Thailand: PDPA compliance and challenges - Development of the insurance industry in 2024

In brief

On 1 December 2023, the Ministry of Digital Economy and Society (MDES), the Office of Insurance Commission (OIC), the Thai General Insurance Association (TGIA), the Thai Life Assurance Association (TLAA) and the Thai Insurance Brokers Association (TIBA) met at the MDES to discuss plans and measures for preventing and resolving personal data breaches in the insurance business sector. At the PDPA center opening ceremony on 29 January 2024, the Office of the Personal Data Protection Commission (PDPC) signalled an increasingly proactive stance in monitoring compliance with the Personal Data Protection Act (PDPA), with a focus on intensified enforcement.

In this alert, we provide a summary of the meeting, including some of the key issues and strategies discussed, keeping you informed about trends in the enforcement of the PDPA and industry challenges in 2024.



In more detail

The intersection of data protection and the insurance industry has become increasingly significant over the past year. It is worth reflecting on the data protection developments and trends that shaped the past year and looking ahead to what to expect in 2024. On Friday 1 December 2023, a meeting took place at the MDES between the Ministry of Digital Economy and Society (MDES), the Office of Insurance Commission (OIC), the Thai General Insurance Association (TGIA), the Thai Life Assurance Association (TLAA) and the Thai Insurance Brokers Association (TIBA) to discuss plans and measures for preventing and resolving personal data breaches in the insurance business sector.

Since Thailand's first consolidated data protection law became fully enforceable in June 2022, Thai businesses, insurers included, have tightened their data privacy policies. Recently, however, a slew of negative media coverage of personal data violations in the insurance business sector prompted the relevant regulators to act, culminating in the meeting at the MDES.

In this alert, we provide an update and summary of the meeting, including the key issues and strategies discussed, to keep you informed about trends in the enforcement of the Personal Data Protection Act (PDPA) by the relevant regulators and about the industry's compliance challenges in 2024.

1. Insurance industry under the radar of regulators

1.1. Meeting background

The meeting was prompted by the following key factors:

  1. Recent news of personal data breaches in the insurance business sector that attracted public attention.
  2. The government's policies placing significant importance on the protection of personal information.

1.2. The MDES's policies

The meeting was chaired by the Minister of Digital Economy and Society, who outlined the MDES's policies on personal data protection as follows:

  1. The MDES seeks cooperation from associations and networks within the insurance industry to prevent future incidents that undermine the rights and freedoms of data subjects. Urgent investigations are needed to determine whether there have been other violations of customers' personal data similar to those reported by news outlets.
  2. The MDES intends to intensify inspection and control measures and to supervise more stringently the promotional activities conducted by employees or representatives of insurance companies. This includes introducing measures to prevent an insurer's employees or agents from infringing customers' personal data, and in particular to prevent personal data from being traded illegally.
  3. The MDES requests that the Office of the Personal Data Protection Commission (PDPC) collaborate with the OIC in closely supervising the protection of citizens' personal data in the insurance business sector, including closely monitoring the situation and taking action in related areas where violations of or non-compliance with the PDPA are identified.

In this regard, those affected by personal data violations can file a formal complaint with the MDES. The MDES will then investigate and impose administrative penalties on companies that violate or fail to comply with the PDPA.

1.3. Issues that were discussed during the meeting

  1. The PDPC and OIC are to jointly establish a center for monitoring personal data violations in the insurance business sector, named the "OIC Center - PDPA Eagle Eye", to enhance the inspection and supervision of personal data protection in this sector. The center will also increase oversight of organizations, insurance brokers and related persons, ensuring strict compliance with personal data protection measures within insurance business networks, in accordance with the guidelines set out by the OIC and PDPC.
  2. The PDPC and OIC indicated that the relevant insurance business network associations will jointly prepare and announce guidelines to serve as the standard for the appropriate handling of personal data protection in the insurance business sector.
  3. All relevant sectors should intensify supervision of relevant personnel, for example by incorporating personal data protection law into the curriculum for obtaining or renewing licenses as agents, brokers and the like.

1.4. Operational guidelines

At the meeting, the recommended measures for the insurance business sector were discussed, for example:

  1. To check and ensure that every organization among the insurance stakeholders strictly complies with the PDPA.
  2. To monitor for leaks of personal data on websites and other channels.
  3. To verify that personal data is collected and disclosed only to the extent necessary for the stated purposes.
  4. To supervise personnel within the organization properly so that personal data is not sold or disclosed illegally.
  5. To organize training sessions to educate personnel within the organization and raise their awareness of personal data protection.

