Thailand
SSPAC founding member where a 50-year prison sentence for Facebook posts coexists with a data protection law that only began meaningful enforcement in 2024
Overview
Thailand’s privacy landscape is defined by three contradictions. The Personal Data Protection Act (PDPA), effective June 1, 2022, provides GDPR-influenced data protection with consent requirements and cross-border transfer restrictions — while the Computer Crime Act grants the government broad powers to surveil internet activity and block content. The constitution guarantees a right to privacy — while Section 112 of the Criminal Code (lèse-majesté) has been used to charge 284+ individuals since 2020 for online expression, with one man sentenced to 50 years for 27 Facebook posts. And the PDPA’s Personal Data Protection Committee (PDPC) began issuing administrative fines in 2024 — while the National Intelligence Act 2019 authorizes the NIA to collect data from private entities without prior judicial approval.[1]
The May 2014 military coup created the surveillance infrastructure that persists today. The National Council for Peace and Order (NCPO) established an internet censorship working group, purchased a traffic “sniffing” device to track lèse-majesté content, and proposed a Single Gateway to funnel all internet traffic through one state-controlled access point. The Single Gateway was scrapped in October 2015 after public backlash, but mandatory SIM card registration, expanded interception powers, and military-affiliated surveillance capabilities remain.[2]
Thailand is a founding member of SSPAC (SIGINT Seniors of the Pacific), the Asia-Pacific signals intelligence alliance. Intelligence sharing with the United States dates to the 1954 Southeast Asia Collective Defense Treaty, and the annual Cobra Gold exercise — the largest US military exercise in the Indo-Pacific — includes dedicated SIGINT training components.[3]
Data Protection Authority: PDPC
The Personal Data Protection Committee (PDPC), established under the PDPA, serves as Thailand’s data protection authority. The PDPC is supported by the Office of the Personal Data Protection Committee (OPDPC), which handles day-to-day regulatory operations. The Committee has the power to issue subordinate regulations, investigate complaints, and impose administrative fines.[4]
Enforcement Record
The PDPC issued its first administrative fine on August 21, 2024 — more than two years after the PDPA took full effect. Maximum penalties: THB 5 million (~$144,500) administrative, plus up to THB 1 million and one year imprisonment for criminal violations.
| Date | Entity | Fine | Details |
|---|---|---|---|
| Aug 2024 | Major online retailer | THB 7M | Maximum administrative fine; failure to protect personal data[5] |
| 2025 | Government agency | THB 153,120 | Data leak of 200,000+ citizens’ data sold on dark web; weak passwords, no risk assessment[6] |
| 2025 | Hospital | THB 1.21M | 1,000+ patient medical records leaked due to flawed document destruction process[6] |
| 2025 | Three additional cases | Various | Total of 5 cases across 8 orders, exceeding THB 21.5 million in cumulative fines[7] |
The two-year enforcement gap between full PDPA effect (June 2022) and first penalty (August 2024) reflects a cautious regulatory approach. However, five additional cases in 2025 signal a shift toward more proactive enforcement.[7]
Key Legislation
Personal Data Protection Act B.E. 2562 (2019)
The PDPA was enacted in 2019 and entered full force on June 1, 2022, after two pandemic-related postponements from the original 2020 effective date. The Act is consent-based and GDPR-influenced, covering collection, use, and disclosure of personal data by both private and public entities. Key provisions include purpose limitation, data minimization, data subject rights (access, correction, deletion, portability, objection), mandatory Data Protection Officer appointment for certain controllers, and mandatory breach notification to the PDPC within 72 hours of discovery.[4]
Cross-border transfers require the destination country to have adequate data protection standards, with exemptions for consent, contractual necessity, vital interests, and significant public interest. The PDPC published the Adequacy Notification and Non-adequate Countries Notification on December 25, 2023 (effective March 24, 2024), introducing binding corporate rules, standard contractual clauses, and certification mechanisms as alternative transfer bases. Thailand has no EU adequacy decision.[8]
Computer Crime Act B.E. 2550 (2007, amended 2017)
