Although the Personal Data Protection Act (“PDPA”) has been fully enforced since June 2022, marking a significant turning point in Thailand‘s approach to handling personal data, misconceptions regarding the law are still common among businesses and the general public. Even though they are frequently used in joking tone, these statements reveal that the law is still not well understood. This lack of understanding can lead to interpretations or applications of the PDPA that deviate from its original intent.
For instance, consider the issue of taking photos in public places that unintentionally affect the individuals captured in them. This includes situations such as a good citizen recording an argument and sharing the video on social media, or a kiss-cam at a concert displaying images of couples without their consent. While these incidents could appear amusing or lead to short public debates, they can negatively impact the individuals involved.
Therefore, this article seeks to learn from these two case studies and pose a more general legal question: “Who should be held legally responsible when photos or videos taken in public lead to negative effects to the individuals appearing in them?” rather than getting into the specifics of those people’s personal lives.
Although the PDPA provides broad protection for any act involving personal data pursuant to Section 5, paragraph one of the PDPA which specifies that the PDPA applies to the “collection, use, or disclosure of personal data” (also known as “processing of personal data”) Section 4(1) establishes specific exemptions. This provision is derived from Article 2(c) of the General Data Protection Regulation (GDPR) of the EU, which exempts individuals who process personal data for purely personal or household activity are exempt from scope of both the GDPR in the EU and PDPA.
However, while Section 4(1) provides an exception for such instances, a more comprehensive and nuanced approach may be required to assess what processing for household activities or personal benefit actually includes. The rapid growth of social media has made it increasingly easy, which makes it simple for everyone to share their own or others’ personal data with the wider community. This raises an important concern: if a private individual shares personal data online without restricting access to only close friends or family still regarded as processing for household or personal use?
In practice, this makes it challenging to enforce data protection laws against actions taken by private individuals. As a result, it is crucial to determine whether a certain activity counts as household or personal processing. Considerations to be made include:
These criteria are derived from the Bodil Lindqvist case (Case C-101/01, CJEU, 6 November 2003), in which the Court of Justice of the European Union (CJEU) established a precedent regarding the so-called household exception. According to the Court, this exception must be applied strictly, limiting its application to activities that are purely personal or household activities, like snapping pictures for personal purposes or sharing the images with a small circle of relatives. It is evident that it does not cover circumstances in which personal data are published online for commercial purposes or in a way that allows unrestricted public access.
Similarly, the Office of the Personal Data Protection Committee (PDPC) has previously addressed an inquiry regarding the posting of photos or messages on a personal Facebook account. The PDPC explained that it must be considered whether such actions are carried out systematically or on a regular basis for a specific purpose. If the activity is not systematic or regularly conducted, it does not fall within the scope of the PDPA. However, the person posting the content may still be subject to liability under other laws, such as the Computer Crimes Act B.E. 2550 (2007), the Criminal Code provisions on defamation, or civil liability under the Civil and Commercial Code.
In summary, the PDPA does not consider whether personal data are publicly available or where they originate. If the information can identify an individual either directly or indirectly it qualifies as personal data and remains protected under the law, even if shared in public spaces or on social media. Activities that are truly meant for household or personal use are the one of exemption, and these do not include disclosing personal data to the public that is accessible without restriction on a systematic or regular basis.
In the first scenario, the person who is recording and sharing a video of an argument may fall under the exception under Section 4(1) of the PDPA, but only if the processing of personal data is carried out for personal benefit or household activities. However, this exception does not apply if the video is made publicly available on a regular or continuous basis without access restrictions, for example, by creating an online page that regularly posts video clips accessible to the general public. The Court of Justice of the European Union (CJEU) has clearly ruled that sharing personal data on public media in this manner cannot be regarded as a personal activity, and therefore, such actions remain subject to data protection laws. Furthermore, under other applicable laws, such behavior may result in liability depending on the circumstances and consequences, particularly if it affects the people who are being recorded.
On the other hand, the act would be regarded as a legal and acceptable processing of personal data if the good citizen records the video or photos with the intention of presenting them to government authorities as evidence in a court case, without making them publicly available. In such a case, the purpose aligns with the principles of necessity and legality under the PDPA, and therefore, it would not constitute a violation of the law.
This case differs significantly from the first one, as it involves the commercial use of personal data, which cannot be exempted under Section 4(1) of the PDPA. At this point, the concert organizer acts as a data controller with a clear commercial objective: displaying attendees’ photos on the Kiss-Cam screen to enhance the event’s atmosphere and advance the organizer’s financial interests.
According to Section 24 of the PDPA, such processing is permitted only if it is supported by a valid legal basis. Two possible legal basis could be applicable in this situation:
Consent — obtaining explicit consent from the data subjects (the attendees whose photos are displayed), or
Legitimate Interest — relying on the organizer’s legitimate commercial objective, as long as it doesn’t conflict with the rights and liberties of the people involved.
However, it takes considerable consideration to assert legitimate interest. The data controller must balance the potential benefits against any possible effects on the rights and liberties of the data subjects. It also needs to consider the expectations of the personal data subject. ensuring that the processing is both necessary and proportionate.
Therefore, if the concert organizer does not include a clear privacy notice or cannot provide a legal basis for processing, the display of attendees’ images on the Kiss-Cam would constitute unlawful personal data processing. Under the PDPA, the concert organizer would be held legally responsible as the data controller in this scenario.
It can be observed that posting photos or videos on online platforms still raises privacy concerns that individuals must take into account. Such actions should be evaluated based on the five factors discussed above. Moreover, even if they are exempt from the PDPA on the grounds of being conducted for purely personal or household activities, they may still constitute violations under other applicable laws.
References:
