{"id":109036,"date":"2025-08-06T14:13:37","date_gmt":"2025-08-06T14:13:37","guid":{"rendered":"https:\/\/my.legal500.com\/guides\/?post_type=comparative_guide&#038;p=109036"},"modified":"2025-08-19T11:27:48","modified_gmt":"2025-08-19T11:27:48","slug":"thailand-tmt","status":"publish","type":"comparative_guide","link":"https:\/\/my.legal500.com\/guides\/chapter\/thailand-tmt\/","title":{"rendered":"Thailand: TMT"},"content":{"rendered":"","protected":false},"template":"","class_list":["post-109036","comparative_guide","type-comparative_guide","status-publish","hentry","guides-tmt","jurisdictions-thailand"],"acf":[],"appp":{"post_list":{"below_title":"<div class=\"guide-author-details\"><span class=\"guide-author\">Chandler Mori Hamada Limited<\/span><span class=\"guide-author-logo\"><img src=\"https:\/\/my.legal500.com\/guides\/wp-content\/uploads\/sites\/1\/2025\/01\/admin-ajax.jpg\"\/><\/span><\/div>"},"post_detail":{"above_title":"<div class=\"guide-author-details\"><span class=\"guide-author\">Chandler Mori Hamada Limited<\/span><span class=\"guide-author-logo\"><img src=\"https:\/\/my.legal500.com\/guides\/wp-content\/uploads\/sites\/1\/2025\/01\/admin-ajax.jpg\"\/><\/span><\/div>","below_title":"<span class=\"guide-intro\">This country specific Q&amp;A provides an overview of TMT laws and regulations applicable in Thailand<\/span><div class=\"guide-content\"><div class=\"filter\">\r\n\r\n\t\t\t\t<input type=\"text\" placeholder=\"Search questions and answers...\" class=\"filter-container__search-field\">\r\n\t\t\t<\/div>\r\n\r\n\t\t\t\r\n\r\n\r\n\t\t\t<ol class=\"custom-counter\">\r\n\r\n\t\t\t\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Software \u2013 How are proprietary rights in software and associated materials protected?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>Proprietary rights in software are protected through intellectual property laws, particularly the Copyright Act B.E. 2537 (1994) (as amended) (the \u201cCopyright Act\u201d). The Copyright Act provides automatic protection for the expression of original works of authorship, including computer software. Under the Copyright Act, software\u2014referred to as a \u201ccomputer program\u201d \u2014is defined as a set of instructions or anything used in conjunction with a computer to enable its operation or to generate an output, irrespective of the programming language used. Software is classified as, and protected under, the same category as literary works. Consequently, the Copyright Act primarily ensures the protection of the software\u2019s source code. To establish evidence of ownership, software owners have the option (but not the obligation) to notify the Department of Intellectual Property (the \u201cDIP\u201d) of their copyright.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Software \u2013 In the event that software is developed by a software developer, consultant or other party for a customer, who will own the resulting proprietary rights in the newly created software in the absence of any agreed contractual position?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>When determining the ownership of a copyright work, the Copyright Act does not differentiate between a software developer and a consultant. Instead, ownership depends on the nature of the arrangement, i.e., whether it constitutes (1) an employment relationship or (2) a hire of work arrangement. If software is developed by a developer during their employment with a company, the ownership of the software will vest in the developer, unless otherwise agreed in writing. However, the employer retains the right to communicate the work to the public in accordance with the purpose of the employment. On the other hand, if the software is developed by a developer on commission (hire of work), the copyright vests in the hirer, unless otherwise agreed. Therefore, it is crucial for the parties involved to establish a clear agreement that addresses copyright right ownership to avoid any uncertainty.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Software \u2013 Are there any specific laws that govern the harm \/ liability caused by Software \/ computer systems?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>There are no specific laws that exclusively address harm or liability arising from software or computer systems.<\/p>\n<p>Generally, the relevant laws may include, but are not limited to:<\/p>\n<ol style=\"padding-left: 0\">\n<li>the Unsafe Goods Liability Act B.E. 2551 (2008) (Product Liability Act) and the Consumer Case Procedure Act B.E. 2551 (2008) \u2013 these laws provide a framework for addressing harm and liability caused by products, including software and computer systems. To establish liability, an injured party (consumer) generally must demonstrate that they suffered harm or damage while using the defective product in its intended manner. Similar to consumer protection regimes in many countries, these laws allow injured parties to pursue legal recourse by shifting the burden of proof regarding fault or negligence to the business operator; and<\/li>\n<li>the Civil and Commercial Code \u2013 This may also apply more broadly, particularly in cases involving tort and breach of contract, to address liability arising from software or computer systems, i.e., covering matters outside the scope of consumer cases.