On July 19, 2007, Thailand’s new Computer Crimes Act (CCA) took effect. CCA Section 26 made data retention mandatory for all “Service Providers,” who would be required to keep records of their users’ e-mail, chat, and internet usage and personal identification for a minimum of 90 days. The details of this mandatory data retention were left to the discretion of the Ministry of Information & Communication Technology (ICT). A “Service Provider” is defined as either (a) a person who provides internet access or computer communications to other persons, or (b) a person who provides data storage services to another person. At first blush, the definition of “service provider” appears intended to apply to operators who offer internet or email services to third parties. However, the ICT is taking a very broad interpretation of the Notification’s language: interpreting the phrase “other persons” to include services rendered by an operator to its own staff\representatives. This article examines the implications of this interpretation, under which Thailand will have one of the most expansive mandatory data retention requirements in the entire world.