
Thailand AI Regulations 2026: Complete Compliance Guide

February 9, 2026 · 11 min read · Pertama Partners
For: Compliance Lead, Risk Officer, Legal Counsel, Data Protection Officer, Chief Privacy Officer

Master Thailand's AI regulatory requirements with this comprehensive guide covering the PDPA, cybersecurity laws, sectoral regulations, and practical compliance strategies for businesses deploying AI systems in Thailand.

Part 10 of 14 in the AI Regulations & Compliance series: country-specific AI regulations, global compliance frameworks, and industry guidance for Asia-Pacific businesses.

Key Takeaways

  1. Thailand's PDPA provides comprehensive data protection requirements for AI, including consent, transparency, data subject rights, and mandatory DPIAs for high-risk processing
  2. Section 34 grants individuals the right to object to automated decision-making and requires human intervention mechanisms, disclosure of AI logic, and appeals processes
  3. Cross-border data transfers require PDPC-approved mechanisms (adequacy, contracts, BCRs, or consent), significantly impacting international AI operations and cloud services
  4. Sector-specific regulations from BOT, SEC, FDA Thailand, and NBTC impose additional requirements on financial, healthcare, and telecommunications AI applications
  5. Compliance requires appointing DPOs, conducting DPIAs, implementing privacy-by-design, ensuring AI transparency, and maintaining comprehensive documentation

Thailand is positioning itself as Southeast Asia's AI hub while developing a regulatory framework that balances innovation with consumer protection and national security. This guide provides comprehensive analysis of Thailand's AI regulations, compliance requirements, and best practices for organizations deploying artificial intelligence systems in the Thai market.

Thailand's AI Regulatory Framework

Thailand's approach to AI governance combines horizontal data protection legislation with sector-specific requirements and emerging AI-focused regulations.

Personal Data Protection Act (PDPA)

Thailand's Personal Data Protection Act B.E. 2562 (2019), fully enforced since June 1, 2022, serves as the foundation for AI data governance. Modeled after GDPR, the PDPA imposes comprehensive obligations on AI systems processing personal data.

Core PDPA Principles:

Lawfulness and Consent: AI data processing requires a legal basis, typically:

  • Explicit consent for general personal data
  • Explicit consent plus necessity for sensitive personal data
  • Legitimate interest (with balancing test)
  • Contract performance
  • Legal compliance
  • Vital interests protection

Purpose Limitation: Organizations must:

  • Specify AI processing purposes before collection
  • Limit use to disclosed purposes
  • Obtain fresh consent for new purposes
  • Document purpose changes and justifications

Data Minimization: AI systems should:

  • Collect only data necessary for stated purposes
  • Avoid excessive data collection for "future use"
  • Regularly review data requirements
  • Delete data when no longer needed

Accuracy and Quality: Maintain:

  • Accurate and current personal data
  • Data quality assurance processes
  • Correction mechanisms
  • Regular data validation

Storage Limitation: Implement:

  • Defined retention periods
  • Automated deletion processes
  • Archival procedures
  • Disposal documentation

Security: Deploy:

  • Appropriate technical safeguards
  • Administrative controls
  • Physical security measures
  • Vendor security assessments

PDPA Requirements for AI Systems

Automated Decision-Making (Section 34):

The PDPA grants data subjects the right not to be subject to decisions based solely on automated processing that produces legal effects or significantly affects them. Organizations must:

Notification Requirements:

  • Inform data subjects of automated decision-making
  • Explain the logic, significance, and consequences
  • Disclose data categories used in decisions
  • Specify retention periods

Data Subject Rights:

  • Right to object to automated processing
  • Right to human intervention in decisions
  • Right to express views on automated decisions
  • Right to contest automated outcomes

Implementation Safeguards:

  • Implement human oversight mechanisms
  • Establish appeals processes
  • Document decision logic and criteria
  • Conduct regular accuracy assessments

Data Protection Impact Assessment (DPIA):

Section 37 requires DPIAs for processing likely to result in high risk to data subjects' rights. AI systems requiring DPIAs include:

High-Risk AI Applications:

  • Systematic large-scale profiling
  • Automated decision-making affecting legal rights
  • Large-scale processing of sensitive data
  • Systematic monitoring of public areas
  • Processing of children's data
  • Innovative technology use

DPIA Contents:

  • Description of processing operations and purposes
  • Assessment of necessity and proportionality
  • Assessment of risks to data subjects
  • Safeguards and security measures
  • Consultation with data protection officer

Cross-Border Data Transfers

Section 28 restricts personal data transfers outside Thailand unless the destination country has adequate protection or other safeguards exist.

