You are using an outdated browser and your browsing experience will not be optimal. Please update to the latest version of Microsoft Edge, Google Chrome or Mozilla Firefox. Install Microsoft Edge

Search
Close this search box.
July 1, 2025

Thailand’s Data Privacy Landscape in the First Half of 2025

Subscribe to Updates

Now halfway through 2025, Thailand continues to advance in the realm of data privacy, with the ambitious goal of achieving zero data breaches. The Personal Data Protection Committee (PDPC), an independent government body established by the Personal Data Protection Act (PDPA), is taking a more proactive approach, having published several rulings and orders to enhance data protection measures and clarify compliance expectations for businesses.

Here is a look back at Thailand’s data privacy developments in the first half of the year.

Strengthening Law Enforcement and New Guidance for Compliance

Enforcement of existing data protection laws and regulations has taken a step forward this year. Some of the specific initiatives include:

  • Increased enforcement by the PDPC. A key trend to watch from the first half of 2025 is the PDPC’s active enforcement of the PDPA as it intensifies oversight through compliance orders and public warnings against noncompliant organizations while ramping up efforts to prevent and halt the illegal trading of personal data by actively monitoring emerging societal issues.
  • Call center scams and cyber fraud control. Thailand published an amendment to the Emergency Decree on Measures for the Prevention and Suppression of Technological Crimes to strengthen measures against technological crimes, particularly targeting call center scams and cyber fraud.
  • Orders from the Expert Committee. Several orders issued by the Expert Committee under the PDPA were announced in the first half of this year. These include directives for data controllers to take corrective actions to comply with the PDPA, as well as initiatives to raise awareness of data privacy within organizations, reflecting the regulator’s focus on promoting organizational awareness and compliance. A guideline report summarizing the Expert Committee’s decisions and orders was also published to serve as a reference for compliance.
  • Public issue monitoring. The PDPC has been taking a more proactive approach by staying current with high-profile data privacy issues that are top of mind for the public. This has involved actively monitoring and following up on cases such as data breaches or incidents that show early signs or suspicions of potential data breaches.
  • Supporting PDPA compliance through PDPC programs. The PDPC launched several initiatives to support PDPA compliance, including training programs for key roles and executive-level personnel. A particularly noteworthy initiative is the PDPC Regulator Checklist, introduced as part of the PDPC’s advisory and inspection activities, which outlines 10 key areas that organizations should focus on to ensure compliance with the PDPA.

Promoting the Data Economy

Authorities have also been putting infrastructure in place to support data-intensive economic activity, such as:

  • Facilitating cross-border data transfers: Thailand has supported initiatives aimed at simplifying and securing cross-border data flows, such as by hosting workshops to educate businesses on adopting the ASEAN Model Contractual Clauses for Cross Border Data Flows as mechanisms to enable secure cross-border data transfers among ASEAN member states. Beyond the ASEAN level, the PDPC participated in the Global CBPR Workshop 2025, with the key objective of presenting Thailand’s progress toward joining the Global Cross-Border Privacy Rules (CBPR) framework. This certification scheme is to facilitate easier data transfers across member countries.
  • Data-sharing laws: In the first half of the year, Thailand’s Electronic Transactions Development Agency took steps to align with international standards and best practices, such as the EU’s Data Act and Data Governance Act, by releasing draft principles for future legislation on data sharing. These draft principles aim to enhance data sharing practices while ensuring robust data protection standards. These draft principles reflect Thailand’s commitment to harmonizing its data protection framework with international standards.

Advancing Ecosystems and Technology Use

Adoption and implementation of technology, particularly in regard to regulatory compliance, was also a focus, as seen in the following developments:

  • Digital technology for data compliance: The Government Platform for PDPA Compliance was established through a collaboration between the Office of the PDPC and the Office of the National Digital Economy and Society Commission to promote the implementation of the PDPA through digital technology. This initiative has been approved by the cabinet, requiring all government agencies to adopt the platform.
  • AI adoption: The adoption of AI in Thailand’s business sector was actively encouraged in ETDA’s draft AI law, which was also released in the first half of this year. This draft outlines principles for data sandboxes and the reuse of personal data (including personal data obtained for other purposes if proper privacy safeguards are in place) for AI development in the public interest.