The Computer Crime Act (CCA) grants the government broad powers to restrict online speech, enforce surveillance, and censor content. The 2017 amendment significantly expanded the Act: it extended data collection and investigatory powers to any criminal offense involving computer systems (not just computer-specific crimes), authorized a Computer Data Screening Committee to order ISPs to block content, and criminalized importing “forged” or “false” computer data. The CCA has been widely used alongside Section 112 to prosecute lèse-majesté offenses committed online. Human Rights Watch described the amendments as “tightening internet control.”[9]
Section 112 Criminal Code (Lèse-Majesté)
Section 112 criminalizes defaming, insulting, or threatening the King, Queen, Heir-apparent, or Regent, with penalties of 3 to 15 years imprisonment per count. Since the 2020–2021 pro-democracy protests, at least 284 individuals have been charged in 317 cases. In January 2025, Mongkol Thirakot was sentenced to 50 years for 27 Facebook posts, and in the same month UN human rights experts called for Thailand to “immediately repeal” the lèse-majesté law. Section 112 functions as a digital surveillance trigger: online posts are identified through monitoring, reported by members of the public (168+ cases), and prosecuted using evidence obtained through the Computer Crime Act.[10]
National Intelligence Act B.E. 2562 (2019)
The National Intelligence Act authorizes the NIA to obtain data or documents impacting national security “by any means, including using electronic, scientific, telecommunication devices or other technologies.” The NIA can order any person or government agency to submit data within a specified period. No prior judicial approval is required. Failure to comply is reported to the Prime Minister for enforcement. The Act also established the National Intelligence Coordination Center (NICC). Critics argue the law enables unchecked political surveillance under the guise of national security.[11]
Special Case Investigation Act (Section 25)
Section 25 authorizes the interception of postal, digital, and telephonic communications when there is suspicion of a “special case offence.” Unlike the NIA Act, interception under this provision requires authorization from the Chief Judge of the Criminal Court, who must provide written justification. This is the closest Thailand has to a judicial warrant requirement for communications interception.[12]
Internal Security Act B.E. 2551 (2008)
The Act establishes the Internal Security Operations Command (ISOC) as a permanent body under the Prime Minister, with the Army Commander-in-Chief as ISOC director. ISOC can declare internal security operation zones, impose curfews, restrict gatherings, and conduct surveillance operations. ISOC powers were extensively used during and after the 2014 coup.[13]
Surveillance and Intelligence
Intelligence Agencies
Thailand’s intelligence community comprises seven agencies that mostly function independently. The National Intelligence Agency (NIA), headquartered at Paruskavan Palace in Bangkok, is the primary civilian intelligence body reporting to the Prime Minister. It operates through nine bureaus: Bureaus 1–3 (domestic intelligence), Bureaus 4–6 (technical intelligence and SIGINT), and Bureaus 7–9 (foreign intelligence). The NIA director answers directly to the Prime Minister and the National Security Council.[14]
Other agencies include: ISOC (Internal Security Operations Command, military-affiliated), the Armed Forces Security Center (AFSC), the Army Military Intelligence Command (AMIC), the Naval Intelligence Department (NID), the Directorate of Intelligence RTAF, and the Royal Thai Police Special Branch Bureau (SBB). Overlapping mandates and lack of coordination have been repeatedly identified as structural weaknesses.[14]
Post-Coup Surveillance Infrastructure (2014–Present)
After the May 22, 2014 coup, the NCPO created an internet censorship working group comprising representatives from the Ministry of Information and Communication Technology (MICT), the NBTC, and the army’s Peace and Order Maintaining Command (POMC). The working group targeted the LINE messaging app, with its head stating: “We’ll send you a friend request. If you accept the friend request, we’ll see if anyone disseminates information which violates the NCPO orders.”[2]
In September 2015, the government acquired a surveillance device to “sniff” internet traffic, reportedly purchased to track lèse-majesté content online. A cabinet resolution called for implementing a “Single Gateway” that would funnel all internet traffic through one state-controlled access point, reducing Thailand’s nine international internet gateways to one. The plan was scrapped on October 15, 2015 after widespread public opposition, but the underlying surveillance capabilities persist.[15]