Transfer Mechanisms:

Adequacy Decisions: The Personal Data Protection Committee may recognize countries with adequate protection (none designated as of 2026).

Standard Contractual Clauses: Organizations may use PDPC-approved contractual clauses covering:

  • Data protection obligations
  • Security requirements
  • Sub-processor controls
  • Audit and inspection rights
  • Data subject rights mechanisms

Binding Corporate Rules: Multinational groups may adopt BCRs approved by the PDPC.

Consent: Explicit consent with clear disclosure of:

  • Destination country
  • Recipient details
  • Purpose of transfer
  • Risks of transfer
  • Safeguards implemented

AI-Specific Transfer Considerations:

Cloud AI Services: Using international AI platforms requires:

  • Thai data residency options where available
  • Contractual compliance with PDPA
  • Encryption and access controls
  • Regular compliance audits
  • Documentation of data flows

Model Training Abroad: Organizations training models outside Thailand must:

  • Anonymize training data where possible
  • Conduct transfer impact assessments
  • Implement contractual safeguards
  • Maintain data inventories
  • Monitor ongoing adequacy

Cybersecurity Act B.E. 2562 (2019)

Thailand's Cybersecurity Act governs critical information infrastructure (CII) protection, impacting AI systems in designated sectors.

CII Designation: The National Cybersecurity Committee designates CII operators in:

  • Banking and finance
  • Information and telecommunications
  • Transportation and logistics
  • Energy and utilities
  • Government services
  • Emergency services

AI Security Requirements for CII Operators:

Security Measures:

  • Risk assessments and management
  • Security monitoring and detection
  • Incident response procedures
  • Business continuity planning
  • Regular security audits

Incident Reporting:

  • Immediate notification of cyber threats
  • Detailed incident reports
  • Remediation documentation
  • Lessons learned analysis

Government Cooperation:

  • Compliance with security directives
  • Participation in threat intelligence sharing
  • Coordination during cyber incidents
  • Access for government audits

Sector-Specific AI Regulations

Financial Services

The Bank of Thailand (BOT) and Securities and Exchange Commission (SEC) regulate AI in financial services through multiple frameworks.

BOT AI Guidelines:

Model Risk Management:

  • Comprehensive model governance
  • Independent validation and testing
  • Performance monitoring
  • Stress testing protocols
  • Regular model reviews

AI Credit Decisioning:

  • Explainable credit models
  • Bias testing and mitigation
  • Appeals mechanisms for denials
  • Transparency in credit scoring
  • Documentation of model limitations

Consumer Protection:

  • Clear disclosure of AI use
  • Human oversight for complex decisions
  • Complaint handling procedures
  • Fair treatment assurance
  • Regular consumer impact assessments

Anti-Money Laundering:

  • AI transaction monitoring systems
  • Explainable alerts
  • Audit trail requirements
  • Regular effectiveness testing
  • Regulatory reporting

SEC AI Requirements:

Algorithmic Trading:

  • Pre-deployment testing and approval
  • Real-time monitoring
  • Circuit breaker mechanisms
  • Audit trail maintenance
  • Regular compliance reviews

Robo-Advisory Services:

  • Client suitability assessments
  • Risk profiling accuracy
  • Algorithm disclosure
  • Human oversight requirements
  • Performance monitoring

Healthcare

The Food and Drug Administration (FDA) Thailand and Ministry of Public Health regulate medical AI devices and health data processing.

