After the Foodpanda incident, in which the platform removed the delete account button from its application, the right to be forgotten became known to more people. Before the incident, only a few people realized that such a right exists. The right to be forgotten will gain more recognition in the future, since we live in the age of big data. Several countries have adopted laws concerning the right to be forgotten, and others are considering doing so. Thailand is one of the countries that have been looking to pass a law on the subject.
In Thai law, the right to be forgotten may lie within the Personal Data Protection Act (PDPA). First, to address the personal data protection question, it is necessary to identify all the parties in this scenario. In the case of this widely known food delivery application, Foodpanda removed the log out button from the app for an hour without giving any notice to customers. In this case, Foodpanda acted as the “data controller” under the PDPA. Succinctly, Foodpanda is a person or juristic person with the authority to make decisions regarding the collection, disclosure, and use of personal data. In other words, the app has the power to control the personal data of all its users. The term “personal data” means data relating to a particular person, directly or indirectly. The personal data used by Foodpanda may include the customer's residence and telephone number. To elaborate, this information allows that particular person to be identified indirectly. Thus, all the parties in this scenario fit the statutory definitions.
Next, the legal basis for the use of personal data must be identified. The PDPA applies to collection by a data controller or a data processor located in Thailand. Regardless of any purposes established by law, a data controller must obtain consent from the person concerned. However, in our case, that person willingly accepted the terms of agreement provided by the application at the outset. There is implied consent, in that the Foodpanda customer entered into a contract for delivery within a reasonable period. Principally, this is not a case of direct consent given by the customer. Rather, it is a case where the data controller used personal data for a purpose within an exception provided by law. According to section 24(3) of the PDPA, direct consent may not be needed where processing is a matter of contractual necessity for performing an obligation. In other words, a data controller does not have to ask for consent repeatedly where there is a contractual basis for performing that obligation. Hence, the legal basis for Foodpanda's collection of personal information is established.
Subsequently, since all the actors and the specific legal bases are defined, rights and duties arise in this circumstance. As for the rights of data subjects, a data subject may ask the data controller to erase or destroy his or her personal data on the grounds that the withdrawal of consent is claimed to be contractual permission. Once consent is nullified, there is no legal basis for a data controller, or a data processor acting on behalf of a juristic person, to collect personal data. In a practical sense, withdrawing consent shall be as easy as giving it. Nevertheless, this food delivery application made withdrawal through its settings less accommodating, or somehow obscured it. According to Twitter and other social media, the delete account button was temporarily removed for one hour, not long after the assembly against the Thai government. Therefore, we could say that “Foodpanda did not guarantee the right of data subjects to withdraw their consent in conformity with PDPA, resulting in infringement of the right to withdraw”.
On the other hand, regarding the duty of the data controller, Foodpanda did not publicly disclose this technical error without delay. In other words, it did not comply with its duty to ensure the stability of the destruction or erasure system, and no acceptable exception under the Act applied. Foodpanda therefore not only infringed the rights of data subjects, but also breached its duty without reasonable grounds. This leads to both civil and administrative liability under the Act.
Nonetheless, in practice, this legislation may not be enforced effectively because it is barred by the Royal Decree of 8 May 2564 regarding the specification of agencies or businesses of personal data controllers not subject to the Personal Data Protection Act B.E. 2562. Therefore, the PDPA is not applicable and there are no legal remedies for this infringement of rights. As a result, the right to be forgotten may not be guaranteed by Thai law.
Definition of the Right to be Forgotten
The right to be forgotten is considered to be a remedy which entitles a person to demand that information about him or her be removed from search engines. It also refers to demands that a website's host delete certain information. In its expanded definition, the right to be forgotten grants individuals the ability to control information about them. The right to be forgotten is not recognized in international human rights law nor in several countries’ constitutions. As a result, its scope varies from a limited right mentioned in data protection law to notions including the protection of reputation, honor, and dignity. Nevertheless, numerous countries have adopted a right to be forgotten or have been looking to adopt new laws on such a right, such as Section 20 of India’s Personal Data Protection Bill 2019.
