You are using an outdated browser and your browsing experience will not be optimal. Please update to the latest version of Microsoft Edge, Google Chrome or Mozilla Firefox. Install Microsoft Edge

April 2, 2026

Thailand Insurance Industry: AI and Privacy Regulatory Updates

Subscribe to Updates

Thailand’s Personal Data Protection Act (PDPA) enforcement has entered a new phase, and the insurance industry is squarely in the regulatory spotlight. The Personal Data Protection Committee (PDPC) considers insurers “large-scale” processors of sensitive data—including health records, financial information, and biometric data—making the sector a focal point for enforcement action. In August 2025 alone, the PDPC issued administrative fines totaling THB 21.5 million, and fines for individual violations have ranged from THB 50,000 to THB 2 million. The PDPC has also deployed its “Eagle Eye Crawler,” an AI-driven surveillance tool that monitors websites around the clock for data leaks and noncompliant privacy notices. This article highlights the key regulatory developments directly affecting insurers and outlines practical steps toward compliance.

What Has Changed: OIC and PDPC Alignment

The Office of Insurance Commission (OIC) has synchronized its sector-specific rules with the PDPA through the Notification on Customer Personal Data Protection (No. 2) B.E. 2568 (2025). The combined effect of the PDPC’s general enforcement push and the OIC’s sectoral guidance creates four critical compliance areas for insurers.

  • Consent unbundling. Consent for marketing must be strictly separated from the core insurance contract; bundling marketing consent into the policy application is no longer permissible.
  • Agent and intermediary oversight. Insurance intermediaries are generally classified as data processors, meaning that insurers—as data controllers—must provide specific written instructions and security protocols to all agents and brokers. A 2026 enforcement trend shows controllers being held liable for the “weak security” of their vendors and downstream processors.
  • Enhanced privacy notices. Insurers must provide a summary privacy notice alongside the full policy, plainly stating categories of data, purposes, lawful bases, disclosure recipients, cross-border transfers, retention periods, data subject rights, and easy marketing opt-out channels.
  • DPO registration and ROPA. All organizations involved in “regular or systematic monitoring of data subjects on a large scale”—expressly including insurance—must appoint and register a data protection officer (DPO). The absence of a registered DPO or an outdated record of processing activities (ROPA) that fails to map agent-level data flows is now considered a high-risk compliance gap.

AI in Insurance: Draft PDPC Guidelines

The PDPC’s draft AI guidelines carry particular significance for insurers. The guidelines single out insurance risk assessments as an example of automated decision-making that produces legal effects or significantly affects data subjects. Organizations using AI-driven tools for underwriting, claims processing, or policy recommendations must implement a human-in-the-loop mechanism with actual authority to overturn AI decisions and must document processes for data subjects to request review. A data protection impact assessment (DPIA) is required for high-risk AI projects, including automated decision-making with legal effects and large-scale processing of sensitive data. Leakage of sensitive health or financial data through AI systems is categorized as high risk, requiring notification to both the PDPC and affected data subjects without delay.

Cross-Border Data Transfers

For multinational insurance groups, a binding corporate rules (BCRs) regulation became fully effective on February 17, 2026, providing a formal mechanism for intragroup cross-border transfers. Groups that already hold GDPR-approved BCRs may use a “fast-track” process by submitting their existing BCRs together with a Thailand addendum. Alternatively, Standard Contractual Clauses based on the ASEAN Model Contractual Clauses may be used for transfers to third-party reinsurers or service providers outside Thailand.

Practical Compliance Steps

Given the current regulatory landscape, insurers should consider the following immediate and near-term actions.

