ป้ายกำกับ: artificial-intelligence

Navigating Thailand’s AI Law: Development at a Crossroads

เขมภัทร ทฤษฎิคุณ

First Published in Tech for Good Institute (techforgoodinstitute.org) on March 19, 2025.

The rapid development of Artificial Intelligence (AI) has become a focal point for governments globally, including Thailand. However, a key challenge for Thailand lies in maximising the benefits of AI, particularly in developing a skilled AI workforce and fostering the adoption of AI among SMEs and startups across various industries.

Thailand’s Ambiguous AI Policy

Thailand has historically exhibited ambiguity in its approach to AI governance, mirroring broader trends in its digital policy landscape. However, the European Union (EU)’s proactive stance on AI regulation has significantly influenced Thailand’s policy direction, leading to the incorporation of similar principles into national AI policies.

In April 2022, the Thai government introduced a draft Royal Decree on the Operation of AI-Based Service Businesses, known as the Regulated AI Law. This legislation aimed to establish regulatory measures for AI-driven businesses to enhance credibility while mitigating public risks. High-risk AI applications—such as those used in critical infrastructure and facial recognition surveillance—would require mandatory registration with the government and compliance with legally defined safety standards, including risk management measures to assess human impact. The law also classified some AI applications as prohibited technologies and outlined penalties for non-compliance.

However, in July 2022, the Thai Cabinet approved the National AI Action Plan (2022–2030), signaling a shift in regulatory direction. Recognising AI’s crucial role in advancing Thailand’s data-driven economy, the plan introduced a structured approach to AI development, with five strategic priorities:

  1. Reforming laws and regulations to ensure responsible AI usage while preventing misuse.
  2. Strengthening AI infrastructure to support long-term technological growth.
  3. Enhancing workforce skills and competencies to meet industry demands.
  4. Promoting AI adoption in key sectors such as healthcare, energy, education, and tourism, with the goal of reducing reliance on foreign technology.
  5. Fostering public-private collaboration through AI Sandboxes and data-sharing frameworks to enhance industrial competitiveness.

To support these objectives, Thailand began drafting the Act on the Promotion and Support of Artificial Intelligence Innovation (or the Supported AI Law). This legislation aims to create an enabling ecosystem by reducing regulatory barriers and fostering public-private partnerships in AI research and application. It proposes the establishment of an AI Innovation Promotion Committee, responsible for setting policies, defining standards, and supporting AI entrepreneurs through registration, advisory services, and AI Sandbox programs that facilitate safe AI experimentation and development. Additionally, the law promotes data-sharing mechanisms between the government and private sector under principles of security and fairness.

From a regulatory perspective, the draft law mandates AI transparency, bias prevention, and user safety while setting contractual standards to clarify AI service provider liabilities. It also introduces an AI Compensation Fund to cover damages in cases where no accountable entity can be identified and implements data confidentiality measures for AI providers submitting information to government agencies.

Unlike the EU’s stricter AI regulations, Thailand’s approach under the Supported AI Law reflects a more balanced model that encourages AI innovation while maintaining fundamental safeguards against potential risks. This dual focus ensures that Thailand remains competitive in AI development without compromising essential regulatory protections.

The Crossroads of Thailand’s AI Law in Policy Development

Thailand recognises the need for AI-specific laws to help meet its development goals. However, there’s a key question about which direction the country should take: should it focus more on regulation or innovation?

So far, the Thai government hasn’t made a final decision. However, in a 2022 meeting, officials from the National AI Committee passed a resolution stating that the country should focus on encouraging AI innovation and creating a clear AI ecosystem, while ensuring regulations are flexible and don’t hold back progress. This suggests Thailand is leaning toward the Supported AI Law, which focuses on promoting AI rather than imposing strict rules.

The Thai government is introducing two draft laws: the Regulated AI Law, which proposes stricter regulatory controls, and the Supported AI Law, which prioritises facilitating AI innovation. This distinction presents a crucial policy choice for Thailand.

