Since 2010, the Global Law Experts annual awards have been celebrating excellence, innovation and performance across the legal communities from around the world.
posted 1 week ago
Recent decisions by the Phuket Provincial Court have garnered significant attention from data privacy practitioners. These rulings have highlighted critical issues concerning the enforcement of Thailand’s Personal Data Protection Act (PDPA) and its implications for criminal penalties.
Overview of the Cases
In two related cases, the offenders allegedly obtained personal data from online gambling platforms and advertised the sale of this data on social media. The personal data involved includes names, phone numbers, email addresses, and account identification numbers. The offenders were found guilty under several laws, including the Computer-Related Crime Act, the Gambling Act, the PDPA, and the Penal Code.
Application of Section 80 of the PDPA
A notable aspect of these decisions is the application of Section 80 of the PDPA, which was used as a basis for determining the punishments for the offenders. Section 80 states:
“Any person who comes to know the Personal Data of another person as a result of performing duties under the PDPA and discloses it to any other person shall be punished with imprisonment for a term not exceeding six months, a fine not exceeding Baht five hundred thousand, or both.”
The court’s interpretation of Section 80 is significant as it expands the enforceability of criminal sanctions and imprisonment to conduct beyond the violation of sensitive personal data outlined in Section 79 of the PDPA. Traditionally, Section 80 was thought to apply only to competent officials who disclose personal data learned while performing their duties under the PDPA. Consequently, the elements of damages and intention were not included in the legal text.
However, the court’s decisions to criminalize the two offenders under Section 80 allow for general data controllers to face imprisonment penalties. This interpretation could lead to broader applications of criminal sanctions, moving beyond just sensitive personal data violations under Section 79 of the PDPA, which requires specific elements such as intention and damages for enforcement.
Analysis of Sections 79 and 80 of the PDPA
Section 79 of the PDPA focuses on the unauthorized disclosure of sensitive personal data. For a violation occurring under this section, there must be elements of intention and resultant damages. The penalties under Section 79 are designed to address severe breaches involving sensitive data, emphasizing the need for intention and actual harm.
Section 80, on the other hand, addresses the unauthorized disclosure of personal data in a broader sense. Initially, it was interpreted to apply primarily to officials handling personal data as part of their duties. The court’s recent rulings have expanded this interpretation, suggesting that any data controller could be subject to criminal penalties for disclosing personal data, even if the data is not classified as sensitive and without the traditional elements of intention and damages.
Implications and Future Developments
This shift in interpretation has sparked debate among scholars and data privacy practitioners regarding its appropriateness. Some argue that expanding the scope of Section 80 to include general data controllers could lead to excessive criminalization, while others believe it is necessary to enhance data protection enforcement.
In response to these developments, the Ministry of Digital Economy and Society is pushing to increase penalties for the illegal trading of personal data. They propose raising the maximum imprisonment term from one year to five years by amending the Royal Decree on Measures to Prevent and Suppress Technology Crimes B.E. 2566 (2023). A draft amendment to the Royal Decree is currently under consideration by the Council of State and is expected to be submitted to the Cabinet for further review and approval soon.
These court’s rulings, being those of the court of first instance, signify a potentially transformative period for data privacy enforcement in Thailand, with significant implications for data controllers and practitioners alike.
posted 2 hours ago
posted 1 day ago
posted 1 day ago
posted 2 days ago
posted 2 days ago
posted 3 days ago
posted 3 days ago
posted 3 days ago
posted 5 days ago
posted 5 days ago
No results available
ResetFind the right Legal Expert for your business
Sign up for the latest advisor briefings and news within Global Advisory Experts’ community, as well as a whole host of features, editorial and conference updates direct to your email inbox.
Naturally you can unsubscribe at any time.
Global Advisory Experts is dedicated to providing exceptional advisory services to clients around the world. With a vast network of highly skilled and experienced lawyers, we are committed to delivering innovative and tailored solutions to meet the diverse needs of our clients in various jurisdictions.