
AI Regulations in Thailand: DEPA Guidelines and Business Compliance

October 22, 2025 · 10 min read · Michael Lansdowne Hauge
Updated March 15, 2026
For: Legal/Compliance, CISO, CTO/CIO, Board Member, CHRO, Head of Operations

Complete guide to Thailand AI governance. Covers PDPA requirements, DEPA guidelines, sector considerations, and implementation roadmap.

Key Takeaways

  1. Thailand PDPA and DEPA guidelines jointly govern AI use affecting Thai data subjects
  2. Explicit consent is required for sensitive data processing by AI systems
  3. Cross-border AI data transfers require adequacy assessment or contractual safeguards
  4. DEPA promotes ethical AI development through voluntary certification programs
  5. Organizations must appoint a Data Protection Officer for certain AI processing activities

Thailand's AI governance framework is developing rapidly. The Digital Economy Promotion Agency (DEPA) leads AI governance initiatives, while the PDPA provides the legal foundation for data protection. Organizations operating in Thailand should understand current requirements and emerging expectations.

Executive Summary

  • Thailand PDPA is now fully enforceable. Personal data protection in AI is a legal requirement.
  • DEPA provides AI governance guidelines. Voluntary frameworks set industry expectations.
  • National AI Strategy shapes direction. Policy goals influence regulatory development.
  • Enforcement capacity is growing. The PDPC is actively building enforcement capability.
  • ASEAN alignment is a priority. Thailand coordinates with regional neighbors on AI governance.
  • Sector-specific rules are emerging. Financial services and other sectors are developing specific requirements.
  • Practical implementation expected. Guidelines emphasize actionable governance.
  • Preparation is advisable. Building governance ahead of formal requirements reduces risk.

Why This Matters Now

Thailand's AI governance is evolving:

  • PDPA B.E. 2562 now fully effective with enforcement underway
  • National AI Strategy driving governance expectations
  • Growing AI adoption across Thai businesses
  • Regional harmonization creating consistent frameworks
  • Customer and investor focus on AI governance

Organizations should prepare for both current compliance and emerging requirements.


Current Regulatory Framework

Personal Data Protection Act B.E. 2562 (PDPA)

Thailand's PDPA, effective June 2022, applies to AI processing personal data:

Key Principles Applied to AI:

| PDPA Principle | AI Application |
|---|---|
| Lawfulness | Legal basis required for AI processing |
| Purpose limitation | AI uses data only for specified purposes |
| Data minimization | AI processes only necessary data |
| Accuracy | AI should use accurate data |
| Storage limitation | AI data retention limited to purpose |
| Security | AI systems must protect personal data |
| Accountability | Organizations demonstrate compliance |

Legal bases for processing:

| Legal Basis | AI Applicability |
|---|---|
| Consent | Most common for AI processing |
| Contract | AI necessary for contract performance |
| Legitimate interests | Balancing test required |
| Vital interests | Emergency situations |
| Legal obligation | Compliance requirements |
| Public interest | Government functions |

Data subject rights:

  • Right to be informed (including about AI)
  • Right of access (AI-processed data)
  • Right to rectification
  • Right to erasure
  • Right to data portability
  • Right to object (including to AI processing)
  • Right not to be subject to automated decisions

PDPC Enforcement

The Personal Data Protection Committee oversees enforcement:

  • Increasing enforcement capacity
  • Administrative fines up to THB 5 million
  • Criminal penalties for serious violations
  • Regulatory guidance developing

DEPA AI Guidelines

The Digital Economy Promotion Agency provides AI governance guidance:

AI Ethics Guidelines

DEPA has published AI ethics guidelines covering:

Core principles:

  • Human-centered AI
  • Fairness and non-discrimination
  • Transparency and explainability
  • Accountability and responsibility
  • Security and safety
  • Privacy protection

Governance expectations:

  • Clear accountability structures
  • Risk management processes
  • Stakeholder engagement
  • Continuous improvement

National AI Strategy

Thailand's AI strategy influences governance direction:

Relevant goals:

  • Trusted AI development
  • Responsible innovation
  • Skills development
  • Ethical AI adoption

Implications:

  • Growing government focus on AI governance
  • Development of specific requirements likely
  • Alignment with ASEAN approaches

Sector-Specific Considerations

Financial Services (Bank of Thailand)

BOT has requirements relevant to AI:

  • IT risk management frameworks
  • Outsourcing requirements
  • Consumer protection expectations
  • Digital banking guidelines

Financial institutions should expect AI-specific guidance.