<\/li>\n<\/ol>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Software \u2013 To the extent not covered by (3) above, are there any specific laws that govern the use (or misuse) of software \/ computer systems?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>The specific law governing offenses related to the misuse of software and computer systems in Thailand is the Computer-related Crime Act B.E. 2550 (2007) (as amended) (the \u201cComputer Crime Act\u201d). This Act specifically penalizes activities such as unauthorized access to computer data (hacking), phishing, and the use of software as a tool to cause harm or damage to another person or their property.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Software Transactions (Licence and SaaS) \u2013 Other than as identified elsewhere in this overview, are there any technology-specific laws that govern the provision of software between a software vendor and customer, including any laws that govern the use of cloud technology?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>There are no technology-specific laws that govern the provision of software between a software vendor and a customer in Thailand. The Civil and Commercial Code generally governs the contractual relationships of the transactions.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Software Transactions (License and SaaS) \u2013 Is it typical for a software vendor to cap its maximum financial liability to a customer in a software transaction? If \u2018yes\u2019, what would be considered a market standard level of cap?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>Yes, it is typical for a software vendor to cap its financial liability. As the majority of software is provided by foreign software houses, the cap typically reflects the standard terms adopted by such software houses.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Software Transactions (License and SaaS) \u2013 Please comment on whether any of the following areas of liability would typically be excluded from any financial cap on the software vendor\u2019s liability to the customer or subject to a separate enhanced cap in a negotiated software transaction (i.e. unlimited liability): (a) confidentiality breaches; (b) data protection breaches; (c) data security breaches (including loss of data); (d) IPR infringement claims; (e) breaches of applicable law; (f) regulatory fines; (g) wilful or deliberate breaches.<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>As a majority of software is provided by foreign software houses, the cap typically reflects the standard terms adopted by such software houses. The areas of liability listed above are typically subject to negotiation to determine whether liability will be capped at all and, if so, how it will be capped.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Software Transactions (License and SaaS) \u2013 Is it normal practice for software source codes to be held in escrow for the benefit of the software licensee? If so, who are the typical escrow providers used? Is an equivalent service offered for cloud-based software?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>No, it is not normal practice in Thailand.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Software Transactions (License and SaaS) \u2013 Are there any export controls that apply to software transactions?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>Yes, the dual-use export control regime under the Control of Items in Relation to the Proliferation of Weapons of Mass Destruction Act B.E.\u00a02562\u00a0(2019) also applies to software and technology.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">IT Outsourcing \u2013 Other than as identified elsewhere in this questionnaire, are there any specific technology laws that govern IT outsourcing transactions?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>Except for certain specific industries (e.g., financial institutions, digital asset business providers) which are subject to IT outsourcing requirements, there are no specific laws governing IT outsourcing transactions in Thailand.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">IT Outsourcing \u2013 Please summarise the principal laws (present or impending), if any, that protect individual staff in the event that the service they perform is transferred to a third party IT outsource provider, including a brief explanation of the general purpose of those laws.<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>There are no specific laws governing IT outsourcing transactions in Thailand.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Telecommunications \u2013 Please summarise the principal laws (present or impending), if any, that govern telecommunications networks and\/or services, including a brief explanation of the general purpose of those laws.