On June 18, 2026, Thailand’s Office of the Personal Data Protection Committee (PDPC) published two notifications in the Government Gazette establishing Thailand’s first formal certification framework for personal data protection standards under the Personal Data Protection Act B.E. 2562 (2019) (PDPA). The notifications, which took immediate effect, introduce a voluntary certification framework aimed at promoting accountability, strengthening organizational data protection governance, and aligning Thailand more closely with international frameworks that recognize certification as a key compliance tool. Certification Criteria The first notification sets out the assessment criteria for organizations seeking certification. Applicants must undergo an evaluation against a framework comprising four assessment categories, 10 focus areas, and 128 assessment criteria covering key elements of a privacy management program. These include: Organizational oversight and internal policies and procedures. Human resource development, including staff training and awareness programs. Clearly defined operational processes and procedures covering data subject rights, transparency obligations, records of processing activities, and lawful basis management, as well as contractual safeguards such as data-processing and data-sharing agreements and risk assessments, including Data Protection Impact Assessments. Technical measures encompassing data security controls and breach response capabilities Based on the assessment results, organizations may be awarded either a PDPA Compliance Certificate or a higher-level PDPA Certificate accompanied by a certification mark. Application and Assessment Process The second notification establishes the application and assessment process for obtaining certification. Eligible applicants include government agencies and private-sector entities that demonstrate sufficient privacy governance maturity and meet the prescribed eligibility requirements. Applicants must submit their applications along with supporting documentation for review. Upon receiving an application, the Office of the PDPC will conduct a detailed evaluation, which may include both documentary review and on-site inspections. Incomplete applications may be rejected, though applicants are typically given a limited period to correct deficiencies before a final decision

On May 26, 2026, Thailand’s Department of Land Transport (DLT) published for public consultation a draft amendment to the Ministerial Regulation on Electronic Ride-Hailing Vehicles that would, for the first time, allow juristic persons (legal entities) to register vehicles as electronic ride-hailing cars—a right that currently belongs exclusively to natural persons, limited to one person per one vehicle. If finalized in its current form, the regulation would significantly expand the supply side of Thailand’s ride-hailing market by enabling corporate fleet operators to enter the space. The public comment period is open through June 24, 2026. Key Principles Under the Draft Regulation Under the proposed amendment, juristic persons that maintain a fleet of at least 50 vehicles will be permitted to register vehicles as electronic ride-hailing cars. This represents a fundamental shift from the current framework, which restricts registration to individual natural persons on a one-person-one-car basis. Vehicle Specifications Corporate-owned ride-hailing vehicles must meet the following requirements: Be brand new from the factory, or no more than two years old from first registration with no more than 20,000 km of use. Not be a vehicle that has been reconstructed or repaired after involvement in a serious accident affecting safety—a standard consistent with public transport vehicles (RorYor. 6). Be classified as small, medium, or large in accordance with ministerial or director-general specifications. The vehicles may be equipped with safety devices such as interior or exterior cameras (video/photo recording) and can retain the original factory color of the vehicle body (no mandatory color change is required). License Plates Corporate ride-hailing vehicles will use license plates of the same size, characteristics, and color as those for private passenger vehicles not exceeding seven seats (RorYor. 1), rather than public transport plates. Potential Impact The government has stated that the regulation is intended to: Promote

On May 14, 2026, Thailand published a ministerial regulation in the Government Gazette to prescribe measures for prevention and suppression of technology crimes. The regulation creates a comprehensive procedural framework for returning money and digital assets to victims of technology crimes. It will take effect 90 days after publication (in mid-August 2026), giving affected entities a limited window to prepare. Mandatory Reporting Obligations for Financial Institutions When a deposit account, e-money account, or digital asset wallet is frozen in connection with a technology crime, the relevant financial institution or business operator must report transaction data to the Anti-Money Laundering Office (AMLO) via AMLO’s designated electronic system. Required data elements include account numbers (sender and receiver), names, identification or passport numbers, legal entity registration numbers, phone numbers, remaining balance, damage amount, transaction reference numbers, and the bank case ID. Institutions that already share data through the information-sharing system under the emergency decree are deemed to have satisfied this reporting obligation, creating an incentive for platform participation. When the Royal Thai Police or the Department of Special Investigation seize or freeze assets related to technology crimes, they must provide AMLO with investigation reports, complaint evidence, money-trail data, and account statements. Notification and Claims Process Once the AMLO secretary-general approves verified reports of a technology crime, the account information of persons connected to the crime will be published in the Government Gazette, triggering a 90-day window for victims to file claims and for related persons to file objections. Officers will also publish details on AMLO’s electronic media and send registered mail to identified victims, which will be deemed received after 7 days domestically or 15 days internationally. Victims have 90 days from the date the crime is published in the Government Gazette to file claims through AMLO’s electronic system. Claims must include

Thailand’s Electronic Transactions Development Agency (ETDA) has released a revised draft Electronic Transactions Act (ETA) for public hearing from May 12, 2026, to June 15, 2026. This is not merely an amendment to certain provisions of the current ETA, but a comprehensive redrafting of the entire act. The revised draft ETA introduces several significant changes from the current framework, with practical implications for businesses operating in Thailand. Unified Coverage of Public and Private Sectors The current law segregates government transactions into a separate chapter with distinct rules. The draft ETA eliminates this division, defining “transaction” to encompass civil and commercial juristic acts as well as administrative procedures, administrative contracts, and other acts of government agencies. Enhanced E-Signature Definition The definition of “electronic signature” is broadened to expressly include biometric data and refocused on identifying the signatory and demonstrating intent regarding the content of the electronic data. Shift in Burden of Proof When a party challenges the reliability of electronic data created using a “trusted electronic method” or a method prescribed by the ETDA, the burden of proof and the cost of proving unreliability shifts to the challenger. Introduction of New Digital Method Concepts The draft ETA introduces several new digital method concepts that are not currently recognized under the existing ETA framework. These include: Electronic timestamping (e-timestamp) Electronic registered delivery Electronic company seals Electronic stamp duty compliance Electronic identity authentication and verification Electronic transferable records (electronic bills of lading, promissory notes, and similar negotiable instruments) Recognition of Automated Systems and Electronic Contracting The draft ETA expressly recognizes the legal validity and enforceability of contracts formed through automated systems, including contracts concluded entirely between automated systems or between an automated system and a person. A party may not deny the binding effect of such contracts solely because no human review