For Japanese companies operating in Thailand, understanding “which laws govern our IT systems and data?” is not an abstract concern — it is an operational necessity. Thailand’s digital-related laws are not codified into a single “digital code.” Instead, separate laws and royal decrees govern personal data, cybersecurity, electronic transactions, AI, and crypto assets. This six-part series provides a systematic guide to Thailand’s digital law landscape. Volume 1 maps the entire terrain.
Why Understanding Thailand’s Digital Laws Matters Now
Thailand’s Digital Economy Is Booming
Thailand’s e-commerce market is projected to reach approximately 1.15 trillion baht in 2026 (7% year-on-year growth), with Shopee, Lazada, and TikTok Shop dominating the market. Manufacturing has accelerated IoT adoption and digitization of industrial control systems. The Thai government has embedded AI and data economy development into its national Digital Economy and Society Development Plan (DESDP) 2025–2030, driving a wave of new legislation.
In response, Thailand has enacted or amended multiple digital laws over the past several years. A Japanese company that simply uses IT systems, maintains a website, manages employee personal data, and signs electronic contracts in Thailand may already be subject to several of these laws simultaneously.
The Challenge: Knowing Which Laws Apply
One of the most common questions from Japanese SMEs is: “What IT-related laws exist in Thailand, and which ones apply to us?” Information on Thai law is primarily available in English and Thai, with limited systematic resources in Japanese. This series aims to serve as that systematic guide.
Thailand’s Digital Law Map — 7 Laws + 2 Draft Bills
Thailand’s digital-related legal framework can be divided into seven enacted laws and two bills under development.
Enacted Laws
① Personal Data Protection Act (PDPA)
- Full name: Personal Data Protection Act B.E. 2562
- Enacted: 2019 / Fully effective: June 1, 2022
- Scope: Regulates collection, use, disclosure, and cross-border transfer of personal data; protects data subject rights
- Supervisory authority: PDPC (Personal Data Protection Committee)
- Japanese equivalent: Act on Protection of Personal Information (APPI)
Often called “Thailand’s GDPR,” the PDPA is one of the most immediately relevant digital laws for Japanese businesses. Any company that handles even basic personal information — employee names, contact details — falls within its scope.
② Cybersecurity Act
- Full name: Cybersecurity Act B.E. 2562
- Effective: May 27, 2019
- Scope: Protection of Critical Information Infrastructure (CII), establishment of cybersecurity response frameworks
- Supervisory authority: NCSA (National Cyber Security Agency)
- Japanese equivalent: Basic Act on Cybersecurity
Obligations apply primarily to CII operators in sectors such as telecommunications, finance, energy, logistics, and healthcare. Japanese manufacturers with digitized factory control systems may also qualify as CII operators.
③ Computer Crime Act
- Full name: Computer Crime Act B.E. 2550 (amended 2017)
- Scope: Prohibits unauthorized access, data tampering, dissemination of false information; imposes traffic data retention obligations on service providers
- Supervisory authority: MDES (Ministry of Digital Economy and Society) / Police
- Japanese equivalent: Act on Prohibition of Unauthorized Computer Access
Applies to all entities that use computer systems in Thailand. The “false information dissemination” provision (Section 14) has implications for social media communications and marketing.
④ Electronic Transactions Act
- Full name: Electronic Transactions Act B.E. 2544 (amended 2019)
- Scope: Legal validity of electronic signatures, evidentiary value of electronic records, formation of electronic contracts
- Supervisory authority: ETDA (Electronic Transactions Development Agency)
- Japanese equivalent: Act on Electronic Signatures and Certification Business
Provides the legal foundation for electronic contracts in Thailand. The key reference when assessing whether services like DocuSign are legally valid under Thai law.
⑤ Royal Decree on Technology Crime Prevention
- Full name: Royal Decree on Measures for Prevention and Suppression of Technology Crimes B.E. 2566 (amended 2025)
- Scope: Prevention of online fraud and financial crime, reporting obligations for financial institutions, content removal obligations for social media platforms
- Supervisory authority: MDES / Financial institutions / ETDA
- Japanese equivalent: Act on Prevention of Transfer of Criminal Proceeds (related laws)
Addresses the surge in online fraud and phishing. Imposes significant obligations on social media platforms and financial institutions.
⑥ Emergency Decree on Digital Asset Business
- Full name: Emergency Decree on Digital Asset Business B.E. 2561
- Effective: 2018
- Scope: Licensing of crypto exchanges, brokers, dealers, fund managers, advisors, and custodians; ICO regulation
- Supervisory authority: SEC (Securities and Exchange Commission)
- Japanese equivalent: Payment Services Act / Financial Instruments and Exchange Act
Directly relevant to companies engaged in crypto asset businesses or blockchain-based token issuance.