<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>The principal laws governing telecommunications networks and services include the Organisation to Assign Radio frequency and to Regulate the Broadcasting and Telecommunications Services Act B.E. 2553 (2010) (as amended) (the \u201cNBTC Act\u201d) and the Telecommunications Business Act B.E. 2544 (2001) (as amended) (the \u201cTelecom Business Act\u201d). The NBTC Act provides a comprehensive definition of \u201cTelecommunications Service\u201d, while the Telecom Business Act sets out the licensing requirements for telecommunications business operators.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Telecommunications \u2013 Please summarise any licensing or authorisation requirements applicable to the provision or receipt of telecommunications services in your country. Please include a brief overview of the relevant licensing or authorisation regime in your response.<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>Under the NBTC Act and Telecom Business Act, telecom licenses are classified into three types as follows:<\/p>\n<ol style=\"padding-left: 0\">\n<li>Type 1 License: granted to telecommunications business operators who operate telecommunications services without their own network, for services deemed appropriate to be fully liberalized, such as data center, cloud computing, internet, etc;<\/li>\n<li>Type 2 License: granted to telecommunications business operators who operate telecommunications services with or without their own network, for services provided to a limited group of people, or services that do not have a significant impact on free and fair competition or on public interest; and<\/li>\n<li>Type 3 License: granted to telecommunications business operators who operates telecommunications services with their own network, for services provided to the general public, or services that may cause a significant impact on free and fair competition or on public interest, or services that require special consumer protection, such as mobile network services.<\/li>\n<\/ol>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Telecommunications \u2013 Please summarise the principal laws (present or impending) that govern access to communications data by law enforcement agencies, government bodies, and related organisations. In your response, please outline the scope of these laws, including the types of data that can typically be requested, how these laws are applied in practice (e.g., whether requests are confidential, subject to challenge, etc.), and any legal or procedural safeguards that apply.<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>The Computer-Related Crime Act B.E. 2560 (2017) (as amended) (the \u201c<strong>CCA<\/strong>\u201d) provides the legal framework for addressing offenses committed in the digital realm and establishes rules and guidelines for the investigation, prosecution, and punishment of cybercrimes. The CCA also require service providers to retain certain data related to computer-related crimes for a specified period, facilitating the investigation and prosecution of cybercriminals.<\/p>\n<p>Under the CCA, the Ministry of Digital Economy and Society (the \u201c<strong>MDES<\/strong>\u201d) may request access to, or conduct investigates involving computer systems, computer traffic data, and user data in connection with criminal investigations. Furthermore, the MDES can order the production of any data or devices and seize computer systems where necessary. Depending on the nature of the enforcement, the competent officer must notify the competent court within 48 hours of exercising such authority.<\/p>\n<p>Other relevant safeguards include restricting the duplication of computer data to circumstances where there are reasonable grounds to believe that an offence has been committed and ensuring that such actions do not unduly interfere with the operations of the owner or possessor of the computer data. In the case of seizure or attachment, in addition to providing the owner or possessor of the computer system with a copy of the document evidencing the seizure or attachment as proof, the competent officer may not order the seizure or attachment for more than thirty days unless specifically approved by the court.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Mobile communications and connected technologies \u2013 What are the principle standard setting organisations (SSOs) governing the development of technical standards in relation to mobile communications and newer connected technologies such as digital health or connected and autonomous vehicles?