You are using an outdated browser and your browsing experience will not be optimal. Please update to the latest version of Microsoft Edge, Google Chrome or Mozilla Firefox. Install Microsoft Edge

January 30, 2026

Key Takeaways from Thailand’s Data Privacy Day 2026

Subscribe to Updates

Thailand’s Data Privacy Day 2026, hosted by the Office of the Personal Data Protection Committee (PDPC), underscored the country’s commitment to strengthening personal data protection, advancing regulatory maturity, and preparing organizations for the next phase of PDPA enforcement. The event marked a clear shift from policy-level compliance toward “Privacy in Action,” signaling that operational readiness and real-world implementation are now priorities.

The Office of the PDPC also emphasized that data protection is now a national economic enabler that supports digital trust, competitiveness, and sustainable growth, not just a compliance obligation.

The following insights summarize the key takeaways from the Data Privacy Day 2026 event.

PDPA in Real Life: What Happens to Your Data Today

The Office of the PDPC provided concrete data on enforcement trends and real-world compliance issues facing organizations across Thailand.

Complaints and trends. The Office of the PDPC’s Personal Data Protection Act (PDPA) Center recorded 2,672 PDPA-related complaints as of January 2026, with the highest volumes involving failure to comply with the data minimization principle, collection without lawful basis, and use and disclosure without lawful basis.

Administrative penalties. Several administrative penalties have been imposed on data controllers and data processors across various sectors, including government, healthcare, retail, SMEs and e-commerce, ranging from tens of thousands to several million baht. Most violations stemmed from weak security measures, failure to notify data breaches within the required timeline, absence of a data protection officer (DPO) when required, and noncompliance with governance requirements such as the Record of Processing Activities (ROPA) and data processing agreements with data processors.

Case studies. The Office of the PDPC highlighted specific examples of violations:

  • Hospitals misused personal data for purposes beyond their intended scope (e.g., using personal data collected for providing medical services to send birthday cards)
  • Vendors compromised systems due to inadequate password protocols and the absence of firewalls, resulting in unauthorized access

AI and Privacy: Regulatory Expectations in the Emerging Landscape

Thailand is moving toward a clearer regulatory framework for AI, with the AI Act currently in draft form. While the PDPA does not regulate AI itself, it governs personal data used within AI systems, meaning organizations, not the AI, remain fully accountable for any misuse or unlawful processing of personal data.

Key expectations highlighted for businesses include:

  • The use of AI is allowed, but accountability remains fundamental. Organizations must take full responsibility for how personal data is processed through AI systems.
  • Strong resource and access governance is necessary. Organizations must prevent uncontrolled AI usage and avoid over-sharing of data through proper data classification to restrict AI access to relevant datasets.
  • AI deployment may trigger obligations under other laws. While there is currently no specific law regulating the use of AI, AI deployment may trigger obligations under civil and commercial law, road traffic laws in relation to autonomous systems, and other regulations, reinforcing the need for comprehensive risk assessment.
  • Alignment with forthcoming guidelines. The Office of the PDPC is currently developing practical guidelines on personal data protection in the use and development of AI technologies. Organizations should align AI use with these forthcoming guidelines aimed at supporting safe innovation while adhering to PDPA requirements.

International Cooperation and Cross-Border Transfers

Efforts continue to advance Thailand’s participation in the Global Cross-Border Privacy Rules (CBPR) and strengthen alignment with regional data-protection frameworks. Organizations operating across borders should expect tighter scrutiny of cross-border transfers, including more rigorous requirements for risk assessments and transfer impact analyses to ensure compliance in multi-jurisdictional environments.

Data Breach Incident Monitoring

The PDPC Eagle Eye, a division within the Office of the PDPC, has launched advanced tools such as the PDPC Eagle Eye Crawler, which enables continuous URL access and facilitates 24-hour monitoring of data breach incidents. Additionally, the PDPC Eagle Eye shared details about their plan to send inspection letters to organizations for advisory reasons.

