
PDPC Moves Forward with "Privacy in Action" — Eagle Eye Crawler Monitors Websites 24/7 as AI and PDPA Guidelines Take Shape

Thailand’s Personal Data Protection Committee Office marked Data Privacy Day 2026 with a clear shift from awareness-building to active enforcement, revealing 2,672 complaints, the Eagle Eye Crawler automated website monitoring system, and upcoming AI Governance guidelines under the PDPA.

7 Mar 2026 | 5 min | Tilleke & Gibbins
PDPA, Privacy in Action, Eagle Eye Crawler, PDPC, Data Privacy Day 2026, AI Governance, PDPA fines, enforcement, privacy

PDPC Sends a Clear Signal: The Awareness Era Is Over — Now It’s Time to Prove Compliance

Data Privacy Day 2026, hosted by Thailand’s Personal Data Protection Committee Office (PDPC) this past February, was not just another industry event — it was the clearest signal in years that the rules of the game are changing.

This year’s theme, "Privacy in Action," reflects a significant policy shift: from building awareness to demonstrating accountability in practice. Organizations that still view PDPA as a paper policy exercise may face a much harsher reality this year.


2,672 Complaints: A Number That Demands Attention

The PDPC disclosed that, from the date the PDPA came into force through January 2026, it has received a cumulative 2,672 complaints. The three most common types of violations are:

  • Failure to comply with the Data Minimization principle — collecting more personal data than necessary for the stated purpose
  • Collecting data without a lawful basis — no consent, no legitimate interest, and no applicable legal exemption
  • Unauthorized disclosure or use of data — sharing customer or employee personal data without the data subject’s knowledge or consent

At first glance, 2,672 complaints may not seem high compared with the number of businesses nationwide. But the key point is this: the PDPC is materially expanding its enforcement capacity, and soon this will not be the only number organizations need to worry about.


Eagle Eye Crawler: When the PDPC No Longer Waits for Complaints

One critical point many organizations still do not realize is that the PDPC has developed a system called Eagle Eye Crawler, an automated, 24/7 tool for detecting potential PDPA violations.

The system crawls organizational websites and digital channels to assess whether:

  • A legally compliant Cookie Consent Banner is in place and genuinely allows users to reject cookies
  • The Privacy Policy contains all disclosures required under the PDPA and is easy to access
  • Personal data is being collected beyond necessity or collected without prior consent
  • Online forms include a valid consent mechanism before collecting personal data

The implication is significant: your organization may be reviewed without your knowledge and flagged before anyone even files a complaint. Enforcement is no longer purely reactive — it is becoming a form of proactive surveillance with broader reach than many organizations expect.


Fines Are Increasing Across All Sectors

According to reports from Tilleke & Gibbins and international legal outlets such as Mondaq and Transatlantic Law International, recent administrative fines issued by the PDPC have affected multiple sectors, including government agencies, healthcare providers, retail SMEs, and e-commerce businesses. Penalties have ranged from tens of thousands of baht for minor breaches to several million baht for serious violations.

What organizations need to understand clearly is that PDPA liability does not stop at the corporate entity. Executives involved in or aware of violations may face personal liability, including civil and criminal exposure. In other words, overlooking PDPA is no longer just a company risk.


AI and PDPA Guidelines: What’s Coming Next

Another major takeaway from Data Privacy Day 2026 is that the PDPC is currently drafting personal data protection guidelines for AI use to connect PDPA requirements with enterprise AI adoption.

Key principles expected to appear in these guidelines include:

  • Organizations using AI remain full Data Controllers — whether it is a chatbot that stores user conversations, a resume screening system that processes applicant data, or AI used to analyze customer behavior, responsibility under the PDPA remains with the organization, not the AI system.
  • Using AI with personal data is considered High-Risk Processing — organizations will need to conduct a Data Protection Impact Assessment (DPIA) before deployment, especially for systems involving automated decision-making.
  • Data subjects have the right to know the basis of AI-driven decisions — where AI affects an individual’s rights or interests, such as credit denial, recruitment rejection, or differential pricing, organizations must be able to explain the reasoning.

These guidelines are not waiting for Thailand’s proposed standalone AI law to be passed. They are expected to operate alongside the already enforceable PDPA. That means organizations currently using AI must start preparing now.


5 Actions to Take Before Eagle Eye Knocks on Your Door

Waiting until a complaint is filed or Eagle Eye Crawler flags your organization is not a safe strategy. Organizations should act proactively:

  1. Review all websites and digital channels — Is your Cookie Consent Banner legally compliant? Is your Privacy Policy up to date? Are there any forms collecting data without valid consent?
  2. Conduct a Consent Audit — Can every consent collected in the past be backed by verifiable Proof of Consent? Is that consent still valid?
  3. Build a Data Inventory — Know what personal data your organization holds, where it resides, who can access it, and what it is used for
  4. Prepare your DSR process — Data Subject Request handling must be able to respond within 30 days, with clear procedures and complete documentation
  5. Assess all AI systems in use — If your organization uses AI that processes personal data, identify the lawful basis for each system and determine whether a DPIA is required

You can assess your organization’s current PDPA compliance status right away with the PDPA Compliance Assessment — it takes little time, but helps identify where the gaps are today.


Sectors Receiving Particular PDPC Attention

Based on recent enforcement patterns, the sectors receiving particular PDPC scrutiny include:

  • E-commerce and online retail — collection of purchasing behavior data, personalized marketing, and third-party data sharing
  • Healthcare providers and health-related businesses — health data is sensitive personal data and carries heavier penalties
  • Retail and SME businesses — often exposed through weaknesses in Cookie Consent and Privacy Policy practices
  • Government agencies — which hold vast volumes of citizen data and are facing more rigorous oversight

But the reality is simple: every organization that processes personal data, regardless of size, falls within the scope of enforcement.


What Comes Next: From Awareness to Demonstrable Accountability

"Privacy in Action" is more than an event theme — it is the policy direction likely to continue throughout this year and beyond. The PDPC is steadily building a more robust enforcement infrastructure across personnel, technology (Eagle Eye Crawler), and emerging rules (AI Governance Guidelines).

For organizations that want to prepare systematically, read the PDPA Checklist 2026 to verify whether all critical areas have been covered.

Enersys’ PrivacyHub is built to address these needs directly, covering Consent Management, DSR Automation, Data Inventory, RoPA, Breach Notification, and Vendor Management on a Zero-PII Storage architecture that reduces risk by design. It also includes Genesis AI, which helps analyze compliance gaps and provide proactive recommendations before Eagle Eye finds them first.

If your organization would like to assess its PDPA compliance status or prepare for the upcoming AI Governance Guidelines, Enersys’ specialists are ready to help. Contact the Enersys team today for a preliminary assessment at no cost.


References: Tilleke & Gibbins: Key Takeaways from Thailand's Data Privacy Day 2026 | Mondaq | Transatlantic Law International | Thairath English
