The “catch-all” online privacy policies in Thailand
The validity and enforceability of catch-all online privacy policies have been increasingly challenged. In a country like Thailand, which is still in the process of implementing its first general personal data protection law, questions commonly arise as to the degree to which online privacy policies and online consent provided by users can be enforced under the present law (i.e., in the absence of a general personal data protection law).
Thailand’s Constitution generally recognises the principle of privacy protection. It states that “a person shall have the right to privacy”, and “any act which wrongfully violates or affects the rights … or utilisation of personal data in any way is prohibited”. In addition, a number of sector-specific statutes impose personal data protection requirements on parties operating within the telecommunications, securities, banking and other industries.
What is “consent” in Thailand?
In determining which types of implied consent are effectively sufficient, factors such as the timing of the consent provision, the person to whom consent is given or the elements of fraud, deception or misrepresentation, if any, are considered among other related circumstances.
Another key concern is the effectiveness of catch-all provisions, which could fall within the ambit of Thailand’s Unfair Contract Terms Act. If catch-all provisions are considered as unfair by the Thai courts (i.e., they impose an excessive burden which is more than a reasonable person could have anticipated), the Unfair Contract Terms Act enables the courts to intervene by voiding or limiting any unfair terms.
The importance of review