Artificial Intelligence, Machine Learning, and Big Data in Thailand: Legal and Regulatory Developments 2025

Posted by , , , on | Featured

1. Introduction to AI in Thailand

Thailand continues to develop as a regional leader in artificial intelligence (AI), machine learning (ML), and big data regulation, balancing innovation with legal protections. In 2025, the legal environment will be shaped by existing laws, such as the Personal Data Protection Act B.E. 2562 (2019) (“PDPA”), sector-specific regulations, and an upcoming draft law called the “Artificial Intelligence Act.” The Thai government also continues to implement its National AI Strategy (2022–2027), aimed at strengthening the ecosystem supporting AI growth.

2. Market Trends and Sectoral Adoption

AI adoption has grown substantially across various sectors, including healthcare, financial services, e-commerce, public services, and transportation. For example:

  • Healthcare: Thai hospitals utilize AI for early disease detection, predictive analytics, and diagnostic support. AI-assisted radiology and IBM Watson’s oncology platform are now integrated into tertiary healthcare networks.
  • Financial Services: AI/ML are used for fraud detection, credit scoring, and regulatory compliance (RegTech). The Bank of Thailand oversees the use of outsourcing and third-party AI systems for strategic functions. If such AI/ML systems are employed for strategic functions that should be managed internally, institutions may need to obtain approval or a waiver from the Bank of Thailand (BOT) under relevant outsourcing regulations. The BOT also encourages fairness, transparency, accountability, and security in AI adoption.
  • Public Sector: The Revenue Department and the Customs Department now utilize AI for predictive enforcement, tax audits, and smart border management.

The National Digital Economy and Society Commission (NDESC) and the Digital Government Development Agency (DGA) continue to promote responsible AI procurement across state agencies.

3. Regulatory Timeline

A chronological overview of key regulatory and policy developments is provided below to contextualize Thailand’s evolving legal approach to AI:

YearDevelopmentDescription
2019PDPA EnactedThailand enacts the Personal Data Protection Act B.E. 2562 (2019)
2022National AI Strategy (2022–2027)Thailand launches a national AI roadmap with development pillars
2023Public Sector AI Procurement GuidelinesGuidelines for transparent, explainable AI use in government projects
2024PDPA Fully EnforcedFull enforcement of the PDPA and regulatory guidance on automated decision-making
2025Draft Artificial Intelligence Bill ReleasedMDES releases a draft law introducing registration and sandbox regimes

4. Ownership and Intellectual Property Protection

AI systems may be classified as incorporeal property under the Civil and Commercial Code (Section 138), but their legal recognition depends on the specific context. Current statutes offer limited protection:

  • Copyright Act B.E. 2537 (1994): Protects source code and computer programs, but not AI algorithms or model outputs generated autonomously.
  • Patent Act B.E. 2522 (1979): Excludes mathematical methods and software from patentability, although this is under review as Thailand considers harmonization with WIPO and TRIPS-plus frameworks.
  • Employment Agreements: Under Section 9 of the Copyright Act, employers must explicitly assign ownership of copyrightable works to prevent ambiguity.

5. Data Protection and AI Compliance

The PDPA (see https://fosrlaw.com/2025/gdpr-vs-pdpa/), fully enforced since mid-2022, is a cornerstone of AI governance. Key provisions include:

  • Lawful Basis (Sections 19–25): Controllers must establish a lawful basis (e.g., consent, legitimate interest, or contract) for AI-driven data processing.
  • Rights of Data Subjects (Sections 30–40): These rights include the right to access, rectification, and erasure, which challenge the use of black-box AI models.
  • Automated Decision-Making: Though not yet directly regulated, the PDPC issued soft guidance in 2024 encouraging transparency and fairness in profiling.

Cross-border data transfers for AI training purposes must comply with Sections 28 and 29 of the PDPA, requiring the implementation of appropriate safeguards or adequacy decisions.

To support organizations with ongoing obligations, we provide the following compliance checklist:

CategoryRequirementRelevant Law/Guidance
Data ProtectionObtain valid consent or other lawful basis for AI data processingPDPA Sections 19–25
Data Subject RightsEnable access, rectification, and erasure of AI-derived dataPDPA Sections 30–40
AI Risk ClassificationDetermine if the AI system is high-risk and register accordinglyDraft AI Bill (2025)
Algorithmic FairnessAudit AI models for bias and explainabilityPublic Sector AI Guidelines (2024)
EmploymentAssess AI automation impact and provide severance if requiredLabour Protection Act Section 121
CybersecurityProtect AI systems from data leaks and attacksCybersecurity Act (2019)
ContractingAvoid unenforceable waivers of AI liabilityProduct Liability Act Section 22

6. Corporate Governance and Fiduciary Risk

Directors integrating AI into enterprise operations must consider:

  • Fiduciary Duties under Section 85 of the Public Limited Companies Act B.E. 2535 (1992): Directors may be liable for oversight failures in deploying unsafe or biased AI.
  • Section 437 of the CCC: AI tools, if found hazardous (e.g., autonomous vehicles), could impose strict liability on their controllers.
  • Cybersecurity: Under the Cybersecurity Act B.E. 2562 (2019), companies deploying AI infrastructure must implement risk-based safeguards against intrusion and data leaks.

