II. Legal framework
Constitutional protection for privacy
There are provisions enshrined in the 2007 Thai constitution relating to privacy. Three aspects of privacy can be found in this constitution; namely, physical privacy, information privacy and communications privacy. For physical privacy, there are provisions on liberty of life, person, dwelling, and travelling. For instance, section 32, which deals directly with right and liberty in life of a person, reads:
A person shall enjoy the right and liberty in his life and person. search of person or act affecting the right and liberty under paragraph one shall not be made except by virtue of the law."
Section 33, a guarantee of liberty of dwelling, reads:
A person is protected for his peaceful habitation in and for possession of his dwelling. The entry into a dwelling without consent of its possessor or the search of a dwelling or private place shall not be made except by order or warrant issued by the Courts or there is a ground as provided virtue of the law."
Section 34, a guarantee for liberty of travelling, reads:
A person shall enjoy the liberty of travelling and the liberty of making the choice of his residence within the Kingdom."
Information privacy and personal information is endorsed by section 35, which reads:
A person's family rights, dignity, reputation and the right of privacy shall be protected. The assertion or circulation of a statement or picture in any manner whatsoever to the public, which violates or affects a person's family rights, dignity, reputation or the right of privacy, shall not be made except for the case which is beneficial to the public. Personal data of a person shall be protected from the seeking of unlawful benefit as provided by the law."
There is also a provision that endorses communications privacy in section 36 which prohibits disclosure of communications between persons. Section 36 reads:
A person shall enjoy the liberty of communication by lawful means. The censorship, detention or disclosure of communication between persons including any other act of disclosing a statement in the communication between persons shall not be made except by virtue of the law specifically enacted for security of the State or maintaining public order or good morals."
In 2001, in a historic court case that set a precedent for recognition of privacy in Thai society, the Administrative Court ordered the Anti-Money Laundering Office (AMLO), an independent organisation of the state, to pay compensation to five non-governmental organisation (NGO) activists as a result of the AMLO's unlawful probing into the activists' financial transactions. The Administrative Court ruled that the AMLO had breached the appellants' privacy and had no legal right to investigate their financial transactions, which are considered private information.1
Statutory protections for privacy
As of the beginning of 2012, Thailand still has no comprehensive legislation on privacy or protection of personal data; in other words, it has no sui generis law on privacy. Although there are a number of articles in different pieces of legislation and the constitution that address matters related to privacy in its multifarious dimensions, these provisions mainly deal with privacy in conjunction with other rights and legal protections. There are no direct stipulations about violation of privacy per se, since abuses have typically been framed in terms of trespass, defamation, or breach of trust or confidence instead.
There are, however, provisions in the 1997 Official Information Act,2 which mainly governs information management by state agencies. In part, the Act mentions personal information that is subject to the prohibition of disclosure as written in section 15 of the law. This section provides exceptions to the disclosure function provided that "the disclosure thereof will endanger the life or safety of any person" and this same section prohibits the disclosure of "medical report or personal information if the disclosure will unreasonably encroach upon the right of privacy."3
Section 17 of the same Act also protects the individual's interest if it is deemed that there is worthy cause to disclose personal information kept in government records. It reads:
In the case where a State official is of the opinion that the disclosure of any official information may affect the interests of a person, the State official shall notify such person to present an objection within the specified period ."4
In this law, information privacy appears under the section "Personal Information and Data".5 This section contains five articles that clearly imitate the eight basic fair information principles of the OECD's Guidelines for the Production of Privacy and Transborder Flow of Personal Data. Yet, this rather progressive law (given that it was enacted almost 15 ago) still contains loopholes when it comes to privacy. For instance, access to and disclosure of personal information in government files is prohibited, but with a rather extended list of exemptions addressed primarily to government bureaucracies the court, government officials, and/or government agencies and departments that are identified as the appropriate authorities by other laws or by subsequently enacted royal decrees.
