Preparing to Deal with Personal Data Protection Measures in Platform Business

Published in TDRI Quarterly Review, Vol. 38 No. 2 (June 2023)

Suggested Bibliographic Citation: Trisadikoon, K. (2023). “Preparing to Deal with Personal Data Protection Measures in Platform Business.” TDRI Quarterly Review, 38(2). 3-16.

Summary

This article examines the challenges of personal data protection in digital platform businesses, which have expanded rapidly over the past decade and now play a central role in the modern economy. Platform companies rely heavily on collecting and analyzing large volumes of user data to improve services, target consumers, and generate revenue. However, this intensive use of personal data raises significant concerns about privacy, particularly because users often do not fully understand how their data are collected, used, or shared. The article highlights the problem of information asymmetry between businesses and consumers, which leads individuals to underestimate the true cost of disclosing personal information.

Although Thailand enacted the Personal Data Protection Act B.E. 2562 (2019), modeled largely on the European Union’s GDPR, the article argues that the main challenge lies not in the existence of the law but in its effective enforcement, especially in the platform economy. Key issues include unclear and unfriendly communication with users—such as complex privacy notices or the use of “cookie walls” that pressure users to consent—insufficient data security measures that increase the risk of breaches, cross-border data transfers to countries with lower protection standards, and legal exemptions that may allow government agencies to bypass certain requirements. These factors may weaken overall privacy protection and undermine public trust.

The article also compares three major global regulatory models for personal data protection: a rights-based model prioritizing data subjects’ privacy (exemplified by the EU), a market-oriented model emphasizing business freedom (associated with the United States), and a state-centric model prioritizing national security (illustrated by China). It suggests that Thailand should adopt a balanced approach similar to the GDPR, which seeks to reconcile economic benefits with the protection of individual rights while facilitating international data flows.

Drawing on experiences from the European Union and the United Kingdom, the study emphasizes the importance of “soft law” instruments—such as guidelines, codes of conduct, and self-regulatory mechanisms—in clarifying legal obligations and promoting responsible business practices. It also underscores the need for proactive oversight by regulatory authorities, including monitoring high-risk platforms and providing advisory support through mechanisms such as regulatory sandboxes. Ultimately, the article concludes that protecting personal data in the platform era requires not only formal legislation but also flexible governance tools and active regulatory engagement to balance innovation, business interests, and individuals’ privacy rights.