This progress that Thailand made in the first half of 2025 reflects the country’s dedication to enhancing data privacy and protection as part of a secure digital economy. As progress continues rapidly, organizations are encouraged to stay engaged, actively maintain PDPA compliance, and regularly update their data privacy practices. We are committed to keeping pace with the evolving privacy landscape in Thailand.

Related Professionals

Industries

Technology

Location

RELATED INSIGHTS​

July 17, 2025
On July 9, 2025, Thailand issued a notification that introduces comprehensive operational requirements for digital platform service providers operating as goods marketplaces, effective December 31, 2025 (i.e., 180 days after its publication in the Government Gazette). The regulation’s official name is Notification of the Electronic Transactions Committee Re: Other Actions for Digital Platform Service Operators in the Category of Marketplace for Goods with Specific Characteristics under Section 18(2) of the Royal Decree on the Operation of Digital Platform Service Businesses that are Subject to Prior Notification B.E. 2565 (2022), B.E. 2568 (2025). Scope of Application The notification applies exclusively to goods marketplace operators formally designated by the Electronic Transactions Development Agency (ETDA), which on the same day designated 19 platforms that had previously notified the ETDA of their operations. The goods requiring enhanced oversight by these operators are limited to those regulated by the Thai Food and Drug Administration (FDA) and the Thai Industrial Standards Institute (TISI). Development from Earlier Draft An earlier draft of the notification had included a requirement for offshore platforms to establish a local entity, but this requirement was removed from the final notification. Key Obligations Despite the removal of the local entity requirement, the notification imposes a range of additional obligations on designated goods marketplace operators: Transparency. Operators must implement robust transparency measures, including clear, accessible, and understandable disclosures to users in Thai. These disclosures must cover all relevant terms and conditions, comprehensive product information, and complaint management procedures. Operators must also submit an annual compliance report to the ETDA within 60 days after the end of their accounting period, including statistics on regulated goods. Business user registration and identity verification. Before permitting the sale or advertisement of regulated goods, operators must collect and verify business user information, including contact details, identification documents, registration
Read More
July 15, 2025
Thailand has established new safe harbor rules that require social media platforms to remove specified content within 24 hours of government notification. On July 5, 2025, the Notification of the Electronic Transactions Commission on Measures to Prevent Technological Crimes for Social Media Service Providers was issued and took effect. This followed a hearing in May 2025 where only a select group of social media and online communication platform operators were invited to attend and comment on draft rules that could exempt social media platform operators from joint liability under the amended Emergency Decree on Measures for the Prevention and Suppression of Technological Crimes in cases involving victims of technological crimes. Safe Harbor Rules The notification stipulates procedures that must be followed in order to receive the protection of the safe harbor rules. Upon being notified by the Division of Prevention and Suppression of Cybercrime, Office of the Permanent Secretary of the Ministry of Digital Economy and Society (MDES) of the presence of false or misleading information that may lead to the commission of a technological crime, social media service providers must immediately take down the specified content, with a maximum allowable turnaround time of 24 hours from the time of receiving the notification. Social media service providers are required to promptly report the outcome of each takedown to the MDES Division of Prevention and Suppression. This shift in Thailand’s regulatory approach to social media content moderation establishes clear government oversight mechanisms while providing platforms with liability protection for compliance. As the new rules took immediate effect, social media platforms need to ensure that they have adequate systems and processes in place to comply with the requirements.
Read More
July 11, 2025
