except where the personal information owner has already been informed of the details.
Under Section 24 of the PIPA, the personal information controller may collect the personal information only when consent of the personal information owner is granted. However, an exemption to the consent requirements is available for certain cases; for example, the personal information is collected for achieving the objective relating to the categorization of historical documents or archives for public benefit, or for research or statistical purposes which have sufficient protective standards to protect the rights and freedom of the personal information owner, as to be prescribed in the Notification of the Committee, for protection or prevention of harm against a person, or for the performance of an obligation under an agreement in which the personal information owner is a party, or in compliance with a request made by the personal information owner prior to entering into an agreement, among other exceptions.
The personal information controller is also prohibited from collecting the personal information from other sources than the personal information owner himself, subject to certain exceptions (e.g. such collection has been informed to the personal information owner without delay within 30 days from the date of the collection and the personal information owner has consented), pursuant to Section 25 of the PIPA. Moreover, as introduced in Item 3 above, certain personal information under Section 26 may not be collected without the explicit consent of the personal information owner, subject to certain exceptions.
8.2 Use and Disclosure of Personal Information
The use and disclosure of personal information is governed under Chapter 2 Part 3 of the PIPA (i.e. Sections 27 – 29 of the PIPA). Persons to whom the personal information is disclosed to in the foregoing manner shall not use or disclose the personal information for other purposes than the consented objectives.
The use and disclosure of personal information by transferring such information to a foreign country is also governed under the PIPA. Details on this will be further explained in Item 11 below.
9 Security System Requirement
The current PIPA does not expressly specify the criteria and requirements for the security system to be adopted by the personal information controller or personal information processor. However, by virtue of Section 16(6) of the PIPA, the Committee has the authority to further prescribe measures and guidelines with which the personal information controller and/or personal information processor may be required to comply.
10 Measures on Leakage of Personal Information
The PIPA does not indicate a specific measure to be taken in the case of a leakage of personal information.
However, under Section 80 of the PIPA, any person who discovers another person's personal information in consequence of his compliance under the PIPA, and discloses it to other persons, shall be subject to punishment. It may also be worth noting that the Committee has the authority to further prescribe measures to be taken in the case of a leakage of personal information, by virtue of Section 16 of the PIPA.
11 Transfer of Personal Information to Foreign Countries
Section 28 of the PIPA provides that in the case where the personal information controller sends or transfers personal information to a foreign country, the recipient country or international organization of such personal information shall have a sufficient personal information protection standard, in accordance with the Notification to be prescribed by the Committee, subject to certain exceptions. In the case where there are issues relating to the adequacy of the personal information protection standard of the recipient country or international organization, such issue shall be presented to the Committee who shall preside over such matter. The judgment of the Committee may be revised if there is new evidence to prove that the foreign country has improved its personal information protection standard to be sufficient.
At present, the Committee has not issued any regulation regarding the personal information protection standard mentioned above.
Section 29 of the PIPA provides an exception to the foregoing provision - in the case where the personal information controller or personal information processor in Thailand has prescribed a personal information protection policy for the purpose of sending or transferring the personal information to a personal information controller or personal information
processor overseas, who is an affiliate operating a joint business, if the said policy has been examined and certified by the Committee, the sending or transferring of the personal information under the said certified policy may be proceeded without complying with Section 28 of the PIPA above. The examination and certification criteria of the personal information protection policy shall be later prescribed by the Committee.
In this regard, where there is not yet any such judgment by the Committee pursuant to Section 28, or the personal information protection policy under Section 29, the personal information controller or personal information processor may send or transmit personal information overseas without complying with Section 28 of the PIPA, if the personal information controller or personal information processor arranges for an appropriate protection measure whereby the rights of the personal information owner may be enforced, as well as an efficient legal remedy measure in accordance with the criteria and procedures to be prescribed by the Committee.
12 Requirement for Server in Thailand
The provisions of the PIPA do not explicitly specify a requirement for a server in Thailand. However, Section 5 paragraph 1 of the PIPA prescribes that the PIPA shall be applied to the collection, use or disclosure of personal information by a personal information controller or personal information processor located in Thailand, whether or not such collection, use or disclosure is conducted in Thailand. Under Section 5 paragraph 2 of the PIPA, in the case where the personal information controller or personal information processor is located outside Thailand, the PIPA would apply to the collection, use or disclosure of personal information of the personal information owner located in Thailand under the following operations of such personal information controller or personal information processor: (1) offering a good or service to the personal information owner located in Thailand, whether or not such owner made any payment; and (2) monitoring the behavior of the personal information owner which occurs in Thailand.
Part 3: Practical Approach
With the growth of social media like FaceBook, Instagram and Twitter, personal information or any other confidential information may be disclosed and accessed more easily. Thereby, it would be advisable for the companies to establish internal rules that prevent and restrict their employees or contractors from disclosing and handling, as well as limit their access to, sensitive information. Also, the companies should install security system and adopt security measures to protect the confidentiality of the sensitive information they are possessing. With respect to the contents of the PIPA, it may be worth noting that there are certain legal grounds for the state to collect, use and disclose the personal information without being subject to the provisions of the PIPA.
Disclaimer – The views expressed in this article are the personal views of the authors and are purely informative in nature.