  • Governance and organization. Register a DPO with the PDPC if not already done, and ensure that the DPO has a direct reporting line to senior management with sufficient authority and resources to fulfill the role. Update the ROPA to comprehensively map all processing activities, including data flows through agents, brokers, and third-party administrators.
  • Consent architecture overhaul. Redesign application forms and digital onboarding flows so that marketing consent is presented as a separate, clearly labeled opt-in, entirely distinct from the consent required for the insurance contract itself. Ensure that refusal to consent to marketing does not affect the customer’s ability to obtain coverage.
  • Agent and vendor compliance program. Issue updated written instructions and security protocols to all insurance intermediaries classified as data processors. Review and strengthen data processing agreements with all third-party processors, including specific provisions for PDPA responsibilities, security standards, audit rights, breach notification obligations, and end-of-term data deletion or return. Implement a periodic audit cycle—rather than relying on static contractual commitments—to verify vendor compliance.
  • Privacy notice refresh. Prepare a concise summary privacy notice for distribution alongside insurance policies, covering all required elements under the OIC guidance. For digital tele-sales, implement prerecording disclosures informing customers that their voice or image data will be processed under the PDPA.
  • AI and automated decision-making readiness. Conduct DPIAs for all AI-driven underwriting, claims, and risk-assessment tools currently in use or under development. Establish a documented human-in-the-loop process for any automated decision that produces legal effects on policyholders, including a clear escalation path and a mechanism for data subjects to contest decisions.
  • Breach response preparedness. Ensure that internal incident response plans can meet the 72-hour notification deadline to the PDPC, with particular attention to AI-related data leakage scenarios.
  • Cross-border transfer mechanism. For multinational groups, evaluate whether BCR certification—including the fast-track route—or SCCs provide the most efficient path for data transfers to group entities or reinsurers abroad.

Outlook

Thailand’s insurance sector faces a significantly more demanding compliance environment as PDPA enforcement matures and OIC alignment tightens. The convergence of stricter consent rules, expanded liability for intermediary conduct, new AI governance expectations, and a workable cross-border transfer framework means that insurers must move from reactive compliance to proactive data governance. Organizations that address these areas systematically—beginning with DPO registration, ROPA updates, and consent architecture—will be best positioned to manage regulatory risk and maintain the trust of their policyholders.