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>There is currently no specific standard setting organisation governing the use and development of mobile communications and connected technologies in Thailand. However, these technologies are subject to oversight by various governmental authorities, each with distinct areas of responsibility. For example, the National Broadcasting and Telecommunications Commission (\u201c<strong>NBTC<\/strong>\u201d) oversees telecommunications as outlined in our response to item no.13 above. The processing of personal data through connected devices, particularly in contexts such as health monitoring, falls under the jurisdiction of the Office of the Personal Data Protection Committee (\u201c<strong>PDPC<\/strong>\u201d). Furthermore, if mobile communications and connected technologies are related to applications, websites, or other digital platforms, compliance with the Royal Decree on Operation of Digital Platform Services Which Require Notification B.E. 2565 (2022) (\u201c<strong>Royal Decree on Digital Platform<\/strong>\u201d), regulated by the Electronic Transactions Development Agency (\u201c<strong>ETDA<\/strong>\u201d), may be necessary.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Mobile communications and connected technologies \u2013 How do technical standards facilitating interoperability between connected devices impact the development of connected technologies?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>Currently, there are no specific technical standards that govern mobile communications and connected devices in Thailand, so regulations regarding the interoperability of such technologies have yet to be established. However, devices that fall within the regulatory scope of the NBTC must adhere to the standards set by the NBTC for respective devices.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Data Protection \u2013 Please summarise the principal laws (present or impending), if any, that govern data protection, including a brief explanation of the general purpose of those laws.<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>The PDPA is Thailand\u2019s principal data protection legislation, modelled closely on the EU General Data Protection Regulation (GDPR). It is designed to safeguard personal data by regulating its collection, use, disclosure, storage, and processing. The PDPA establishes a broad framework of responsibilities for entities and individuals handling personal data, including obligations to provide privacy notices, obtain valid consent, and implement appropriate security measures to ensure data integrity and confidentiality. Failure to comply with the PDPA may result in civil, criminal, and administrative penalties.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Data Protection \u2013 What is the maximum sanction that can be imposed by a regulator in the event of a breach of any applicable data protection laws?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>The PDPA imposes a maximum administrative fine of THB 5 million for a violation of its provisions. In terms of criminal penalties, offenders may face imprisonment of up to one year and\/or a fine of up to THB 1 million, depending on the nature of the offence. \u00a0However, civil penalties, including both actual damages and punitive damages, are not subject to a fixed statutory cap as they vary depending on the specific circumstances of each case.<\/p>\n<p>Apart from the PDPA, a newly enacted Emergency Decree on Measures for the Prevention and Suppression of Technology Crimes (No.\u202f2) B.E.\u202f2568, effective on April\u202f13,\u202f2025, imposes far harsher penalties specifically for the unlawful buying or selling of personal data. Under this decree, individuals found guilty may face imprisonment for up to five years and\/or fined up to THB\u202f500,000.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Data Protection \u2013 Do technology contracts in your country typically refer to external data protection regimes, e.g. EU GDPR or CCPA, even where the contract has no clear international element?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>No, typically, technology contracts do not directly incorporate external data protection regimes, but such regimes are sometimes referred to in data processing agreements or data sharing agreements.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Cybersecurity \u2013 Please summarise the principal laws (present or impending), if any, that govern cybersecurity (to the extent they differ from those governing data protection), including a brief explanation of the general purpose of those laws.<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>The Cybersecurity Act B.E. 2562 (2019) (\u201cCybersecurity Act\u201d) is the principal legislation specifically governing cybersecurity in Thailand. Its overarching objective is to safeguard Thailand\u2019s cyberspace by establishing a comprehensive legal framework for the prevention, management, and mitigation of cybersecurity threats. The Act is particularly focused on entities responsible for information and communication infrastructure that is critical to national security and the public interest (CII). These include organisations involved in, or providing, national security, essential public services, banking and finance, information technology and telecommunications, transportation and logistics, energy and public utilities, and public health services.