⑦ Trade Competition Act (Digital Platform Regulation)
- Full name: Trade Competition Act B.E. 2560 (2017)
- Scope: Prohibition of abuse of dominant position and unfair trade practices, applied to e-commerce platforms via TCCT Guidelines
- Supervisory authority: TCCT (Trade Competition Commission of Thailand)
- Japanese equivalent: Act on Transparency and Fairness of Specified Digital Platform Transactions
Bills Under Development
⑧ Draft AI Law (Draft Principles of the AI Law)
- Drafting body: ETDA (consolidated version)
- Status: Basic principles finalized in June 2025; revision ongoing
- Scope: Risk-based AI regulation (prohibited AI, high-risk AI, limited-risk AI); obligations for providers and deployers
- Comparison: Closely mirrors the EU AI Act structure
⑨ Draft Platform Economy Act (PEA)
- Drafting body: ETDA
- Status: Under development
- Scope: EU DSA-style platform governance (notice and takedown, ranking transparency, trusted flaggers)
Regulatory Authority Map
| Law / Bill | Supervisory Authority | Japanese Equivalent |
|---|---|---|
| PDPA | PDPC | APPI |
| Cybersecurity Act | NCSA | Basic Act on Cybersecurity |
| Computer Crime Act | MDES / Police | Unauthorized Computer Access Act |
| Electronic Transactions Act | ETDA | Electronic Signatures Act |
| Technology Crimes Decree | MDES / Financial institutions | AML-related laws |
| Digital Assets Decree | SEC | Payment Services Act / FIEA |
| Trade Competition Act | TCCT | Specified Digital Platform Act |
| Draft AI Law | ETDA / AI Governance Center | (AI Basic Law under consideration) |
| Draft PEA | ETDA | Digital Platform Transparency Act |
Which Laws Apply to Your Company? — A Decision Framework
Applies to All Businesses (In Principle)
PDPA: Any company that processes the personal data of even one employee, customer, or business partner is covered. The PDPA also has extraterritorial reach — it applies when organizations outside Thailand process personal data of individuals in Thailand. A Japanese parent company managing Thai subsidiary employee data may also be covered.
Computer Crime Act: Any entity operating IT systems, websites, or networks in Thailand falls within scope. Service providers (ISPs, data centers) face additional traffic data retention obligations.
Additional Laws by Business Type
| Business Type | Additional Applicable Laws |
|---|---|
| Telecoms, finance, energy, logistics, healthcare (infrastructure) | Cybersecurity Act (CII obligations) |
| E-commerce / digital platform operators | Trade Competition Act (TCCT Guidelines) |
| Crypto / blockchain / fintech companies | Digital Assets Decree |
| AI developers, providers, or users | PDPA (now) + Draft AI Law (future) |
| Companies executing electronic contracts | Electronic Transactions Act |
| Social media platforms / financial institutions | Technology Crimes Decree |
Series Overview: What’s Coming in Each Volume
| Volume | Date | Topic |
|---|---|---|
| Vol. 1 (this article) | Mar 22, 2026 | Complete map of Thailand’s digital laws |
| Vol. 2 | Mar 23, 2026 | PDPA — Enforcement, fine cases, AI nexus |
| Vol. 3 | Mar 24, 2026 | AI regulation — Draft AI Law structure and obligations |
| Vol. 4 | Mar 25, 2026 | E-commerce / platform regulation — TCCT Guidelines and Draft PEA |
| Vol. 5 | Mar 26, 2026 | Cybersecurity Act + Computer Crime Act |
| Vol. 6 | Mar 27, 2026 | Electronic transactions, e-signatures, crypto regulation + Series summary |
We have also published standalone practical guides on AI regulation, e-commerce regulation, and PDPA ahead of this series. This series focuses on the legal structure and provisions of each law; those guides provide complementary practical guidance.
Related Articles
- Thai AI Regulation 2026: What Companies Using AI in Thailand Need to Know
- Thailand’s New E-Commerce Regulations: Platform Fees, Logistics Monopolies, and What Sellers Need to Know
- Thailand PDPA Practical Guide 2026
Next in the Series
Volume 2 (March 23, 2026): A deep dive into Thailand’s PDPA — now in active enforcement mode. We analyze actual fine cases, explain how the PDPC’s Eagle Eye Crawler monitors websites for compliance, examine the February 2026 draft guidelines on AI and PDPA, and address cross-border data transfer mechanisms (BCR/SCC).
This article is for general informational purposes about Thailand’s legal system and does not constitute legal advice under Thai law. For specific matters, please consult a Thai-qualified legal professional. Our firm works in collaboration with JTJB International Lawyers’ Thai-qualified attorneys.