Privacy Maturity Model and Privacy Index

The Office of the PDPC introduced new tools to help organizations assess and improve their data protection practices.

The Privacy Maturity Model assesses an organization’s readiness for personal data protection. The Privacy Index measures data protection levels using both privacy data (such as survey results and Privacy Maturity Model scores) and secondary data (like public information), giving organizations an overview of their privacy risk management capabilities.

Information derived from the Privacy Maturity Model and Privacy Index can then be used toward obtaining the Personal Data Protection Certification Mark, an upcoming certification program to recognize compliant organizations.

Outlook for 2026

Based on the Office of the PDPC’s roadmap and expert discussions during the Data Privacy Day event, organizations should expect several key developments in the coming year:

  • Data privacy must go beyond policy and legal compliance to practical implementation in all systems and operations.
  • Heightened enforcement, driven by expanded automated surveillance capabilities such as the PDPC Eagle Eye Crawler and the rollout of inspection letters for advisory purposes.
  • Stronger national PDPA infrastructure, with continued development of PDPA Centers and Trustmark certification.
  • Closer alignment with international privacy standards, supporting Thailand’s role in cross-border digital trade and strengthened mechanisms to support trusted cross-border data flows.
  • Increased regulatory attention on AI governance, with forthcoming guidance to ensure AI use complies with data-protection principles and standards.
  • A nationwide push toward a “new data-ethics culture” emphasizing legal compliance, incident prevention, organizational cooperation, and the use of technology to strengthen national and public trust, anchored in the national goal of improving data security, attracting investments, and enhancing quality of life.

Organizations should treat 2026 as a critical year for operationalizing privacy compliance, building robust governance frameworks, and preparing for more active regulatory oversight. The shift from policy to practice means that demonstrable implementation, not just documentation, will be the standard by which compliance is measured.