This leaves a challenge: strict regulations could limit innovation and make it harder for local businesses to compete, while other countries may advance AI more quickly by not prioritising ethics and transparency. The most critical issue is the clarity of Thailand’s AI policy direction and how the country envisions its AI development model. In the author’s view, Thailand must carefully consider which development approach best suits its context. The Thai government needs to find a balance between encouraging innovation and ensuring AI is used responsibly.

The main issue is whether Thailand should follow the EU’s strict AI regulations, focusing on ethics, transparency, and preventing bias. While these are important, a very strict framework might hurt local AI development and make Thailand rely more on foreign AI technologies that meet stringent compliance requirements. This could lead to fewer opportunities for local businesses to innovate. This challenge is becoming increasingly evident as digital regulations continue to expand and overlap, raising concerns about their long-term impact on AI innovation within the country.

Another option is a more promotion-driven approach, particularly through voluntary governance mechanisms such as AI Sandboxes, where businesses can experiment with AI under flexible rules, while still following existing laws on data privacy and other areas. Such regulatory sandboxes could prevent overly strict regulations from stifling innovation. However, this strategy also presents challenges. Thailand must ensure that its regulatory framework evolves in parallel with emerging AI risks. Key concerns include maintaining transparency, preventing bias, and safeguarding personal data privacy from unauthorised collection and misuse. A balanced regulatory approach is essential to foster innovation while mitigating potential risks associated with AI deployment.

The Future of AI Law Development in Thailand

Thailand’s AI policy is currently at a crossroads, trying to balance strict regulation with a more flexible, innovation-driven approach. If Thailand aligns with the EU’s AI Act, it would focus on key principles such as transparency, preventing bias, and ethical AI development. However, overly strict rules could stifle local innovation and make Thailand more dependent on foreign AI technologies. On the other hand, a model focused on innovation, such as using AI Sandboxes and sector-specific rules, could encourage growth and adapt to new risks. But, even with this, safeguards are necessary to ensure transparency, accountability, and data privacy. Ultimately, Thailand must strike a balance between AI governance and technological advancement to build a sustainable and competitive AI ecosystem.

Thailand’s AI development stands at a pivotal moment. Following the AI Action Summit, the debate on AI’s future direction has become a critical issue—not just for global AI leaders but for Thailand as well. Our choices go beyond industrial growth; they must align with strategic market entry and the geopolitical forces shaping the global AI landscape.

Ultimately, Thailand may need a third approach — a legal framework that balances innovation promotion with government oversight. This model would allow AI innovation to thrive while ensuring responsible governance, possibly guided by ethical AI development principles. While these principles wouldn’t have the same legal power as formal laws, they could help shape best practices. At the same time, the law could limit high-risk AI applications that could harm human safety and life, while offering guidelines for handling such risks and addressing sector-specific issues.

This approach could serve as a viable alternative for Thailand, ensuring a well-structured AI ecosystem that fosters technological advancement while maintaining accountability and transparency in monitoring AI’s societal impact. However, this issue requires further review and deliberation to refine Thailand’s AI governance strategy.

Examining the benefits and challenges of Thailand’s latest Data Protection Law

เขมภัทร ทฤษฎิคุณ

First Published in Tech for Good Institute on Wednesday, August 16, 2023. This article is co-authored by Gunn Jiravuttipong and Khemmapat Trasadikoon, researchers from the Thailand Development Research Institute (TDRI).

Thailand recognises the importance of embracing the digital economy and has taken significant steps to facilitate its growth through national plans, strategic investments, and new digital laws. The Data Protection Act is one area that received significant attention and generated discussion.

This article aims to provide an overview of the country’s developments in data protection, including the current regulations and guidelines, the potential benefits of having a strong data protection regime, and the challenges as Thailand continues to strengthen its data protection practices. The insights shared in this reflection will be valuable not only for Thailand’s progress but also for other nations navigating a similar path.

