Thailand First Administrative Fine for Data Breach: An Analysis of Law and Practice

The Expert Committee (EC) of the Personal Data Protection Committee (PDPC) imposed a THB7,000,000 (around USD212,000) administrative fine on a data controller company on 31 July 2024.  It was the first ever fine for personal data breach in enforcement of the Personal Data Protection Act B.E. 2562 (A.D. 2019) (PDPA).

The EC investigated the data breach incident against the company under the complaints filed by a large number of data subjects affected by the data breach. In addition to the data breach, the EC also found that the company had failed to appoint a Data Protection Officer (DPO), did not have adequate data security measures in place, and had delayed notifying the PDPC of the data breach incident. Therefore, the EC imposed the fine against the company and ordered it to appoint a DPO, improve its data security measures and conduct data protection training courses for its staff. The fine plus the additional enforcement orders show that the EC and the PDPC are indeed ready to enforce full and long-term compliance measures against violations of the PDPA.

More Enforcement

In determining the amount of the fine, the EC considered the type and volume of the data breached, the severity of its effect on the affected data subjects, and the length and repetition of the breach (Section 90 of the PDPA). Under Section 84 of the PDPA, the PDPC is empowered to impose an administrative fine of up to THB5 million per violation. The fine of THB7 million against the company this time, which exceeds the per-violation maximum, suggests that the EC may impose stringent enforcement measures in the future.

Section 72(2) of the PDPA also empowers the EC to investigate suspected violations by data controllers or data processors that may cause damage to data subjects, even without a complaint filed by a data subject. The EC's order for the company to also appoint a DPO, improve its data security measures and train its staff shows that the EC has adopted a proactive approach to investigating and penalising violations of the PDPA.

Under the PDPC Notification on Rules and Procedures for Issuing Administrative Orders of the Expert Committee B.E. 2565 (2022), decisions of the EC are final and cannot be appealed.

Implications

This first-ever administrative fine by the EC has sent a signal to businesses that are data controllers or data processors. The message is that businesses must fully comply with the PDPA or face proactive investigations and heavy penalties.

Data controllers and data processors must invest in comprehensive data protection measures, including appointing DPOs, implementing strong security protocols, and establishing efficient breach notification procedures. Businesses will need to review and re-evaluate their data processing practices and procedures to ensure that they remain fully compliant with the PDPA and its implementation rules and regulations issued by the PDPC.

Businesses may also expect more industry-specific compliance requirements and their implementing rules, and should be prepared for audits or inquiries by the PDPC even where no complaint has been filed by any data subject.

Challenges

It is reasonable to expect that the PDPC will stringently and actively enforce the PDPA against data controllers and data processors who fail to comply with it, whether they are located in Thailand or abroad. The PDPC is likely to continue issuing new guidelines and notifications and enforcing them to ensure that businesses are fully compliant with the PDPA at all times.

It is advisable for businesses that process (collect, use or disclose) personal data of data subjects residing in Thailand to prioritize their data protection and data privacy compliance activities in order to avoid or mitigate the risk of severe penalties and reputational harm.

It was not reported whether the company fined THB7 million by the EC this time was also sued by any affected data subjects. However, it should be noted that, in addition to administrative fines, violations of the PDPA can at the same time give rise to criminal and civil liability. Affected data subjects can file civil claims for compensation against businesses that failed to comply with the PDPA and thereby caused them damage. They can also file criminal complaints against businesses for violations of the PDPA.





The information provided in this document is general in nature and may not apply to any specific situation. Specific advice should be sought before taking any action based on the information provided. Under no circumstances shall LawPlus Ltd. and LawPlus Myanmar Ltd. or any of their directors, partners and lawyers be liable for any direct or indirect, incidental or consequential loss or damage that results from the use of or the reliance upon the information contained in this document. Copyright © 2016 to 2020 LawPlus Ltd.