Latest News & Insights

Athentic Consulting's team of experienced experts brings you the
latest news and insights in law and regulations.

Analysis of the PDPC's Announcement on Imposing a 7 million Baht Fine for Data Breach

On August 21, 2024, Mr. Prasert Jantararuangtong, the Minister of Digital Economy and Society, along with the executive team of the Office of the Personal Data Protection Commission (PDPC), held a press conference to announce an administrative fine of 7 million baht imposed on a major private company. This fine is in response to a data breach linked to the operations of call center scams, a significant national issue over the past two years.

   The data breach incident came to light when customers of the company received phone calls from scammers impersonating company employees immediately after making online purchases. The affected customers, as data subjects, filed complaints with the PDPC. Despite warnings from the Commission's Expert Committee to comply with the Personal Data Protection Act (PDPA), the company neither took corrective action nor provided any remedy to the affected individuals.

   The second expert committee of the PDPC therefore issued the maximum administrative fine totaling 7 million baht. This fine was based on three key violations of the PDPA:

       1. Failure to Appoint a Data Protection Officer (DPO): The company, which handles and uses personal data of over 100,000 data subjects as part of its core business operations, did not appoint a DPO as required by Section 41 of the PDPA. This resulted in a fine of 1 million baht.

       2. Lack of Adequate Security Measures: The company failed to restrict access to data and lacked appropriate security measures for its servers, violating Section 37(1) of the PDPA. This resulted in a fine of 3 million baht.

       3. Delayed Notification of Data Breach: The company did not respond to complaints or report the data breach within the required timeframe, violating Section 37(4) of the PDPA. This resulted in a fine of 3 million baht.

   In addition to the administrative fine, the second expert committee ordered the company to improve its data security measures, update its security protocols to match evolving technologies, and conduct employee training. The company is required to report these corrective measures to the PDPC within seven days of receiving the order.

   Mr. Siwarak Siwamoksatham, Secretary General of the PDPC, further elaborated on the PDPC Eagle Eyes project, a proactive inspection team, and the PDPA Center, a unit dedicated to providing consultation and handling complaints. Plans are underway to expand these initiatives across various regions nationwide. He also mentioned that the PDPC has been supporting and overseeing PDPA compliance through the DPO in each organization by issuing checklists to ensure adherence to the PDPA.

   In conclusion, the PDPC emphasized the critical importance of personal data protection, urging all public and private entities to take it seriously. Negligence in this area can lead to severe legal consequences and a significant loss of trust from customers and the public.

   This case marks the first fine imposed by the Personal Data Protection Committee (PDPC) since the Personal Data Protection Act, B.E. 2562 (2019) came into effect on June 1, 2022. It demonstrates a serious enforcement of the law and could be seen as the end of the "grace period" for compliance. It also represents a response to the persistent problem of phone scams that have troubled the country for an extended period.

   According to the PDPC Regulation on Submission, Non-Acceptance, Dismissal, Consideration, and Timeframe for Complaint Consideration, B.E. 2565 (2022), the Expert Committees, which are mandated by law, have specific duties to consider complaints, examine the actions of data controllers and processors, and mediate personal data disputes. Currently, there are four Expert Committees, with Committee No. 2, which focuses on technology, being responsible for this case.

   The Expert Committee can decide to order corrective actions or issue warnings in cases deemed non-serious or impose administrative fines in serious cases, as outlined in the PDPC notification on Criteria for Imposing Administrative Fines, Sections 8 and 9. The decision is based on the following factors:

       1. Details of the violation, whether intentional or negligent, or lacking reasonable caution.

       2. The severity of the conduct.

       3. The size of the business of the data controller or processor.

       4. The effect of the administrative fine in mitigating the damage.

       5. The benefits that the data subject will receive from the administrative penalty and the broader impact on related businesses or activities.

       6. The value of the damage and the severity of the violation.

       7. Previous levels of administrative fines and enforcement measures used.

       8. History of previous administrative penalties.

       9. The level of responsibility and standards of operation at the time of the violation.

       10. Compliance with ethical codes, business practices, or security standards.

       11. Remedies and compensation provided to the data subjects.

       12. Other relevant facts.

   During the press conference, it was mentioned that the Expert Committee issued a warning for corrective action, but the data controller ignored it. As a result, a subsequent administrative fine was imposed. This case suggests that after considering all 12 criteria, the Committee deemed the violation non-serious. Alternatively, it could be interpreted that it was a serious case, but because it occurred during the initial grace period, the Committee started with a warning. Information about this consideration should be made public to establish a standard for evaluating the severity of future penalties.

   Later, the Expert Committee No. 2 ordered the maximum administrative fine of 7,000,000 baht for violating three key provisions of the Personal Data Protection Act:

       1. Failure to Appoint a Data Protection Officer (DPO): The company collected and used the personal data of over 100,000 customers as part of its core business operations without appointing a DPO, violating Section 41, resulting in a fine of 1,000,000 baht.

   Government agencies or business organizations, whether acting as data controllers or processors engaged in activities involving the collection, use, or disclosure of personal data, must appoint a Data Protection Officer (DPO) if they meet the following criteria:

       1. Regular monitoring of personal data or systems.

       2. Processing of large amounts of personal data.

   According to the press conference, the customers' data was used in core activities, such as search engine operations and online commerce. By law, the term "core activities" refers to operations that are essential and significant to achieving the main objectives or goals of a data controller's or processor's business or mission. In this case, selling goods online involves regular monitoring of personal data or systems.

   Additionally, as more than 100,000 customer records were breached, the processing evidently involved a large amount of personal data. Under Section 6 of the PDPC Notification on Appointing a DPO, the company, as a data controller, was therefore required to appoint a DPO. Failing to do so violated Section 41, which is subject to an administrative fine of 1,000,000 baht under Section 82.

       2. Lack of Adequate Security Measures: The company did not implement proper access control and lacked adequate server security measures, violating Section 37(1), which resulted in a fine of 3,000,000 baht.

   In addition to privacy principles, such as the preparation of legal documents and obtaining consent, personal data protection laws also require the implementation of security measures, which is a crucial part of personal data protection. The minimum standards that controllers must provide include four types of measures:

   • Access control measures
   • User access management measures
   • User responsibility measures
   • Audit trail measures

   Furthermore, data controllers are required to implement comprehensive measures covering three aspects:

  • Organizational measures
  • Technical measures
  • Physical measures

   These measures must take into account the level of risk based on the nature and purpose of data processing, as well as the likelihood and impact of any potential data breach.

   During the media interview, the Expert Committee clarified that the company failed to implement appropriate access control, which could include inadequate user access management measures. This violates the minimum standards for data security.

   Additionally, the company lacked adequate server security measures, which may mean there were no appropriate organizational, technical, or physical measures in place as required by law. Therefore, when the data controller is obliged to implement adequate security measures but fails to do so, it violates Section 37(1) and is subject to an administrative fine of 3,000,000 baht under Section 83.

       3. Failure to Notify Data Breach within the Legally Specified Timeframe: The company failed to respond to complaints and delayed reporting the data breach, violating Section 37(4), resulting in a fine of 3,000,000 baht.

   According to the PDPC’s Announcement on Criteria and Procedures for Notifying Personal Data Breaches, Sections 5 and 9, data controllers are required to:

       1. Upon becoming aware of or being notified of a personal data breach, verify whether the breach actually occurred.

       2. Assess the risk of the personal data breach.

       3. Determine whether the breach poses a risk to the rights and freedoms of individuals:

           3.1 If there is no risk, there is no need to notify the PDPC, but the breach must be recorded.

           3.2 If there is a risk, the breach must be reported to the PDPC within 72 hours of becoming aware of it.

       4. Assess whether the risk poses a serious threat to the rights and freedoms of individuals. If it does, the breach must also be reported to the data subjects.

   If there are necessary reasons causing a delay in notifying the PDPC beyond 72 hours, the data controller must provide a justification and relevant details to show unavoidable reasons for the delay, but it must not exceed 15 days from the time of awareness.

   Therefore, when the company, acting as a data controller, becomes aware of or is notified of a personal data breach but fails to assess the risk, reports it to the PDPC later than 72 hours without a valid reason, or delays the report beyond 15 days, it violates Section 37(4) and is subject to an administrative fine of 3,000,000 baht under Section 83.
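   To make the notification timeline concrete, the following Python helper is added here as an illustration; it is not code from the article, from Athentic Consulting, or from any PDPC system. It encodes steps 1 to 4 above together with the 72-hour window and the 15-day cap for a delayed report. The three risk levels, the record fields and the status labels are the editor's own assumptions; the helper only tracks deadlines and obligations once a risk level has been decided, it does not assess the risk itself.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from enum import Enum
from typing import Optional

# Time limits stated in the PDPC notification criteria discussed above.
PDPC_NOTIFY_WINDOW = timedelta(hours=72)   # report to the PDPC within 72 hours of awareness
PDPC_HARD_CAP = timedelta(days=15)         # a justified delay may never exceed 15 days


class Risk(Enum):
    """Assumed three-level outcome of the risk assessment (step 2 and 3)."""
    NONE = "no risk to rights and freedoms"
    RISK = "risk to rights and freedoms"
    HIGH = "serious risk to rights and freedoms"


@dataclass
class BreachRecord:
    """Assumed minimal incident record kept by the data controller."""
    aware_at: datetime                      # when the controller became aware / was notified
    verified: bool                          # step 1: did the breach actually occur?
    risk: Risk                              # step 2/3: assessed risk level
    reported_to_pdpc_at: Optional[datetime] = None
    delay_justification: Optional[str] = None   # reasons given for reporting after 72 hours


@dataclass
class Obligations:
    record_internally: bool
    notify_pdpc: bool
    notify_data_subjects: bool
    pdpc_deadline: Optional[datetime]       # aware_at + 72h, or None if no report is required
    pdpc_hard_cap: Optional[datetime]       # aware_at + 15 days, or None if no report is required
    status: str


def assess_obligations(rec: BreachRecord, now: Optional[datetime] = None) -> Obligations:
    """Derive the controller's notification obligations and the state of the PDPC report."""
    if now is None:
        now = datetime.now(timezone.utc)

    # Step 1: an unverified report creates no notification duty yet, but keep the record.
    if not rec.verified:
        return Obligations(True, False, False, None, None, "unverified")

    # Step 3.1: no risk -> record the breach, no report to the PDPC, no notice to subjects.
    if rec.risk is Risk.NONE:
        return Obligations(True, False, False, None, None, "record_only")

    # Step 3.2: risk -> report to the PDPC within 72 hours of awareness.
    deadline = rec.aware_at + PDPC_NOTIFY_WINDOW
    hard_cap = rec.aware_at + PDPC_HARD_CAP
    # Step 4: serious risk -> data subjects must be notified as well.
    notify_subjects = rec.risk is Risk.HIGH

    if rec.reported_to_pdpc_at is None:
        status = "overdue" if now > deadline else "pending"
    elif rec.reported_to_pdpc_at <= deadline:
        status = "on_time"
    elif rec.reported_to_pdpc_at <= hard_cap:
        # Late but within 15 days: acceptable only with documented, unavoidable reasons.
        status = "late_justified" if rec.delay_justification else "late_unjustified"
    else:
        status = "exceeded_15_day_cap"

    return Obligations(True, True, notify_subjects, deadline, hard_cap, status)


if __name__ == "__main__":
    # Constructed sample: awareness on 1 Aug 2024 09:00 UTC, report 48 hours later.
    aware = datetime(2024, 8, 1, 9, 0, tzinfo=timezone.utc)
    rec = BreachRecord(aware, True, Risk.HIGH, reported_to_pdpc_at=aware + timedelta(hours=48))
    print(assess_obligations(rec, now=aware + timedelta(days=3)))
```

   The 72-hour clock starts at awareness, not at the time the breach occurred, so `aware_at` should be the timestamp of the first customer complaint or internal alert, which is exactly the point at which the company in this case appears to have failed to act.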

   Apart from enhancing security measures to keep pace with evolving technology, the Expert Committee also mandated that the company raise awareness and communicate policies, guidelines, and data protection measures to relevant personnel. This should consider

       (1) The nature and purpose of data collection, use, and disclosure.

       (2) The level of risk.

       (3) The resources required.

       (4) The feasibility of implementation.

   The company must organize training on the updated security measures and is required to inform the PDPC of these corrective measures within 7 days of receiving the order. This 7-day period may serve as a standard for each organization to report progress on addressing legal gaps to the PDPC.

   The PDPC has implemented proactive services for the public, including PDPC Eagle Eyes, for proactive monitoring, which can be followed at PDPC Eagle Eyes Facebook Page, and the PDPA Center, a service center for receiving complaints and providing legal advice and guidance on PDPA.

   To ensure your organization has guidelines and procedures for managing personal data breaches, ATHENTIC CONSULTING offers the following risk management services:

       1. Data Protection Officer (DPO) Advisory Services: Acting as an internal or outsourced DPO to provide legal advisory services on personal data protection, monitoring internal compliance, and coordinating with the PDPC or data subjects in case of a data breach.

       2. Legal Documentation and Gap Analysis on Security Measures: Assessing security measures for each system or server to identify initial risks and address them promptly, as well as analyzing legal gaps related to privacy and security measures to develop a suitable IT Security Policy for your organization.

       3. PDPA Platform for Managing Data Breaches: Our affiliated company provides a comprehensive platform for managing personal data, including a Data Breach Notification system that supports everything from breach verification and risk assessment to notifying the PDPC or data subjects.

       4. Attack Surface Management Services: Providing vulnerability assessments for digital assets in your organization to effectively manage and mitigate cyber threats.

       5. Threat Intelligence Services: Collecting, analyzing, and utilizing information on cyber threats to prevent and respond to potential attacks, thereby minimizing the impact of such incidents.

       6. Data Loss Prevention (DLP) Advisory Services: Implementing systems and processes to prevent unauthorized access, extraction, or leakage of critical or confidential information from the organization, thereby reducing the risk of data loss and ensuring compliance with data security regulations.

Other services provided by ATHENTIC CONSULTING can be found at https://www.athenticconsulting.co.th/th/our-services#pdpa-wrapper 


สิรภพ พงษ์สุภาพ
Senior – Legal Innovation and Platform Counselor
ภิชญาภา เวศะนันต์
Lead – Legal Technology Counselor