Overview of the law the Personal Data Protection Act, B.E. 2562 (2019)

The Personal Data Protection Act, B.E. 2562 (2019), also known as the PDPA, was announced on 24 May 2019 but came into full effect on 1 June, 2022. The Personal Data Protection Committee (PDPC) is the primary regulator and has been actively working on developing sub-regulations and guidelines to support the implementation of the PDPA. Several of these sub-regulations and guidelines have already been officially published (see Table).

Table: Sub-regulations and guidelines announced by the Personal Data Protection Commission (PDPC) (as of 14 July 2023)
Sub-regulationsDate
1. Notification of the PDPC on the Exemption from Maintenance of Records Obligation of the Data Controller Which Is a Small Organisation B.E. 2565 (2022)21 June 2022
2. Notification of the PDPC on the Security Measures of the Data Controller B.E. 2565 (2022)21 June 2022
3. Notification of the PDPC on the Rules on Consideration for Issuance of Orders Imposing Administrative Fines by the Expert Committee B.E. 2565 (2022)21 June 2022
4. Notification of the PDPC on the Rules and Methods of Personal Data Breach Notification B.E. 2565 (2022)15 Dec 2022
5. Notification of the PDPC on the Rules and Methods for Preparation and Maintenance of Records of Personal Data Processing Activities for the Data Processor B.E. 2565 (2022)17 Dec 2022
6. Rules of the PDPC on the Filing, Refusal of Acceptance, Dismissal, Consideration, and Timeframe for the Consideration of the Complaints B.E. 2565 (2022)12 July 2022
GuidelinesDate
7. Operational Guideline on Obtaining Consent from Data Subjects under the PDPA (2019)7 Sep 2022
8. Operational Guideline on the Notification of the Purposes and Details of Collection of Personal Data from the Data Subjects under the PDPA7 Sep 2022
Source: PDPC website

Draft sub-regulations are being developed to provide further clarity on Data Protection Officers (DPOs) in government agencies and international data transfers. Additionally, sector-specific regulations pertaining to data protection exist in areas such as telecommunications, credit bureaus, payments, and insurance. As of now, there have been no publicly announced court cases regarding the Data Protection Act.

Advantages of a robust data protection framework

The Data Protection Act has been acknowledged by stakeholders as a catalyst for boosting Thailand’s digital economy. Effective implementation of the act is crucial to protecting privacy rights in today’s data-driven economy. It also builds investor confidence, positioning Thailand as an appealing destination for data hubs and enhancing its competitiveness in the global market. Therefore, establishing a robust data protection framework is a vital preparatory step to capitalise on these opportunities.

An example of this potential is Amazon Web Services (AWS) recently announcing plans to invest in data centers and cloud services in Thailand and other ASEAN countries. Furthermore, compliance with international data protection standards facilitates seamless data flows, fostering collaborations and strengthening Thailand’s participation in trade negotiations such as Comprehensive and Progressive Agreement for Trans-Pacific Partnership (CPTPP)Regional Comprehensive Economic Partnership (RCEP), and the latest Indo-Pacific Economic Framework for Prosperity (IPEF).

Navigating data protection challenges in a dynamic landscape

In early 2023, a significant personal data leak prompted the PDPC to call upon public organisations to assess their readiness in terms of risk and security systems. These incidents, coupled with a series of data breaches, may have adversely affected stakeholders’ confidence in Thailand’s data protection measures.

These security breaches are not unique to Thailand. According to a 2021 Check Point report, the Asia Pacific region experienced a 168% increase in cyberattacks year-on-year, with 59% of businesses reported being victims of cyberattacks. Furthermore, this issue is further compounded by the global cybersecurity workforce gap, which is estimated to be 2.72 million in 2021.

Thus, there is an urgent need for Thailand to establish a robust data protection framework while ensuring data risks are mitigated. Achieving this goal requires an effective data protection framework built on collaboration and continuous learning among all stakeholders to strike the right balance and understand the diverse perspectives of different stakeholders. Regulators, in particular, play a pivotal role in creating a clear policy and regulatory framework, overseeing and collaborating with the public and companies.

