Thailand’s Electronic Transactions Development Agency (ETDA) held an explanatory session on the draft principles and regulatory approaches of the country’s planned artificial intelligence (AI) law on May 2, 2025. This came after a lull of two years following the initial release of draft legislation on AI. In the session, the ETDA explained that the earlier drafts were modeled after the EU’s legal framework for AI, but given the evolving Thai legal and technological landscape, it is now necessary to revisit and refine the drafts to ensure they remain relevant and effective in the local context. To aid in this process, the ETDA will accept public comments on the draft principles of the AI law until June 9, 2025. Based on gap analysis and a comparative study of how different countries have addressed AI issues, the ETDA’s draft AI law principles are structured into five key areas. These are described below. 1. Risk-Based Requirements The draft principles outline a set of approaches that the legislation will take toward mitigating risk: Delegation of powers to enforcement agency or sectoral regulators The primary legislation will not directly specify a list of prohibited risks or high-risk types of AI. Instead, it will empower an enforcement agency or relevant sectoral regulators to determine and issue such lists. This approach allows regulators in each specific industry to assess the necessity of risk classifications within their respective sectors, based on the principle that sectoral regulators are best positioned to understand the specific risks in their domains. These regulators are expected to issue subordinate legislation in alignment with the overall framework. Meanwhile, the central enforcement agency will coordinate oversight across sectors and cover areas not under the jurisdiction of any specific regulator. Duties of high-risk AI providers Providers of AI deemed by the enforcement agency or sectoral

Following the amendment to the Emergency Decree on Measures for the Prevention and Suppression of Technological Crimes in mid-April 2025, new measures were introduced by the Electronic Transactions Development Agency (ETDA) in a hearing session held on May 13, 2025, to establish shared liability between online social media platform operators and other in-scope operators for damages arising from technological crimes. Stakeholders are being invited to submit their comments on the proposed new provisions directly to the ETDA by May 20, 2025. The concept of the new measures for social media platform operators is that to be released from liability for damages arising from technological crimes, social media platform operators must demonstrate compliance with the relevant technological crime prevention standards and measures prescribed by their respective regulators (“safe harbor rules”). Safe Harbor Rules Under the principles of the proposed safe harbor rules, social media platform operators and the relevant service providers would be required to comply with the following obligations: Immediate takedown and suspension of dissemination: Disable access, remove the content from the system, or suspend the relevant service within 24 hours of receiving an official notification from the Cyber Crime Investigation Bureau’s Anti-Online Scam Operation Center (AOC) that a service or social media platform is disseminating content that is or may be used to commit or support technological crimes. Establishment of notification channels: Establish a system or channel to receive notifications from the AOC. User registration and identity verification: Require user registration (including identity verification and authentication) before allowing content to be posted, with sufficient information to identify the user. Suspending dissemination of suspect advertisements: Disable access to advertisements reasonably suspected of involving or potentially involving the commission of technology-related crimes. Reporting: Report on actions taken, including details like account owner information, IP address, email, or phone number used for account

Attorneys from Tilleke & Gibbins have updated the latest edition of Doing Business in Thailand, a Q&A-style guide from Thomson Reuters Practical Law that offers an overview of key legal considerations for companies operating in jurisdictions worldwide. The contribution outlines the country’s legal and regulatory framework for foreign investment and business operations and reflects the latest legislative developments. The chapter addresses the following core topics: Legal system: Structure of the courts and the codified nature of Thai law. Foreign investment: Business restrictions under the Foreign Business Act, sector-specific regulations, exchange control rules, and investment incentives. Business vehicles: Overview of partnerships, private and public limited companies, and other legal entities. Employment: Labor protections, employment contracts, foreign worker requirements, and termination procedures. Tax: Corporate and personal income tax, indirect taxes, and tax obligations for residents and non-residents. Intellectual property: Registration and enforcement of patents, trademarks, designs, and copyrights. Data protection: Key provisions of the Personal Data Protection Act and related compliance obligations. Competition law: Regulatory framework under the Trade Competition Act. Anti-bribery and corruption: Relevant legislation and enforcement mechanisms. E-commerce and digital business: Legal regime for online transactions and digital platforms. Marketing and advertising: Consumer protection laws and regulations affecting advertising and marketing practices. Product regulation and liability: Safety standards, liability regimes, and roles of enforcement authorities. Practical Law, a legal reference resource from Thomson Reuters, publishes a range of guides for hundreds of jurisdictions and practice areas. The insurance and reinsurance guide is a valuable resource for legal practitioners, covering numerous jurisdictions worldwide. To view the latest version of the guide, please visit the Practical Law website and enroll in the free Practical Law trial to gain full access.

On April 11, 2025, Thailand’s Office of Insurance Commission (OIC) released draft principles for two notifications for public comment, open until the end of April. These aim to amend the OIC Notifications on Guidelines for Customer Personal Data Protection for life and non-life insurance businesses, which were issued in 2021. Key Principles Both life and non-life insurance companies will be required to obtain consent for the following processing activities: Processing of general personal data: When requesting the OIC to disclose information related to a customer’s insurance policy for the purpose of underwriting or claims consideration. Processing of sensitive personal data: When requesting the OIC to disclose information related to a customer’s insurance policy for the purpose of underwriting or claims consideration; and When requesting the OIC to disclose information about a customer’s insurance fraud behavior for fraud monitoring, fraud risk management, and assessing and preventing insurance fraud risk for underwriting or claims payment. The consent for the above processing activities must be in accordance with the consent requirements prescribed by the OIC, and the disclosure of personal data must also comply strictly with the conditions set by the OIC. Life insurance companies may obtain consent for other purposes as long as they comply with Thailand’s Personal Data Protection Act B.E. 2562 (2019), and companies will be liable in the event of a personal data breach. Additional Principles for Non-Life Insurance Businesses Non-life insurance companies will be required to provide a privacy notice and a summary of the privacy notice for each type of insurance policy in accordance with the form prescribed by the OIC. The privacy notice and its summary must be provided prior to or at the time of offering insurance policies, or together with the consent form for data processing through any channels used for offering insurance.