A close-up of Thailand’s regulatory approach to data governance, content moderation, competition, artificial intelligence, and more.
The “DPA Digital Digest” series provides concise summaries of each economy’s digital policy. Based on the Digital Policy Alert database, we outline rules and enforcement cases in data governance, content moderation, competition, artificial intelligence, and domestic points of emphasis.
Thailand's digital economy, the second largest in Southeast Asia, accounted for 6% of the country's GDP (USD 36 billion) in 2023, with projections indicating growth to 11% by 2027. This expansion is driven by accelerated technology adoption, supportive government policies, and the success of sectors such as ICT and e-commerce. The National Digital Economy and Society Commission has set a target to increase the digital sector’s contribution to 30% of GDP by 2027, with a focus on enhancing cloud infrastructure and attracting foreign investment.
But what do Thailand’s digital policies stand for? Our Digital Digest provides a succinct overview of the latest policy and enforcement developments in major policy areas and Thailand-specific points of emphasis.
Data governance: Thailand implemented the Personal Data Protection Act and adopted cybersecurity rules for critical infrastructure and cloud service providers.
Content moderation: Thailand adopted procedures for handling illegal computer data under the Computer-related Crime Act and pursued enforcement against large social media platforms and online gambling service providers.
Competition policy: Thailand adopted guidelines on the applicability of its current Trade Competition Act to digital platforms.
Artificial intelligence: Thailand is considering proposals to regulate AI, focusing on establishing innovation testing centres, AI sandboxes and risk assessment guidelines.
Thailand’s points of emphasis include registration and notification requirements, digital assets and user identification.
Jump directly to the section that interests you most:
Discover the details of Thailand's regulatory approach on our dedicated country page.
Remain up-to-date on new and upcoming developments with our free notification service.
Written by Maria Buza, Philine Jenzer, and Svenja Bossard. Edited by Tommaso Giardini.
In June 2022, Thailand implemented the Personal Data Protection Act (PDPA). It grants individuals rights regarding their personal data, including access, rectification, and portability. Personal data can be processed based on consent, contract, public interest, and legitimate interest. Special provisions apply to sensitive data. Processors are required to inform individuals about their data collection practices, maintain records of data processing activities, appoint a data protection officer, and notify authorities of any data breaches.
The PDPA also established the Personal Data Protection Commission (PDPC), which has the power to issue additional rules under PDPA.
In June 2024, the PDPC consulted on a draft order to set criteria for deleting, destroying, or anonymising personal data. The order guides data controllers on handling requests from data subjects, requiring compliance within 60 days of receipt.
In December 2023, the PDPC implemented rules on the appointment of data protection officers.
In December 2022, the PDPC adopted measures on record-keeping for personal data processing and on the reporting of data breaches within 72 hours.
In June 2022, the PDPC implemented security measures for data controllers and established exemptions for small businesses.
The Cyber Security Act of 2019 requires critical information infrastructure operators (CIIOs) to comply with security standards, conduct annual risk assessments, report cyber threats and investigate vulnerabilities. The results of these assessments must be submitted to the Cyber Security Supervisory Committee (CSSC). CIIOs include sectors such as national security, significant public services, banking and finance, and IT and telecommunications.
The Act established the National Cyber Security Committee (NCSC) to issue additional rules and clarify responsibilities, while the CSSC assists in monitoring operations, enforcing standards, and managing critical cyber threats.
In September 2024, the CSSC adopted cybersecurity standards for cloud systems, which will enter into force in 2 years. Government agencies and CIIOs will be required to comply with security measures such as securing data, conducting audits, and ensuring that cloud providers are certified for “high” or “medium” impact services.
In June 2024, the CSSC’s operational obligations for CIIOs entered into force. CIIOs must provide a list of their executive staff and emergency contacts to the NCSC, prepare cybersecurity policies, and conduct annual audits. Regarding incidents, CIIOs must respond promptly and submit a report to CSSC and NCSC within 24 hours.
In January 2024, the NCSC issued two orders that will become effective in January 2025. CIIOs must classify their data systems into risk categories (low, medium, or high) based on confidentiality, integrity, and availability. CIIOs must then implement corresponding cybersecurity measures for each class.
CIIOs must also comply with a code of conduct, which sets minimum cybersecurity measures and procedures for reporting cyber threats.
