Thailand PDPA in Its Second Phase: What Recent Developments Really Indicate

Thai Language version available here: https://fosrlaw.com/2026/pdpa-ของประเทศไทยในระยะที่/

Many organizations continue to approach Thailand’s Personal Data Protection Act B.E. 2562 (2019) (PDPA) as a first-generation compliance exercise. The emphasis remains on privacy notices, consent wording, template clauses, and remediation projects undertaken during the law’s initial implementation period.

That framing is becoming increasingly incomplete.

This shift is reflected in the Personal Data Protection Committee’s first major wave of administrative enforcement announced on 1 August 2025, involving eight administrative fines across five cases; the formal Regulation on the Examination and Certification of Binding Corporate Rules B.E. 2568 (2025), published in the Government Gazette and effective on 17 February 2026; and recent AI-related regulatory developments, including ETDA’s public hearing on the draft principles of the law on artificial intelligence and the PDPC’s second public hearing on the draft Guidelines on Personal Data Protection in the Development and Use of Artificial Intelligence, which was open for comments during 13-19 March 2026.

Thailand’s PDPA is entering a second phase characterized by enforcement, operational governance, maturity in cross-border data transfers, and application to emerging technologies such as AI. Organizations are now expected not only to maintain compliance documentation, but to demonstrate how personal data protection obligations function in practice.

The more relevant question in 2026 is no longer whether an organization has baseline PDPA documentation in place, but whether it can operate a credible privacy governance framework in practice.

The direction of travel is marked by more procedural expectations, more sophisticated cross-border data transfers under the PDPA, increased attention to age-sensitive processing, and the application of existing PDPA principles to emerging technologies such as artificial intelligence. This trajectory is consistent with the maturation of privacy regimes in other jurisdictions: formal compliance precedes operational accountability.

For general counsel, data protection officers, and regional compliance teams, the implication is straightforward. Programs designed around static documentation may now be solving yesterday’s problem.


Executive Summary

Recent developments in Thailand PDPA compliance indicate five structural shifts:

  1. Data subject rights are becoming operational processes rather than theoretical obligations.
  2. Cross-border data transfers under the PDPA are evolving toward enterprise-level governance.
  3. Children’s data and age verification are attracting increased regulatory scrutiny.
  4. AI-related activity is likely to be governed through both broader AI governance initiatives and existing PDPA principles, particularly where AI involves the processing of personal data.
  5. Regulators increasingly expect demonstrable internal accountability rather than formal compliance alone.

I. From Paper Compliance to Operational Governance

The first phase of PDPA implementation in Thailand was necessarily documentation-driven. Organizations focused on visible deliverables: privacy notices, consent mechanisms, records templates, processor agreements, and internal policies. Those measures remain foundational to Thailand PDPA compliance.

However, as data protection law in Thailand matures, the focus shifts from the existence of documentation to the ability to operate it.

The increasing attention on access requests illustrates this transition. Data subject rights are straightforward in principle but complex in execution. Effective responses require coordination across legal, HR, IT, cybersecurity, and business units. Issues of identity verification, scoping, redaction, timing, and consistency quickly become operational rather than legal in nature.

For many organizations, this is where privacy programs are tested. A business may maintain compliant policies while lacking the ability to locate, reconcile, and deliver data across multiple systems under real conditions.

In practice, this often exposes structural issues rather than legal ones. Relevant data may sit across HR platforms, email archives, shared drives, and legacy systems, without a clear owner responsible for retrieval. Response timelines are therefore driven less by legal standards than by operational capability.


II. From Cross-Border Transfers to Enterprise Governance

Cross-border data transfers under the PDPA remain one of the most commercially significant aspects of Thailand PDPA compliance. For multinational groups, personal data frequently moves across jurisdictions through regional HR systems, cloud platforms, customer databases, and shared service arrangements.

Historically, many organizations approached transfer compliance as a contractual exercise, focusing on whether agreements contained appropriate clauses. That approach is increasingly insufficient.

Developments such as Binding Corporate Rules (BCRs) reflect a more advanced stage of governance. BCRs are not merely contractual instruments; they embody enterprise-wide accountability, including internal policies, audit mechanisms, training, complaint handling, and consistent enforcement across group entities for intra-group cross-border transfers, subject to PDPC certification/approval requirements.

This shift is significant for Thailand. As part of regional and global operations, Thai personal data is rarely isolated. Where Thailand is not fully integrated into broader governance structures, local compliance may rely on fragmented or duplicative solutions.

For many multinational groups, Thailand data is already embedded in regional systems—HR platforms hosted in Singapore, CRM environments in the United States, or support functions operating from India or the Philippines. Where cross-border data transfers under the PDPA are addressed only at the contractual level, these flows may not be fully mapped or consistently managed in practice.

The direction is clear. Cross-border data transfers under the PDPA are moving from document sufficiency to governance coherence.


III. Children’s Data and the Rise of Age-Sensitive Processing

Children’s data is receiving heightened regulatory scrutiny across multiple jurisdictions, and Thailand is showing increased attention to this issue, particularly in the context of digital services and AI-related risks. The issue combines legal capacity, consent requirements, fairness considerations, and reputational sensitivity under Thailand’s data protection law.

Under Thai law, the analysis is not reducible to a single age threshold. It intersects with civil law concepts of legal capacity and parental authority, requiring a more nuanced approach.