In a separate development, as Thai policy-makers were being caught up in the "information society" discourse in the early to mid-1990s, there was then a clear policy direction to promote widespread diffusion of information and communication technologies (ICTs). This policy direction gave rise to a technocratic initiative to create laws that address automatic information processing and electronic commerce. Starting in 1998, six ICT-related laws were drafted by a working group under the National Information Technology Committee (NITC)6 law project.7 Draft data protection law was also part of the project, inspired by a pressing need to accommodate the European Union's Directive on Transborder Data Flows and on the Protection of Individuals in relation to the Processing of Personal Data.8
After much delay due to frequent changes in government and political instability, the Cabinet, under the Thaksin Shinawatra administration9 in August 2006, agreed in principle to enact the data protection law and forwarded the law to parliament for a reading. Unfortunately, this process was abruptly halted after the coup of 19 September 2006, when the military junta dissolved parliament and toppled the civilian government of Prime Minister Thaksin Shinawatra, leader of the highly popular Thai Rak Thai Party. Under the volatile political circumstances of the ensuing few years, the tabling of the law did not emerge again until November 2009 under the administration of Prime Minister Abhisit Vejjajiva from the Democrat Party. Then, two draft laws on data protection were submitted to Parliament. One was developed from the original draft written during the Thaksin government, after having gone through a reading and some modifications made by the Council of State, while the other was submitted by a group of MPs from the ruling Democrat Party. The main provisions of the two draft laws were reportedly very similar. There are few, quite minor, differences with respect to the number of data protection commissioners. On 6 October 2009, the Cabinet agreed in principle to forward both draft laws for House reading. The next step would be to appoint commissioners for the reading of the draft law. With other legislative priorities and the seemingly lukewarm nature of the data protection legislation, the draft law was kept on the waiting list and has not yet made it to the House Commission's reading phase (as of January 2012).
Supervisory Authority for privacy laws and complaints
In the absence of a sui generis law on privacy, a supervisory authority on privacy is indeed not viable in Thailand. In case of suspected privacy violations, the affected parties who believe their privacy has been breached may forward their case to the Administrative Court or, if the case is telecommunications-related, the National Broadcasting and Telecommunications Commission (NBTC). As stated in the Act on Organisation to Assign Radio Frequency and to Regulate the Broadcasting and Telecommunications Services B.E. 2553, the NBTC is obliged to "protect right and liberty of the people from being exploited by the operators; protect individual right of privacy and freedom to communicate by means of telecommunications "10
The Data Protection Draft Law (2009 version) has, however, proposed a "Personal Data Protection Commission" to be set up under the law, with the following duties:
- To forward comments and recommendations to the Prime Minister on matters related to personal data protection;
- To outline policy, measures, and approaches related to data protection, particularly criteria for data controllers that wish to qualify for the "Data Protection Standards" (Data Trustmarks); and
- To work closely with the Official Information Commissioners in creating a list of "personal data controllers."
Civil society advocacy relating to privacy
Key civil rights activists in Thailand have shown their concerns over online privacy issues, focusing mainly on the absence of data protection laws. Rights activists stress the need for a regulatory mechanism and legal measures establishing personal data protection in Thailand. It merits notice, however, that to date there is not a single NGO whose work principally addresses privacy or privacy-related matters. Privacy issues are usually couched under the rubric of consumer protection or civil rights violations. According to leading consumer rights advocates, Thai consumers are generally unaware of and inactive in putting pressure on record-keeping organisations to enforce privacy safeguards. Although a significant number of consumers are perturbed by direct marketing practices, there has not been a viable movement to protest or seek remedies to the issue. Similarly, on the civil rights front, civic groups have touched lightly on privacy threats under the prolonged enforcement of the Emergency Decree during the politically volatile period of 2010-2011. A case in point was the mass protests in downtown Bangkok during March to May 2011. Identification cards of red-shirt protesters were reportedly impounded by state officials, while surveillance cameras installed in different corners of public thoroughfares captured photos of their political participation and speech without their knowledge or consent. However, without a standing law on privacy there is no ground to press charges or even file complaints in the above cases.
The work of civil society on privacy has been overshadowed by their advocacy on freedom of expression. Thai Netizen Network (TNN), an online advocacy group, and its sister organisation, Siam Intelligence Unit, a think tank with a regularly updated Web site, identified privacy protection as one of their areas. However, their activities do not reflect efforts redressing privacy issues per se. Most of their public education, networking, and policy lobbying have been in the area of promoting freedom of speech. In some cases, in their zealous effort to promote free speech, privacy has, in effect, been overridden. In any case, of late the Thai Netizen Network has been pointing out problems of privacy violations emanating from political surveillance via social networking services like Facebook and Twitter. Cyber-witch hunting through disclosure of personal data emerged quite significantly in the height of the political conflicts that manifested between 2010 and 2011. Many of these violations generally took place because of the lack of understanding of and respect for people's privacy or personal data. Yet, they have continued with little notice or effort at remedy from government officials.
Leading representatives from civil society have highlighted two important problems related to privacy in Thailand. First is the lack of representation from civil society on the state-appointed committee that deals with privacy and data protection-related matters, and second is the lack of social awareness about privacy in Thai society. Since privacy is not an inherent cultural value, a long-standing media activist urged that a public education program on privacy should focus on issues that are concrete and easy to understand. According to Supinya Klangnarong, the former coordinator of the Thai Netizen Network and current member of the NBTC, 11 a good strategy for creating awareness about privacy in Thai society should focus on three aspects civil liberty, the accountability of large record-keeping organisations, and the public interest.
