From “Knowing” to “Doing” — The PDPC Is No Longer Waiting
If you think the PDPA is still just a law on paper, this news may make you reconsider.
The Personal Data Protection Committee Office (PDPC) held Data Privacy Day 2026 under the theme “Privacy in Action”—and the message is clear: it is time for real implementation, not just awareness
2,672 Complaints — A Number Businesses Should Not Ignore
The PDPC disclosed that, as of January 2026, there had already been 2,672 complaints related to the PDPA. The most common violations were:
- Failure to comply with the Data Minimization principle — collecting more data than necessary
- Collecting data without a legal basis — no consent or no legitimate interest
- Using/disclosing data without a legal basis — sharing customer data without authorization
While 2,672 cases may not sound high in a country with millions of businesses, what is more concerning is the year-on-year upward trend, while the PDPC is also expanding both its workforce and its technology capabilities for enforcement.
AI Governance Is Coming — Faster Than Many Expect
One of the most important takeaways from Data Privacy Day was that the PDPC is preparing guidance on AI Governance to ensure that AI use aligns with personal data protection principles.
In addition, Thailand is drafting a separate AI Act, which would serve as dedicated legislation specifically regulating AI and operating alongside the PDPA.
The key point organizations need to understand is this: although the PDPA does not regulate AI directly, any personal data used in AI must still comply with the PDPA — and organizations, not the AI itself, bear full responsibility.