Medical Device Classification:

AI medical devices are classified by risk level:

Class I (Low Risk): Administrative AI tools with minimal patient impact

Class II (Medium Risk): Clinical decision support systems requiring:

  • Medical device registration
  • Performance validation
  • Clinical evidence
  • Post-market surveillance

Class III (High Risk): Autonomous diagnostic or treatment AI requiring:

  • Rigorous clinical trials
  • Extensive safety documentation
  • Ongoing safety monitoring
  • Adverse event reporting

Health Data Protection:

The Health Data Protection Act (under development) will impose enhanced requirements:

  • Stricter consent requirements
  • Prohibition on health data exports (except for treatment)
  • Enhanced security measures
  • Mandatory health data impact assessments
  • Patient access rights

Clinical AI Implementation:

  • Physician oversight mandatory
  • Clear labeling of AI-generated outputs
  • Documentation of AI limitations
  • Continuing education on AI tools
  • Patient notification of AI use

Telecommunications and Broadcasting

The National Broadcasting and Telecommunications Commission (NBTC) oversees AI content moderation and recommendation systems.

Content Regulation:

Prohibited Content Detection: AI systems must identify and address:

  • Illegal content (child exploitation, terrorism)
  • Defamatory content
  • Misinformation during emergencies
  • Content violating Thai cultural norms

Recommendation Algorithm Transparency:

  • Disclosure of personalization criteria
  • User control over recommendations
  • Protection of minors
  • Limitation of filter bubbles

Platform Accountability:

  • Content moderation standards
  • Appeals processes
  • Transparency reporting
  • Cooperation with authorities

Thailand's National AI Strategy

Thailand's National AI Strategy and Action Plan (2022-2027) guides the country's AI development and regulation.

Strategic Pillars:

1. AI Infrastructure: Developing computing resources, datasets, and platforms to support AI innovation.

2. AI Workforce: Building AI talent through education, training, and immigration policies.

3. AI Innovation: Supporting startups, R&D, and technology transfer.

4. AI Adoption: Encouraging AI implementation across industries, especially SMEs.

5. AI Governance: Developing regulatory frameworks, ethical guidelines, and standards.

Regulatory Initiatives:

AI Sandbox: The Digital Economy Promotion Agency (DEPA) operates regulatory sandboxes allowing:

  • Testing innovative AI applications
  • Temporary regulatory exemptions
  • Controlled experimentation
  • Regulatory learning and adaptation

AI Ethics Framework: Thailand is developing national AI ethics principles covering:

  • Human-centric AI
  • Fairness and non-discrimination
  • Transparency and explainability
  • Accountability and oversight
  • Privacy and security
  • Social and environmental well-being

AI Standards: Thai Industrial Standards Institute (TISI) is adopting international AI standards:

  • ISO/IEC 42001 (AI Management Systems)
  • ISO/IEC 23894 (AI Risk Management)
  • ISO/IEC 22989 (AI Concepts and Terminology)
  • Sector-specific standards

Compliance Implementation Framework

Phase 1: Scoping and Assessment (Months 1-2)

AI System Inventory:

  • Identify all AI systems processing Thai personal data
  • Classify by risk level and data sensitivity
  • Map data flows and processing activities
  • Determine applicable regulatory requirements

PDPA Compliance Assessment:

  • Review legal bases for processing
  • Evaluate consent mechanisms
  • Assess data subject rights processes
  • Examine cross-border transfer safeguards
  • Review security measures

Sector-Specific Review:

  • Identify industry-specific requirements
  • Assess compliance with sectoral regulations
  • Review licensing and registration status
  • Evaluate reporting obligations

Gap Analysis:

  • Compare current state to requirements
  • Identify documentation gaps
  • Assess technical control deficiencies
  • Evaluate governance structure adequacy

Phase 2: Governance and Organization (Months 2-4)

Data Protection Officer (DPO):

PDPA Section 41 requires DPO appointment for:

  • Government agencies
  • Organizations processing large volumes of personal data
  • Organizations regularly processing sensitive data
  • Organizations conducting large-scale systematic monitoring

DPO Responsibilities:

  • Monitoring PDPA compliance
  • Advising on data protection obligations
  • Conducting training and awareness
  • Serving as regulatory contact point
  • Conducting internal audits

AI Governance Committee:

Establish cross-functional committee overseeing:

  • AI strategy alignment
  • Risk assessment and management
  • Ethical AI implementation
  • Compliance monitoring
  • Incident response coordination

Roles and Responsibilities:

  • Data controller and processor definitions
  • Decision-making authorities
  • Escalation procedures
  • Accountability assignments

Phase 3: Technical Implementation (Months 3-6)

Consent Management:

  • Implement consent capture mechanisms
  • Deploy preference management systems
  • Enable consent withdrawal
  • Maintain consent records

Data Subject Rights:

Implement processes for PDPA rights:

  • Access requests (Section 30)
  • Correction and deletion (Sections 31 and 32)
  • Portability (Section 33)
  • Objection to processing (Section 34)
  • Restriction of processing (Section 35)

Privacy-Enhancing Technologies:

  • Data minimization techniques
  • Pseudonymization and anonymization
  • Encryption (at rest and in transit)
  • Access controls and authentication
  • Differential privacy for model training

AI Transparency Mechanisms:

  • Explainability tools and techniques
  • Model documentation systems
  • Performance monitoring dashboards
  • Audit logging infrastructure

Security Controls:

  • Multi-factor authentication
  • Network segmentation
  • Intrusion detection and prevention
  • Security information and event management
  • Regular vulnerability assessments

Phase 4: Documentation and Policies (Months 4-7)

Required Documentation:

Records of Processing Activities (ROPA): Section 39 requires maintaining:

  • Processing purposes
  • Data categories and sources
  • Data subject categories
  • Data recipients and transfers
  • Retention periods
  • Security measures

Data Protection Impact Assessments:

  • Processing operation descriptions
  • Necessity and proportionality assessments
  • Risk identification and evaluation
  • Mitigation measures
  • DPO consultation records

Transfer Impact Assessments:

  • Destination country analysis
  • Legal framework review
  • Practical safeguards evaluation
  • Risk assessment
  • Supplementary measures identification

Policies and Procedures:

  • Privacy policy (public-facing)
  • Data protection policy (internal)
  • AI ethics and governance policy
  • Data retention and disposal policy
  • Incident response plan
  • Vendor management policy
  • Training and awareness program

Phase 5: Training and Culture (Months 6-8)

Awareness Training:

  • PDPA principles and requirements
  • Data subject rights
  • Security awareness
  • Incident identification and reporting

Role-Specific Training:

  • DPO certification and continuing education
  • AI developer training on privacy-by-design
  • Marketing team training on consent
  • Customer service training on rights requests
  • IT security team training on incident response

Executive Education:

  • Strategic compliance implications
  • Risk and liability overview
  • Governance responsibilities
  • Regulatory enforcement trends

Phase 6: Testing and Validation (Months 7-9)

Internal Audits:

  • Compliance control testing
  • Policy adherence review
  • Documentation completeness check
  • Technical control validation

Penetration Testing:

  • External security assessments
  • Vulnerability identification
  • Remediation verification
  • Ongoing security posture evaluation

AI Model Validation:

  • Performance metric evaluation
  • Bias testing and assessment
  • Explainability verification
  • Edge case analysis

Incident Response Exercises:

  • Tabletop exercises
  • Simulated data breaches
  • Response procedure testing
  • Communication protocol validation

Phase 7: Continuous Compliance (Ongoing)

Monitoring and Metrics:

  • Compliance KPIs and dashboards
  • Data subject rights request metrics
  • Incident response metrics
  • Training completion rates
  • Audit findings tracking

Regular Reviews:

  • Quarterly compliance assessments
  • Annual internal audits
  • Regular DPIA updates
  • Periodic policy reviews

Regulatory Tracking:

  • Monitor PDPC guidance and rulings
  • Track sectoral regulatory developments
  • Follow AI governance trends
  • Participate in industry consultations

Penalties and Enforcement

The PDPA establishes significant penalties for non-compliance.