2. Challenges in 2024

In addition to the approach and recommendations above, the following key points could present compliance challenges for the industry in terms of data protection requirements.

2.1. The issuance of a number of sub-regulations under the PDPA

Since the end of 2023, several sub-regulations have been issued under the PDPA, such as the data protection officer regulation and the cross-border transfer obligations. Businesses, including those in the insurance industry, must keep up with the latest regulations and guidelines to remain fully compliant. The complexity and volume of these sub-regulations can make it challenging to navigate and adhere to them in a timely and accurate manner.

2.2. Discrepancies with the EU GDPR

Discrepancies between the PDPA and the EU GDPR have become more apparent. While many PDPA provisions are derived from the EU GDPR, the regulator's sub-regulations have tended not to follow the GDPR as closely. Businesses that are GDPR-compliant therefore need to revisit their operations and ensure continued, full compliance with the PDPA separately from their GDPR compliance.

2.3. Enforcement trends

Enforcement by the data protection regulator is undergoing a significant shift in 2024, marked by a surge in complaints filed with the Office of the PDPC and in administrative orders issued. As of January 2024, 394 complaints had been filed and 91 administrative orders had been issued by the PDPC. In the insurance industry in particular, the PDPC has proactively investigated issues concerning insurance companies and insurance brokers when they appear in the news. For example, one case involved the controversial collection of personal data through students' homework and questionnaires at school. The PDPC also issued an administrative order against an insurance company for conducting telemarketing using personal data purchased from another company before the PDPA came into force. The number of data protection lawsuits is also rising, with courts handing down decisions in both civil and criminal cases, particularly on the illicit trade of personal data.

At the PDPA center opening ceremony on 29 January 2024, the PDPC indicated that it will be more proactive in monitoring compliance with the PDPA, with a focus on intensifying enforcement. In recent months, the PDPC has actively investigated compliance issues and intervened in instances of personal data breaches. More intense enforcement from the PDPC and the courts is expected, including the imposition of civil and criminal penalties. Given the administrative orders issued so far, fines are also likely to follow the initial leniency of rectification orders during the early stages of enforcement.

In light of this, staying informed about the latest regulations, monitoring and addressing discrepancies with the EU GDPR, and proactively adapting operations can help businesses navigate these challenges and maintain compliance in the year ahead.

We hope that the above update provides valuable insights into the current regulatory momentum in the insurance industry from the perspective of data protection laws.

We will be closely monitoring the development of this matter and will keep you updated.


Copyright © 2024 Baker & McKenzie. All rights reserved. Ownership: This documentation and content (Content) is a proprietary resource owned exclusively by Baker McKenzie (meaning Baker & McKenzie International and its member firms). The Content is protected under international copyright conventions. Use of this Content does not of itself create a contractual relationship, nor any attorney/client relationship, between Baker McKenzie and any person. Non-reliance and exclusion: All Content is for informational purposes only and may not reflect the most current legal and regulatory developments. All summaries of the laws, regulations and practice are subject to change. The Content is not offered as legal or professional advice for any specific matter. It is not intended to be a substitute for reference to (and compliance with) the detailed provisions of applicable laws, rules, regulations or forms. Legal advice should always be sought before taking any action or refraining from taking any action based on any Content. Baker McKenzie and the editors and the contributing authors do not guarantee the accuracy of the Content and expressly disclaim any and all liability to any person in respect of the consequences of anything done or permitted to be done or omitted to be done wholly or partly in reliance upon the whole or any part of the Content. The Content may contain links to external websites and external websites may link to the Content. Baker McKenzie is not responsible for the content or operation of any such external sites and disclaims all liability, howsoever occurring, in respect of the content or operation of any such external websites. Attorney Advertising: This Content may qualify as “Attorney Advertising” requiring notice in some jurisdictions. To the extent that this Content may qualify as Attorney Advertising, PRIOR RESULTS DO NOT GUARANTEE A SIMILAR OUTCOME. 
Reproduction: Reproduction of reasonable portions of the Content is permitted provided that (i) such reproductions are made available free of charge and for non-commercial purposes, (ii) such reproductions are properly attributed to Baker McKenzie, (iii) the portion of the Content being reproduced is not altered or made available in a manner that modifies the Content or presents the Content being reproduced in a false light and (iv) notice is made to the disclaimers included on the Content. The permission to re-copy does not allow for incorporation of any substantial portion of the Content in any work or publication, whether in hard copy, electronic or any other form or for commercial purposes.