Related Professionals

Industries

Technology

Location

RELATED INSIGHTS​

December 12, 2025
Tilleke & Gibbins has updated the Cambodia, Myanmar, Thailand, and Vietnam chapters in Multilaw’s Global Data Protection Guide, which collects expert advice from Multilaw member firms in 90 jurisdictions around the world (including a Laos chapter, which is also authored by Tilleke & Gibbins). The guide provides answers to key issues concerning the fast-developing data protection and privacy laws around the world, and helps data protection officers and in-house counsel understand how the regulatory regime for data protection can affect their organizations in various jurisdictions. Each section of the guide identifies the main laws that govern data protection in that jurisdiction, and gives a detailed overview of the legal principles in place as well as the enforcement authorities responsible for overseeing compliance. The guide also covers issues related to data subject rights, data protection officers, impact assessments, data breach notification requirements, and cross border data transfers. The use of personal data in marketing is also considered, with specific information on electronic marketing rules, cookies, and marketing to businesses and consumers. Multilaw, of which Tilleke & Gibbins is a longtime member, is a global network of carefully selected independent law firms able to provide expert legal advice in complex environments around the globe. The full guide is available for free on the Multilaw website.
Read More
December 11, 2025
On December 10, 2025, the National Assembly of Vietnam passed a new Cybersecurity Law, which will take effect on July 1, 2026. The new Cybersecurity Law was developed based on the consolidation of the 2018 Cybersecurity Law and the 2015 Law on Network Information Security. While the final approved version of the new Cybersecurity Law has not yet been published, according to official reports, the following notable requirements are confirmed to be included: The new Cybersecurity Law dedicates a specific article to prohibited acts related to cybersecurity, under which it strictly prohibits posting or disseminating information online that propagandizes against the Socialist Republic of Vietnam. The law also prohibits, among other things, (i) the appropriation, trading, seizure, or intentional disclosure of information classified as state secrets, work secrets, business secrets, personal secrets, family secrets, and private life; (ii) intentionally eavesdropping, recording, or filming online conversations without authorization; and (iii) the use of artificial intelligence (AI) or new technologies to conduct prohibited acts. The Ministry of Public Security (MPS) has the authority to require enterprises providing telecommunications, internet, and online services, as well as system administrators, to remove information violating cybersecurity laws from systems under their management. The MPS is also assigned responsibility for ensuring information security in cyberspace and data security, establishing mechanisms for IP address identity management, verifying digital account registration information, and issuing warnings and sharing information on cybersecurity threats. Information systems are classified into five levels (similar to the 2015 Law on Network Information Security) based on the degree of harm to national security and social order if an incident occurs. The MPS is the lead agency assisting the government in state management of cybersecurity. The Ministry of National Defense is responsible for managing military information systems, and the Government Cipher Committee manages cryptographic and cipher
Read More
December 4, 2025
Thailand has expanded the circumstances under which state agencies may bypass competitive bidding procedures to address urgent security challenges. On November 28, 2025, Thailand’s Ministry of Finance published the Ministerial Regulation Determining Cases of Procurement by Specific Method (No. 6) B.E. 2568 in the Royal Gazette, introducing a new pathway for procuring supplies and services needed to address cyber and military threats that may affect the stability of government agencies or the nation. For technology vendors, cybersecurity firms, and defense contractors, this regulatory change creates immediate opportunities to engage directly with government buyers facing urgent security challenges. New Fast-Track Category for Security Threats The regulation amends Thailand’s Public Procurement and Supplies Management Act B.E. 2560 (2017) to add a new category of procurement that qualifies for the “specific method”—a noncompetitive, direct selection process. Previously, agencies could use this expedited method only in limited circumstances, such as emergencies, cases with proprietary technology requirements, or national security operations. The new provision explicitly covers procurement of supplies related to preventing or resolving cyber or military threats that could impact the stability of a state agency or the country. This addition recognizes the urgent nature of modern security challenges, where competitive bidding timelines may leave agencies vulnerable during critical threat windows. State agencies dealing with active cyberattacks, preparing defensive measures against anticipated threats, or responding to military security concerns can now move directly to negotiate with qualified vendors rather than conducting lengthy public tender processes. Vendor Considerations Vendors offering cybersecurity solutions now have a regulatory avenue to work directly with government clients when stability concerns are present. These solutions include threat detection systems, anti-ransomware tools, incident response services, firewalls, and security consulting. Similarly, defense contractors providing military equipment or specialized security supplies can pursue direct engagement channels where traditional procurement methods would create
Read More
December 3, 2025
Thailand’s Civil Court has issued a regulation targeting the use of artificial intelligence (AI) in the preparation of pleadings and other documents submitted to the court. Effective November 17, 2025, the regulation aligns with September 2025 guidance from the president of the Supreme Court, and aims to safeguard accuracy, transparency, and public confidence in civil adjudication. The regulation applies to all parties submitting pleadings or any documents to the Civil Court that are prepared using AI tools or contain AI-generated content. It subjects AI used for these purposes to strict requirements on verification, disclosure, and accountability. Core Obligations The regulation imposes four principal obligations: Lawyers who use AI remain subject to duties of honesty, responsibility to the court, professional standards, and legal ethics, including the duty to assess the appropriateness of the AI tool for the work. Parties and lawyers must verify the accuracy and completeness of all facts, legal provisions, and citations in AI-generated content before submission. Parties and lawyers must disclose to the court any AI-generated content by clearly marking the beginning and end of the AI-generated portion with prescribed statements (see below). Additionally, a certification confirming the use of AI must be provided at the end of the pleading or document, stating that AI was used for certain portions and that the party has reviewed and certifies the accuracy of factual and legal content. Parties and lawyers bear the same full legal and ethical responsibility for AI-generated content as they do for personally authored documents; they cannot evade responsibility or avoid liability by citing AI-related errors. Likewise, parties must ensure that any AI-generated content is truthful, accurate, and unbiased. Prescribed Disclosure Language Each instance of AI-generated content must be preceded by the statement “[The following content was prepared using artificial intelligence]” and must end with “[End
Read More