Individual Control over Alternative Credit Data via Notice-and-Consent Mechanism under the Thai Personal Data Protection Law

Kriengsak Areejitkasame

Abstract

The purpose of this research paper is to find an effective way to give the data subject proper individual control over personal information via a notice-and-consent mechanism in the processing of alternative credit data under the Thai personal data protection law.


This study employed a qualitative research method: (1) reviewing the origin, legal concept, and practice of protecting personal data by giving the data subject individual control over personal information via a notice-and-consent mechanism; (2) examining the legal criteria and elements that determine the notice-and-consent mechanism in the processing of alternative credit data; and (3) analyzing and evaluating whether the Thai personal data protection law properly provides the data subject with individual control over personal information via the notice-and-consent mechanism in the processing of alternative credit data, by comparing the Thai law with international measures, frameworks, laws, and relevant cases.


This study found that (1) the legal concept of granting individual control over personal information, especially via notice and consent, has long played a key role in information privacy law and has been widely adopted in the credit process; (2) the processing of alternative credit data presents the risks of failure to inform, lack of freedom to choose and decide, and improper reuse and repurposing, all of which undermine individual control; (3) although the Thai Personal Data Protection Act (PDPA), 2019 (B.E. 2562) has provided fair individual control over personal information relating to alternative credit data processing, it still has certain limitations, including inflexible and impractical notice and consent and a lack of clear guidance on subsequent use of personal data. This study therefore recommends that the relevant Thai authorities impose stricter requirements under the PDPA or issue financial regulations that focus on understandability for the data subject, establish more resilient, substantive, and consumer-centric notice and consent, and ensure the controller's accountability.

Article Details

Section
Research Article
