Thailand

Overview

Thailand’s privacy landscape is defined by three contradictions. The PDPA (effective June 2022) provides GDPR-influenced data protection — while the Computer Crime Act grants broad content blocking and surveillance powers. The constitution guarantees privacy — while Section 112 (lèse-majesté) has charged 284+ individuals since 2020, with one man sentenced to 50 years for 27 Facebook posts. The PDPC began imposing fines in 2024 — while the National Intelligence Act 2019 authorises data collection without judicial approval.^[1]

The May 2014 military coup created the surveillance infrastructure that persists: internet censorship working group, traffic “sniffing” device for lèse-majesté tracking, mandatory SIM registration, and a proposed Single Gateway to funnel all traffic through one state-controlled access point (scrapped after backlash, but underlying capabilities remain). Thailand is a founding SSPAC member, and Cobra Gold (largest US Indo-Pacific exercise) includes dedicated SIGINT training.^[2][3]

Privacy Framework

The PDPC (Personal Data Protection Committee) enforces the PDPA with fines up to THB 5 million. First administrative fine: THB 7M (August 2024); five additional cases in 2025 totalling THB 21.5M+. Government agencies fined alongside private companies. A five-year PDPA review was triggered in 2025. Cross-border transfer rules in force since March 2024; BCR certification rules issued September 2025.^[4]

Key surveillance-enabling legislation: Computer Crime Act (2007/2017) enables ISP data retention (90 days, extendable to 2 years), content blocking, and surveillance powers. Section 112 Criminal Code: lèse-majesté with 3–15 years per count — functioning as an institutionalised digital speech surveillance trigger (168+ cases from public reports). National Intelligence Act 2019: NIA can access data “by any means, including electronic, scientific, or telecommunication devices” without judicial approval. Internal Security Act 2008: Prime Minister can declare internal security areas, curfews, and censorship orders.^[1][5]

Surveillance and Intelligence

Intelligence Agencies

NIA (National Intelligence Agency): Primary civilian intelligence, nine bureaus (domestic, technical/SIGINT, foreign), reporting to PM. Seven agencies total including ISOC (military-affiliated), AFSC, AMIC, NID, RTAF Intelligence, and Special Branch Bureau. Overlapping mandates are a structural weakness.^[6]

Post-Coup Surveillance (2014–Present)

The NCPO created an internet censorship working group (MICT, NBTC, army POMC). The working group targeted LINE messaging: “We’ll send you a friend request. If you accept, we’ll see if anyone disseminates information which violates NCPO orders.” A traffic “sniffing” device was acquired (September 2015) to track lèse-majesté content. The Single Gateway proposal would have reduced nine international gateways to one state-controlled access point; scrapped October 2015 after backlash, but capabilities retained. Mandatory SIM registration (since June 2014) requires national ID, with NBTC rules tightened August 2024.^[2][7]

Pegasus Spyware

Citizen Lab confirmed 35+ pro-democracy activists targeted with Pegasus (July 2022). Many had been prosecuted under Section 112. Thailand’s NHRC confirmed the abuse (April 2024). On November 21, 2024, a Civil Court dismissed the lawsuit against NSO Group; Amnesty International called it “alarming.” Government has never confirmed or denied procurement.^[8][9]

Oversight

No independent intelligence oversight body. NIA reports to PM; ISOC to Army Commander-in-Chief. Parliamentary committees lack operational access. NIA data access requires no judicial authorisation. Computer Crime Act content blocking rests with executive appointees. Accountability depends on the political alignment of the executive itself.^[5]

Internet Infrastructure and Cable Surveillance

BKNIX (Bangkok Neutral Internet eXchange, est. 2015, first neutral Thai IXP) and TH-IX (government-affiliated, handles majority of domestic peering). Three cable landing stations at Sri Racha (Chonburi), Petchaburi, and Songkhla serving cables to Hong Kong, Singapore, Japan, and the wider Southeast Asian network. TDSCN provides internal coastal connectivity.^[10]

The Computer Crime Act’s 90-day retention requirement provides a legal basis for accessing data at exchange points. The post-coup “sniffing” device specifically monitors traffic for lèse-majesté content. The abortive Single Gateway would have concentrated all cross-border traffic through a single surveillance chokepoint; the underlying legal authority to order ISPs and telecom operators to facilitate interception remains under the Telecommunications Act, Computer Crime Act, and National Intelligence Act.^[7]

Data Retention

The Computer Crime Act requires ISPs to retain traffic data for 90 days, extendable to 2 years by ministerial appointee. The PDPA requires retention only for the necessary period, but the CCA obligation and NIA’s warrantless data access create parallel retention pressures outside the PDPA’s purpose limitation principle.^[11]

International Data Sharing Agreements

SSPAC Founding Member

Thailand participates alongside Five Eyes, South Korea, and Singapore via NIA (Bureaus 4–6 supporting SIGINT exchange) on the CRUSHED ICE secure network for counterterrorism intelligence.^[3]

Mutual Legal Assistance

US-Thailand MLAT: Signed March 19, 1986 at Bangkok, in force June 10, 1993 — one of the earliest US bilateral MLATs. ASEAN MLAT: Thailand is party to the multilateral Treaty on Mutual Legal Assistance in Criminal Matters among ASEAN member states (Brunei, Cambodia, Indonesia, Laos, Malaysia, Myanmar, Philippines, Singapore, Thailand, Vietnam), signed 2004–2006, in force 2013. Under Thailand’s Act on Mutual Assistance in Criminal Matters B.E. 2535 (1992), assistance may be granted even without a treaty on a reciprocity basis.^[12]

US-Thailand Defense Alliance

Founded on the 1954 Manila Pact and 1962 Thanat-Rusk Communiqué. Defence agreements include GSOMIA (1983), CISMOA (communications interoperability), and ACSA (2014). 2012 Joint Vision designates Thailand a “21st Century Security Partnership.” Cobra Gold (largest US Indo-Pacific exercise, since 1982): 8,000+ troops from 30 nations, including dedicated SIGINT training.^[13][14]

Other Frameworks

APEC member but has not joined CBPR. Interpol (Royal Thai Police as NCB). Egmont Group (AMLO financial intelligence).^[15]

The Privacy Backdoor Effect

Despite PDPA protections, international and domestic surveillance channels create parallel access:

• SSPAC: Founding member, intelligence sharing on CRUSHED ICE
• NIA: Warrantless data access from any person or entity
• Computer Crime Act: 90-day mandatory retention, content blocking, traffic sniffing
• US-Thailand alliance: Deep defence cooperation with Cobra Gold SIGINT training
• Section 112: Lèse-majesté enforcement drives active monitoring of online speech

Recent Developments

50-Year Lèse-Majesté Sentence (January 2025): Mongkol Thirakot sentenced to 50 years for 27 Facebook posts — longest Section 112 sentence on record. UN experts called for “immediate repeal.” 284+ charged in 317 cases since 2020; 168+ from public reports; 11 more imprisoned without bail in September 2025.^[16]

Pegasus Lawsuit Dismissed (November 2024): Civil Court dismissed activist Jatupat’s lawsuit against NSO Group despite NHRC confirming Pegasus abuse against 35 individuals. Amnesty called it “alarming.”^[9]

PDPC Enforcement Escalation (2024–2025): THB 21.5M+ across 8 orders, with government agencies fined alongside private companies. Five-year PDPA review triggered.^[4]

NBTC SIM Rules Tightened (August 2024): Enhanced identity verification requirements for SIM card registration, targeting cybercrime prevention.^[7]

Sources