Data Protection and Privacy 2025

THAILAND Law and Practice Contributed by: Pranat Laohapairoj, Suphakorn Chueabunchai and Pitchaya Roongroajsataporn, Chandler Mori Hamada

Non-Serious Offences

The expert committee may issue orders to remedy, stop, suspend or seize related processing activities, or it may carry out any other acts to stop/minimise the damage within a specific time.

1.4 Data Protection Fines in Practice

On 21 August 2024, the expert committee issued a maximum administrative fine of THB7 million to a major online retail company in Thailand for failing to protect personal data, as required by the PDPA. The company had collected data from over 100,000 customers but did not appoint a data protection officer (DPO) or implement adequate security measures, leading to data leaks to call centre scams. Additionally, the company failed to report the data breach promptly, violating several provisions of the PDPA. The expert committee ordered the company to improve its security measures, arrange for staff training and report all remedy measures back to the Office of the PDPC. This case marks the first major administrative fine imposed under the PDPA, highlighting the government’s commitment to enforcing data protection laws and enhancing public trust in online transactions and government projects that require personal data for identity verification.

1.5 AI Regulation

Thailand has introduced the Draft Royal Decree on Business Operations that Use Artificial Intelligence Systems (the “Draft Royal Decree”), influenced by the EU AI Act, for public hearings in 2022 to regulate AI based on risk levels. The Draft Royal Decree mandates that providers of high-risk AI systems implement various measures, such as a risk management system, data governance, record-keeping and cybersecurity measures. Apart from the controlling side, Thailand has also introduced the Draft Act on Promotion and Support for Artificial Intelligence to enhance AI development through regulatory sandboxes and support from relevant authorities. These draft regulations aim to build trust in AI systems along with ensuring the protection of personal data by enforcing stringent data protection measures and compliance requirements. Unfortunately, since these drafts are still under development by the responsible authorities, the current safeguards for the protection of personal data in the context of AI systems will be governed by the provisions of the PDPA. This existing legal framework will continue to protect personal data until the AI-specific regulations are finalised and enacted, thereby ensuring a seamless transition to more specialised AI data protection standards.

1.6 Interplay Between AI and Data Protection Regulations

Implementation of the primary concept of AI regulation in Thailand derived from the Draft Royal Decree, as mentioned in 1.5 AI Regulation, will significantly impact data protection in relation to AI systems by imposing strict requirements on AI system providers to ensure data security and transparency. The regulations will mandate comprehensive data governance and risk management practices, aligning with the PDPA to safeguard personal data. The authors believe that the regulations will complement the PDPA in the future to ensure that AI systems will be developed and deployed responsibly while protecting individuals’ data privacy.

2. Privacy Litigation

2.1 General Overview

As described in 1.3 Enforcement Proceedings and Fines, the PDPA provides the expert committee with an enforcement power to issue an administrative order for addressing any mis -
