Advance Blog

August 7, 2025
Formichella & Sritawat

HOW AN AUSTRALIAN DATA PRIVACY CASE SIGNALS STRICT LIMITS ON FACIAL RECOGNITION TECHNOLOGY USE IN THAILAND.

A landmark ruling against Australia’s hardware store “Bunnings” for the unlawful use of facial recognition technology (FRT) serves as a wake-up call for Thai businesses.

The November 2024 decision by Australia’s Privacy Commissioner – finding mass biometric collection without consent, transparency, or proportionality illegal – directly parallels Thailand’s Personal Data Protection Act (PDPA) requirements. With Thai regulators increasingly scrutinizing FRT deployments (like recent controversies at 7-Eleven Thailand and MBK Center), companies should urgently align practices with PDPA mandates or face severe penalties.

The Bunnings Precedent & Its Thai Relevance

Australia’s OAIC ruled Bunnings violated privacy laws by scanning faces across 62 stores (2019–2021). Key findings included:

  1. Illegal Collection: Capturing biometrics without consent breached “sensitive information” protections.
  2. Inadequate Transparency: Small signage and vague policies failed to notify customers meaningfully.
  3. Disproportionality: Mass surveillance of all customers was unjustified for theft prevention.
  4. The “Milliseconds” Myth: Data held for 4.17 ms (Bunnings’ quoted processing time to determine facial parameters) still constituted illegal “collection.”

Thai Parallel: This mirrors PDPA’s core tenets. Biometric data is explicitly classified as “Sensitive Personal Data” under Section 26, demanding explicit consent. Recent Thai media exposés reveal similar FRT misuse:

  • 7-Eleven Thailand: Faced public outcry in 2023 after deploying FRT without clear signage or consent mechanisms, violating PDPA’s transparency requirements (Bangkok Post, 15 March 2023).
  • Bangkok Mall Pilot: A major shopping center halted FRT trials in 2024 following PDPA Office warnings about insufficient customer notice (The Nation, 2 May 2024).

PDPA vs. Bunnings: Legal Alignment

Thailand’s PDPA (fully enforced since 2022) and Australia’s Privacy Act share stringent FRT restrictions:

| Issue | Australia (Bunnings Ruling) | Thailand (PDPA) | Thai Media Context |
| --- | --- | --- | --- |
| Biometric Data Classification | “Sensitive Information” | Section 26: “Sensitive Personal Data” requires explicit consent | The PDPA Office repeatedly emphasizes the sensitivity of biometrics in its guidelines (2023). |
| Consent Requirements | Mandatory, “impracticality” rejected | Section 19: Explicit, informed, freely given consent required. No exceptions for convenience. | The 7-Eleven case shows that implied consent (via entry) is insufficient under PDPA. |
| Transparency Obligations | APP 5.1: Notice must be clear, accessible | Section 23: Must inform subjects of purpose, retention, and rights before collection. | MBK Center pilot criticized for “discreet signage,” failing PDPA’s prominence standard (Prachatai, 30 April 2024). |
| Proportionality & Necessity | Mass surveillance deemed disproportionate | Section 24(3): Collection must be “necessary” and “least intrusive” means. | Thai retailers have been warned that FRT must be a last resort, after enhanced CCTV or guards (PDPA Office Guidance, 2023). |
| “Collection” Definition | Milliseconds-long processing is still illegal | Section 19: “Collection” includes any capture/processing, regardless of duration. | Thai tech firms warned that transient data processing still triggers PDPA compliance (Digital Economy Council, 2024). |