Freedom of information laws
There is a provision in the Thai Constitution that safeguards peoples' right to access information. Section 56 of the constitution 2007 reads:
A person shall have the right to know and have access to public data or information in possession of a Government agency, a State agency, a State enterprise or a local government organisation, unless the disclosure of such data or information shall affect the security of the State, public safety or interests of other persons which shall be protected or purport to be personal data, as provided by law."
Section 57 also ensures the right to receive information from state agencies. It reads:
A person shall have the right to receive data, explanations and reasons from a Government agency, a State agency, a State enterprise or a local government organisation prior to the approval or the operation of any project or activity which may affect the quality of the environment, health and sanitary conditions."
Moreover, any draft bill submitted for parliamentary reading must be open to public scrutiny and details made publicly accessible.12
Deriving from Section 56 of the Constitution, an Official Information Act B.E. 2540, was adopted in 1997 after much mobilisation by civil society activists and professional media organisations. The historic law, the first of its kind in Southeast Asia, contains three broad sections that address the right to access information held in government record-keeping as follows: (1) the structure and organisation of state agencies; (2) the summary of important powers and duties and operational methods; (3) a contacting address for the purpose of contacting the state agencies in order to request and obtain information or advice.13 According to the law, state agencies need also to make available for public inspection official information which is defined as 'any information in possession of or control by a State agency, whether it is the information relating to the operation of the State or the information relating to a private individual'14 and may take the following forms: a policy or draft law, a work-plan, a project, an annual expenditure estimate of the year of its preparation; or a manual or order relating to work procedures of State officials which affect the rights and duties of private individuals.15
An Official Information Board is set up to perform duties such as supervising and giving advice with regard to the performance of duties of state officials and state agencies for the implementation of this Act,16 and submitting a report on the implementation of the Act to the Council of Ministers from time to time as appropriate, but at least once a year.17
If the information is not publicly available, every citizen has the right to request to see the 'official information' and if the request is turned down by the agency in possession of the information, advice may be sought from or a complaint may be filed to the Office of the Official Information Board on the execution of Official Information Act.18
An Information Disclosure Tribunal has also been established to consider and decide appeals against orders prohibiting the disclosure of information.19
A number of cases have been brought to the Information Disclosure Tribunal, most of which were appeals requesting state agencies to disclose information which was not in breach of individual privacy. In a limited number of cases, the person who lodged the appeal requested information overlapping with individual privacy. In one such case, the sister of a patient who was unconscious requested a history of the prescribed medication, the doctor's opinion and the detailed medication bill of the patient from one of the state-run hospitals. The hospital rejected her request. After the sister filed an appeal to the Official Information Tribunal, the hospital was ordered to reveal all the documents requested by the patient's sister.20
- 1. http://prachatai.com/journal/2011/05/34651
- 2. Section 15, Official Information Act B.E. 2540
- 3. Section 15 (5), Official Information Act B.E. 2540
- 4. Section 17, Official Information Act B.E. 2540
- 5. Chapter 3, Official Information Act B.E. 2540
- 6. The NITC was hosted by the technocratic National Electronic and Computer Technology Center (NECTEC) of the Ministry of Science, Technology and Environment.
- 7. The areas addressed by the six draft laws include computer crime, electronic data interchange (EDI), digital signature, electronic commerce, information infrastructure, and data protection. Thus far, only two laws have been passed electronic commerce (which combined digital signature) and computer crime (which was enacted as the Computer Related Offences Act B.,E. 2550 (2007).
- 8. Article 25 of the Directive notably prohibits the transfer of data to a third country that does not provide an adequate level of protection. This provision has created pressure for EU's trading partners worldwide to adopt a data protection law.
- 9. Thaksin Shinawatra, a telecom tycoon-turned politician, was prime minister of Thailand from 2001 to 2006 when he was abruptly oustered in a military coup.
- 10. Section 27 (13), Act on Organization to Assign Radio Frequency and to Regulate the Broadcasting and Telecommunications Services B.E. 2553,
- 11. An interview with Supinya Klangnarong, former media activist and currently commissioner at the National Broadcasting and Telecommunications Commission, on April 18, 2011
- 12. Section 142, Thai Constitution 2007
- 13. Section 7, Official Information Act B.E. 2540.
- 14. Section 4, Official Information Act B.E. 2540.
- 15. Section 9, Official Information Act B.E. 2540.
- 16. Section 28, Official Information Act B.E. 2540.
- 17. Ibid.
- 18. Section 6, Official Information Act B.E. 2540.
- 20. Decision result of The Official Information Disclosure Consideration Board, Decision number POR SOR 1/2553