Data Privacy Law in the Language of Trust Relationship in U.S. and Singapore: A Model for Thai Personal Data Protection
- Author(s): Phusamruat, Visakha
- Advisor(s): Mayali, Laurent
- et al.
This dissertation aims at a better understanding of the role of data privacy law in
promoting organization-individual trust relationship. It focuses on data security breaches
in U.S. and Singapore, and the interactions of the regulatory designs, agency
implementations and the emergence of organization’s post-breach responses towards
affected individuals that reflects and reinforces the value of trust in their relationship.
Examining the divergent approaches adopted by U.S. and Singapore provides lessons for
a regulatory design for privacy in Thailand.
Based on the comparative analysis of the selected data security breach decisions from the
key regulators in both jurisdictions—the Federal Trade Commission (FTC) and the
Personal Data Protection Commission (PDPC)—and on the U.S. and Singapore’s
organizational perception of privacy, the study found a divergence as to the U.S. and
Singapore design and enforcement approach to individual-organization trust relationship.
The non-right-based privacy of the Singaporean Personal Data Protection Act, coupled
with the enforcement agency’s interpretation, constructs the direct venue and the gap for
organizations to perform trustful behaviors towards individuals following the breach.
Desirable post-breach responses from organizations are consistently witnessed from the
PDPC decisions such as voluntary and prompt notification and remedies provided to
individuals, and the Personal Data Protection Commission’s interpretation covers
individual interests informed by values in the society. The regulatory design aligns its ‘no
ideal of privacy’ with the organization’s perception and more established practices based
on trust relationship on the ground and the PDPC mitigating criteria applied to induce
organization in initiating voluntary post-breach responses towards better protection of
individual privacy interests.
Despite more established culture of privacy among U.S. corporations, the integrated
practices on the ground, and the long-standing enforcement against unreasonable data
security practices under Section 5 of the FTC Act, its current mechanism does not
facilitate a venue for trust relationships that drive organizational post-breach responses
towards individuals. Unlike the PDPC, the FTC enforcement does not formally recognize
post-breach responses of organizations consistently. In a small number of cases where
those post-breach responses were recognized, only limited normative implications can be
inferred from those contexts. Much ambiguity and uncertainty due to the unclear
boundary of liabilities set under Section 5 has left organization actors with high risks,
without adequate assurance for organizations to perform desirable post-breach behaviors.
The legal ideal of U.S. privacy rightness, as exemplified by Section 5, is based on the
notions of self-control, independence and informational duties, and does not cover
broader individual privacy interests, which could be promoted through trust relationships.
The U.S.’s consumer protection approach, in tandem with Singapore’s trust relationship
based approach of Singapore provide a great lens for Thailand to meet the dual legal
ideals of privacy rightness and promoting trust relationship. Thai specific conditions and
this hybrid iteration have led to the implementation in a complementary ways. The
pending Personal Data Protection Bill of 2018 and regulatory oversight should allow
organizations with some limited space to practice exercising discretion towards desirable
post-breach responses, alongside mitigating penalties imposed by the regulator to
encourage these desirable practices. Rather than treating the breach notification and
post-breach responses as reporting duties, the Thai Bill could offer an opportunity to
cultivate privacy awareness and enhance an organization’s trustful behaviors towards
affected individuals. The consumer protection provisions regarding advertisings could be
interpreted by the Thai consumer protection agency to trigger investigations against
unfair and deceptive data security practices, and regulate consumer contracts in
businesses involved in handling sensitive personal data. This consumer protection-based
model would provide a readily available means to protect consumer privacy interests,
engage media and public vigilance to uncover breach incidents and increase individual
and organizational awareness of privacy and data security.