7. Regulatory Framework and Government Policy

Although Thailand does not yet have a dedicated AI law, the Ministry of Digital Economy and Society (MDES) released a Draft Artificial Intelligence Bill (2025) for public comment. Key features include:

  • AI System Registration: Mandatory for high-risk AI (e.g., biometric surveillance, autonomous systems).
  • Ethical AI Principles: Incorporating fairness, accountability, and transparency.
  • Regulatory Sandbox: To test AI applications under supervision.

In parallel, the National AI Strategy’s implementation roadmap prioritizes:

  • Development of a national AI data repository.
  • Incentives for AI startups under BOI promotional privileges.
  • Sectoral AI action plans (agriculture, health, transportation).

8. AI in the Workplace and Labour Implications

AI automation is increasingly prevalent in Thailand’s industrial and service sectors. Businesses must comply with:

  • Labour Protection Act B.E. 2541 (1998), Section 121: Severance pay is owed if an employee is terminated due to automation, including AI systems.
  • AI and Employment Guidelines (2024): Issued by the Ministry of Labour, these recommend impact assessments and employee reskilling programs before implementing AI systems.

9. Liability and Risk Allocation

  • Civil Liability: The CCC Section 437 imposes strict liability on those possessing hazardous AI systems.
  • Product Liability Act B.E. 2551 (2008): May apply to tangible AI systems like robots or autonomous drones. Algorithms alone fall outside this scope.
  • Contractual Limitation of Liability: Agreements to exclude liability for harm from AI use may be deemed void under Section 22 of the Product Liability Act.

10. Criminal Law and AI Misuse

The Thai Penal Code and Computer Crime Act B.E. 2550 (2007) may impose liability on AI users or owners where criminal conduct is facilitated. For example:

  • If an AI is used to disseminate false data (Section 14 CCA), the owner could be liable.
  • If AI compels another to commit a crime, the AI is treated as an instrumentality.

To date, no Supreme Court decision has directly addressed AI criminal liability.

11. Discrimination, Bias, and Ethical Use

Bias in AI outcomes remains unregulated, though:

  • PDPA indirectly applies where profiling results in discrimination.
  • Public Sector AI Procurement Guidelines (2024) encourage algorithmic audits and explainability.
  • The National Human Rights Commission of Thailand called in 2023 for AI systems used in education and finance to undergo fairness assessments.

12. National Security and Surveillance

The use of AI for surveillance remains controversial. Legal safeguards include:

  • Cybersecurity Act: Allows the National Cybersecurity Committee to oversee critical infrastructure.
  • 2023 Pegasus Software Scandal: Led to calls for reform after revelations of government usage against civil society actors.

13. Conclusion

Thailand’s AI legal landscape continues to be industry-focused, but 2025 represents a turning point with the proposed Artificial Intelligence Bill and the enforcement of the robust PDPA. Corporate stakeholders need to prepare for a compliance-driven environment. To stay competitive and compliant, companies operating in Thailand should ensure that their AI implementations adhere to data privacy laws, ethical AI standards, and emerging liability doctrines.

The comments herein are for discussion and information purposes only and are not guaranteed to be up to date. Nothing herein should be or can be relied on as legal advice,

For any questions, you may contact Formichella & Sritawat at [email protected]

© 2025 Formichella & Sritawat Attorneys at Law

Authors

  • Supitchaya Akeyati is an associate attorney at Formichella & Sritawat Attorneys at Law (FOSR Law) in Bangkok, Thailand. She specializes in corporate law, commercial law, personal data protection law, and litigation. Her current practice primarily focuses on corporate matters and personal data protection. Additionally, she assists senior lawyers and partners in providing legal advice related to technology, media, and telecommunications (TMT).

  • Onnicha Khongthon (Ging) is a Senior Associate with over seven years of experience in corporate law, the technology, media, and telecoms sector (TMT), data privacy, cyber-security, and space law, including corporate and commercial matters. Onnicha began practicing after receiving an LL.B. at Chulalongkorn University.

  • Naytiwut Jamallsawat is a partner at Formichella & Sritawat and a recognized legal advisor in Thailand’s telecommunications, media, and energy sectors. He represents leading multinational and Thai companies in complex legal and regulatory matters, with a focus on high-compliance industries, including telecommunications licensing, satellite operations, media platforms, and data privacy.

    In the energy sector, Naytiwut has advised on numerous greenfield and brownfield generation projects—both conventional and renewable—providing legal guidance on project development, transactional structuring, and compliance with Thai regulatory frameworks.

    He leads the firm’s specialized group of lawyers focused on telecommunications, media, technology (TMT), and data privacy. In this role, he ensures the delivery of practical, business-focused legal solutions across regulated and fast-evolving sectors. Naytiwut also works closely with founding partner John Formichella on TMT and energy mandates, providing integrated legal support on transactions and compliance matters involving international and domestic stakeholders.

  • John Formichella

    John Formichella heads our Telecommunication, Media, Technology, Data Privacy Practice, and is past Chair of the Information and Communications Technology Committee of the American Chamber of Commerce in Bangkok. He is rated as Leading Individual by Legal 500 and ranked as a Band 1 individual by Chambers and Partners.
Tags: , , , , , , , ,