Telecommunications (NBTC)

National Broadcasting and Telecommunications Commission oversight:

  • Data protection requirements
  • Consumer protection
  • Service quality expectations

Other Sectors

  • Healthcare: Patient data protection heightened
  • Public sector: Government AI ethics frameworks developing
  • E-commerce: Consumer protection in AI-driven services

Implementation Roadmap

Phase 1: PDPA Compliance Foundation (Weeks 1-4)

Data mapping:

  • Identify personal data processed by AI
  • Document legal bases for processing
  • Review consent mechanisms
  • Assess current compliance status

Legal basis and consent:

  • Establish legal basis for AI processing
  • Obtain consent where required
  • Update privacy notices for AI
  • Document consent records

Data subject rights:

  • Implement right to be informed for AI
  • Enable access to AI-processed data
  • Implement objection mechanism
  • Address automated decision rights

Phase 2: Governance Structure (Weeks 5-8)

Accountability:

  • Designate AI governance responsibility
  • Consider DPO appointment if required
  • Establish oversight mechanism
  • Document governance policies

Security:

  • Implement appropriate security measures
  • Establish breach notification procedures
  • Document security practices
  • Test incident response

Phase 3: Enhanced Governance (Weeks 9-12)

DEPA alignment:

  • Implement AI ethics principles
  • Conduct fairness assessment
  • Establish transparency mechanisms
  • Create human oversight processes

Documentation:

  • Complete data processing records
  • Document AI systems and purposes
  • Prepare for regulatory inquiries
  • Maintain audit trail

Cross-Border Considerations

Thailand PDPA has cross-border transfer provisions:

Transfer requirements:

  • Adequate protection in destination country, OR
  • Appropriate safeguards in place, OR
  • Data subject consent, OR
  • Legal exceptions apply

Practical implications:

  • Cloud AI services often involve international transfers
  • Training data may cross borders
  • Vendor locations affect compliance

Compliance approaches:

  • Use vendors with Thailand data residency
  • Implement contractual safeguards
  • Obtain consent for transfers
  • Document legal basis

Common Failure Modes

1. Underestimating PDPA applicability. The law is now fully effective. AI processing personal data must comply.

2. Ignoring automated decision requirements. PDPA includes rights related to automated decisions. AI making decisions about individuals triggers these.

3. Treating ethics guidelines as optional. While voluntary, they set industry expectations and likely influence future requirements.

4. Overlooking cross-border transfers. International AI services must comply with transfer provisions.

5. Delayed preparation. Building compliance now is easier than scrambling when enforcement intensifies.


Thailand AI Compliance Checklist

PDPA Compliance
[ ] Personal data in AI systems identified
[ ] Legal basis for AI processing established
[ ] Consent obtained where required
[ ] Privacy notices updated for AI
[ ] Data subject rights processes include AI
[ ] Automated decision rights addressed
[ ] Security measures implemented
[ ] Breach notification procedures established
[ ] Cross-border transfers compliant

Governance Structure
[ ] AI governance responsibility assigned
[ ] DPO appointed (if required)
[ ] Oversight mechanism established
[ ] Governance policy documented

DEPA Alignment
[ ] AI ethics principles adopted
[ ] Human-centered approach implemented
[ ] Transparency measures in place
[ ] Fairness assessment conducted
[ ] Accountability structures defined

Sector-Specific (if applicable)
[ ] BOT requirements addressed (financial services)
[ ] Industry-specific guidance reviewed
[ ] Sector regulator expectations understood

Documentation
[ ] Data processing records maintained
[ ] AI systems documented
[ ] Consent records kept
[ ] Security practices documented

Metrics to Track

| Metric | Target | Frequency |
|---|---|---|
| AI systems with PDPA compliance | 100% | Quarterly |
| Legal basis documented | 100% | Per system |
| Data subject rights processes tested | 100% | Annually |
| Security assessment completed | 100% | Annually |
| Cross-border compliance verified | 100% | Ongoing |

FAQ

Q: Is Thailand PDPA now enforceable? A: Yes. Full enforcement began in June 2022 after a transition period.

Q: What are the penalties for non-compliance? A: Administrative fines up to THB 5 million, criminal penalties for serious violations, and civil liability for damages.

Q: Does PDPA apply to AI without personal data? A: PDPA applies when processing personal data. AI using only non-personal data isn't subject to PDPA but should follow good governance.

Q: Are DEPA guidelines mandatory? A: Currently voluntary, but they set industry expectations and may influence future requirements.

Q: How does Thailand's approach compare to ASEAN neighbors? A: Similar principles-based approach to Singapore and Malaysia. ASEAN coordination is creating consistency.


Next Steps

Thailand compliance is part of regional governance:

  • [AI Regulations in 2026: What Businesses Need to Know]
  • [AI Regulations in Singapore: IMDA Guidelines and Compliance Requirements]
  • [AI Regulations in Malaysia: Current Framework and Future Directions]

Disclaimer

This article provides general guidance on Thailand AI regulations. It does not constitute legal advice. Organizations should consult qualified Thai legal counsel for specific compliance requirements.


DEPA's AI Governance Framework Development

Thailand's Digital Economy Promotion Agency is developing an AI governance framework that draws on international standards while addressing Thailand-specific regulatory and cultural contexts. The emerging framework emphasizes responsible AI development, transparency in AI-assisted decision-making, and protection of individual rights affected by AI systems. Organizations operating in Thailand should monitor DEPA's regulatory publications and participate in public consultations to stay informed about evolving requirements.