Currently, Thailand does not impose general data localisation requirements. However, in September 2024, the NCSC adopted regulations governing the use of cloud services by CIIOs. To mitigate the risks associated with the use of cloud services, the regulations mandate that “high” impact information systems, which could lead to “very severe” consequences, operate from a primary data centre located in Thailand. Additionally, these systems must have a backup data centre situated either in Thailand or within the ASEAN region.
Businesses can transfer data to countries recognised as providing an adequate level of data protection, referred to as "whitelisted countries". In March 2024, the PDPC established the criteria it will follow to assess whether a destination country or international organisation meets these adequate standards. Businesses may also transfer data using binding corporate rules (BCRs) or appropriate safeguards. These safeguards include standard contractual clauses, certifications, or binding agreements between government agencies. In March 2024, the PDPC also implemented rules for the submission of BCRs for review and approval, along with the criteria that standard contractual clauses and certifications must meet to be deemed valid. Additionally, data transfers may also take place under certain conditions, including legal compliance, consent from the data subject, contractual obligations, or public interest.
The PDPC issues guidelines to clarify obligations and facilitate compliance.
In September 2022, the PDPC published guidelines on obtaining consent from data subjects and notifying the purpose and details of collecting personal data from data subjects.
In December 2022, the PDPC issued a guide on personal data breach risk assessment and reporting.
Concerning enforcement, in August 2024, the PDPC issued its first administrative fine of THB 7 million (approx. USD 207,853) against an unnamed online goods company for breaching the PDPA by disclosing personal data without consent to unauthorised persons. The company was also ordered to take corrective actions after a call centre misused the data for fraudulent activities. In February 2024, the Ministry of Digital for Economic and Social Affairs, alongside the PDPC and other agencies, discovered over 5,869 cases of improperly shared personal data online. They implemented corrective measures and blocked 54 instances of data being sold on Facebook.
In December 2022, Thailand enacted new procedures for handling illegal computer data under the Computer-related Crime Act. Service providers and social media platforms must establish clear policies for users to report illegal data, which must then be swiftly removed or blocked. Providers that implement a notice and takedown policy are protected from penalties associated with illegal activities. Additionally, competent officials have the authority to issue removal orders, and service providers must comply or face penalties. Providers can appeal takedown orders within 30 days, and officials may revoke orders based on new evidence or legal changes.
In July 2024, the Prime Minister issued an order to expedite the suppression of false information on social media, particularly regarding government projects such as the Digital Wallet initiative. The Ministry of Digital Economy and Society (MDES) and Technology Crime Suppression Division (TCSD) will form a working group to analyse content, block fake news, and improve public access to factual information.
The MDES has the power to issue take-down notices to platforms and require courts to issue blocking orders.
In July 2024, the MDES launched the "FINAL BET" operation, which uses AI to combat online gambling networks.
In March 2024, the MDES launched an investigation into an online gambling site, seeking a court order for permanent restriction and enforcing ISP compliance.
In August 2023, the MDES announced plans to pursue legal action against Facebook for failing to remove scam advertisements.
In September 2022, the MDES reported blocking 4,735 illegal URLs under 183 court orders in 2022, while the Cyber Police handled 2,330 cases involving various online crimes.
In January 2022, the MDES reported the court-ordered shutdown of 50 URLs with illegal content, urging the public to be cautious about sharing false information on social media.
Thailand’s competition regime is based on the Trade Competition Act, which prohibits business operators from using their dominant market position to obstruct competition or engage in unfair trade practices and establishes rules on mergers and acquisitions. In October 2020, the Trade Competition Commission (TCC), established under the Trade Competition Act, adopted guidelines to assess unfair trade practices between food delivery digital platforms and restaurants. These rules aim to ensure fair, non-discriminatory trade practices and protect restaurants.
The TCC has the power to issue binding rules and guidelines and take enforcement actions against companies in the digital markets sector in accordance with the Trade Competition Act.
In February 2024, the TCC ruled against an intermediary platform for abusing its market dominance by unilaterally imposing fees on online tickets.
In December 2023, the TCC began investigating TikTok for alleged unfair trade practices raised by merchants, including account issues and fund withdrawal difficulties.
In February 2021, the TCC concluded that two food delivery companies adhered to the Trade Competition Act, finding their varying service fees reasonable and not indicative of market dominance, unfair harm to competitors, or collusion.
In May 2019, the TCC dismissed a complaint against an advertising company for acquiring 18.60% of another firm's shares, concluding that the acquisition did not significantly reduce competition or create a dominant market position under the Trade Competition Act.