At an operational level, many organizations underestimate their exposure. A service may not be designed for minors but may nonetheless attract younger users through mobile applications, gaming environments, retail platforms, or digital content.

Age verification introduces additional complexity. Overly intrusive methods may lead to unnecessary collection of sensitive personal data, while minimal controls may fail to address foreseeable risks. The appropriate balance is inherently context-specific.

Exposure is often indirect. Services not designed for minors—such as retail platforms, gaming environments, or mobile applications—may nonetheless attract younger users. Age controls are therefore frequently tested not at the point of policy drafting, but at the point of real-world usage.

Organizations should therefore consider whether minors may realistically engage with their services and whether existing controls are proportionate to that possibility.


IV. AI Regulation Through Existing PDPA Principles

While many jurisdictions are developing dedicated AI legislation, Thailand is addressing AI-related activity through two parallel but distinct tracks: broader AI governance initiatives and personal data protection guidance for AI involving personal data.

On the broader AI governance side, the Ministry of Digital Economy and Society, through the Electronic Transactions Development Agency (ETDA), has opened a public hearing on the draft principles of the law on artificial intelligence. This initiative focuses on AI governance more generally, including high-risk AI, responsible AI use, rights protection, accountability, and the possible use of both soft law and hard law mechanisms.

Separately, from a personal data protection perspective, the PDPC conducted a second public hearing on the draft Guidelines on Personal Data Protection in the Development and Use of Artificial Intelligence, which was open for comments during 13-19 March 2026. These draft guidelines relate specifically to AI development and use involving the processing of personal data. They have not yet been finalized or formally issued and are not legally binding at this stage.

Where AI systems process personal data, established obligations under Thailand PDPA compliance remain relevant: lawful basis, transparency, purpose limitation, data minimisation, accuracy, retention, and security. Profiling and automated decision-making introduce additional considerations around fairness and accountability.

This has immediate implications across a range of activities, including:

  • customer service automation
  • fraud detection
  • HR screening tools
  • recommendation engines
  • marketing segmentation
  • internal productivity tools

In many organizations, AI use is already occurring without formal classification. Internal tools, customer service automation, and third-party platforms may process personal data as part of routine operations. The legal issue is therefore not future adoption, but current visibility and control.

The regulatory approach is likely to be incremental rather than legislative in the near term. Rather than waiting for a comprehensive AI statute, regulators may apply existing personal data protection principles to emerging technologies where AI systems involve personal data, while broader AI governance may continue to develop through separate ETDA/MDE-led initiatives.

Organizations that defer AI governance until new legislation is enacted may therefore be exposed under existing law.


V. Accountability as the Real Compliance Metric

The common thread across these developments is accountability.

In early stages, compliance is often assessed through documentation. Over time, the focus shifts toward whether the organization can demonstrate responsible governance in practice.

This includes:

  • clear ownership of privacy decisions
  • functioning escalation processes
  • effective handling of rights requests
  • disciplined cross-border data transfer management
  • oversight of vendors and processors
  • governance of technology use
  • documented decision-making

Gaps typically arise not from misunderstandings of legal principles, but from misalignment between policy and practice. Documents may no longer reflect actual data flows, vendor relationships may evolve without corresponding updates, and responsibility for compliance may be diffused across multiple functions.

The distinction is therefore practical. First-phase Thailand PDPA compliance asks whether policies exist. Second-phase governance asks whether they function.


What This Means for General Counsel and DPOs

For senior legal and compliance leaders, the immediate task is not wholesale restructuring, but recalibration.

Key pressure points often include:

  • whether data subject rights can be executed across fragmented systems and business units
  • whether Thailand is fully integrated into regional cross-border data transfer governance frameworks
  • whether services may realistically involve minors, even where not intended
  • whether AI tools are already processing personal data without formal oversight
  • whether existing policies reflect current data flows and operational reality

These are not theoretical compliance questions. They tend to emerge under pressure—during requests, incidents, audits, or internal investigations.

Organizations that address these issues proactively are better positioned to manage both regulatory and commercial risk.


Conclusion

Thailand’s PDPA is no longer best understood as a newly implemented statute requiring foundational compliance measures. It is increasingly operating as a governance framework with growing expectations around execution, accountability, and technology oversight.

Recent developments concerning access rights, cross-border data transfers, age-sensitive processing, and AI should be read collectively. They indicate a shift from formal compliance toward operational maturity.

For experienced professionals, that is the more significant signal.

Organizations that continue to treat Thailand PDPA compliance as a document exercise may be solving yesterday’s problem.


About the Authors

John Formichella is a founding partner of Formichella & Sritawat and advises on technology, media, telecommunications, and cross-border regulatory matters in Thailand.

Naytiwut Jamallsawat is a partner at Formichella & Sritawat and leads the firm’s corporate and regulatory practice, with substantial experience in data protection, licensing, and digital regulation.

Supitchaya Akeyati is an associate at Formichella & Sritawat whose practice focuses on data privacy, digital services, and regulatory compliance.


Disclaimer

The comments herein are provided for discussion and informational purposes only and may not reflect the most current legal developments. Nothing contained in this publication should be relied upon as legal advice.

© 2026 Formichella & Sritawat Attorneys at Law