The Legitimate Interest Rule, the Exception to the Rule, and the Exception to the Exception. This intricate web of legal concepts is not just a mere set of rules but a challenge that engages legal professionals in the field of data privacy compliance.


Statutes often include rules, exceptions to those rules, and even exceptions to the exceptions. This type of legal structure is seen in various legal systems, such as British nationality laws, U.S. Securities and Exchange compliance codes, and the well-known United States Tax Code.


As a Data Controller, your role is pivotal under the Personal Data Protection Act (PDPA). For example, breach notification obligations, which you can read about here.


Section 19 obligates you not to collect, use, or disclose Personal Data unless a Data Subject has given prior consent, a reasonably straightforward foundation to data privacy law. Understanding the Legitimate Interest Rule and its exceptions is crucial to your responsibility.


However, under Section 24 of the PDPA, there is an exception to Section 19 (actually six exceptions) that is often cited (Section 24 (5)), under which no consent of a Data Subject is required if “there is a legitimate interest of the Data Controller or any other Persons…. except where the fundamental rights of the Data Subject override such interests….


As you can see, within Section 24 (5) of the PDPA there is an exception to the exception to Section 19.


Section 32 of the PDPA buttresses the consent exception to Section 19 via Section 24, giving a Data Subject the right to object to the collection, use, or disclosure of Personal Data if a Data Controller exercises the consent exception under Section 24 (5) unless the Data Controller can “prove” that collection, use, or disclosure without consent is based on compelling legitimate purposes.


What is a “legitimate” interest under the PDPA? First, via Section 24 and Section 32, the burden to prove a legitimate interest will ultimately be on the Data Controller. This process, though challenging, is designed to ensure that Data Controllers are confident and prepared to justify their actions under the PDPA. As is expected with flexible language in the PDPA, legitimate purposes will depend on purpose, necessity, and balancing interests. 


Take, for example, the use of CCTV at a bank. It is reasonable that a retail bank has a legitimate interest in protecting its customers and employees and ensuring the security of its premises. The purpose of CCTV has been established, and thus necessity and balancing need to be further addressed by a Data Controller. For example, if there was an attempted robbery at a retail bank, and local police, after reviewing CCTV footage, cannot identify the alleged perpetrator. In such a case, it is arguable the bank may need to release such footage to the public to help identify the perpetrator. This is a necessary consideration. As to balancing interests, the Data Controller (presumably a bank) will need to consider whether innocent customers captured on the CCTV footage may be blurred without impacting the image quality of the perpetrator. Depending on the quality of the CCTV footage, the balance of interests may favor the Data Controller not blurring images of innocent bystanders. Alternatively, the Data Controller could place signs notifying customers that CCTV is operating and provide information on how their personal data will be processed. This way, customers know they may be captured by the CCTV, and their personal data may be used in an investigation to identify the alleged perpetrator. Since this processing would not cause unwarranted harm to customers, their interests are balanced with the Data Controller’s legitimate interests. 


For more articles on Thailand’s laws on data privacy, technology, and telecommunications, please see the Fosrlaw Blog.


The above is for informational purposes only and is not legal advice. For any further information, please contact us at [email protected].


© Formichella & Sritawat Attorneys at Law