Mandatory SIM Card Registration
Since June 2014, the NBTC requires all SIM cards to be registered with the buyer’s national ID card. Vendors photograph the SIM code and the buyer’s ID using a dedicated NBTC application, which transmits the data for approval before activation. In 2024, the NBTC tightened SIM rules further with new regulations published on August 29, targeting cybercrime prevention.[16]
Pegasus Spyware
In July 2022, the Citizen Lab confirmed that at least 35 pro-democracy activists involved in the 2020–2021 protests were targeted with Pegasus spyware. Many victims had been prosecuted under Section 112. Notable targets include Panusaya Sithijirawattanakul (charged with at least 10 lèse-majesté offenses, detained 85 days) and Jatupat Boonpattararaksa (detained three times, eight months in prison, repeatedly infected with Pegasus in 2021).[17]
In April 2024, Thailand’s National Human Rights Commission (NHRC) confirmed the abuse of Pegasus against 35 individuals. However, on November 21, 2024, a Civil Court dismissed Jatupat’s lawsuit against NSO Group, ruling that the evidence failed to meet legal thresholds. Amnesty International called the dismissal “alarming.” The government has never confirmed or denied Pegasus procurement.[18]
Oversight
Thailand has no independent intelligence oversight body. The NIA reports to the Prime Minister; ISOC to the Army Commander-in-Chief. Parliamentary committees lack operational access to intelligence activities. The National Intelligence Act 2019’s data access provisions have no judicial authorization requirement. The Computer Crime Act’s content blocking powers rest with executive appointees. The structural absence of independent oversight means that surveillance activities operate under executive discretion, with accountability dependent on the political alignment of the executive branch itself.[12]
Internet Infrastructure and Cable Surveillance
Internet Exchange Points
Thailand operates two primary internet exchange points. BKNIX (Bangkok Neutral Internet eXchange), launched February 2015 by the THNIC Foundation, is Thailand’s first neutral IXP with points of presence across multiple data centers including AIMS DC TH, CSL CW, ETIX Bangkok1, NTT Bangkok2, STT Bangkok1, TCCT Bangna, and Telehouse Bangkok. TH-IX (Thailand Internet Exchange), the government-affiliated exchange, predates BKNIX and has historically handled the majority of domestic peering traffic.[19]
Submarine Cable Infrastructure
Thailand connects to international networks through three submarine cable landing stations at Sri Racha (Chonburi Province), Petchaburi, and Songkhla. These stations serve multiple cable systems connecting Thailand to Hong Kong, Singapore, Japan, and the broader Southeast Asian network. The Thailand Domestic Submarine Cable Network (TDSCN) provides internal connectivity along the Thai coastline.[20]
Surveillance Nexus
Thailand’s internet infrastructure is subject to multiple surveillance mechanisms. The Computer Crime Act requires ISPs to retain traffic data for 90 days (extendable to two years by ministerial order), providing a legal basis for accessing data at exchange points. The 2015 internet traffic “sniffing” device was deployed specifically to monitor traffic for lèse-majesté content. The abortive Single Gateway proposal — reducing nine international gateways to one — would have concentrated all cross-border traffic through a single surveillance chokepoint. While the Single Gateway was scrapped, the underlying legal authority to order ISPs and telecommunications operators to facilitate interception remains under the Telecommunications Act, the Computer Crime Act, and the National Intelligence Act.[15]
Data Retention
The Computer Crime Act requires internet service providers to retain traffic data for 90 days, extendable to two years by order of a “competent official” (a ministerial appointee). Traffic data includes source, destination, route, time, date, size, duration, and type of communications, but not content. ISPs that fail to comply face fines of up to THB 500,000.[9]
The PDPA requires data controllers to retain personal data only for the period necessary for the purpose of processing. However, the 90-day CCA retention obligation and the NIA’s authority to order data production without judicial approval create parallel retention pressures that operate outside the PDPA’s purpose limitation principle.[4]
International Data Sharing Agreements
SSPAC (SIGINT Seniors of the Pacific)
