Introduction to Thailand’s Personal Data Protection Act (PDPA)

by Norravich Limpanukorn*

The rapid development of information technology has raised concerns across the globe, especially regarding data, since so much of the current era is data-driven. Europe's regional response to this issue resulted in a landmark regulation known as the General Data Protection Regulation (“GDPR”),1 a model that many countries have followed in this field. Thailand also modelled its law after the GDPR, enacting its own data protection law in 2019, the Personal Data Protection Act B.E. 2562 (2019) (“PDPA”), which this article introduces to the reader.

  1. What are the principles of the PDPA?

The PDPA entails three principles: (1) the processing of another person’s “Personal Data”2 is prohibited unless permitted by law; (2) where processing of Personal Data is permitted, it must be conducted appropriately; and (3) violations of these principles are subject to legal penalties, including civil penalty, criminal penalty (imprisonment for up to one year, or a fine not exceeding 1,000,000 THB (≈ 30,000 USD), or both), and administrative penalty (administrative fines of up to 5,000,000 THB (≈ 150,000 USD)). The PDPA applies only to businesses and entities (such as courts) and protects only the data of natural persons.3 The permitted activities are listed in Section 4 of the PDPA, such as the trial and adjudication of courts, data operations undertaken by a credit bureau company, etc.4 In all cases, the security of Personal Data must be ensured.

  2. Is the data processing restricted? How?

The short answer is yes – and not only data processing but also data collection is restricted under the PDPA. As a general principle, Personal Data cannot be collected, used, or disclosed by the Data Controller5 unless consent is given or the activity is permitted by the PDPA or other laws.6

In collecting Personal Data, the PDPA sets forth that the Data Controller must inform the data subject of the details specified by law, such as the purpose of the collection for use or disclosure.7 However, the Data Controller is exempt from this duty to inform where the data subject already knows such details. The source of Personal Data is also limited to the data subject as a direct source, unless exempted by law.8 For example, a hospital may need to collect health data, such as the drug allergies of a patient who is bleeding heavily after a car crash and has lost consciousness, so that consent cannot be given, and who would die if surgery is not performed immediately.9

The use and disclosure of data are likewise restricted: Personal Data shall not be disclosed by the Data Controller without the data subject’s consent unless that Personal Data was collected under an exception provided by law.10 The Data Processor11 also has the following duties: to carry out the activities related to the collection, use, or disclosure of Personal Data only pursuant to the instructions given by the Data Controller; to provide appropriate security measures against a Data Breach and, if one occurs, to notify the Data Controller; and to prepare and maintain records of personal data processing activities in accordance with the rules set by the Personal Data Protection Committee (PDPC).12

  3. Is a legal basis or consent required?

Yes, under the PDPA, obtaining consent is a fundamental requirement unless a legal basis permits the data collection or processing as an exception. Thus, consent is the primary requirement for most personal data-related activities.

As a general principle, consent must be obtained from the data subject prior to the collection or processing of the data, as the case may be. To obtain consent, there must be a request.13 The law specifies that such a request must be explicit and presented in a manner that is clearly distinguishable from other matters, in an easily accessible and intelligible form, using clear and plain language, and must not deceive or mislead. Consent must be freely given: the entering into a contract, including the provision of any service, shall not be a condition for obtaining consent. The data subject must also have the right to withdraw consent at any time, and withdrawing consent must be as easy as the mechanism for giving it.

A stricter requirement applies to sensitive information, for which explicit consent is required; this includes racial or ethnic origin, political opinions, cult, religious or philosophical beliefs, sexual behavior, criminal records, health data, disability, trade union information, genetic data, and biometric data.14

  4. Outstanding decisions of courts: the drafting weakness?

Before walking through the decision, I would like to introduce the reader to the provisions relevant to the criminal liability of the Data Controller: Section 79 and Section 80 of the PDPA.

