Two Mobile Phones Face Investigation Over Data Breach Issues

Two mobile phone brands operated by two companies are under scrutiny for potential violations of Thailand's Personal Data Protection Act ("PDPA"). The concerns arise from evidence indicating that both companies have retained significant amounts of customer data without obtaining proper prior consent from the phone users, referred to as the data subjects under the PDPA. Additionally, the companies have been accused of failing to appoint a data controller, a requirement prescribed by the PDPA.

Under the PDPA, the Data Controller is defined as a natural person or juristic person who has the authority to process personal information, such as a company collecting employee data. The Data Controller is bound by a crucial limitation: it must obtain the prior consent of the data subjects before collecting, using, or disclosing their personal data.

In this case, the two mobile phone brands have a money-lending application pre-installed on their devices. This application, which cannot be uninstalled by the users, is capable of accessing users' personal data, including contact lists and phone numbers. The pre-installation of this application without obtaining explicit user consent violates the rights of the data subjects and raises serious concerns about the potential misuse of personal information accessed without authorization.

Moreover, the pre-installation of the application on devices by the companies raises significant concerns regarding the violation of user rights and data privacy under the Notification of the National Broadcasting and Telecommunications Commission ("NBTC") on Measures to Protect the Rights of Telecommunications Service Users Related to Personal Data, Rights to Privacy, and Liberty to Communicate through Telecommunications ("Notification"). The Notification defines the scope of personal data as personally identifiable information such as users' names, addresses, national ID card numbers, telecommunications numbers, and usage information, as well as usage data or behaviors in using telecommunications services that could identify the users.

According to the Notification, operators or companies are permitted to use or disclose personal data for purposes beyond telecommunications services, but only with the explicit consent of the phone users. This provision is designed to protect users' privacy while permitting the companies to use personal data for other legitimate purposes, provided the individuals involved are fully informed and have given their consent.

In the case of the two companies, it is evident that neither company has obtained explicit consent from its users for the use and disclosure of their personal data for non-telecommunications service purposes. This lack of consent amounts to a violation of the Notification, which highlights the importance of obtaining prior explicit approval from the users before utilizing their personal data for other purposes.

Mobile phone companies must seek legal advice on personal data protection to fully comply with the laws of Thailand.

 

Bangkok Global Law