THAILAND Trends and Developments Contributed by: Pranat Laohapairoj, Suphakorn Chueabunchai and Pitchaya Roongroajsataporn, Chandler Mori Hamada
judgments in past cases. Before mid-2024, no company had been fined for late reporting of a breach incident, although statistically speaking most companies report long after 72 hours from discovery, simply because it normally takes many days for the companies to become aware of a breach or an attack. Further days or even weeks are needed to analyse and pinpoint whether any person in Thailand has been particularly affected, and if so, whether such impact rises to the level that must be reported to the PDPC. It may also take a few more days for the companies to consult with external experts on what to do.

However, it appears that the PDPC has recently adopted a stricter stance on late notifications. To date, the PDPC seems to be increasingly focused on the supporting reasons behind such delays, to the extent that a company has already been fined for delayed reporting of a data breach, placing greater emphasis on the diligence and timeliness of companies in addressing breach incidents.

Previously, the PDPC has been very understanding. As long as a report is filed properly and expediently (to the extent possible), questions from the PDPC are satisfactorily answered when asked, and the report-makers do not act unreasonably or tardily, the PDPC will show leniency. This, however, is because the PDPC would like to allow operators in Thailand to understand the law and to have enough time to adjust well to the legal requirements, whether on internal training of employees regarding understanding and avoiding risks, or on the documentation side.

Nowadays, following the full implementation of the PDPA and the issuance of a number of subordinate regulations, the PDPC has adopted a more proactive approach to enforcement. When cases are reported, the PDPC promptly initiates actions, including investigating the case, ordering companies to provide clarifications, or co-ordinating with relevant authorities to undertake necessary actions. Notably, the PDPC has established the “PDPC Eagle Eye” to specifically address data breach incidents. This complaint centre not only focuses on investigating and responding to breaches but also aims to educate and alert the public, monitor compliance, and manage complaints effectively.

Moreover, in 2024, Thailand witnessed its first penalty case under the PDPA. The PDPC imposed a maximum administrative fine of THB7 million on a major online retail company in Thailand for failing to comply with key data protection requirements under the PDPA. These violations included the failure to appoint a Data Protection Officer (DPO) and to implement adequate security measures, which resulted in data leaks that were subsequently exploited in call centre scams. Furthermore, the company failed to report the data breach within the timeframe specified under the PDPA. This landmark case marks a significant step in demonstrating the government’s commitment to enforcing data protection laws, fostering public trust in online transactions and government initiatives that require personal data for identity verification.

A third positive note is that most companies, especially those belonging to a global operation or those with routine contacts with offshore companies that hail from jurisdictions with relevant data protection and privacy law, have been much more careful regarding transfer of personal data. Most companies have been comparatively more reluctant about such transfer, and this has manifested in discussions during business meetings as well as in execution of documents to cover transfer of data for any particular project. Some companies have even gone so far as to re-train their project personnel on PDPA requirements prior to commencement of each project.