Thailand’s Personal Data Protection Act (PDPA) will enter into effect on May 27th of this year. While official guidelines for complying with the PDPA are still scant, many businesses have recognized the need to review their data collection policies and business processes in preparation for the May 2020 deadline.
In a prior article, we discussed the background and conceptual framework of the PDPA. In this piece, we take a deeper look at the implementation issues surrounding data protection and privacy laws by drawing on actual EU case studies involving the GDPR. Given that the PDPA is heavily influenced by the GDPR and has adopted many similar standards, the EU experience should provide useful lessons for Thai organisations and businesses. In particular, we look at the rationale for organisations to collect and use personal data on grounds of legitimate interest.
While personal data protection laws generally require the individual’s consent for the collection and processing of data, the GDPR and PDPA provide for exemptions where data is collected on grounds of legitimate interest.
Legitimate interest is not defined in law; it is generally deemed to be a circumstance where there is a compelling justification for the collection and use of personal data and where the impact on the individual’s privacy rights is minimal. While this lends flexibility to the law, it also creates considerable uncertainty for businesses seeking to maintain compliance. The GDPR does, for instance, cite fraud prevention and security as examples of potential grounds for legitimate interest.
The UK’s Information Commissioner’s Office (ICO) explains that using the legitimate interest basis for collecting and processing personal data requires a three-pronged test. Firstly, there must be a compelling purpose for using the data. Secondly, the use of the data must be necessary for that purpose. Thirdly, the legitimate interest must be balanced against the individual’s interests. The PDPA also adopts this balancing act – the necessity for the collection and use of personal data must be weighed against the fundamental rights of the individual whose personal data is being used.
The CCTV cases
To consider how legitimate interest plays out in the real world, we look to two cases involving the use of CCTV footage by an employer for disciplinary action that were adjudicated before the Irish Data Protection Commission in 2017.
In the first case, a company offering security services had assigned an employee to serve as a night security officer at a client’s site. The security company had reason to suspect that the employee had been routinely absent from the assigned post and requested the client’s CCTV footage to verify the employee’s location while on duty. The investigation confirmed the employee’s absence and disciplinary actions were imposed. The Data Protection Commission found that the use of the employee’s personal data (i.e. CCTV images) represented a legitimate interest that outweighed the employee’s data privacy rights.
In the second case, the fact pattern was similar, though this time it related to an employee of a toll collection company. Here the employer used CCTV and audio records to confirm that its service engineer employee had threatened the security of the client’s toll system. The employee was disciplined and prohibited from servicing the client in the future. Some time later, the employer requested and received the CCTV footage and audio recording of the incident from the client, presumably to keep as a record. Here, the Data Protection Commission ruled that the toll company had not demonstrated sufficient legitimate interest in the disclosure of the service engineer’s personal data and was thus in violation of the GDPR.
The above cases demonstrate that legitimate interest can be narrowly defined, is time sensitive, and requires a balancing act on a case-by-case basis. The fact that an employer may have legitimate interest to collect or use an employee’s personal data to ensure that the employee had properly performed his or her responsibilities does not imply a blanket exemption.
The collection and use of personal data on grounds of legitimate interest is specific and purpose driven – data must be used for an intended purpose and only during the window of time where such purpose or need exists.
Refer to Section 24(6) of the PDPA.
The Thailand Personal Data Protection Act – and What It Means for Business
On 28 February, the National Legislative Assembly approved the Personal Data Protection Act (“PDPA”). The Act is aimed at regulating the lawful collection, use, or disclosure of personal data that can directly or indirectly identify a natural person – but does not apply to the data of a deceased person. The Act also provides a framework for how personal data is to be processed. The PDPA, which in many ways resembles a similar initiative in Europe (the General Data Protection Regulation, known as the GDPR), requires a data controller (a natural person or a legal person) who has the authority to decide on the collection, use, or disclosure of personal data to follow guidelines in an effort to protect each data owner.