AI Regulations in Thailand: DEPA Guidelines and Business Compliance
Thailand's AI governance framework is developing rapidly. The Digital Economy Promotion Agency (DEPA) leads AI governance initiatives, while the PDPA provides the legal foundation for data protection. Organizations operating in Thailand should understand current requirements and emerging expectations.
Executive Summary
- Thailand PDPA is now fully enforceable. Personal data protection in AI is a legal requirement.
- DEPA provides AI governance guidelines. Voluntary frameworks set industry expectations.
- National AI Strategy shapes direction. Policy goals influence regulatory development.
- Enforcement capacity is growing. The PDPC is actively building enforcement capability.
- ASEAN alignment is a priority. Thailand coordinates with regional neighbors on AI governance.
- Sector-specific rules are emerging. Financial services and other sectors are developing their own requirements.
- Practical implementation expected. Guidelines emphasize actionable governance.
- Preparation is advisable. Building governance ahead of formal requirements reduces risk.
Why This Matters Now
Thailand's AI governance is evolving:
- PDPA B.E. 2562 now fully effective with enforcement underway
- National AI Strategy driving governance expectations
- Growing AI adoption across Thai businesses
- Regional harmonization creating consistent frameworks
- Customer and investor focus on AI governance
Organizations should prepare for both current compliance and emerging requirements.
Current Regulatory Framework
Personal Data Protection Act B.E. 2562 (PDPA)
Thailand's PDPA, effective June 2022, applies to AI processing personal data:
Key Principles Applied to AI:
| PDPA Principle | AI Application |
|---|---|
| Lawfulness | Legal basis required for AI processing |
| Purpose limitation | AI uses data only for specified purposes |
| Data minimization | AI processes only necessary data |
| Accuracy | AI should use accurate data |
| Storage limitation | AI data retention limited to purpose |
| Security | AI systems must protect personal data |
| Accountability | Organizations demonstrate compliance |
Legal bases for processing:
| Legal Basis | AI Applicability |
|---|---|
| Consent | Most common for AI processing |
| Contract | AI necessary for contract performance |
| Legitimate interests | Balancing test required |
| Vital interests | Emergency situations |
| Legal obligation | Compliance requirements |
| Public interest | Government functions |
Data subject rights:
- Right to be informed (including about AI)
- Right of access (AI-processed data)
- Right to rectification
- Right to erasure
- Right to data portability
- Right to object (including to AI processing)
- Right not to be subject to automated decisions
PDPC Enforcement
The Personal Data Protection Committee oversees enforcement:
- Increasing enforcement capacity
- Administrative fines up to THB 5 million
- Criminal penalties for serious violations
- Regulatory guidance developing
DEPA AI Guidelines
The Digital Economy Promotion Agency provides AI governance guidance:
AI Ethics Guidelines
DEPA has published AI ethics guidelines covering:
Core principles:
- Human-centered AI
- Fairness and non-discrimination
- Transparency and explainability
- Accountability and responsibility
- Security and safety
- Privacy protection
Governance expectations:
- Clear accountability structures
- Risk management processes
- Stakeholder engagement
- Continuous improvement
National AI Strategy
Thailand's AI strategy influences governance direction:
Relevant goals:
- Trusted AI development
- Responsible innovation
- Skills development
- Ethical AI adoption
Implications:
- Growing government focus on AI governance
- Development of specific requirements likely
- Alignment with ASEAN approaches
Sector-Specific Considerations
Financial Services (Bank of Thailand)
BOT has requirements relevant to AI:
- IT risk management frameworks
- Outsourcing requirements
- Consumer protection expectations
- Digital banking guidelines
Financial institutions should expect AI-specific guidance.
Telecommunications (NBTC)
National Broadcasting and Telecommunications Commission oversight:
- Data protection requirements
- Consumer protection
- Service quality expectations
Other Sectors
- Healthcare: Patient data protection heightened
- Public sector: Government AI ethics frameworks developing
- E-commerce: Consumer protection in AI-driven services
Implementation Roadmap
Phase 1: PDPA Compliance Foundation (Weeks 1-4)
Data mapping:
- Identify personal data processed by AI
- Document legal bases for processing
- Review consent mechanisms
- Assess current compliance status
Legal basis and consent:
- Establish legal basis for AI processing
- Obtain consent where required
- Update privacy notices for AI
- Document consent records
Data subject rights:
- Implement right to be informed for AI
- Enable access to AI-processed data
- Implement objection mechanism
- Address automated decision rights
Phase 2: Governance Structure (Weeks 5-8)
Accountability:
- Designate AI governance responsibility
- Consider DPO appointment if required
- Establish oversight mechanism
- Document governance policies
Security:
- Implement appropriate security measures
- Establish breach notification procedures
- Document security practices
- Test incident response
Phase 3: Enhanced Governance (Weeks 9-12)
DEPA alignment:
- Implement AI ethics principles
- Conduct fairness assessment
- Establish transparency mechanisms
- Create human oversight processes
Documentation:
- Complete data processing records
- Document AI systems and purposes
- Prepare for regulatory inquiries
- Maintain audit trail
Cross-Border Considerations
Thailand PDPA has cross-border transfer provisions:
Transfer requirements:
- Adequate protection in destination country, OR
- Appropriate safeguards in place, OR
- Data subject consent, OR
- Legal exceptions apply
Practical implications:
- Cloud AI services often involve international transfers
- Training data may cross borders
- Vendor locations affect compliance
Compliance approaches:
- Use vendors with Thailand data residency
- Implement contractual safeguards
- Obtain consent for transfers
- Document legal basis
Common Failure Modes
1. Underestimating PDPA applicability. The law is now fully effective. AI processing personal data must comply.
2. Ignoring automated decision requirements. PDPA includes rights related to automated decisions. AI making decisions about individuals triggers these.
3. Treating ethics guidelines as optional. While voluntary, they set industry expectations and likely influence future requirements.
4. Overlooking cross-border transfers. International AI services must comply with the PDPA's transfer provisions.
5. Delayed preparation. Building compliance now is easier than scrambling when enforcement intensifies.
Thailand AI Compliance Checklist
PDPA Compliance
[ ] Personal data in AI systems identified
[ ] Legal basis for AI processing established
[ ] Consent obtained where required
[ ] Privacy notices updated for AI
[ ] Data subject rights processes include AI
[ ] Automated decision rights addressed
[ ] Security measures implemented
[ ] Breach notification procedures established
[ ] Cross-border transfers compliant
Governance Structure
[ ] AI governance responsibility assigned
[ ] DPO appointed (if required)
[ ] Oversight mechanism established
[ ] Governance policy documented
DEPA Alignment
[ ] AI ethics principles adopted
[ ] Human-centered approach implemented
[ ] Transparency measures in place
[ ] Fairness assessment conducted
[ ] Accountability structures defined
Sector-Specific (if applicable)
[ ] BOT requirements addressed (financial services)
[ ] Industry-specific guidance reviewed
[ ] Sector regulator expectations understood
Documentation
[ ] Data processing records maintained
[ ] AI systems documented
[ ] Consent records kept
[ ] Security practices documented
Metrics to Track
| Metric | Target | Frequency |
|---|---|---|
| AI systems with PDPA compliance | 100% | Quarterly |
| Legal basis documented | 100% | Per system |
| Data subject rights processes tested | 100% | Annually |
| Security assessment completed | 100% | Annually |
| Cross-border compliance verified | 100% | Ongoing |
FAQ
Q: Is Thailand PDPA now enforceable? A: Yes. Full enforcement began in June 2022 after a transition period.
Q: What are the penalties for non-compliance? A: Administrative fines up to THB 5 million, criminal penalties for serious violations, and civil liability for damages.
Q: Does PDPA apply to AI without personal data? A: PDPA applies when processing personal data. AI using only non-personal data isn't subject to PDPA but should follow good governance.
Q: Are DEPA guidelines mandatory? A: Currently voluntary, but they set industry expectations and may influence future requirements.
Q: How does Thailand's approach compare to ASEAN neighbors? A: Similar principles-based approach to Singapore and Malaysia. ASEAN coordination is creating consistency.
Next Steps
Thailand compliance is part of regional governance:
- AI Regulations in 2026: What Businesses Need to Know
- AI Regulations in Singapore: IMDA Guidelines and Compliance Requirements
- AI Regulations in Malaysia: Current Framework and Future Directions
Book an AI Readiness Audit
Need help with Thailand AI compliance? Our AI Readiness Audit includes PDPA assessment and governance development.
Disclaimer
This article provides general guidance on Thailand AI regulations. It does not constitute legal advice. Organizations should consult qualified Thai legal counsel for specific compliance requirements.
References
- Thailand Personal Data Protection Act B.E. 2562 (2019).
- PDPC. Personal Data Protection Guidelines.
- DEPA. Thailand AI Ethics Guidelines.
- DEPA. National AI Strategy.
- Bank of Thailand. IT Risk Management Guidelines.
Frequently Asked Questions
Thailand's PDPA and DEPA guidelines jointly govern AI use affecting Thai data subjects. Explicit consent is required for sensitive data, and cross-border transfers require adequacy assessment or safeguards.
DEPA (Digital Economy Promotion Agency) promotes ethical AI development through voluntary certification programs, provides guidance on AI best practices, and shapes national AI policy direction.
Organizations conducting certain AI processing activities affecting Thai data subjects must appoint a DPO. The specific thresholds depend on the scale and nature of processing.