Thailand is a founding member of SSPAC alongside the Five Eyes nations, South Korea, and Singapore. SSPAC members share counterterrorism intelligence through the CRUSHED ICE secure network. Thailand’s NIA provides the country’s representation in SSPAC, with Bureaus 4–6 (technical intelligence and SIGINT) supporting intelligence exchange.[3]
US-Thailand Mutual Legal Assistance Treaty
The US-Thailand MLAT was signed at Bangkok on March 19, 1986 and entered into force on June 10, 1993. It provides for mutual assistance in criminal investigations including taking testimony, executing searches, transferring persons in custody, locating persons, and forfeiture of proceeds.[21]
US-Thailand Defense Alliance
The alliance is founded on the 1954 Southeast Asia Collective Defense Treaty (Manila Pact) and the Thanat-Rusk Communiqué of 1962, which commits the US to Thailand’s defense without requiring prior SEATO consensus. Defense agreements include the GSOMIA (1983), CISMOA (Communications Interoperability and Security Memorandum of Agreement), and ACSA (Acquisition and Cross-Servicing Agreement, 2014). The 2012 Joint Vision Statement designates Thailand a “21st Century Security Partnership.”[22]
Cobra Gold
Cobra Gold is the largest annual US military exercise in the Indo-Pacific, co-hosted by Thailand since 1982. The 2026 exercise involved over 8,000 troops from 30 nations. Exercise activities include dedicated SIGINT training, amphibious operations, counter-drone operations, and humanitarian disaster relief. Cobra Gold serves as both a military interoperability exercise and an intelligence-sharing platform.[23]
Other Frameworks
Thailand is an APEC member economy but has not yet joined the APEC Cross-Border Privacy Rules (CBPR) system. The NBTC cooperates with regional telecommunications regulators on cybersecurity. Thailand participates in Interpol (Royal Thai Police as National Central Bureau) and the Egmont Group for financial intelligence sharing through the Anti-Money Laundering Office (AMLO).[24]
The Privacy Backdoor Effect
Despite the PDPA’s consent requirements and data subject rights, international intelligence cooperation and domestic surveillance powers create parallel pathways for accessing Thai person data:
- SSPAC: Founding member with intelligence sharing on CRUSHED ICE network
- National Intelligence Act: NIA can order any person to produce data without judicial authorization
- Computer Crime Act: 90-day mandatory traffic data retention, extendable to 2 years
- US-Thailand alliance: Deep defense cooperation with SIGINT training through Cobra Gold
- Section 112: Lèse-majesté enforcement drives active monitoring of online speech
The PDPA’s protections apply to commercial data processing, but the government’s own data collection activities — through the NIA, ISOC, the Computer Crime Act, and Section 112 enforcement — operate under separate legal authorities with weaker or nonexistent privacy safeguards.
Recent Developments
50-Year Lèse-Majesté Sentence (January 2025)
Mongkol Thirakot, 30, was sentenced to 50 years imprisonment for 27 Facebook posts related to the monarchy — the longest lèse-majesté sentence on record. In January 2025, UN human rights experts called for Thailand to “immediately repeal lèse-majesté laws.”[10]
PDPC Enforcement Escalation (2024–2025)
The PDPC issued its first administrative fine of THB 7 million in August 2024, followed by five additional cases in 2025 totaling over THB 21.5 million. Government agencies were fined alongside private companies. A five-year review of the PDPA was triggered in 2025.[7]
Pegasus Lawsuit Dismissed (November 2024)
A Civil Court dismissed activist Jatupat Boonpattararaksa’s lawsuit against NSO Group, ruling the evidence insufficient despite Thailand’s NHRC confirming Pegasus abuse against 35 individuals. Amnesty International called the dismissal an “alarming setback in the fight against unlawful surveillance.”[18]
NBTC Tightens SIM Rules (August 2024)
New regulations titled “Measures to Prevent Technological Crime for Telecommunications Operators” were published in the Royal Gazette on August 29, 2024, tightening SIM card registration and requiring operators to implement enhanced identity verification.[16]
Cross-Border Transfer Rules in Force (March 2024)
PDPC’s Adequacy Notification and Non-adequate Countries Notification became effective March 24, 2024, establishing the framework for international data transfers including adequacy assessment, binding corporate rules, and standard contractual clauses.[8]
Section 112 Charges Continue Rising
By August 2025, at least 284 individuals had been charged in 317 cases since 2020. At least 168 cases originated from public reports to police. In September 2025, 11 more individuals were imprisoned without bail. Two defendants in a Section 110 case received sentences of 16 and 21 years each.[25]
