The Personal Data Protection Law was designed to protect the right to privacy by establishing minimum standards and obligations for data controllers.¹ However, in certain instances, the Personal Data Protection Law has been weaponized as a new tool for Strategic Lawsuits Against Public Participation (SLAPP) by data controllers wielding both political and business power, exploiting ambiguous legal interpretations or construing legal exemptions too narrowly — particularly the journalistic exemption — to the point where such exemptions become instruments of pressure, obstruction, or punishment of investigative reporting, rather than serving their primary purpose of protecting personal data.²
Strategic Lawsuits Against Public Participation (SLAPP) refer to the use of judicial processes as a strategic tool to impose litigation burdens, psychological pressure, and financial costs upon defendants. Their primary aim is to deter the exercise of free expression and oversight by members of the public, the press, and human rights defenders. Such litigation exploits the imbalance of power and resources to create a climate of fear, ultimately causing defendants — and others who share similar positions — to cease their investigative activities or public participation. This phenomenon is known as the Chilling Effect.³
Because SLAPP suits are not primarily intended to prevail on the merits, but rather to impose burdens and intimidate the opposing party, and because data controllers tend to be large organizations with significant economic or political advantages over their adversaries — coupled with the severity of statutory penalties — personal data protection law has become yet another instrument susceptible to misuse for SLAPP purposes.
Defamation law is the most commonly observed vehicle for SLAPP suits; however, personal data protection law has become an equally convenient and effective instrument for SLAPP for the following key reasons:⁴
In a defamation claim, truth⁵ or a statement made in good faith⁶ is generally protected. However, under personal data protection law, even disclosing true information about the corrupt conduct of a public figure may still constitute a violation if the publisher is deemed a data controller that failed to comply with the law.
The following case studies from the European Union under the GDPR illustrate how personal data protection law may be deployed as a SLAPP instrument:⁷
A group of journalists received a letter from Romania's personal data protection supervisory authority demanding the disclosure of their sources of information, following the publication of a video documenting the misappropriation of EU subsidies.⁸ The supervisory authority threatened to impose a fine of up to EUR 20 million should the sources not be disclosed, demonstrating the use of administrative powers under the GDPR to directly pressure media operations.⁹
A major energy drink company in Hungary filed complaints against Forbes Hungary and Magyar Narancs, alleging that both publications had processed personal data without a lawful basis in reporting on the company's growth and its relationship with the government. Hungarian courts subsequently granted preliminary injunctions ordering the recall of the magazines and the censorship of certain content. These pre-judgment court orders prevented the public from accessing information of potential public interest, achieved through the mechanisms of personal data protection law.¹⁰
The foregoing examples clearly demonstrate instances in which personal data protection law was used as a SLAPP instrument — extending not only to court proceedings but also to regulatory complaints invoking administrative powers to silence the media.
In order to contextualize this issue within Thai society, this article examines the possibility that Thailand's Personal Data Protection Act may be weaponized as a SLAPP instrument, by analyzing the interpretation of the exemptions from its application under Section 4 (1) and Section 4 (3), drawing on case studies from the GDPR.
One of the exemptions from the application of the GDPR is the processing of personal data by a natural person in the course of a purely personal or household activity.¹³ Such processing must have no connection to any professional or commercial activity. Clear examples include communication activities, recording phone numbers in a directory or mobile phone, and online activities conducted within a private sphere.¹⁴ The rationale underlying this exemption is twofold:
Private and family activities fall within the scope of the right to privacy guaranteed under Article 8 of the European Convention on Human Rights (ECHR). Since the purpose of personal data protection law is to reinforce citizens' privacy, it should not intrude upon individuals' private sphere.¹⁵
At the time data protection law was first conceived in 1995, it was believed that the processing of personal data for private purposes was unlikely to cause significant harm to data subjects.¹⁶
Nevertheless, the predecessor to the GDPR — the Data Protection Directive — saw the Court of Justice of the European Union (CJEU) establish a principle of "strict interpretation”, holding that this exemption applies only to the extent strictly necessary.¹⁷ ¹⁸ The landmark judgments establishing this interpretive approach are as follows:
This ruling concerned a website created to provide church members preparing for their first communion with access to relevant information. The website disclosed personal data of the creator's colleagues, and the CJEU held that the case fell outside the personal exemption because the information was published on the internet and accessible by an unlimited number of people ("indefinite number of people").²¹
This ruling concerned the installation by a private individual of a CCTV camera outside his home for the purpose of identifying vandals who had broken his windows. The CJEU held that where the surveillance extended even partially to a public space and was directed outward from the private premises, it fell outside the personal exemption.²²
A man recorded a video while testifying in proceedings brought against him at a Latvian national police station, and subsequently published the footage — which captured police officers in the course of their duties — on YouTube. The CJEU reaffirmed the Lindqvist Doctrine, holding that the case fell outside the exemption because the recording was made in a non-private setting and was disseminated to an unlimited number of viewers.²³
These precedents reveal that the courts have interpreted this exemption quite "narrowly," creating a risk that the exemption may be used as a tool to intimidate people into self-censorship. A plaintiff pursuing a SLAPP suite may invoke the narrow interpretation to argue that expression via social media — which cannot limit the number of viewers — falls outside the personal exemption for data processing, thereby potentially giving rise to legal liability.
