In March 2024, a Thai court of first instance handed down a decision in a personal data protection case against an insurance company in Thailand. The landmark ruling has important implications for the disclosure of special categories of personal data.
The case concerned an individual, acting as the plaintiff, who filed a claim against an insurance company, as a data controller, and its representatives, for collecting, using, and disclosing the results of the plaintiff's blood alcohol level test, along with a photo of the plaintiff taking the test, without explicit consent, resulting in his insurance claim being rejected. The company also disclosed the data to the insured party, who is the plaintiff's family member, causing the plaintiff to suffer reputational damage, discrimination, humiliation, and ill treatment.
Since results of a blood alcohol level test are considered a special category of personal data pursuant to section 26 of the Personal Data Protection Act B.E. 2562 (2019) (PDPA), the plaintiff filed the claim with the criminal court, requesting that the criminal penalties under the PDPA and the Penal Code be imposed on the defendants, and that the defendants delete or destroy the plaintiff's personal data. The insurance company argued that it had disclosed the test results and the photograph to the plaintiff's family member—as the insured under the insurance agreement—for the purpose of informing the insured of the rejection of the insurance claim.
Considering these facts and reasons, the criminal court ruled that the processing of this special category of personal data was necessary for the defense of the insurance company's legal claims pursuant to section 26(4) of the PDPA, and therefore, explicit consent was not required. As a result, the criminal court dismissed the case.
Key Takeaways
While this case was dismissed, it indicates that explicit consent is not the only legal basis for processing a special category of personal data, and data controllers are able to process personal data as long as there is a lawful purpose and an appropriate legal basis to achieve that purpose. This case also suggests that data subjects are now becoming more aware of their rights in regard to privacy and personal data, which could increase the likelihood of more cases being brought before the courts.
As this ruling was made by the court of first instance, it might be appealed.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.