Much of the discussion around artificial intelligence ("AI") regulation in Thailand focuses on future legislation. Less attention is paid to the obligations that already exist. For businesses deploying AI systems, Thailand's Personal Data Protection Act B.E. 2562 (2019) ("PDPA") is already engaged and, in practice, any system involving personal data falls within its scope.
The Office of the Personal Data Protection Committee ("PDPC") has been developing its Guidelines on Personal Data Protection in the Development and Use of Artificial Intelligence (the "Draft AI Guidelines"). The Draft AI Guidelines reflect how the PDPA applies to AI systems. Following public consultations in February and March 2026, the revised second draft translates statutory requirements into concrete, technology-specific guidance for both AI development and deployment.
What Constitutes Personal Data in AI
Personal data extends well beyond names and addresses. The Draft AI Guidelines confirm that user prompts, vector embeddings, and interaction logs are all within scope — even in technically transformed forms. If any of these can identify an individual when combined with a decryption key or supplementary data, they remain personal data in the eyes of the PDPC.
Roles in the AI Value Chain
The Draft AI Guidelines draw a clear line on legal roles. An organisation deploying an AI system for its own business purposes will generally be a Data Controller: it decides what data goes in, how it is processed, and how outputs are used. Critically, where a service provider uses a customer's data to train or improve its own models, it may become an independent Data Controller, regardless of how the contract characterises the relationship.
Lawful Basis and Purpose Limitation
Consent is a last resort, not a safe harbour. Consent under the PDPA must be freely given, specific, informed, and unambiguous. The Draft AI Guidelines caution that sole reliance on consent creates operational risk: withdrawal can require suspension of processing or removal of data from training datasets, potentially compromising the model itself. Legitimate interest — relevant for fraud detection, risk management, and service improvement — requires a documented three-part assessment: a purpose test, a necessity test, and a balancing test against data subjects' rights. The purpose limitation rule is strict: data collected for one purpose cannot be repurposed for model training without a fresh lawful basis. Where the original basis was consent, fresh consent is required.
Automated Decision Making
Where AI makes decisions with legal or similarly significant effects, such as credit approvals, recruitment, or insurance risk assessment, organisations must explain those decisions and offer a genuine right to human review. The reviewing individual must have both the authority and the information required to override the AI's outcome.
Practical Steps
The compliance steps are concrete. Organisations should map their AI systems against PDPA obligations, update Privacy Notices to reflect AI-specific processing, and conduct Data Protection Impact Assessments for high-risk deployments. Data Processing Agreements with AI vendors must explicitly prohibit unauthorised use of personal data for model training and must address the deletion of residual data held in model weights or vector databases upon termination.
The Draft AI Guidelines include compliance checklists for AI developers and deployers — reflecting the PDPC's current baseline expectations. Organisations that align now will be best positioned not only for the final guidelines, but for the AI regulatory regime that will follow.
This article first appeared in https://thelegalindustry.com/thailand/
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.