Administrative Penalties:

PDPC Orders: The Personal Data Protection Committee may:

  • Order cessation of processing
  • Require corrective measures
  • Impose data deletion
  • Suspend cross-border transfers
  • Order public disclosure of violations

Civil Penalties:

  • Compensation for damages caused by violations
  • Court-ordered compliance measures
  • Injunctive relief

Criminal Penalties:

Section 70: Processing without consent or legal basis:

  • Imprisonment up to 1 year
  • Fine up to THB 1 million (≈ USD 28,000)
  • Or both

Section 71: Unlawful disclosure or transfer:

  • Imprisonment up to 1 year
  • Fine up to THB 1 million
  • Or both

Section 72: Failure to comply with PDPC orders:

  • Imprisonment up to 1 year
  • Fine up to THB 1 million
  • Or both

Section 73: Failure to notify data breach:

  • Fine up to THB 5 million (≈ USD 140,000)

Enforcement Trends:

  • Increasing scrutiny of international platforms
  • Focus on consent and transparency
  • Growing attention to automated decision-making
  • Active investigation of data breaches
  • Public enforcement actions and guidance

Best Practices for Thailand AI Compliance

1. Design Effective Consent

  • Granular, specific consent requests
  • Clear, plain language disclosures
  • Prominent placement and accessibility
  • Easy withdrawal mechanisms
  • Documented consent records

Avoid Consent Pitfalls:

  • No pre-ticked boxes
  • No consent bundling
  • No processing before consent
  • No consent as condition for unrelated services

2. Build Privacy by Design into AI

Embed Privacy from Inception:

  • Data minimization by default
  • Pseudonymization where possible
  • Automated retention and deletion
  • Privacy-preserving machine learning techniques
  • Regular privacy impact assessments

3. Ensure AI Transparency and Explainability

Implement Explainable AI:

  • Model interpretability techniques (LIME, SHAP)
  • Decision documentation and audit trails
  • User-facing explanations
  • Regular transparency reporting

Communicate Clearly:

  • Disclose AI use to data subjects
  • Explain decision-making logic
  • Provide meaningful information
  • Use accessible language

4. Conduct Regular Bias Assessments

Test for Discrimination:

  • Analyze training data for bias
  • Evaluate model outputs across demographics
  • Conduct fairness audits
  • Implement bias mitigation techniques

Monitor Ongoing Performance:

  • Continuous bias monitoring
  • Regular retraining and validation
  • Diverse testing datasets
  • Stakeholder feedback mechanisms

5. Establish Strong Vendor Management

Assess Third-Party AI Providers:

  • Due diligence on data practices
  • Contractual data protection obligations
  • Regular vendor audits
  • Incident response coordination
  • Exit and data return procedures

Maintain Accountability:

  • Clear controller-processor agreements
  • Sub-processor management
  • Documentation of instructions
  • Regular compliance reviews

6. Engage with Thai Regulators

Proactive Regulatory Engagement:

  • Participate in PDPC consultations
  • Join industry working groups
  • Seek regulatory guidance when uncertain
  • Maintain open communication channels
  • Consider sandbox participation for novel AI

Looking Ahead: Thailand's AI Regulatory Evolution

Thailand's AI regulatory landscape will continue developing as the government refines its approach to balancing innovation and protection.

Expected Developments:

Enhanced AI Governance Framework: Thailand may introduce:

  • Comprehensive AI-specific legislation
  • Risk-based AI classification system
  • Mandatory AI registration for high-risk systems
  • Algorithmic impact assessment requirements
  • AI auditing and certification schemes

Sector-Specific AI Regulations: Anticipate:

  • Detailed financial AI requirements
  • Medical AI regulatory pathways
  • Educational AI guidelines
  • Government AI procurement standards

International Alignment: Thailand is likely to:

  • Harmonize with ASEAN Digital Economy Framework
  • Adopt ISO AI standards
  • Seek adequacy recognition from GDPR jurisdictions
  • Participate in international AI governance initiatives

Enforcement Maturation: Expect:

  • More frequent PDPC enforcement actions
  • Published guidance on AI compliance
  • Industry-specific compliance frameworks
  • Capacity building for regulators and courts

Conclusion

Thailand offers a dynamic environment for AI innovation supported by an increasingly sophisticated regulatory framework. The PDPA provides a strong foundation for data governance, while sector-specific regulations address industry-specific risks. Emerging AI governance initiatives signal Thailand's commitment to responsible AI development.