Practical Compliance for Thai Market Operations

Organizations deploying AI systems in Thailand should implement governance practices that demonstrate compliance readiness even before mandatory regulations take effect. Maintain documentation of AI system inventories, risk assessments, and data handling practices in formats that align with DEPA's published guidelines. Ensure that AI systems processing Thai consumers' personal data comply with Thailand's Personal Data Protection Act provisions regarding consent, purpose limitation, and data subject rights. Engage with DEPA's regulatory sandbox programs where available to test AI applications in a supervised environment that provides regulatory guidance and demonstrates proactive compliance commitment.

Sector-Specific AI Requirements in Thailand

Beyond DEPA's cross-industry framework, Thailand's sectoral regulators are developing AI-specific requirements for regulated industries. The Bank of Thailand has published technology risk management guidelines that address AI use in financial services including algorithmic lending, fraud detection, and customer scoring systems. The Food and Drug Administration is developing guidance on AI-assisted medical devices and diagnostic systems. Organizations operating in regulated Thai industries should layer sector-specific requirements on top of DEPA's general framework to build comprehensive governance programs addressing both horizontal and vertical regulatory expectations.

Organizations should also track Thailand's participation in international AI governance forums including ASEAN digital cooperation initiatives and bilateral technology agreements that may influence domestic regulatory development. Thailand's engagement with regional and international governance frameworks suggests that future domestic regulations will increasingly align with international standards, making early adoption of globally recognized governance practices a strategic investment that facilitates both domestic compliance and international business operations.

Organizations should also prepare for Thailand's emerging requirements around AI transparency and explainability, which DEPA has identified as priority governance areas in its published strategic documents. Implementing explainability features in AI systems proactively, including audit trails, decision rationale documentation, and user-facing explanations of AI-assisted decisions, positions organizations to comply with anticipated requirements without costly retrofitting when regulations are finalized.

How Thailand's AI Regulatory Approach Compares to Its Neighbors

Thailand occupies a middle position in ASEAN's AI regulatory spectrum. Singapore leads with comprehensive voluntary frameworks and practical testing tools. Vietnam enacted binding legislation through Law 134/2025, creating Southeast Asia's first mandatory AI compliance regime. The Philippines issued detailed NPC guidance bridging data privacy and AI governance. Thailand's DEPA-led approach balances between these models: more structured than Malaysia's primarily PDPA-based coverage but less prescriptive than Vietnam's statutory requirements or Singapore's AI Verify framework. Organizations operating across Southeast Asia should map Thailand's emerging requirements against their existing compliance programs for neighboring jurisdictions to identify gaps and leverage existing governance investments.

Practical Steps for International Companies Entering Thailand's AI Market

International companies deploying AI systems in Thailand should engage local legal counsel specializing in DEPA regulations before market entry. Conduct a regulatory mapping exercise comparing your existing governance practices against DEPA guidelines, Thailand PDPA requirements, and sector-specific mandates from the Bank of Thailand or FDA. Establish a local data processing presence or contract with Thai-based data centers when processing Thai consumer personal data, as data localization expectations are strengthening across ASEAN jurisdictions.

Practical Next Steps

To put these insights into practice for AI regulations in Thailand, consider the following action items:

  • Establish a cross-functional governance committee with clear decision-making authority and regular review cadences.
  • Document your current governance processes and identify gaps against regulatory requirements in your operating markets.
  • Create standardized templates for governance reviews, approval workflows, and compliance documentation.
  • Schedule quarterly governance assessments to ensure your framework evolves alongside regulatory and organizational changes.
  • Build internal governance capabilities through targeted training programs for stakeholders across different business functions.

Effective governance structures require deliberate investment in organizational alignment, executive accountability, and transparent reporting mechanisms. Without these foundational elements, governance frameworks remain theoretical documents rather than living operational systems.

Common Questions

Thailand's PDPA and DEPA guidelines jointly govern AI use affecting Thai data subjects. Explicit consent is required for sensitive data, and cross-border transfers require adequacy assessment or safeguards.

DEPA (Digital Economy Promotion Agency) promotes ethical AI development through voluntary certification programs, provides guidance on AI best practices, and shapes national AI policy direction.

Organizations conducting certain AI processing activities affecting Thai data subjects must appoint a DPO. The specific thresholds depend on the scale and nature of processing.

Michael Lansdowne Hauge

Managing Director · HRDF-Certified Trainer (Malaysia), Delivered Training for Big Four, MBB, and Fortune 500 Clients, 100+ Angel Investments (Seed–Series C), Dartmouth College, Economics & Asian Studies

Managing Director of Pertama Partners, an AI advisory and training firm helping organizations across Southeast Asia adopt and implement artificial intelligence. HRDF-certified trainer with engagements for a Big Four accounting firm, a leading global management consulting firm, and the world's largest ERP software company.