We reflect on Thailand’s experiences and highlight three primary challenges in the foreseeable future.

1. Creating industry-aligned regulations and guidelines that are fit-for-purpose

Industry standards and the co-creation of guidelines play a vital role in PDPA compliance. Even before the law entered into force, legal academics from Chulalongkorn University created a data protection guideline and continued to develop into specific areas. Additionally, sector associations, such as those in the financial, banking, and insurance, have made efforts to develop sector-specific guidelines.To further promote compliance and best practices, the PDPC has engaged the Thailand Development Research Institute (TDRI) to conduct public hearings and consult with seven sectors.

This collaboration aims to create case studies and identify best practices in data protection. The demonstrated interest from stakeholders indicates their readiness and the opportunity for the PDPC to establish legally binding codes of conduct, similar to leading jurisdictions. Such engagements can enhance clarity in regulatory compliance.In the era of rapidly emerging technologies and evolving business models, collaboration with all stakeholders becomes crucial. Regulators must navigate the technical aspects and strike a balance between business practices, individual rights, and other public benefits.

Future collaboration may encompass topics like algorithm transparency and the automation of systems that collect consumer behavior data.

2. Establishing a robust regulatory authority

To enhance enforcement and foster confidence in safeguarding personal data, it is crucial to prioritise adequate funding and the recruitment of qualified personnel. Thailand faced challenges during the initial enforcement of the Personal Data Protection Act (PDPA) in 2019, resulting in two one-year postponements.

The law eventually came into full effect on 1 June 2022, amidst the complexities and demands imposed by the COVID-19 pandemic on both public and private organisations, as well as the regulatory body. These postponements had implications for the appointment of the commissioner and the approval of sub-regulations. Adequate funding and recruitment of qualified personnel are crucial for strengthening enforcement efforts and building trust in personal data protection. While staff and budget constraints are common challenges in data protection agencies in other countries, the PDPC currently operates with a workforce below its target of 210 personnel.

However, there are plans to recruit approximately 49 more staff this year. Ongoing efforts are being made to secure a budget allocation of 99 billion baht to support the operations of the PDPC. These resources are vital for the PDPC to effectively fulfil its responsibilities and enforce the provisions of the PDPA.

3. Establishing a clear framework for regulatory exemption and divergence

Thailand’s PDPA was drafted closely aligned with the EU’s General Data Protection Regulation (GDPR), sharing many core principles with minor differences. Recognising the diverse landscape of businesses in Thailand, certain exemptions have been put in place to support small and medium-sized enterprises (SMEs) in mitigating the compliance burden.

However, Thailand faces a challenge of fragmentation in interpreting the data protection law, particularly in the context of existing sector-specific regulations such as in the financial on sensitive data collected before PDPA was enforced. There is a need for clarity on which law takes precedence and applies in specific scenarios.

Furthermore, the current draft sub-regulations being considered include provisions for exemptions to the Personal Data Protection Act (PDPA) specifically for select public agencies. Additionally, the precise frameworks for these exemptions and how they will be implemented remain ambiguous. This lack of clarity may result in a divergence in Thailand’s standard of personal data protection. Consequently, this divergence could potentially jeopardise the country’s inclusion in the European Union’s whitelist and impede data transfer across borders with countries that maintain equivalent data protection standards. To prevent such implications, it is crucial for the government to approach the issue of exemptions with utmost caution.

Any exemptions granted must undergo thorough evaluation and alignment with the overarching objective of establishing a robust data protection framework in Thailand.

Conclusion

Overall, enforcing the PDPA in Thailand requires addressing challenges related to state capacity, exemption and divergence, and industry standards. By prioritising adequate resources, aligning with international standards, and actively collaborating with the private sector, Thailand can strengthen its data protection framework and enhance compliance, fostering trust and facilitating the secure and responsible use of personal data.