Success in the Thai market requires proactive compliance with existing requirements, engagement with evolving regulations, and commitment to ethical AI practices that respect Thai legal standards and cultural values. Organizations that invest in robust governance, transparency, and stakeholder trust will be well-positioned to thrive in Thailand's AI economy.

Explore AI compliance requirements across Southeast Asia in our regional guide.

Ready to navigate Thailand's AI regulatory landscape? Contact Pertama Partners for expert compliance advisory services.

Frequently Asked Questions

Thailand's AI regulatory framework centers on the Personal Data Protection Act (PDPA) B.E. 2562, which governs how AI systems collect and process personal data. The Cybersecurity Act B.E. 2562 applies to AI systems in critical infrastructure sectors. Sector-specific regulations from the Bank of Thailand, SEC, FDA Thailand, and NBTC govern AI in financial services, healthcare, and telecommunications respectively. Thailand's National AI Strategy (2022-2027) guides AI governance development, including ethics frameworks, sandbox programs, and standards adoption.

Yes, Section 34 of the PDPA grants data subjects the right not to be subject to decisions based solely on automated processing that produces legal effects or significantly affects them. Organizations must inform data subjects about automated decision-making, explain the logic and significance, disclose data categories used, and provide mechanisms for human intervention, objection, and contesting outcomes. This applies to AI credit scoring, hiring algorithms, insurance pricing, and similar automated decisions affecting individuals' rights.

Cross-border transfers of personal data from Thailand require compliance with PDPA Section 28. Transfer mechanisms include: (1) adequacy decisions from the Personal Data Protection Committee (none designated yet); (2) PDPC-approved standard contractual clauses; (3) binding corporate rules for multinationals; or (4) explicit consent with clear disclosure. For AI training data, organizations should anonymize data where possible, conduct transfer impact assessments, implement contractual safeguards, and maintain comprehensive documentation of transfers and safeguards.

Section 41 of the PDPA requires DPO appointment for government agencies, organizations processing large volumes of personal data, organizations regularly processing sensitive data, or organizations conducting large-scale systematic monitoring. Most AI operations involving significant personal data processing will trigger DPO requirements. The DPO monitors PDPA compliance, advises on data protection obligations, conducts training, serves as regulatory contact, and performs internal audits. DPOs must have expertise in data protection law and practices.

The PDPA establishes significant penalties: criminal penalties include imprisonment up to 1 year and/or fines up to THB 1 million (approximately USD 28,000) for processing without consent, unlawful disclosure, or failure to comply with PDPC orders. Failure to notify data breaches carries fines up to THB 5 million (approximately USD 140,000). The PDPC may also issue administrative orders to cease processing, require corrective measures, impose data deletion, or suspend cross-border transfers. Civil liability includes compensation for damages caused by violations.

Section 37 requires DPIAs for processing likely to result in high risk to data subjects' rights. AI systems requiring DPIAs include: systematic large-scale profiling, automated decision-making affecting legal rights, large-scale processing of sensitive data, systematic public area monitoring, children's data processing, and innovative technology use. The DPIA must describe processing operations, assess necessity and proportionality, evaluate risks, identify safeguards, and involve the DPO. Conduct DPIAs before deploying high-risk AI systems and update them when processing changes significantly.

The Cybersecurity Act B.E. 2562 (2019) applies to critical information infrastructure (CII) operators in banking, finance, telecommunications, transportation, energy, government, and emergency services. AI systems operated by CII entities must comply with security measures including risk assessments, security monitoring, incident response procedures, business continuity planning, and regular audits. CII operators must immediately report cyber threats, provide detailed incident reports, and cooperate with government agencies. This affects AI infrastructure security, data protection, and operational resilience requirements.
