Thailand’s AI Law and Digital Platform Rules Are Now in Effect — What Businesses Need to Do "Now"
This is no longer something that is “coming soon” — Thailand’s AI Act has been in force since 1 March 2026, and within the same month, the Trade Competition Commission of Thailand (TCCT) followed with digital platform guidelines.
If your organization develops AI, uses AI in business decision-making, or operates through online platforms, this article is your practical roadmap for what to do next.
Key timeline you should remember
| Date | Event |
|---|---|
| February 2026 | PDPC opened a public consultation on draft personal data protection guidelines for AI |
| February 2026 | Draft AI Royal Decree and draft Prime Ministerial Notification on high-risk AI published |
| 1 March 2026 | Thailand’s AI Act took effect |
| 25 March 2026 | TCCT multi-sided platform guidelines took effect |
| 31 March 2026 | Deadline for ride-sharing platform registration notification |
| 29 April 2026 | Public consultation closes on draft rules for direct sales/direct market businesses |
| August 2026 | EU AI Act becomes fully applicable (affecting Thai companies serving the EU) |
Thailand’s digital law landscape has rarely changed this quickly in a single month.
Thailand’s AI Act — the era of “no rules” is over
Core concept: a risk-based approach
The new law adopts a risk-based approach, similar to the EU AI Act, dividing AI into 3 levels:
- Unacceptable-risk AI — AI systems posing unacceptable risks to human rights are outright prohibited
- High-risk AI — must pass a conformity assessment before use, such as AI used in justice processes, credit decisions, or hiring
- Limited-risk AI — subject to transparency requirements, such as informing users they are interacting with AI
AI Governance Center
The law requires the establishment of an AI Governance Center under ETDA as the central authority for AI oversight and enforcement.
Rights of individuals affected by AI
This is where many organizations are still underestimating the impact — the law clearly grants rights to individuals affected by AI-driven decisions:
- Right to know — individuals must be informed when AI is used in decisions that affect them
- Right to explanation — if AI makes a negative decision (credit rejection, failed job screening), the organization must explain the key factors behind that decision
- Right to human oversight — high-risk AI must be subject to human review and supervision
Draft rules for high-risk AI — what businesses should prepare for
The draft AI Royal Decree and draft Prime Ministerial Notification listing high-risk AI systems, published in February 2026, introduce major additional obligations:
For Providers (AI developers/service providers)
- Register both themselves and their AI systems with the regulator before placing them on the market
- Implement a Risk Management system based on international standards such as ISO/IEC 42001:2023
- Report serious incidents caused by AI to the regulator
- Foreign providers must appoint a representative in Thailand in writing
For Deployers (organizations using AI)
- Ensure human oversight in decision-making processes
- Maintain operational logs for AI systems
- Verify the quality of input data fed into the system
- Notify affected individuals when AI decisions may impact them
The key point: although the draft Royal Decree is still under consultation, the main AI Act is already in force — organizations that prepare now will have a major advantage.
PDPC’s AI + PDPA guidance — two laws you must handle together
In February 2026, Thailand’s Personal Data Protection Committee (PDPC) opened a public consultation on the draft personal data protection guidelines for AI development and use, covering key issues such as:
- Roles of involved parties — defining who acts as Data Controller or Processor in the AI chain
- Restrictions on model training use — Data Processing Agreements must clearly prohibit using data to train AI models without authorization
- DPIA for high-risk AI — a Data Protection Impact Assessment must be completed before using AI that processes personal data in high-risk scenarios
- Security measures throughout the AI lifecycle — from development and testing to deployment and decommissioning
Why this matters so much
Thailand’s AI Act and the PDPA do not operate separately — any organization using AI to process personal data must comply with both laws at the same time. This matters even more now that the PDPC uses tools like the Eagle Eye Crawler to proactively scan websites for compliance issues.
TCCT guidelines for digital platforms — a major shift from 25 March 2026
The Trade Competition Commission of Thailand (TCCT) issued guidelines on unfair trade practices, monopolization, and conduct that may reduce or restrict competition on multi-sided platforms. The guidelines were published in the Royal Gazette on 24 March 2026 and took effect on 25 March 2026.
Which platforms are covered?
The guidelines define a “multi-sided platform” as an intermediary connecting two or more user groups to interact, transact, or depend on each other within the same ecosystem. This includes:
- E-commerce platforms (connecting sellers, buyers, logistics, advertising, and payments)
- Ride-sharing platforms
- Social commerce platforms
- Food delivery platforms
Prohibited conduct
Pricing-related conduct:
- Parallel fee-setting arrangements resembling collusion
- Price discrimination against sellers in comparable circumstances
- Sudden changes to fee structures without prior notice
Commercial conduct:
- Opaque algorithmic ranking of sellers — restricting product visibility through non-transparent algorithms is prohibited
- Self-preferencing — platforms may not unfairly favor their own products or those of affiliated companies
- Forcing use of platform logistics — platforms may not require sellers to use logistics providers selected by the platform
- Using seller data for the platform’s own advantage — platforms may not use seller sales data or behavioral data to compete directly against those sellers
Penalties
Conduct found to significantly restrict competition may lead to administrative sanctions or even criminal penalties under the Trade Competition Act B.E. 2560 (2017).