You are using an outdated browser and your browsing experience will not be optimal. Please update to the latest version of Microsoft Edge, Google Chrome or Mozilla Firefox. Install Microsoft Edge

Search
Close this search box.
July 1, 2025

Thailand’s Data Privacy Landscape in the First Half of 2025

Subscribe to Updates

Now halfway through 2025, Thailand continues to advance in the realm of data privacy, with the ambitious goal of achieving zero data breaches. The Personal Data Protection Committee (PDPC), an independent government body established by the Personal Data Protection Act (PDPA), is taking a more proactive approach, having published several rulings and orders to enhance data protection measures and clarify compliance expectations for businesses.

Here is a look back at Thailand’s data privacy developments in the first half of the year.

Strengthening Law Enforcement and New Guidance for Compliance

Enforcement of existing data protection laws and regulations has taken a step forward this year. Some of the specific initiatives include:

  • Increased enforcement by the PDPC. A key trend to watch from the first half of 2025 is the PDPC’s active enforcement of the PDPA as it intensifies oversight through compliance orders and public warnings against noncompliant organizations while ramping up efforts to prevent and halt the illegal trading of personal data by actively monitoring emerging societal issues.
  • Call center scams and cyber fraud control. Thailand published an amendment to the Emergency Decree on Measures for the Prevention and Suppression of Technological Crimes to strengthen measures against technological crimes, particularly targeting call center scams and cyber fraud.
  • Orders from the Expert Committee. Several orders issued by the Expert Committee under the PDPA were announced in the first half of this year. These include directives for data controllers to take corrective actions to comply with the PDPA, as well as initiatives to raise awareness of data privacy within organizations, reflecting the regulator’s focus on promoting organizational awareness and compliance. A guideline report summarizing the Expert Committee’s decisions and orders was also published to serve as a reference for compliance.
  • Public issue monitoring. The PDPC has been taking a more proactive approach by staying current with high-profile data privacy issues that are top of mind for the public. This has involved actively monitoring and following up on cases such as data breaches or incidents that show early signs or suspicions of potential data breaches.
  • Supporting PDPA compliance through PDPC programs. The PDPC launched several initiatives to support PDPA compliance, including training programs for key roles and executive-level personnel. A particularly noteworthy initiative is the PDPC Regulator Checklist, introduced as part of the PDPC’s advisory and inspection activities, which outlines 10 key areas that organizations should focus on to ensure compliance with the PDPA.

Promoting the Data Economy

Authorities have also been putting infrastructure in place to support data-intensive economic activity, such as:

  • Facilitating cross-border data transfers: Thailand has supported initiatives aimed at simplifying and securing cross-border data flows, such as by hosting workshops to educate businesses on adopting the ASEAN Model Contractual Clauses for Cross Border Data Flows as mechanisms to enable secure cross-border data transfers among ASEAN member states. Beyond the ASEAN level, the PDPC participated in the Global CBPR Workshop 2025, with the key objective of presenting Thailand’s progress toward joining the Global Cross-Border Privacy Rules (CBPR) framework. This certification scheme is to facilitate easier data transfers across member countries.
  • Data-sharing laws: In the first half of the year, Thailand’s Electronic Transactions Development Agency took steps to align with international standards and best practices, such as the EU’s Data Act and Data Governance Act, by releasing draft principles for future legislation on data sharing. These draft principles aim to enhance data sharing practices while ensuring robust data protection standards. These draft principles reflect Thailand’s commitment to harmonizing its data protection framework with international standards.

Advancing Ecosystems and Technology Use

Adoption and implementation of technology, particularly in regard to regulatory compliance, was also a focus, as seen in the following developments:

  • Digital technology for data compliance: The Government Platform for PDPA Compliance was established through a collaboration between the Office of the PDPC and the Office of the National Digital Economy and Society Commission to promote the implementation of the PDPA through digital technology. This initiative has been approved by the cabinet, requiring all government agencies to adopt the platform.
  • AI adoption: The adoption of AI in Thailand’s business sector was actively encouraged in ETDA’s draft AI law, which was also released in the first half of this year. This draft outlines principles for data sandboxes and the reuse of personal data (including personal data obtained for other purposes if proper privacy safeguards are in place) for AI development in the public interest.

This progress that Thailand made in the first half of 2025 reflects the country’s dedication to enhancing data privacy and protection as part of a secure digital economy. As progress continues rapidly, organizations are encouraged to stay engaged, actively maintain PDPA compliance, and regularly update their data privacy practices. We are committed to keeping pace with the evolving privacy landscape in Thailand.