This exemption operates on different principles from the personal exemption, as the GDPR requires each Member State to determine in its domestic legislation the scope of the journalistic exemption,²⁵ provided that the framework be limited to what is necessary to maintain a balance between the right to personal data protection and freedom of expression.²⁶ The right to personal data protection is not an absolute right and must be balanced against other fundamental rights in accordance with the principle of proportionality.²⁷
However, the journalistic exemption is designed to protect the role of the media as a "Public Watchdog"²⁸ — monitoring the conduct of state authorities and disseminating political information.²⁹ In the context of a digital society, the CJEU has adopted a “broad interpretation” of the term "journalism"³⁰ to encompass "Citizen Journalism" aimed at generating content that stimulates public debate.³¹ The landmark judgments establishing this principle are as follows:
This ruling concerned the collection of tax data for publication through print media and an SMS system. The court held that even where profit is derived from such information, if the purpose is to disseminate information or opinions to the public, the processing qualifies as a journalistic activity and is accordingly exempt.³²
This ruling concerned the recording and online publication of police officers in the performance of their duties. The court held that such activity may qualify as a journalistic activity if it is intended to expose irregularities or stimulate criticism of a state agency's operations, and the processing is accordingly exempt — subject, however, to a proportionality assessment balancing freedom of expression against the right to privacy by the national court.³³
Nonetheless, uncertainty in the application of this exemption remains a gateway for SLAPP suits, as individual EU Member States maintain different standards. For instance, Austria restricts the definition of "media" to traditional mainstream outlets,³⁴ while the United Kingdom applies a three-part test: (1) the data in question must be processed with a view to publishing journalistic material; (2) the data controller must reasonably believe that publication would be in the public interest, having regard to the particular importance of the public interest in freedom of expression; and (3) the data controller must reasonably believe that compliance with the specified GDPR provision would be incompatible with their journalistic purposes.
The legislative intent of the Personal Data Protection Act B.E. 2562 (2019) (PDPA) is not merely to protect the rights of data subjects through the recognition of various statutory rights, but also to establish standards for the effective governance of personal data as a whole.⁴¹ However, within the context of SLAPP suits — which characteristically do not seek to prevail on the merits but rather to impose litigation burdens and costs upon the defendant — the exemption provisions of the PDPA carry the risk of being exploited as instruments of intimidation through uncertain interpretation, particularly the exemption for the collection, use, or disclosure of personal data for personal or household activity under Section 4 (1), and the journalistic exemption under Section 4 (3).
At present, no clear judicial precedent exists in Thailand concerning the application of these exemptions. Only guidance from the Personal Data Protection Committee Office (PDPC) is available as a preliminary reference point — particularly on the question of personal data processing for personal activity. In this context, the PDPC has established that if an activity is not systematic or regular in nature for any particular purpose while acting as a data controller, that activity is exempt from this Act.⁴²
One noteworthy aspect is the PDPC's position on the online publication of civil registration data by a close associate of the Minister of the Ministry of Digital Economy, which suggests that PDPC has a tendency to interpret the Section 4 (1) exemption broadly⁴³ — in contrast to the European Union's approach of construing a household exemption narrowly. As for the journalistic exemption under Section 4 (3), while no directly relevant advisory opinion has yet been issued, an examination reveals that the condition requiring compliance with "professional ethics" indicates a legislative intent to confine the scope of this exemption within professional standards. This may result in the provision being interpreted more strictly and narrowly than the European approach — potentially excluding citizen journalism.
Personal or Household Exemption | Journalistic Exemption | |
European Union | Narrow | Broad |
Thailand | Broad | Narrow |
The Personal Data Protection Act B.E. 2562 (2019) (PDPA) is susceptible to misuse as a SLAPP instrument, as any meaningful scrutiny into matters of public concern unavoidably necessitates the processing of personal data. Moreover, the PDPA carries more severe penalties than ordinary defamation law, creating incentives for plaintiffs to deploy it as a vehicle for imposing litigation burdens that suppress free expression.