<\/p>\n<p>Entities designated as Critical Information Infrastructure organisations are subject to a range of obligations under the Cybersecurity Act, including:<\/p>\n<ul style=\"padding-left: 0\">\n<li>The requirement to implement a code of practice covering all topics prescribed by the National Cybersecurity Committee (NCSC).<\/li>\n<li>The obligation to establish and maintain cybersecurity measures in accordance with standards set by the NCSC.<\/li>\n<li>The duty to notify the Office of the NCSC and other relevant regulators upon detection of any actual or potential cyber threats.<\/li>\n<\/ul>\n<p>In addition, the NCSC has recently introduced cybersecurity standards for cloud systems. These standards are primarily aimed at organisations subject to the Cybersecurity Act, including cloud service providers providing services to such organisations. The objective is to minimise cyber risks associated with the use of cloud services by these entities.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Cybersecurity \u2013 What is the maximum sanction that can be imposed by a regulator in the event of a breach of any applicable cybersecurity laws?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>The Cybersecurity Act imposes a maximum fine of THB 200,000 for administrative penalties, whereas the Act provides for a maximum penalty of three years\u2019 imprisonment for criminal penalties.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Artificial Intelligence \u2013 Which body(ies), if any, is\/are responsible for the regulation of artificial intelligence?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>Currently, there is no existing law or specific body that specifically governs the use of artificial intelligence (\u201c<strong>AI<\/strong>\u201d). However, a public hearing on the draft Royal Decree on Artificial Intelligence System Service Business (the \u201c<strong>Royal Decree on AI<\/strong>\u201d), proposed by the Office of National Digital Economy and Society Commission, was conducted in late 2022.<\/p>\n<p>Additionally, a new draft principles on Artificial Intelligence (the \u201c<strong>Draft Principles on AI<\/strong>\u201d) by the MDES recently underwent a public hearing process.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Artificial Intelligence \u2013 Please summarise the principal laws (present or impending), if any, that govern the deployment and use of artificial intelligence, including a brief explanation of the general purpose of those laws.<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>The draft Royal Decree on AI aims to regulate service businesses utilizing AI, adopting a risk-based approach and focusing on two distinctive categories: prohibited AI and high-risk AI, similar to the EU\u2019s model. Prohibited AI refers to the use of AI that aims to influence or alter human behaviour, resulting in potential bodily or mental harm, or unfair discrimination that is disproportionate. Examples include AI employing subliminal techniques, social scoring, and real-time remote biometric identification systems used in public spaces. On the other hand, high-risk AI includes the use of AI that may result in unfair treatment or impact the rights or freedoms of others, such as the use of CV-scanning tools or test scoring systems. The use of prohibited AI is generally prohibited unless, for example, the AI systems are used under the supervision of specific regulators, while the use of high-risk AI must be registered with the competent authority.<\/p>\n<p>Meanwhile, the Draft Principles on AI focus on establishing a legal framework for the development and application of AI, considering risks that may arise from uses that does not align with AI governance. It empowers authorities to collaborate in identifying prohibited or high-risk AI applications. Additionally, it imposes obligations on AI service providers, such as appointing a legal representative in Thailand and reporting serious incidents. The draft also affirms key legal principles, such as non-discrimination, and promotes measures such as exceptions for the use of copyrighted data and the adoption of AI testing sandboxes. It also provides for the establishment of the AI Governance Clinic to support the practical implementation of the law.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Artificial Intelligence \u2013 Are there any specific legal provisions (present or impending) in respect of the deployment and use of Large Language Models and\/or generative AI (including agentic AI)?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>No, there are currently no specific legal provisions in that respect. However, it is noteworthy that the Royal Decree on AI contains provisions relating to AI chatbots and deepfakes, requiring service providers and\/or content creators to inform users of chatbot programs or viewers of deepfake content that they are interacting with AI or viewing artificially created content, as the case may be.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Artificial Intelligence \u2013 Do technology contracts in your jurisdiction typically contain either mandatory (e.g. mandated by statute) or recommended provisions dealing with AI risk? If so, what issues or risks need to be addressed or considered in such provisions?