The “Catch-all” Policy in Thailand
In many countries, it is mandatory for site operators to have a privacy policy in place. Catch-all privacy policies, whereby operators may collect, use, and share a wide range of users’ personal information, are widely used by site operators. They are designed to obtain broad agreement from users with respect to the processing of any personal data that is collected.
The validity and enforceability of catch-all privacy policies have been increasingly challenged. In a country like Thailand, which is still in the process of implementing its first general personal data protection law, questions commonly arise as to the degree to which an online privacy policy and online consent provided by users can be enforced under the present law (i.e., in the absence of a general personal data protection law).
Thailand’s Constitution generally recognizes the principle of privacy protection. It states that “a person shall have the right to privacy,” and “any act which wrongfully violates or affects the rights … or utilization of personal data in any way is prohibited.” In addition, a number of sector-specific statutes impose personal data protection requirements on parties operating within the telecommunications, securities, banking, and other industries.
What Is “Consent” in Thailand?
However, as Thailand lacks a general personal data protection law, there are no regulatory requirements on privacy policies or on obtaining individual consent from users to process personal data. This means that Thai law does not require consent to take any specific form (e.g., in writing or as express consent). Therefore, certain types of implied consent in privacy policies may be acceptable and may constitute a privacy policy agreement with the users under Thai law.
In determining which types of implied consent are effectively sufficient, factors such as the timing of the consent provision, the person to whom consent is given, or the elements of fraud, deception, or misrepresentation, if any, are considered among other related circumstances.
An online privacy policy with an opt-in requirement (i.e., users are required to expressly click “I agree” after scrolling down to the end of the privacy policy terms during the process of site registration) arguably obtains a user’s consent to create an effective privacy policy agreement between the site operator and its users. However, it should be noted that a minor—generally deemed to be a person under 20 years old—who enters into a contractual transaction without parental consent could make the transaction voidable.
Another key concern is the effectiveness of catch-all provisions, which could fall within the ambit of Thailand’s Unfair Contract Terms Act. If catch-all provisions are considered unfair by the Thai courts (i.e., they impose an excessive burden beyond what a reasonable person could have anticipated), the Unfair Contract Terms Act enables the courts to intervene by voiding or limiting any unfair terms.
There are no Supreme Court decisions on unfair catch-all privacy policies, so it is difficult to ascertain to what degree the court will exercise its discretion when a privacy policy term is found to be unfair. To err on the side of caution, website privacy policies should provide clear and precise explanations of the specific types of information collected, the specific activities for which the information is being used, and with whom the information is shared.
The Importance of Review
Site operators should also keep their privacy policies up to date with current practices. Privacy policies are not one-sided agreements—operators can enforce a policy against users, and users can enforce against operators. Therefore, if an operator has an obligation under its privacy policy to notify affected data subjects about any material changes to personal data handling practices, and there has been a change in the handling practices (e.g., the location of the stored data or the third party vendor handling the collected data has changed), but the operator has failed to notify the affected data subjects, the operator could be seen as having broken the privacy policy. Although monetary damages arising from such a breach would most likely be minimal, the breach could possibly cause reputational damage to the site operators and/or owners.
Site operators should regularly review their privacy policies to ensure they are in line with current practices and do not dissuade users from interacting with their sites. An effective privacy policy can help mitigate exposure to liability in operating a site. An ineffective policy, on the other hand, could lead to costly legal actions and a tarnished reputation.