Related Professionals

Industries

Technology

Location

RELATED INSIGHTS​

June 27, 2025
Three American giants are actively protecting their intellectual property rights against generative AI, as two legal battles commence on both sides of the Atlantic. In the UK, Seattle-based media company Getty Images accuses UK-based Stability AI of multiple IP infringements. In the US, The Walt Disney Company and Universal Studios are teaming up against Midjourney, an AI startup, with their main ground being copyright infringement. Both cases are centered around questions legal minds have been posing since the introduction of generative AI: Is the output of generative AI an infringement? And who is ultimately responsible for the output, the platform or the user? Getty Images v. Stability AI Getty initially filed a claim in the High Court in 2023, which resulted in Stability applying for reverse summary judgment on the grounds that Getty had no real prospect of success, arguing that their operations took place outside the UK. However, the High Court judge hearing the case decided that the claims brought by Getty did have a real prospect of succeeding in court. Despite this, Stability saw a small victory when the court ruled that the representative action brought by Getty would not succeed due to the difficulties in identifying who qualified for the class. The proposed class was comprised of 50,000 rightsholders who alleged their rights were also infringed. Stability was successful in arguing that identifying these individuals would be challenging due to the unclear definition of the class. This current trial is centered around four main grounds: Copyright infringement. Getty accuses Stability of using content that Getty owns or has an exclusive license for when training their model, Stable Diffusion, resulting in the generated output containing substantial parts of that content. Getty is also alleging secondary copyright infringement, arguing that Stability is importing an article into the UK
Read More
June 26, 2025
Vietnam’s new Personal Data Protection Law (PDPL) was passed by the National Assembly on June 26, 2025, and will enter into force on January 1, 2026. The PDPL introduces several new concepts, exemptions, and obligations in comparison with the current Decree No. 13/2023/ND-CP on personal data protection (PDPD), while other contents remain essentially the same. The relationship between the PDPD and the PDPL has not been clearly addressed; however, it is expected that the government will issue a new decree providing necessary guidance on certain requirements under the PDPL, and the PDPD will remain in effect until it is replaced by this new decree. Some key points of the new PDPL include the following: Personal data will be further defined by lists of basic personal data and sensitive personal data to be issued by the government. The consent-centric approach of the PDPD remains in place, along with additional exemptions for certain data processing activities. The requirements for the data processing impact assessment (DPIA) and transfer impact assessment (TIA) remain unchanged. However, there are new exemptions for the TIA, including for the processing and storing in the cloud of employee data, and when the data subject is the person sending its own data outside of Vietnam. Consent obtained under the PDPD remains valid under the PDPL. DPIAs and TIAs submitted under the PDPD are valid under the PDPL but may need to be updated to be in line with the requirements of the PDPL. Administrative fines depend on the type of violation. The fine for sale and purchase of personal data will be 10 times the revenue from the sale or VND 3 billion (about USD 115,000), whichever is higher. The fine for cross-border transfer violations is 5% of the violator’s revenue of the preceding year or VND 3 billion,
Read More
June 25, 2025
Generative artificial intelligence (GenAI) is no longer a distant innovation confined to science fiction and research labs; it has become an integral part of daily business operations worldwide. Employees across industries are adopting GenAI tools at a remarkable pace—including in Southeast Asia, where a tech-savvy workforce and widespread internet and mobile access have driven early adoption. The reality facing organizations today is clear: employees are integrating GenAI into their daily work, often without official approval or clear policies. This phenomenon, often called “Bring Your Own AI,” comes out of a disconnect between organizational governance and employee behavior and reveals the urgent need for proactive AI policies and oversight. For business leaders and legal teams, GenAI is both an opportunity and a challenge. On one hand, these tools can deliver real business value and boost efficiency. On the other, the unsanctioned and unmonitored use of GenAI introduces substantial legal risks, such as data privacy violations, confidentiality breaches, and intellectual property issues. The widespread adoption of GenAI tools by employees, regardless of official organizational stance or guidelines, demonstrates that prohibition is neither practical nor effective. A more strategic approach involves establishing comprehensive governance policies that encourage responsible AI use while managing the risks. Organizations that take the lead in developing GenAI governance policies are better positioned to benefit from its transformative potential. The question isn’t whether GenAI will change how we work, but how quickly organizations can put the right safeguards in place to manage this change successfully. Risks of GenAI Use The use of GenAI in business operations, whether sanctioned or not, exposes organizations to a unique set of risks. The following are particularly relevant: Data security and confidentiality: General GenAI tools in the market may transmit data to external servers, retain conversation histories, and use inputs for model training.
Read More
June 19, 2025
The Bank of Thailand (BOT) has released draft guidelines establishing principles for managing artificial intelligence (AI) risks in the financial sector. The draft guidelines provide a structured framework for the responsible adoption of AI technologies. Financial service providers will be able to use the guidelines as a reference to appropriately manage their risks in a manner that aligns with internationally recognized best practices. The BOT is accepting public comments on the draft guidelines until June 30, 2025. Scope and Application The draft guidelines apply to all financial service providers, including financial institutions and special financial institutions under the Financial Institution Business Act, as well as payment providers under the Payment Systems Act. These guidelines supplement existing BOT risk management guidelines covering IT risk management, third-party risk management, data governance, and market conduct. The guidelines define AI systems as systems that mimic human intelligence, including machine learning, deep learning, generative AI (such as large language models), and agentic AI. This definition specifically excludes rule-based automation systems like robotic process automation and condition matching. Key Risk Management Principles The guidelines lay out two main principles in managing AI risk. Governance: Financial service providers should define and establish clear roles and responsibilities for their personnel and AI system supervision structures to uphold FEAT (fairness, ethics, accountability, and transparency) principles as follows: Stakeholder roles and responsibilities. Financial service providers should define roles and responsibilities for boards and executives on AI risk oversight. Responsibilities include establishing an AI system usage policy, designating personnel responsible for AI risk management, and building awareness of AI-related risk within the organization. AI system usage policy. The AI system usage policy should be aligned with organizational objectives, regulatory requirements, and FEAT principles. These policies should be reviewed regularly to respond to technological advancements and evolving risk profiles. Risk management
Read More

Contact

We have seven offices in six countries
across Southeast Asia.

Contact Us

Careers

We are always seeking great people to grow
our amazing team.

Join Us

Networks

© 2024 Tilleke & Gibbins International Ltd. All rights reserved.

© 2020 Tilleke & Gibbins International Ltd. All rights reserved.

Privacy Policy

| Fraudulent Communications

| Legal Notice