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>In Thailand, technology contracts do not typically include provisions regarding AI risks, as the use and development of AI are not yet widespread in the country. However, Thailand\u2019s future approach to AI is expected to align with international standards, such as the EU AI Act. Therefore, it is advisable that any provisions regarding AI risks in technology contracts should be designed to align with relevant global standards to ensure compliance and maintain relevance, as the adoption of AI in Thailand increases.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Artificial Intelligence \u2013 Do software or technology contracts in your jurisdiction typically contain provisions regarding the application or treatment of copyright or other intellectual property rights, or the ownership of outputs in the context of the use of AI systems?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>Similar to the above response, as AI development in Thailand is still in its nascent stage, comprehensive legislation specifically addressing various aspects of AI has not yet been established. At this stage, in the absence of Thai laws on AI, it would be beneficial to include provisions in any agreements related to AI systems, including those regarding intellectual property rights, that are in line with relevant international practices.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Blockchain \u2013 What are the principal laws (present or impending), if any, that govern (i) blockchain specifically (if any) and (ii) digital assets, including a brief explanation of the general purpose of those laws?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>There are currently no laws governing blockchain technology in general.<\/p>\n<p>As for digital assets, the Emergency Decree on Digital Asset Businesses B.E. 2561 (2018) is the primary law regulating both the offerings of digital tokens, commonly known as \u201cinitial coin offerings\u201d (\u201c<strong>ICOs<\/strong>\u201d), and the undertaking of digital-asset-related businesses and activities. The purpose of this law is to enhance the standards for the digital asset market and safeguard stakeholders, particularly investors in the market. For example, token issuers must file a prospectus and obtain approval from the SEC prior to conducting an ICO. Additionally, certain digital asset business operators are required to obtain licenses before commencing their operations. These operators include: (i) digital asset exchanges, (ii) digital asset brokers, (iii) digital asset dealers, (iv) digital asset advisory service providers, (v) digital asset fund managers, (vi) initial coin offering portals, and (vii) digital asset custodial wallet providers.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Search Engines and Marketplaces \u2013 Please summarise the principal laws (present or impending), if any, that govern search engines and marketplaces, including a brief explanation of the general purpose of those laws.<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>The principal laws related to search engines and marketplaces include the Electronic Transactions Act B.E. 2544 (2001) (the \u201c<strong>Electronic Transactions Act<\/strong>\u201d), the Direct Sale and Direct Marketing Act B.E. 2545 (2002) (the \u201c<strong>Direct Sale Act<\/strong>\u201d), the Royal Decree on Digital Platforms, and the Consumer Protection Act B.E. 2522 (1979).<\/p>\n<p>The Electronic Transactions Act establishes the legal framework for electronic transactions and provides guidelines for the use of electronic data messages. While it may not specifically govern search engines and marketplaces, it forms the legal foundation for the enforceability and admissibility of electronic evidence in Thai legal proceedings.<\/p>\n<p>The Direct Sale Act regulates \u201cdirect marketing activities\u201d, particularly those conducted through online channels, where customers can complete a purchase order on a platform without any input from the platform operator, e.g., via carting systems. B2C e-commerce marketplace operators that meet these criteria must obtain direct marketing registration from the Office of the Consumer Protection Board (the \u201cOCPB\u201d) under the Direct Sale Act. In addition, they are required to comply with other obligations such as preparing a return policy, submitting periodic reports, and maintaining a certain amount as a business guarantee with the OCPB.<\/p>\n<p>The Royal Decree on Digital Platforms imposes obligations on digital platform service providers, including online marketplaces and search engines. The decree aims to regulate and monitor digital platform service providers that provide services to consumers in Thailand,\u00a0<u>regardless of the provider\u2019s legal residency or domicile<\/u>. Operators of such platforms are required to comply with certain obligations such as notification to the ETDA prior to commencing their businesses, preparation of annual reports, disclosure of terms and conditions, and appointment of coordinators in Thailand.