Such misuse, however, runs contrary to the true legislative intent of the Act, as the PDPA is aimed at establishing standards for the effective governance and protection of personal data — not at suppressing oversight or societal and civic engagement. Accordingly, the central mechanism lies with the regulatory authority (the PDPC), which has a role in communicating and fostering an accurate public understanding of the purposes of this legislation, so as to prevent the judicial process from being exploited in bad faith in the future.
Furthermore, in an era of digital society, where the boundaries between private and public space are increasingly blurred by the expansion of the internet, private individuals may publish factual information through social media in ways that straddle both the "personal activity" exemption and the "journalistic" exemption. The author therefore submits that regulatory authorities and courts should construe both exemptions consistently, in order to strike a balance between the right to privacy and the freedom of the people in the digital age.
Reference :
¹ Legislative Note to the Personal Data Protection Act B.E. 2562 (2019).
² Melinda Rucz, The GDPR Enters the SLAPP Scene: GDPR Proceedings as Emerging Forms of Strategic Litigation against Public Participation, EUR. LAW BLOG (2022), https://www.europeanlawblog.eu/pub/the-gdpr-enters-the-slapp-scene-gdpr-proceedings-as-emerging-forms-of-strategic-litigation-against-public-participation/release/1.
³ Sarinee Achavanuntakul, SLAPP Suits and Corporate Responsibilities under UNGPs, iLaw (Oct. 16, 2025).
⁴ Rucz, supra note 2.
⁵ Section 330 of the Criminal Code provides that, In case of defamation, if the person prosecuted for defamation can prove that the imputation made by him is true, he shall not be punished. But he shall not be allowed to prove if such imputation concerns personal matters, and such proof will not be benefit to the public.
⁶ Section 329 of the Criminal Code provides that, a person, in good faith, expresses any opinion or a statement: (1) by way of self-justification or defense, or for the protection of a legitimate interest; (2) in the status of being an official in the exercise of his functions; (3) by way of fair comment on any person or thing subjected to public criticism; or (4) by way of fair report of the open proceeding of any Court or meeting, shall not be guilty of defamation.
⁷ Id.
⁸ OCCRP Strongly Objects to Romania’s Misuse of GDPR to Muzzle Media, OCCRP, https://www.occrp.org/en/announcement/occrp-strongly-objects-to-romanias-misuse-of-gdpr-to-muzzle-media (last visited Feb. 27, 2026).
⁹ English Translation of the Letter from the Romanian Data Protection Authority to RISE Project, OCCRP, https://www.occrp.org/en/feature/english-translation-of-the-letter-from-the-romanian-data-protection-authority-to-rise-project (last visited Feb. 27, 2026).
¹⁰ IPI Contributor Márton Bede, In Hungary, GDPR Is the New Weapon against Independent Media, IPI.MEDIA (Nov. 2, 2020), https://ipi.media/in-hungary-gdpr-is-the-new-weapon-against-independent-media-2/.
¹³ Article 2(2)(c), GDPR.
¹⁴ Recital 18, GDPR.
¹⁵ Bart van de Sloot, Home Is Where the Heart Is: The Household Exemption in the 21st Century, 14 JIPITEC – J. INTELLECT. PROP. INF. TECHNOL. E-COMMER. LAW 34 (2023).
¹⁶ Id.
¹⁷ František Ryneš v Úřad pro ochranu osobních údajů, Case C-212/13.
²¹ Bodil Lindqvist v Åklagarkammaren i Jönköping, Case C-101/01.
²² František Ryneš v Úřad pro ochranu osobních údajů, Case C-212/13.
²³ Sergejs Buivids v Datu valsts inspekcija, Case C-345/17.
²⁵ Article 85, GDPR.
²⁶ Recital 153, GDPR.
²⁷ Recital 4, GDPR.
²⁸ Observer and Guardian v. the United Kingdom (ECtHR 1991).
²⁹ Natalija Bitiukova, Journalistic Exemption under the European Data Protection Law (Jan. 30, 2020), https://papers.ssrn.com/abstract=3531977.
³⁰ Recital 153, GDPR.
³¹ Bitiukova, supra note 28.
³² Tietosuojavaltuutettu v Satakunnan Markkinapörssi Oy and Satamedia Oy, Case C-73/07.
³³ Sergejs Buivids v Datu valsts inspekcija, Case C-345/17.
³⁴ Bitiukova, supra note 28.
⁴¹ Legislative Note to the Personal Data Protection Act B.E. 2562 (2019).
⁴² Advisory Opinion No. 8/2567, Re: Police Station H's Inquiry Regarding Compliance with the Personal Data Protection Act.
⁴³ https://www.facebook.com/share/p/1BUtiADWYk/