Vietnam’s recent embrace of “regulatory sandboxes” reflects a deliberate policy choice to balance the need for robust oversight with an equally pressing imperative to catalyze innovation. A sandbox is a controlled, time-bound framework in which businesses may pilot emerging technologies, products, or business models under relaxed or tailor-made regulatory requirements, thereby allowing regulators to observe risks in real time while innovators validate commercial viability without bearing the full weight of the traditional compliance regime. By issuing sandbox regulations, the government of Vietnam is signaling its commitment to accelerating digital transformation, attracting investment, and developing a knowledge-based economy, all while safeguarding financial stability, consumer protection, and national security. This strategy is embodied in a suite of instruments that together establish sector-specific sandboxes: Decree No. 94/2025/ND-CP on the Regulatory Sandbox in the Banking Sector (Fintech Sandbox Decree), effective July 1, 2025. Law on Digital Technology Industry (DTI Law), effective January 1, 2026, and Law on Science, Technology and Innovation (STI Law), effective October 1, 2025. Resolution No. 222/2025/QH15 on International Financial Centers (IFC Resolution), effective September 1, 2025. In addition, a draft resolution on the pilot implementation of the crypto-asset market (Draft Crypto Pilot Resolution) is expected to introduce a dedicated sandbox for crypto-asset service providers later this year, further underscoring Vietnam’s holistic, forward-looking approach to regulating emerging technologies. Below is a brief summary of all the regulatory sandboxes, who they are open for, and what businesses are attracted. Fintech Sandbox Decree Under the Fintech Sandbox Decree, besides credit institutions and foreign bank branches, fintech companies operating in Vietnam can apply for a Certificate of Sandbox Participation issued by the State Bank of Vietnam to operate any of the following services in Vietnam: Credit scoring: A solution applicable to information technology systems of credit institutions, branches of foreign banks, and fintech
Read More
July 11, 2025
On June 10, 2025, Thailand’s Supreme Administrative Court accepted for consideration a pivotal lawsuit concerning the regulatory obligations of administrative agencies over internet-based television broadcasting services, commonly referred to as over-the-top (OTT) services. This court’s decision in the case may set important precedents for how OTT platforms are regulated, especially regarding consumer protections and advertising practices. Background A user of an OTT television application initiated legal action against the National Broadcasting and Telecommunications Commission (NBTC) and related officials, alleging that the lack of clear regulatory criteria and oversight allowed OTT operators to broadcast general television content while compelling users to view advertisements before and during programming. The plaintiff argued this constituted consumer exploitation and claimed that the responsible authorities neglected or delayed their statutory duties under the Act on the Organization to Assign Radio Frequencies and Regulate Broadcasting, Television, and Telecommunications Services B.E. 2553 (2010). Initially, the Central Administrative Court declined to accept the lawsuit. However, on appeal, the Supreme Administrative Court determined that the claim fell within its jurisdiction, noting that OTT television services—defined under section 4 of the governing act—are subject to the same regulatory framework as traditional television services, regardless of the transmission method (frequency, cable, internet, or other system). Implications for OTT Services The key implications for OTT services concern the following issues: Regulatory oversight: The court recognized that OTT television services are explicitly covered under Thailand’s broadcast regulatory regime. Regulatory agencies may be compelled to establish clear operational rules and oversight mechanisms for OTT providers. Consumer protections: The plaintiff’s claim that excessive or unavoidable in-program advertising constitutes consumer exploitation was acknowledged as a matter of public interest. This may prompt stricter advertising standards for OTT platforms. Licensing requirements: The case raises the prospect that OTT operators may be required to obtain licenses from the
Read More

Contact

We have seven offices in six countries
across Southeast Asia.

Contact Us

Careers

We are always seeking great people to grow
our amazing team.

Join Us

Networks

© 2024 Tilleke & Gibbins International Ltd. All rights reserved.

© 2020 Tilleke & Gibbins International Ltd. All rights reserved.

Privacy Policy

| Fraudulent Communications

| Legal Notice