<\/p>\n<p>Additionally, the draft Digital Platform Economy Act, which completed its public hearing in February 2025, aims to regulate the digital platform economy in Thailand, ensuring fair competition, consumer protection, and balanced oversight. It introduces obligations for digital platform service providers, including transparency, complaint mechanisms, advertising disclosures, and clearly stated terms of service. It also introduces a distinct category, &#8220;very large online platforms&#8221; (VLOPs), defined based on revenue, user base, or systemic risk, and\u00a0 subject to additional duties such as annual reporting, user tracking mechanisms for commercial transactions, and prompt suspension of illegal activities. The draft Act also outlines the responsibilities of the &#8220;gatekeepers&#8221;\u2014dominant service providers in core digital services\u2014requiring open access, data sharing, and non-discriminatory practices.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Social Media \u2013 Please summarise the principal laws (present or impending), if any, that govern social media and online platforms, including a brief explanation of the general purpose of those laws?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>Social media platform operators, as digital platform service providers, are required to comply with notification requirements, among other obligations, under the Royal Decree on Digital Platforms. The CCA, which is the main legislation governing social media in Thailand, aims to address a range of computer-related offences. These include offenses committed through social media platforms, such as spreading false information or sharing altered images of individuals intended to defame or humiliate them.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Social Media \u2013 What is the maximum sanction that can be imposed by a regulator in the event of a breach of any applicable online safety laws?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>There are no dedicated online safety laws applicable to social media in Thailand. However, depending on the nature of the breach, sanctions under relevant laws may apply (e.g., the CCA, the Electronic Transactions Act, the PDPA, etc.)<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Spatial Computing \u2013 Please summarise the principal laws (present or impending), if any, that govern spatial computing, including a brief explanation of the general purpose of those laws?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>There are currently no dedicated laws specifically governing spatial computing in Thailand. However, several existing and forthcoming laws are relevant, and may apply, to certain aspects of spatial computing, primarily through their regulation of digital platforms, data, and online content, as outlined below:<\/p>\n<ul style=\"padding-left: 0\">\n<li>PDPA &#8211; Spatial computing applications frequently process personal data, including biometric, location, and behavioural data. The PDPA therefore applies to these technologies by protecting individuals\u2019 privacy rights and regulating the collection, use, and disclosure of personal data.<\/li>\n<li>Cybersecurity Act &#8211; Spatial computing platforms and services, particularly those integrated into critical sectors, may be classified as operators of critical information infrastructure and thus fall within the scope of the Cybersecurity Act. This imposes obligations relating to cybersecurity risk management and incident response.<\/li>\n<li>CCA &#8211; This Act grants the government authorities broad powers to regulate online content and activities, including those taking place within virtual environments. It is used to address issues such as online fraud, misinformation, and other computer-related offences that may arise in the context of spatial computing.<\/li>\n<li>Draft Royal Decree on AI &#8211; As spatial computing may rely on AI-driven technologies such as object recognition, motion tracking, and real-time data processing, the draft Royal Decree on AI\u2014currently undergoing public consultation\u2014may significantly impact the development, deployment, and operation of spatial computing solutions in Thailand. While the decree is not yet enacted, it is expected to introduce regulatory requirements concerning AI system transparency, accountability, risk assessment, and data governance, which spatial computing providers may need to comply with in the future.<\/li>\n<\/ul>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Quantum Computing \u2013 Please summarise the principal laws (present or impending), if any, that govern quantum computing and\/or issues around quantum cryptography, including a brief explanation of the general purpose of those laws?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>There are currently no dedicated laws specifically governing quantum computing or quantum cryptography in Thailand. However, several existing and forthcoming laws could be relevant to the regulation of quantum computing or quantum cryptography, similar to those discussed in item 31.