Last review date: January 2025
☒ Moderately active
As an overview, the main data privacy regulators are more active than the other regulators listed in the Thailand chapter of the Handbook. The PDPC is the most active regulator, issuing sub-regulations and interpretative opinions on compliance with the PDPA and its sub-regulations. It has also issued administrative orders against business operators and cooperated with other competent authorities in arresting several individuals who violated the PDPA and other relevant legislation. Both the NCSC and CRC have regularly issued sub-regulations to clarify details, issued warnings, and requested cooperation for compliance with the Cybersecurity Act B.E. 2562 (2019). The Official Information Commission has been active in organizing conferences and discussion seminars, while the CIPC has not been very active compared to other regulators in these respects.
The PDPC has drafted the national data protection promotion and safeguarding plan for Thailand for the years 2024 – 2027. Strengthening law enforcement and promoting data protection awareness are key parts of this plan. Specifically for 2025, the PDPC has revealed that its focus will be on training senior executives, issuing a data protection standard mark (i.e., a Trust Mark), developing a DPO training course, expanding service/complaint centers, and other related areas.
The cybersecurity framework for 2022-2027 aims to efficiently prevent and mitigate cyber threats through stricter enforcement of laws and elevated cybersecurity measures. The Secretary-General of the NCSA stated that the NCSA aims to be a leader in driving Thailand’s cybersecurity efforts. The NCSC’s strategic plan focuses on enhancing defense and response capabilities, raising awareness, and developing high-performing organizations rather than imposing enforcement. Additionally, they operate both reactively and proactively to assist the public in case of damage and to monitor and close vulnerabilities to prevent threats before they occur.
Regulatory investigations or direct enforcement activity by data or cyber regulators are:
☒ Increasing
From a data protection perspective, considering the PDPC’s current priority to achieve zero data leakage, it is anticipated that the PDPC will continue to actively investigate and enforce the PDPA against business operators that violate or fail to comply with the PDPA, particularly in incidents related to data breaches.
☒ Rare
Under the PDPA and the Cybersecurity Act, a class action lawsuit is possible for civil liabilities arising from a breach of the law. However, we have not yet seen an official class action court decision in the data and cyber area.
There are:
☒ administrative remedies from regulators and law enforcement
Non-compliance could be punished with administrative fines up to THB 5,000,000 (approximately USD 144,500).
☒ criminal penalties from regulators and law enforcement
Non-compliance could be punished with imprisonment for up to one year, or a fine not exceeding THB 1,000,000 (approximately USD 28,900), or both.
☒ private remedies
The data subject may, for example,
The court shall have the power to order the personal data controller or the personal data processor to pay punitive damages of up to twice the actual compensation.