eScholarship
Open Access Publications from the University of California

Data Privacy Law in the Language of Trust Relationship in U.S. and Singapore: A Model for Thai Personal Data Protection

  • Author(s): Phusamruat, Visakha
  • Advisor(s): Mayali, Laurent
  • et al.
No data is associated with this publication.
Abstract

This dissertation aims at a better understanding of the role of data privacy law in promoting the organization-individual trust relationship. It focuses on data security breaches in the U.S. and Singapore, and on the interactions among regulatory designs, agency implementations, and the emergence of organizations’ post-breach responses towards affected individuals that reflect and reinforce the value of trust in their relationship. Examining the divergent approaches adopted by the U.S. and Singapore provides lessons for a regulatory design for privacy in Thailand.

Based on a comparative analysis of selected data security breach decisions from the key regulators in both jurisdictions—the Federal Trade Commission (FTC) and the Personal Data Protection Commission (PDPC)—and on U.S. and Singaporean organizational perceptions of privacy, the study found a divergence between the U.S. and Singapore in their design and enforcement approaches to the individual-organization trust relationship. The non-right-based privacy of the Singaporean Personal Data Protection Act, coupled with the enforcement agency’s interpretation, constructs the direct venue and the gap for organizations to perform trustful behaviors towards individuals following the breach. Desirable post-breach responses from organizations, such as voluntary and prompt notification and remedies provided to individuals, are consistently witnessed in the PDPC decisions, and the Personal Data Protection Commission’s interpretation covers individual interests informed by values in the society. The regulatory design aligns its ‘no ideal of privacy’ with the organization’s perception and more established practices based on trust relationships on the ground and the PDPC mitigating criteria applied to induce organizations to initiate voluntary post-breach responses towards better protection of individual privacy interests.

Despite a more established culture of privacy among U.S. corporations, the integrated practices on the ground, and the long-standing enforcement against unreasonable data security practices under Section 5 of the FTC Act, its current mechanism does not facilitate a venue for trust relationships that drive organizational post-breach responses towards individuals. Unlike the PDPC, the FTC enforcement does not formally recognize post-breach responses of organizations consistently. In the small number of cases where those post-breach responses were recognized, only limited normative implications can be inferred from those contexts. Much ambiguity and uncertainty due to the unclear boundary of liabilities set under Section 5 has left organizational actors with high risks, without adequate assurance for organizations to perform desirable post-breach behaviors. The legal ideal of U.S. privacy rightness, as exemplified by Section 5, is based on the notions of self-control, independence and informational duties, and does not cover broader individual privacy interests, which could be promoted through trust relationships.

The U.S. consumer protection approach, in tandem with Singapore’s trust relationship-based approach, provides a great lens for Thailand to meet the dual legal ideals of privacy rightness and promoting trust relationships. Thai-specific conditions and this hybrid iteration have led to implementation in complementary ways. The pending Personal Data Protection Bill of 2018 and regulatory oversight should allow organizations some limited space to practice exercising discretion towards desirable post-breach responses, alongside mitigating penalties imposed by the regulator to encourage these desirable practices. Rather than treating the breach notification and post-breach responses as reporting duties, the Thai Bill could offer an opportunity to cultivate privacy awareness and enhance an organization’s trustful behaviors towards affected individuals. The consumer protection provisions regarding advertising could be interpreted by the Thai consumer protection agency to trigger investigations against unfair and deceptive data security practices, and to regulate consumer contracts in businesses involved in handling sensitive personal data. This consumer protection-based model would provide a readily available means to protect consumer privacy interests, engage media and public vigilance to uncover breach incidents, and increase individual and organizational awareness of privacy and data security.

Main Content

This item is under embargo until April 2, 2020.