Related Professionals

Industries

Insurance

Technology

Location

RELATED INSIGHTS​

March 6, 2026
Thailand’s Legislation Consideration Committee of the Ministry of Interior has ruled that in-game loot boxes in online games do not constitute gambling under the Gambling Act B.E. 2478 (1935). This first-of-its-kind ruling provides useful guidance for online game operators and digital entertainment companies operating in Thailand. Background The ruling came in response to an inquiry concerning an online role-playing game operator that launched a campaign featuring a loot box mechanism. The mechanism allowed players to purchase a token in exchange for the opportunity to receive a virtual loot box containing randomized in-game items. The key features of this were as follows: The items received were digital, noncash items usable only within the game. The items could not be exchanged, redeemed, or converted into cash with the game operator. Items may differ in rarity but remain purely virtual. The central question was whether paying money to obtain randomized in-game items constituted a risk-based activity involving the chance to receive money or property of monetary value, which would constitute gambling under the Gambling Act. Committee Ruling The committee reached the following conclusions regarding the characteristics of the game’s loot-box mechanism: No cash or monetary equivalent: Players did not receive cash or property that could be exchanged for cash. The in-game items were merely usage rights within the online game ecosystem. No real-world monetary valuation: There was no determination of item value in real currency, and no mechanism for redeeming or converting items into money with the game operator. Any off-platform trading of in-game items between players is irrelevant to online game operators, as any value arising from such transactions is determined by the market rather than by the operators themselves. Service fee characterization: Payments made by players purchasing in-game loot boxes constituted fees for online game services. Accordingly, the committee concluded
Read More
March 5, 2026
Thailand’s Securities and Exchange Commission (SEC) has filed a criminal complaint against a licensed digital asset broker, its overseas trading platform, and its executives for allegedly operating an unlicensed digital asset exchange targeting Thai customers. The case marks an escalation in the SEC’s enforcement efforts against unlicensed offshore platforms that attempt to serve Thai users through local licensed entities. Criminal Complaint On February 20, 2026, the SEC filed a criminal complaint with the Economic Crime Suppression Division against a local licensed digital asset broker, its overseas global trading platform, and its executives. The SEC alleges that the parties violated the Digital Asset Business Emergency Decree B.E. 2561 (2018) by cooperatively operating a digital asset exchange business on a cross-border basis since 2023 without the required SEC license. According to the SEC, the local broker promoted the overseas platform’s services to the public through Thai-language posts on social media channels, with services available exclusively to customers residing in Thailand. Access to the global platform was provided through the local broker’s website and mobile application. Customers who registered for the local broker’s services were automatically granted access to the global platform without having to undergo a separate identity verification process. The SEC also found that the local broker provided back-office system support services to the global platform. The SEC considers these activities to constitute joint operation of an unlicensed digital asset exchange. The former executives of the local broker are being held liable as the responsible persons during the relevant period. The SEC emphasized that the complaint initiates the criminal process, and the decision to prosecute or convict the accused parties will ultimately be made by law enforcement authorities and the criminal courts. Platform Blocking The SEC has also coordinated with the Ministry of Digital Economy and Society to block public
Read More
February 27, 2026
The Bank of Thailand (BOT) has officially implemented a new regulatory framework supervising systemically important retail payment systems (SIRPS), effective February 21, 2026, with PromptPay being the first payment system designated as a SIRPS. Under this new set of regulations, the BOT may designate payment systems under the Payment Systems Act B.E. 2560 (2017) as SIRPSs based on quantitative and qualitative assessments. Once a system is designated as a SIRPS, the operator becomes subject to expanded supervisory obligations beyond the general requirements of the Payment Systems Act. Enhanced Supervisory Requirements SIRPS operators must comply with a heightened supervisory regime across three key areas, outlined below. 1. Governance SIRPS operators must maintain robust and transparent governance structures, including: Balanced board composition, with at least one-third of the board comprising independent directors who represent stakeholders in the system (such as payment service providers, consumers, and experts). Independent directors may serve for no more than two consecutive terms. Subcommittees to assist the board in overseeing compliance, policy implementation, and operational strategy. Clear separation between executives responsible for risk and information security and those overseeing day-to-day business operations. Risk Management and System SecuritySIRPS operators must implement comprehensive risk management frameworks, including: Clear service agreements between the SIRPS operator and its direct participants (payment service providers who connect directly to the SIRPS), defining roles and responsibilities among stakeholders. These agreements must include obligations for direct SIRPS participants to supervise any indirect participants they onboard to ensure compliance with service agreements and business rules. A business continuity plan covering both IT and non-IT aspects, with annual review. The SIRPS must target service availability comparable to international payment infrastructures, including the ability to recover operations within two hours of a disruption and to maintain scalable operational capacity. Tools and controls to monitor and manage material or
Read More
February 26, 2026
Thailand is preparing to offer new tools for intellectual property enforcement as the Electronic Transactions Development Agency (ETDA) recently released for public consultation a draft notification requiring social media platforms to verify user identities and conduct know-your-customer (KYC) checks on advertisers. The draft Notification of the Electronic Transactions Commission on Measures to Prevent Technological Crimes for Social Media Service Providers, which is to be issued under the Emergency Decree on Measures for the Prevention and Suppression of Technological Crimes B.E. 2566 (2023), as amended in 2025, primarily aims to combat online fraud and technology-related crimes. However, its new obligations also provide IP owners with valuable tools to identify anonymous infringers. Key Regulatory Mandates The draft notification imposes several verification requirements on social media platforms operating in Thailand. These requirements also strengthen IP rights holders’ ability to identify anonymous infringers, as platforms must: Verify user identities through registered phone numbers and link all accounts to verifiable identities. Conduct KYC checks on advertisers, including individuals, companies, and any third-party payers. Perform heightened identity checks for high-risk or repeat offenders before publishing advertisements. Promptly remove content flagged by the Anti-Technology Crime Division and prescreen advertisements for prohibited or high-risk content. How IP Owners Can Use This Notification for Enforcement The phone number–based verification requirement enables IP owners to work more effectively with enforcement authorities in tracing individuals or entities responsible for infringing content. The comprehensive advertiser KYC obligations, including mandatory disclosure of third-party payment sources, create a clear audit trail even when bad actors attempt to obscure their identity through intermediaries or shell accounts. This traceability is essential for pursuing damages and dismantling organized counterfeit operations. The ETDA is now considering adjustments to the draft notification after receiving comments during the public consultation period, which ended on February 2, 2026. Following finalization
Read More