The Personal Data Protection Act B.E. 2562 (2019) (“PDPA”) marked a significant shift in data privacy regulations in Thailand, drawing inspiration from the EU’s GDPR while incorporating specific provisions to fit Thailand’s socio-economic context. Notable adaptations, such as regulations specific to credit bureau companies and exemptions for certain public authorities, reflect a localized approach that balances global data standards with national interests.
Developments in Regulations Related to PDPA Non-Compliance
Although enacted in 2019, the PDPA’s penalty framework remained largely unchanged until recent updates from the Personal Data Protection Committee (PDPC), authorized under Section 16(4) of the PDPA. In 2022, the PDPC issued the Announcement of the PDPC Regarding the Criteria for Consideration of Issuing Orders and Administrative Fines Ordered by the Expert Committee B.E. 2565 (2022), which was subsequently used to adjudicate one of the most significant cases in Thailand to date. Key considerations now include:
✓ The announcement applies to any process involving the assessment of administrative penalties for data controllers, data processors, or any individuals violating the PDPA or failing to comply with the expert committee’s orders.
✓ Communication of administrative orders to the offender must be done in writing via a reliable electronic format, or alternatively, by phone, email, or other methods requested by the offender.
✓ The announcement outlines the factors and circumstances to be considered when determining PDPA compliance penalties, including but not limited to:
⦾ Intent, negligence, or carelessness in data protection failures
⦾ Severity of the offense and the business scale of the data controller or processor
⦾ Financial impact on offenders and benefits to affected data subjects
⦾ Past offenses, adherence to ethical practices, and post-breach mitigation efforts
These considerations aim to tailor enforcement measures, balancing punitive actions with accountability and the rights of data subjects.
Current Penalties for Non-Compliance Under the PDPA
The PDPA imposes both administrative and criminal liability for non-compliance.
Figure 1. Civil liability under the PDPA.
Figure 2. Criminal liability under the PDPA.
Figure 3. Administrative liability under the PDPA.
Recent Landmark Case: JIB Thailand
The case of JIB, a major Thai IT distributor with annual revenues exceeding THB 6 billion, serves as a milestone in PDPA enforcement. Following numerous customer complaints regarding a personal data breach valued at THB 30,000, JIB was issued the maximum administrative fine of 7 million baht for:
1. Failing to implement sufficient security measures, including access control and authorization (PDPA Section 37(1)),
2. Neglecting to notify the PDPC and failing to take swift action despite being aware of the breach since 2023 (PDPA Section 37(4)),
3. Delaying the appointment of a Data Protection Officer (DPO), as required for operations handling extensive personal data (PDPA Section 41(2)).
Although JIB appointed a DPO in April 2024, this was after substantial data leakage had occurred, showing intent to circumvent compliance. The PDPC mandated JIB to overhaul its data protection measures and submit regular progress reports to ensure sustained adherence to the PDPA.
JIB was further ordered to enhance its data protection framework through the following measures:
1. Implementation of Enhanced Data Protection Measures: JIB must upgrade its organizational, technical, and physical safeguards for managing personal data within 30 days of receiving the administrative order.
2. Strict Compliance with PDPA Requirements: JIB is required to fully comply with PDPA regulations and implement protocols to prevent future breaches.
3. Ongoing Progress Reporting: JIB must submit progress updates on the implementation of these improvements every 7 days from the issuance of the administrative order.
On 27 August 2024, JIB published an update on its Facebook page detailing the actions it had taken and the plans it had put in place to comply with the PDPC’s orders, demonstrating its commitment to achieving full compliance with data protection regulations. This landmark case has set a significant precedent for private organizations acting as data controllers, emphasizing the importance of appointing a DPO and rigorously adhering to legal data protection obligations. It has also raised consumer awareness of personal data rights and the available means for enforcement.