The right to be forgotten is recognized by the EU in Article 12 of the EU’s 1995 Data Protection Directive. The decision of the Court of Justice of the European Union (CJEU) in the Google Spain case of 2014 is based on that law. In May 2018, the General Data Protection Regulation (GDPR), which applies to all EU member states, modernized data and privacy protection rules and updated the definition of the right to be forgotten. Article 17 of the GDPR stipulates that, “The data subject shall have the right to obtain from the controller the erasure of personal data concerning him or her without undue delay and the controller shall have the obligation to erase personal data without undue delay.” The right to be forgotten in the 1995 Data Protection Directive only allows individuals to request that their data be erased when it is no longer relevant. However, Article 17 of the GDPR expands the right to grant people control over who can access and use their personal data.
Right to be Forgotten and Foodpanda incident
On 18 July, a photo of a Foodpanda rider joining a demonstration appeared on Twitter. In the evening of the same day, Foodpanda issued a statement saying that it had dismissed the rider. Consequently, many people were frustrated with Foodpanda and started a campaign to cancel it by deleting their accounts, as a way to ban the application for its action towards the rider. After the ban Foodpanda campaign started, several people tweeted that Foodpanda had removed the delete account function from the application.
If Foodpanda’s act of removing the delete account function is considered under the GDPR, then it is a violation of the right to be forgotten. According to Article 17 subsection (a) of the GDPR, people have the right to erase their personal data if the personal data is no longer necessary for the purpose for which an organization originally collected or processed it. In this case, people no longer intend to use the application, so the application is no longer necessary for those who joined the campaign. These facts satisfy Article 17 subsection (a) of the GDPR. The result of Article 17 is that people have the right to delete their accounts and the controller has the obligation to remove the data without delay. Therefore, by eliminating the erase account function from the application, Foodpanda infringed the right to be forgotten and failed to perform its duty arising from Article 17. Nonetheless, the right to be forgotten has not yet been recognized by Thai law.
Application in international law
In Europe, there is law with a similar rationale based on the right to be forgotten, such as Article 17 of the General Data Protection Regulation (GDPR), which contains the principle that data may be deleted from online platforms if the data meet the conditions within the article. The concept of this right is based on the fundamental right or need of individuals to live their lives autonomously without being stigmatized as a consequence of actions performed in the past, especially when these events occurred many years ago and are no longer necessary in the contemporary context.
This article is called ‘the right to erasure’. It allows Europeans to withdraw their consent to the processing of their personal data and obligates the controller to erase that online personal data if it is no longer necessary for the purpose for which it was collected or if the data has been unlawfully processed, in order to limit customers’ personal risks from data breaches at the organization.
The principle behind this provision, the right to be forgotten, has been applied not only in Article 17 but in other laws as well. For example, Mario Costeja González, a Spanish national, lodged a complaint with the Spanish Data Protection Agency (the AEPD) against the publisher of a daily newspaper in Spain, La Vanguardia, and against Google Spain.
Mr. Costeja González stated that, when an internet user entered his name in the Google search engine, his name appeared on pages of La Vanguardia. Those pages contained an announcement for a real-estate auction organised following attachment proceedings for the recovery of social security debts owed by Mr. Costeja González. Accordingly, Mr. Costeja González requested that the newspaper delete or alter the pages in question. Furthermore, he requested that Google Spain remove or conceal the personal data relating to him so that his personal data would no longer appear, as the attachments concerning him had been amended for years and reference to them was irrelevant in the contemporary context.
Subsequently, applying Articles 12 and 14 of Directive 95/46, the European court ruled that the case shall be interpreted in a way that complies with the rights laid down in those provisions. Where the conditions laid down by those provisions are satisfied, as in this case, the operator of a search engine is obliged to remove the attachment and the links from the person’s name to web pages published by third parties and containing information relating to that person, even where that name or information is not erased beforehand or simultaneously from those web pages, and even, as the case may be, when its publication on those pages is in itself lawful.
Personal data can be harmful to individuals if it is collected or published against their will, and this is true not only of current information but also of data that is no longer relevant to the contemporary context. We shall therefore respect these boundaries of individuals and conform with the right to be forgotten. We strongly encourage Thai society to recognize and gradually apply this right in every online case, to protect our society and prevent such harm.