Section 79 states that

[a]ny Data Controller who [unauthorizedly use or disclose Personal Data without the consent of the data subject or disclose Personal Data for any purpose other than the purpose previously notified in the request] … which relates to the [Sensitive Personal Data] in a manner that is likely to cause other person to suffer any damage, impair his or her reputation, or expose such other person to be scorned, hated, or humiliated, shall be punished with imprisonment for a term not exceeding six months, or a fine not exceeding five hundred thousand Baht, or both.

Section 80 states that

[a]ny person who comes to know the Personal Data of another person as a result of performing duties under this Act and discloses it to any other person shall be punished with imprisonment for a term not exceeding six months, or a fine not exceeding five hundred thousand Baht, or both.

Now, in the Phuket Provincial Court Decision Red (decided) case 1087/2566, the court held:

The defendant organized and facilitated gambling activities through electronic media. The defendant has collected personal information such as full names, phone numbers, bank accounts, and other financial details, which are Personal Data, as that information can directly or indirectly identify individuals. Therefore, the defendant is the Data Controller, meaning that the defendant holds the authority to decide on the collection, use, or disclosure of such Personal Data collected in the course of the gambling business. Because the defendant disclosed this Personal Data without obtaining consent, especially by selling such Personal Data to an undercover agent, the defendant is guilty under Section 80 of the PDPA.

However, if one reads Section 79, which imposes penalties on a Data Controller who processes sensitive data, in comparison with Section 80 of the PDPA, it can be seen that the elements of Section 79 additionally require that such processing is carried out in a manner likely to cause harm, while both sections impose the same level of penalty. This raises the question of whether the court’s interpretation that “[a]ny person who comes to know the Personal Data of another person as a result of performing duties” includes the Data Controller is correct. On the one hand, it could be viewed that Section 80 applies to general Personal Data, whereas Section 79 applies specifically to sensitive data and therefore imposes a more specific requirement. But would that not create a paradox in which the unauthorized disclosure of general data is easier to penalize than that of sensitive data, even though the law intends to give sensitive data special protection? On the other hand, should Section 80 be limited to state officials performing duties under this Act? But would that not create a vacuum in which there is no criminal penalty for the unauthorized disclosure of general data? This vagueness is the result of a drafting weakness, which leads me to leave this as an open question for the reader, without a clear answer.

Norravich Limpanukorn

* LL.B., International Program in Business Law, Faculty of Law, Thammasat University; LL.M. in Intellectual Property, Maurer School of Law, Indiana University Bloomington; Visiting Scholar (Apr 2025 – Jul 2026), Ostrom Workshop, Indiana University Bloomington; email: norravich.limpanukorn@gmail.com

1 Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).

2 Personal Data Protection Act B.E. 2562, Section 6. (“Personal Data” means any information relating to a Person, which enables the identification of such Person, whether directly or indirectly, but not including the information of the deceased Persons in particular.)

3 See Personal Data Protection Act B.E. 2562, Section 3.

4 See Personal Data Protection Act B.E. 2562, Section 4(1) – (6).

5 Personal Data Protection Act B.E. 2562, Section 6. (“Data Controller” means a Person or a juristic person having the power and duties to make decisions regarding the collection, use, or disclosure of the Personal Data.)

6 See Personal Data Protection Act B.E. 2562, Section 19.

7 See Personal Data Protection Act B.E. 2562, Section 23(1) – (6).

8 See Personal Data Protection Act B.E. 2562, Section 25; for exceptions, see Personal Data Protection Act B.E. 2562, Sections 24 and 26.

9 See Personal Data Protection Act B.E. 2562, Section 26(1).

10 See Personal Data Protection Act B.E. 2562, Section 27.

11 Personal Data Protection Act B.E. 2562, Section 6. (“Data Processor” means a Person or a juristic person who operates in relation to the collection, use or disclosure of the Personal Data pursuant to the orders given by or on behalf of a Data Controller, whereby such Person or juristic person is not the Data Controller.)

12 See Personal Data Protection Act B.E. 2562, Section 40.

13 See Personal Data Protection Act B.E. 2562, Section 19.

14 See Personal Data Protection Act B.E. 2562, Section 26.