PDPA Compliance Guidelines for Thai Businesses

  1. Explicit Consent is Mandatory:
    Security claims DO NOT override consent. PDPA Section 26 demands opt-in consent for biometrics. Bunnings’ “impractical consent” defense failed; Thai businesses (such as 7-Eleven) cannot rely solely on signage.
    Best Practice: Deploy consent kiosks at entrances with multilingual opt-in options. Document consent records.
  2. Conduct a PDPA-Compliant PIA:
    Australia mandated PIAs for FRT. PDPA Section 39 requires Data Protection Impact Assessments (DPIAs) for high-risk processing (like FRT). Document:
    1. Why FRT is essential and why less invasive options (e.g., traditional CCTV + guards) fail.
    2. Measures to prevent functionality creep and bias.
      (See PDPA Office’s “DPIA Guideline,” June 2023.)
  3. Prioritize Proactive Transparency:
    Bunnings’ “layered” notices were deemed inadequate. PDPA Section 23 requires a prominent, pre-collection notice.
    Best Practice: Use eye-level signage with icons + QR codes linking to concise privacy notices (Thai/English). Avoid “legalese.”
  4. Reject the “Milliseconds” Loophole:
    Thai businesses cannot claim that fleeting data retention is exempt from the PDPA. Any facial capture constitutes “collection” under Section 19 – as confirmed by the “DPIA Guideline” (June 2023).
  5. Narrowly Interpret “Vital Interest” Exceptions:
    While Section 26(4) allows processing sensitive data for “life safety” without consent, regulators (like Australia’s) interpret this strictly. FRT must be the only viable solution to an imminent, documented threat – not general theft deterrence.

The Path Forward: FRT Under Thai Scrutiny

With FRT adoption rising in Thai retail, malls, and airports, regulators are escalating oversight:

  • Suvarnabhumi Airport FRT: Already under PDPA Office review for balancing security with traveler consent (Bangkok Post, 28 Nov 2024).
  • PDPA Enforcement: Fines up to THB 5 Million (+ criminal penalties) under Section 84 for violations.

Proactive Steps for Thai Businesses:

  • Audit & Destroy: Review all FRT deployments. Destroy non-compliant historical biometric data.
  • Adopt Privacy-Enhancing Tech: Explore anonymized analytics or on-device processing.
  • Update Policies: Explicitly detail FRT use in PDPA-mandated privacy notices (Section 23).

Conclusion: Prioritize Privacy or Face Penalties

The Bunnings ruling underscores a global reality: convenience and security claims cannot override fundamental privacy rights. Thailand’s PDPA enforces identical principles – requiring explicit consent, necessity, and radical transparency for FRT. Thai businesses risk significant fines and reputational damage (as seen in the 7-Eleven backlash) if they ignore these lessons. As PDPA enforcement matures, proactive compliance is no longer optional – it’s essential for maintaining ethical and legal operations in Thailand.

The information in this article is only for general knowledge and learning purposes. We’re doing our best to keep the information accurate and current, but there’s a chance that some details may be outdated or not entirely accurate. This article shouldn’t be treated as legal advice. For any questions, you may contact Formichella & Sritawat at [email protected]


BIBLIOGRAPHY

  1. Office of the Australian Information Commissioner (OAIC). (2024). Bunnings Breached Australians’ Privacy with Facial Recognition Tool [Media Release].
  2. Personal Data Protection Committee (PDPA), Thailand. (2019). Personal Data Protection Act B.E. 2562 (2019).
  3. PDPA Thailand. (2023). Guidance on Data Protection Impact Assessment (DPIA).
  4. Bangkok Post. (15 March 2023). “7-Eleven Faces Backlash Over Facial Recognition Trial.”
  5. The Nation. (2 May 2024). “Major Bangkok Mall Halts Facial Recognition Pilot After PDPA Warning.”
  6. Prachatai. (30 April 2024). “Privacy Concerns Mount Over Silent Rollout of Facial Recognition in Malls.”
  7. Bangkok Post. (10 January 2024). “Airport Facial Scans Face Privacy Scrutiny.”
  8. Digital Economy Promotion Agency (DEPA), Thailand. (2024). Guidance Note: Biometric Data under the PDPA.
  9. Australian Privacy Principles. (2014). Schedule 1 of the Privacy Act 1988 (Cth).