THAILAND Law and Practice Contributed by: Pranat Laohapairoj, Suphakorn Chueabunchai and Pitchaya Roongroajsataporn, Chandler Mori Hamada
conduct under the PDPA. However, most cases have been discharged or have ceased at the expert committee stage, and there are no court cases regarding personal data that are publicly available in Thailand. In addition to the powers of the expert commit - tee, the PDPA covers three types of liabilities: • criminal liabilities; • administrative liabilities; and • civil liabilities. For criminal liabilities, the authority may pursue a criminal case against any commercial operator who has breached the PDPA. Any use or dis - closure of sensitive data without consent, and which has caused damage to the data subject, carries penalties of imprisonment of up to six months, a fine of up to THB500,000 or both. However, any use or disclosure, if undertaken for undue benefit of the commercial operator, will double the above-stated maximum impris - onment duration and fine amount. In this regard, the relevant director or manager of the juristic person may be subject to the same penalties as the juristic person. As described in 1.3 Enforcement Proceedings and Fines , the PDPC Notification on Adminis - trative Penalties governs the enforcement and criteria relating to administrative liabilities. For civil liabilities, a damaged data subject may bring a civil suit against a controller and/or processor who has wronged them. The PDPA expressly allows the court to award punitive damages, which is generally rare in Thailand, and such damages shall not exceed two times the actual damages (if the court believes the breach is severe). As this civil liability is based on tort law and privacy cases often involve more
than one impacted data subject, class actions are allowed for privacy cases. 2.2 Recent Case Law As described in 1.3 Enforcement Proceedings and Fines and 2.1 General Overview , there have been no significant litigation cases in privacy or data protection law in Thailand, as most cases tend to be resolved at the expert committee level. 2.3 Collective Redress Mechanisms In Thailand, the concept of collective redress exists within the legal framework, commonly referred to as a “class action”. However, its application and procedures remain limited and are still evolving. Victims of data protection vio - lations are entitled to file a case against offend - ers through the class action mechanism, as data protection breaches typically fall under tort claims. In practice, for high-profile cases (affect - ing many individuals), the Office of the PDPC often encourages victims to provide their infor - mation before initiating an investigation and tak - ing appropriate action. 3. Data Regulation on IoT Providers, Data Holders and Data Processing Services 3.1 Objectives and Scope of Data Regulation There are no specific regulations concerning the use of internet of things (IoT) services in Thailand. The providers of IoT services shall be deemed as controllers or processors under the PDPA, depending on whether such service pro - viders are determining the processing activities and fall under the provisions of the PDPA. The role obligations are as follows.
462 CHAMBERS.COM
Powered by FlippingBook