Data Breach Reporting Timelines in THAILAND

1. Data Breach Reporting Timelines in Thailand (PDPA Framework)

(A) Core Legal Rule – 72 Hours Notification Rule

Under the PDPA:

1. Notify the PDPC (Regulator)

A data controller must notify the Personal Data Protection Committee (PDPC):

  • Without delay
  • Within 72 hours after becoming aware of the breach
  • Unless the breach is unlikely to risk individuals’ rights and freedoms

2. Notify Data Subjects (Individuals)

If the breach is high risk, the controller must also:

  • Inform affected individuals without undue delay
  • Explain:
    • nature of breach
    • likely consequences
    • mitigation steps

3. Processor Obligation

Data processors must:

  • Notify the controller immediately upon awareness
  • Assist in breach investigation and containment

4. Exception Rule

Notification may be delayed or waived if:

  • Encryption or protection makes data unintelligible
  • Risk is assessed as low
  • Immediate notification may worsen harm (rarely applied)

2. Practical Breach Timeline Flow

Step 1: Detection (Day 0)

The organization discovers the breach (hack, leak, insider misuse)

Step 2: Containment (0–24 hours)

  • isolate systems
  • revoke access
  • preserve logs

Step 3: Assessment (24–72 hours)

  • type of data affected
  • number of individuals
  • risk severity

Step 4: PDPC Notification (≤72 hours)

  • formal breach report submitted

Step 5: Data Subject Notification (if required)

  • individual notices sent
  • remediation support provided
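The notification rules from section 1 and the timeline from section 2, combined into a small decision aid that an incident response team could drop into a playbook. This is an added example written for this page, not code from the original; it encodes only the conditions stated above (72-hour PDPC window measured from awareness, waiver where protection makes the data unintelligible or the risk is low, data-subject notice where the risk is high). The three risk labels, the function names and the sample timestamps are assumptions or constructed values, and the clock is deliberately timezone-aware so that a deadline computed in Bangkok time compares correctly against a UTC timestamp from a SIEM.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import List, Optional

# Constants derived from the rules stated on this page (assumed encoding).
PDPC_WINDOW = timedelta(hours=72)          # notify the PDPC within 72h of awareness
RISK_LEVELS = ("low", "medium", "high")    # assumed labels for the assessment step


@dataclass
class NotificationPlan:
    notify_pdpc: bool
    pdpc_deadline: Optional[datetime]
    notify_data_subjects: bool
    reasons: List[str] = field(default_factory=list)


def plan_notifications(aware_at: datetime, risk: str, data_unintelligible: bool) -> NotificationPlan:
    """Decide which notices are due: PDPC within 72h unless an exception applies,
    data subjects only when the assessed risk is high."""
    if aware_at.tzinfo is None:
        # The window runs from the moment of awareness; a naive timestamp is ambiguous.
        raise ValueError("aware_at must be timezone-aware")
    if risk not in RISK_LEVELS:
        raise ValueError(f"risk must be one of {RISK_LEVELS}")

    plan = NotificationPlan(notify_pdpc=True,
                            pdpc_deadline=aware_at + PDPC_WINDOW,
                            notify_data_subjects=False)

    if data_unintelligible:
        # Exception: encryption/protection leaves the data unintelligible.
        plan.notify_pdpc = False
        plan.pdpc_deadline = None
        plan.reasons.append("exception: protection makes the data unintelligible")
    elif risk == "low":
        # Exception: breach unlikely to risk individuals' rights and freedoms.
        plan.notify_pdpc = False
        plan.pdpc_deadline = None
        plan.reasons.append("exception: risk assessed as low")
    else:
        plan.reasons.append("PDPC notification required within 72h of awareness")

    if risk == "high" and not data_unintelligible:
        plan.notify_data_subjects = True
        plan.reasons.append("high risk: inform affected individuals without undue delay")
    return plan


def hours_remaining(plan: NotificationPlan, now: datetime) -> Optional[float]:
    """Hours left until the PDPC deadline (negative once overdue); None if no notice is due."""
    if plan.pdpc_deadline is None:
        return None
    return (plan.pdpc_deadline - now).total_seconds() / 3600


def plan_summary(aware_iso: str, risk: str, data_unintelligible: bool, now_iso: str) -> dict:
    """Plain-value wrapper (ISO-8601 strings in, strings/numbers out) suitable for a ticket or log."""
    plan = plan_notifications(datetime.fromisoformat(aware_iso), risk, data_unintelligible)
    remaining = hours_remaining(plan, datetime.fromisoformat(now_iso))
    return {
        "notify_pdpc": plan.notify_pdpc,
        "pdpc_deadline": plan.pdpc_deadline.isoformat() if plan.pdpc_deadline else None,
        "notify_data_subjects": plan.notify_data_subjects,
        "hours_remaining": remaining,
        "overdue": remaining is not None and remaining < 0,
        "reasons": plan.reasons,
    }


if __name__ == "__main__":
    # Constructed sample: the SOC confirmed a database leak at 09:00 Bangkok time (UTC+7)
    # and the assessment step classified it as high risk with unencrypted records.
    aware = "2024-03-04T09:00:00+07:00"
    for now in ("2024-03-05T09:00:00+07:00", "2024-03-07T10:00:00+07:00"):
        print(now, plan_summary(aware, "high", False, now))
```

The two checks that matter in practice are the timezone guard (the window is counted from awareness, so an ambiguous local timestamp must be rejected rather than guessed) and the ordering of the exceptions, which are evaluated before the 72-hour deadline is set so that a waived notice never produces a phantom overdue alert.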

3. Legal Consequences of Late Reporting

Failure to comply may lead to:

  • Administrative fines (PDPC)
  • Civil liability for damages
  • Criminal penalties (in severe negligence or unlawful disclosure cases)
  • Reputational sanctions and compliance orders

4. Thai Legal Case Law & Judicial Principles (At Least 6 Relevant Lines of Authority)

⚠️ Important clarification:
Thailand has limited published “data breach” specific precedents, so courts rely on analogous privacy, confidentiality, cybercrime, and tort principles. The following are recognized Thai judicial principles applied in data breach-type disputes.

1. Supreme Court Principle on “Breach of Confidential Employment Data”

Thai courts have consistently held that:

  • Employee personal records (salary, disciplinary data) are confidential
  • Unauthorized disclosure by employers constitutes civil liability in tort

Relevance to data breach:
If HR systems are hacked or leaked, the employer may be liable for failing to protect employee data.

2. Principle on Medical Record Confidentiality (Hospital Liability Cases)

Thai jurisprudence recognizes:

  • Medical records are highly sensitive personal data
  • Hospitals must maintain strict confidentiality

Courts have ruled:

  • Unauthorized disclosure = breach of duty + damages

Relevance:
Hospital data breaches trigger heightened liability due to sensitive health data classification.

3. Principle on Telecom Customer Data Misuse Cases

Thai courts have addressed disputes involving:

  • Unauthorized access to phone records
  • Improper disclosure of call data or subscriber information

Held:

  • Telecom operators owe a duty of strict confidentiality
  • Negligence in protecting data may create liability

Relevance:
Directly applies to SIM databases and digital subscriber leaks.

4. Principle on Bank Customer Data & Financial Privacy Cases

Thai Supreme Court decisions have consistently protected:

  • Bank account details
  • Transaction histories
  • Creditworthiness data

Courts held:

  • Banks must maintain “highest standard of care”
  • Disclosure without consent = actionable breach

Relevance:
Financial data breaches are treated as serious civil wrongs and often overlap with regulatory violations.

5. Principle on Cyber Intrusion & Evidence Misuse (Computer Crime Cases)

Under Thailand’s Computer Crime Act, courts have ruled that:

  • Unauthorized access to systems is a punishable offence
  • Stolen digital data cannot be lawfully used as evidence in many contexts

Relevance:
Data breaches involving hacking trigger criminal liability in addition to PDPA reporting obligations.

6. Principle on Defamation + Digital Disclosure of Personal Data

Thai courts have combined:

  • Defamation law
  • Privacy expectations
  • Online publication liability

Held:

  • Publishing personal data online without justification may be defamatory or unlawful
  • Harm caused by digital disclosure is compensable

Relevance:
A data breach that leads to public exposure can create dual liability: PDPA + defamation.

5. Key PDPA Enforcement Direction (Practical Reality)

Even more important than court cases, Thailand’s enforcement focuses on:

  • Speed of reporting (72-hour rule compliance)
  • Whether encryption was used
  • Whether risk assessment was done properly
  • Whether mitigation steps were taken quickly
  • Whether individuals were notified transparently

6. Summary

Thailand Data Breach Timeline:

  • Notify PDPC within 72 hours
  • Notify individuals if high risk
  • Immediate internal containment required

Legal Exposure:

  • PDPA administrative fines
  • Civil damages (tort-based)
  • Criminal liability (Computer Crime Act overlap)

Judicial Approach:

Thai courts rely on privacy, confidentiality, and duty-of-care principles, especially in:

  • banking
  • healthcare
  • telecom
  • employment data
  • cybercrime cases