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Datacentres \u2013 Does your jurisdiction have any specific regulations that apply to data centres?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>Thailand does not have a single, dedicated law that exclusively governs data centres. Instead, the operation, construction, and management of data centres are regulated through a combination of sector-specific laws and general regulatory frameworks, including the following:<\/p>\n<ul style=\"padding-left: 0\">\n<li>Telecommunications business &#8211; Data centres are generally classified as designated businesses under the Telecommunications Business Act B.E. 2544 (2001). Operators are required to obtain an operating licence from the Office of the National Broadcasting and Telecommunications Commission (NBTC) before commencing operations. Most data centre activities typically fall under the scope of a Type 1 operating licence.<\/li>\n<li>BOI promotion \u2013 The Thai government actively encourages investment in data centre infrastructure through the Board of Investment (BOI). Under the Investment Promotion Act B.E. 2520 (1977), data centre operations are recognised as a promoted business activity. Operators may apply for a range of tax and non-tax incentives, such as corporate income tax exemptions, import duty exemptions, land ownership rights, and permission to employ foreign experts. To qualify for these benefits, data centre operators must satisfy specific conditions and requirements set by the BOI, including minimum facility size and investment thresholds.<\/li>\n<li>Environmental and Construction Regulations &#8211; Data centre often involve a large-scale development and must therefore comply with local building codes, environmental regulations, and utility requirements, particularly those related to energy and water usage.<\/li>\n<li>Sector-Specific Regulations &#8211; Data centres serving regulated industries (e.g., banking, insurance, healthcare) may be subject to additional requirements imposed by sectoral regulators.<\/li>\n<\/ul>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">General \u2013 What are your top 3 predictions for significant developments in technology law in the next 3 years?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>We anticipate the following significant developments.<\/p>\n<ol style=\"padding-left: 0\">\n<li>AI \u2013 Thailand is on the cusp of enacting comprehensive legislation to regulate the use and development of AI across various sectors. Multiple draft laws are already at an advanced stage, with strong indications that at least one will be enacted in the near future. The government\u2019s commitment is further underscored by the National AI Strategy and Action Plan, which sets out a structured roadmap for responsible AI adoption and governance.<\/li>\n<li>Data Centres \u2013 As data centres become an increasingly vital part of Thailand\u2019s digital infrastructure, the development and establishment of a more comprehensive and robust legal framework to govern their operation is expected.<\/li>\n<li>Digital assets \u2013 Relevant authorities are likely to collaborate to level the playing field between (i) various types of digital assets and (ii) their corresponding traditional securities equivalents. Notably, the Thai government is also taking a more active role in this sector, signaling its intention to participate directly in the digital asset market.<\/li>\n<\/ol>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">General \u2013 Do technology contracts in your country commonly include provisions to address sustainability \/ net-zero obligations or similar environmental commitments?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>No, it is not yet common for technology contracts in Thailand to include provisions related to environmental commitments or obligations. Nevertheless, the growing awareness and importance of Environmental, Social, and Governance (ESG) considerations among Thai companies suggest a potential future trend, and such provisions are expected to become more prevalent in the near future.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\r\n<div class=\"word-count-hidden\" style=\"display:none;\">Estimated word count: <span class=\"word-count\">5019<\/span><\/div>\r\n\r\n\t\t\t<\/ol>\r\n\r\n<script type=\"text\/javascript\" src=\"\/wp-content\/themes\/twentyseventeen\/src\/jquery\/components\/filter-guides.js\" async><\/script><\/div>"}},"_links":{"self":[{"href":"https:\/\/my.legal500.com\/guides\/wp-json\/wp\/v2\/comparative_guide\/109036","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/my.legal500.com\/guides\/wp-json\/wp\/v2\/comparative_guide"}],"about":[{"href":"https:\/\/my.legal500.com\/guides\/wp-json\/wp\/v2\/types\/comparative_guide"}],"wp:attachment":[{"href":"https:\/\/my.legal500.com\/guides\/wp-json\/wp\/v2\/media?parent=109036"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}