Online Privacy Policies in Thailand: Designing and Implementing an Effective Policy

The “catch-all” online privacy policies in Thailand

In many countries, it is mandatory for site operators to have an online privacy policy in place. Catch-all online privacy policies, whereby operators may collect, use and share a wide range of users’ personal information, are widely used by site operators. They are designed to obtain broad agreement from users in respect of processing any personal data that is collected.

The validity and enforceability of catch-all online privacy policies have been increasingly challenged. In a country like Thailand, which is still in the process of implementing its first general personal data protection law, questions commonly arise as to the degree to which online privacy policies and online consent provided by users can be enforced under the present law (i.e., in the absence of a general personal data protection law).

Thailand’s Constitution generally recognises the principle of privacy protection. It states that “a person shall have the right to privacy”, and “any act which wrongfully violates or affects the rights … or utilisation of personal data in any way is prohibited”. In addition, a number of sector-specific statutes impose personal data protection requirements on parties operating within the telecommunications, securities, banking and other industries.

What is “consent” in Thailand?

However, as Thailand lacks a general personal data protection law, there are no regulatory requirements on online privacy policies or on obtaining individual consent from users to process personal data. This means that Thai law does not require any specific form of consent (e.g., in writing, express consent, etc.). Therefore, certain types of implied consent in online privacy policies may be acceptable and may constitute a privacy policy agreement with the users under Thai law.

In determining which types of implied consent are effectively sufficient, factors such as the timing of the consent provision, the person to whom consent is given or the elements of fraud, deception or misrepresentation, if any, are considered among other related circumstances.

An online privacy policy with an opt-in requirement (i.e., users are required to expressly click “I agree” after scrolling down to the end of the privacy policy terms during the process of site registration) arguably obtains a user’s consent to create an effective online privacy policy agreement between the site operator and its users. However, it should be noted that a minor — generally deemed to be a person aged less than 20 years old — who enters into a contractual transaction without parental consent could make the transaction voidable.

Another key concern is the effectiveness of catch-all provisions, which could fall within the ambit of Thailand’s Unfair Contract Terms Act. If catch-all provisions are considered unfair by the Thai courts (i.e., they impose an excessive burden which is more than a reasonable person could have anticipated), the Unfair Contract Terms Act enables the courts to intervene by voiding or limiting any unfair terms.

There are no Supreme Court decisions on unfair catch-all online privacy policies, so it is difficult to ascertain to what degree the court will exercise its discretion when an online privacy policy term is found to be unfair. To err on the side of caution, online privacy policies should provide clear and precise explanations of the specific types of information collected, the specific activities for which the information is being used and with whom the information is shared.

The importance of review

Site operators should also keep their online privacy policies up to date with current practices. Online privacy policies are not one-sided agreements — operators can enforce a policy against users, and users can enforce against operators. Therefore, if an operator has an obligation under its online privacy policy to notify affected data subjects about any material changes to personal data handling practices, and there has been a change in the handling practices (e.g., the location of the stored data or the third party vendor handling the collected data has changed), but the operator has failed to notify the affected data subjects, the operator could be seen as having broken the online privacy policy. Although monetary damages arising from such a breach would most likely be minimal, the breach could possibly cause reputational damage to the site operators and/or owners.

Site operators should regularly review their online privacy policies to ensure they are in line with current practices and do not dissuade users from interacting with their sites. An effective online privacy policy can help mitigate exposure to liability in operating a site. An ineffective online privacy policy, on the other hand, could lead to costly legal actions and a tarnished reputation.


Simon Vetterli
Hi
It is a very important article, especially as not many companies are using it in practice. Only a small number of companies are realizing this concern.
I am interested to get more official law and ways how to do it.
Regards, Simon
