
Is Consent Always Required?: Unraveling the Privacy of Personal Data Sharing on Social Media

The use of social media has become one of the main activities of people’s daily routines. Have you ever wondered whether posting pictures or status updates on social media, which may include information identifying a specific individual, or sharing personal data online requires the publisher to obtain consent from the relevant individual or data subject before sharing on social media? Before addressing this question, the first thing to consider is in which cases the use of social media falls under the scope of the Personal Data Protection Act B.E. 2562 (2019) (“PDPA”).

To consider whether certain social media activities fall under the scope of the PDPA, it is important to assess whether the user or the publisher of personal data can determine the purposes and means of collecting, using, or disclosing personal data. For instance, recording a video that captures images or voices of other individuals and editing it into a vlog for YouTube would be considered a case where the publisher determines both the purpose and means of processing personal data, making them a data controller under the PDPA.

However, even if the publisher is a data controller under the PDPA, not all social media activities in daily life will fall within the scope of the PDPA, as it specifies that the collection, use, or disclosure of personal data by an individual for personal benefit or household activities is exempt from the provisions of the PDPA. For example, using a personal social media account to share family pictures or pictures from a birthday celebration with friends is done solely for personal purposes and, thus, is not subject to the PDPA.

Nevertheless, when collecting or sharing personal data through a personal social media account, it is necessary to consider the purpose and context of the disclosure because some activities may still fall under the scope of the PDPA. For instance, an influencer shares a photo of themselves with a product on their personal social media account as part of a marketing contract. The photo is taken in a public space and includes other individuals in the background; therefore, the influencer’s use of personal data extends beyond purely personal purposes. As a result, this case would not be exempted, and the influencer must fulfill their obligations as a data controller under the PDPA.

Evidently, the use of social media in some cases may fall under the scope of the PDPA. To determine whether consent is required from the data subject before sharing their personal data on social media, note that the PDPA provides the following legal bases for the collection, use, or disclosure of personal data:

  1. Contract
  2. Legal obligation
  3. Legitimate interests
  4. Public task
  5. Vital interests
  6. Historical document, research, or statistics; and
  7. Consent

When selecting an appropriate legal basis, it is essential to consider the purpose for which the data is collected, used, and disclosed. It is evident that not every case will require consent from the data subject, as other legal bases can be relied upon for lawful data processing. In other words, if other valid legal bases can be applied, there is no need to obtain consent. For example, if an influencer has a contractual agreement with a brand allowing their image to be used for product advertisements on social media, the legal basis of contract performance can be applied for the processing of their personal data. In this case, there is no need to obtain consent for using the influencer’s image.

It can be concluded that when using social media in a way that involves the disclosure of personal data, obtaining the data subject’s consent is not always required. However, if no other legal basis under the PDPA can be applied, consent must be obtained before processing personal data. To obtain valid consent under the PDPA, the requirements are as follows:

  1. Consent can be obtained in either written or electronic form
  2. Consent must be obtained before or at the time of collecting personal data
  3. The data subject must be clearly informed of the purpose of consent, together with other required details under the PDPA
  4. The request for consent must be in an easily accessible and intelligible form, using clear and plain language without ambiguity or misleading information
  5. The consent must be freely given by the data subject, and must not be a condition for service provision. It must also be clearly distinguished from terms and conditions of the service
  6. The data subject has the right to withdraw consent at any time, and the withdrawal of consent must be as easy as giving consent, unless the withdrawal of consent is restricted by law or by a contract that gives benefits to the data subject; and
  7. If the withdrawal of consent has any effect on the data subject in any manner, the data subject must be clearly informed of these effects.

When a social media user is obligated to comply with the PDPA as a data controller because of activities conducted on social media, these practices should be followed:

  1. Consider the necessity of using personal data: if there is no need to use such data, consider cropping or blurring the images so that the individual is not identifiable or is difficult to identify
  2. Notify the data subject: provide all the details required by the PDPA, such as the purposes of collecting, using, or disclosing personal data
  3. Consider the appropriate legal basis: apply an appropriate legal basis for the processing of personal data. If no other legal basis can be applied, consider consent as the legal basis and obtain consent according to the requirements outlined above
  4. Respect the rights of the data subject under the PDPA: provide channels for data subjects to exercise their rights; and
  5. Consider appropriate security measures: implement appropriate security measures, such as setting up a password, to prevent unauthorized access, alteration, or disclosure of personal data.

As mentioned above, it can be concluded that the PDPA does not apply to disclosure of data on social media in every context. In cases where social media users are obligated to comply with the PDPA, obtaining consent is not always necessary, as other legal bases may be applicable depending on the purpose of personal data processing. Nonetheless, social media users, as data controllers, are still obligated to strictly adhere to the principles of the PDPA to ensure the security of personal data and to protect the privacy rights of data subjects. 

Kanoknun Chanataradhamma
Lead - Legal Technology Counselor
Supanuch Meelarp
Senior - Legal Technology Counselor
Parita Meksan
Legal Technology Counselor