Thailand hasn't enacted a law to regulate artificial intelligence (AI) but is currently deliberating on three proposals issued by the Electronic Transactions Development Agency (ETDA):
The draft AI Innovation Promotion Act, released in March 2023, would establish AI Innovation testing centres, a data-sharing system, and standards for AI technology.
The draft rule on establishing an AI Sandbox would provide a controlled environment for testing AI technologies. Developers would be required to apply for testing permission and submit detailed project plans for review and oversight.
The draft rules on AI risk assessment would establish standardised guidelines for managing AI-related risks, covering governance, risk mapping, and measurement. Furthermore, they would require AI importers and service providers to submit detailed risk assessment reports.
In October 2022, the Office of the National Digital Economy and Society Commission (ONDE) issued the draft Royal Decree on Business Operations Using AI Systems. The draft adopts a risk-based approach, categorising AI systems into prohibited and high-risk. It specifically bans AI systems that employ subliminal techniques to influence behaviour, social scoring systems, and real-time remote biometric identification in public areas. The high-risk AI systems are those that impact public safety, human rights, or access to essential services. The draft decree requires providers to register their high-risk AI systems and comply with risk management and data governance measures. Additionally, the draft establishes a regulatory framework for importers and distributors of AI systems.
In March 2022, the ETDA released the AI ethics guidelines for Digital Thailand, emphasising ethical, transparent, and fair AI practices, along with six principles. The principles include competitiveness and sustainability, adherence to laws and ethics, transparency and accountability, security and privacy, fairness, and reliability. Previously, in February 2021, ETDA issued AI governance guidelines to establish a Governance Council and define stakeholder roles, focusing on responsible AI deployment and compliance with ethical standards.
In July 2022, the government adopted the National AI Strategy, which includes an action plan to advance AI development across various sectors, including agriculture, healthcare, and finance. The strategy focuses on building human resources and fostering innovation. Furthermore, a report released in November 2022 proposed the establishment of an AI testing centre to ensure the reliability and competitiveness of AI technologies.
Thailand mandates that both domestic and foreign digital platform services notify the Electronic Transactions Development Agency (ETDA) of their operations. Large platforms, defined as those with over THB 50 million (approx. USD 1.5 million) in gross income or more than 5,000 monthly active users, were required to submit their notifications by November 2023 and smaller platforms by August 2024. Foreign platforms accepting Thai currency or using the Thai language are also required to appoint a local coordinator. In addition, providers must inform users of terms and conditions before use, detailing service rules, fee structures, and data usage.
In November 2023, the ETDA established criteria for identifying "high-risk" platforms. These include platforms with transaction values exceeding THB 100 million (approx. USD 3 million), those operated by unregistered entities with more than 100 business users or total users between 5 and 10 % of the country’s population, and those enabling user-generated content that could negatively impact public welfare, children's rights, or political opinions. Such platforms must conduct risk assessments and annual compliance reporting. The ETDA also issued user verification standards, mandating identity checks for users, particularly high-risk ones, and requiring clear symbols for verified identities.
In 2024, the ETDA also issued guidelines on managing the sale of products that must meet product standards and conditions for using the business service platform notification mark. In August 2024, the ETDA opened a consultation on the effectiveness of current obligations for digital platforms.
The Digital Asset Businesses Decree mandates that exchanges, brokers, and dealers obtain licences to operate. The regulations cover digital asset trading and initial coin offerings and require compliance with anti-money laundering laws, investor protection measures, and transparency rules. Since September 2022, providers have also to comply with advertising rules for cryptocurrency.
In May 2024, the Securities and Exchange Commission (SEC) issued an order reinforcing the existing prohibition against digital asset exchanges listing meme tokens and updated the rules on criteria for investments in digital tokens in January 2024. In April 2024, the SEC, in collaboration with the Ministry of Digital Economy and Society and other relevant agencies, implemented an order to block access to unauthorised digital asset service platforms. Also, in June 2024, the SEC revoked Zipmex's digital asset business licence due to financial instability and non-compliance with regulatory directives.
In June 2023, Thailand adopted a decree which regulates digital identification businesses, requiring prior approval for services such as identity verification and authentication. In June 2024, the ETDA issued draft rules to standardise the verification of foreign users’ identities. Previously, in June 2023, the ETDA published assessment guidelines for digital identity proofing and authentication systems that require licensing and a risk management guide for the digital identification system.