Criminal Law Enforcement and Penal Sanctions for the Illegal Sale of Personal Data in Thailand
Main Article Content
Abstract
This research examines the adequacy of Thailand’s legal framework in deterring and sanctioning the illegal sale of personal data, with particular attention to enforcement under the Personal Data Protection Act B.E. 2562 (PDPA). Using a qualitative documentary approach grounded in legal hermeneutics, the study analyzes statutory provisions, doctrinal writings, and comparative legal standards to evaluate whether current sanctions achieve proportionality and deterrence in the context of cross-border and technology-driven data markets. The findings reveal a critical loophole: Section 80 of the PDPA imposes criminal liability primarily on state officials, thereby excluding private individuals and non-state actors—who constitute a major source of unlawful data trading—from direct criminal accountability. In addition, the penalties available under relevant Thai laws are comparatively mild when benchmarked against international standards, where regimes such as the GDPR and the UK Data Protection Act 2018 authorize significantly higher financial sanctions and more robust enforcement mechanisms. The hermeneutic method is particularly suited to this inquiry because it enables interpretation of legislative intent, structural gaps, and practical enforceability across intersecting legal instruments, addressing jurisdictional complexity and evidentiary barriers that cannot be resolved through purely textual comparison of statutes. Based on these findings, the study proposes legal reforms including the expansion of criminal liability to private actors, clearer definitional elements of “unlawful data sale,” and a tiered sanction model designed to strengthen deterrence while preventing over-criminalization. These reforms aim to align Thai enforcement capacity with the realities of contemporary personal data trafficking and transnational digital crime.
Article Details
References
Anderson, R., Barton, C., Böhme, R., Clayton, R., Van Eeten, M., Levi, M., Moore, T., & Savage, S. (2019). Measuring the changing cost of cybercrime. Proceedings of the 28th International World Wide Web Conference (WWW 2019), 1–11. https://doi.org/10.1145/3308558.3313537
BBC News Thai. (2024, March 17). PDPA: What can and cannot be done under Thailand’s Personal Data Protection Act and the exceptions to consent requirements. https://www.bbc.com/thai/thailand-61642823
Computer Crime Act B.E. 2550 (2007) (as amended by the Computer Crime Act (No. 2) B.E. 2560 (2017)). Royal Thai Government Gazette.
Constitution of the Kingdom of Thailand. (2017). Constitution of the Kingdom of Thailand B.E. 2560 (2017). Government of Thailand. https://constitutionnet.org/sites/default/files/2017-05/CONSTITUTION+OF+THE+KINGDOM+OF+THAILAND+(B.E.+2560+(2017)).pdf
Creswell, J. W., & Poth, C. N. (2018). Qualitative inquiry and research design: Choosing among five approaches (4th ed.). SAGE Publications. https://books.google.co.th/books?id=gX1ZDwAAQBAJ
Criminal Code B.E. 2499 (1956). Royal Thai Government Gazette.
European Union. (2016). Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (General Data Protection Regulation). Official Journal of the European Union, L 119, 1–88.
Government of Thailand. (2017). Constitution of the Kingdom of Thailand B.E. 2560 (2017). Government of Thailand.
Hart, H. L. A. (1968). Punishment and responsibility: Essays in the philosophy of law. Clarendon Press. PhilPapers
Information Commissioner’s Office (ICO). (2023). Data Protection Act 2018. https://ico.org.uk/about-the-ico/what-we-do/legislation-we-cover/data-protection-act-2018/ ICO
Khamsom, J., Areerat, T., & Lekdee, A. (2024). Development of an information management model in accordance with the Personal Data Protection Act for Rajabhat Universities. Journal of Technology Management Rajabhat Maha Sarakham University, 11(1), 42–55.
Legislation.gov.uk. (2024). Data Protection Act 2018. Retrieved March 18, 2025, from https://www.legislation.gov.uk/ukpga/2018/12/contents Legislation.gov.uk
Miles, M. B., Huberman, A. M., & Saldaña, J. (2019). Qualitative data analysis: A methods sourcebook (4th ed.). SAGE Publications. https://www.metodos.work/wp-content/uploads/2024/01/Qualitative-Data-Analysis.pdf
Office of the Personal Data Protection Committee. (2024a, March 17). PDPA information guide. https://www.pdpc.or.th/pdpc-book/pdpa-information
Office of the Personal Data Protection Committee. (2024c, March 18). European Union Convention on the Protection of Personal Data. https://www.pdpc.or.th/3442/
Personal Data Protection Act B.E. 2562 (2019). Royal Thai Government Gazette.
Rattanapornsuwan, N. (2023). Public awareness and understanding of the Personal Data Protection Act among citizens in Bangkok. Journal of Roi Kaensarn Academi, 8(9), 200–208. https://so02.tci-thaijo.org/index.php/JRKSA/article/view/262948
Royal Thai Government Gazette. (2019, May 27). Personal Data Protection Act B.E. 2562 (2019) (Vol. 136, Part 69 A). https://www.ratchakitcha.soc.go.th/DATA/PDF/2562/A/069/T_0052.PDF
State of California Department of Justice, Office of the Attorney General. (2024, March 18). California Consumer Privacy Act (CCPA). https://oag.ca.gov/privacy/ccpa
Suraratchai, R. (2023). The guidelines for personal data protection in criminal investigation. Chulalongkorn Law Journal, 41(1), 103–137.
United Nations Human Rights Council. (2018). Promoting and protecting human rights in the context of the illicit trade in personal data (A/HRC/39/49). United Nations. https://docs.un.org/en/A/HRC/39/49
United Nations Human Rights Council. (2018). Promoting and protecting human rights in the context of the illicit trade in personal data (A/HRC/39/49). United Nations. https://docs.un.org/en/A/HRC/39/49
Wipulakhom, S., & Pitiyasak, S. (2021). Problems concerning personal data protection laws: A case study of biodata types. Veridian E-Journal, Silpakorn University, 34(2), 36–59.
Wolford, B. (2024). What is GDPR, the EU’s new data protection law? GDPR.EU. https://gdpr.eu/what-is-gdpr/ GDPR.eu
