Database

Browse Database

THAILAND

Since May 2019
(Fully entry into force in June 2021)

Pillar Domestic Data policies  |  Sub-pillar Requirement to perform an impact assessment (DPIA) or have a data protection officer (DPO)
Personal Data Protection Act 2019
The appointment of a Data Protection Officer (DPO) is a mandatory condition under the Personal Data Protection Act (PDPA). Section 41 of the Act specifies that the data controller and data processor shall designate a data protection officer in the following circumstances: the activities such as collection, use, or disclosure of the personal data.
The duty of the DPO, including: advise the data controller and data processor, investigate the performance of the data controller and data processor, coordinate and cooperate with the Office or the Personal Data Protection Committee (PDPC) when there are problems and keep confidentiality of the personal data (Section 42).
Coverage Horizontal

THAILAND

Since May 2019

Pillar Domestic Data policies  |  Sub-pillar Requirement to allow the government to access personal data collected
Cyber Security Maintenance Act 2019
Section 64 of the Cyber Security Maintenance Act (CSA) 2019 states that, if it is necessary for the prevention, handling, and reduction of cyber threat risks, the Cyber Security Supervisory Committee (CSSC) shall order State agencies to provide information in their possession and related to cybersecurity maintenance.
Also, in Section 66, the CSSC has the power to carry out or order competent officials to carry out operations, only to the extent necessary for preventing cyber threats, in the following matters:
(1) to enter a place for inspection upon written notification;
(2) to gain access to computer data, computer systems, or other related data, make copies, or screening;
(3) to test the functionality of computers or computer systems;
(4) to seize or attach, only to the extent necessary, computers, computer systems, or equipment, not exceeding 30 days.
To carry out activities under (2), (3), (4) must file a motion to the competent court. However, in case of emergency and the threat is critical to cybersecurity, the Secretary-General shall take immediate action to the extent necessary for preventing and remedying damage in advance without filing a motion with the Court (Section 68).
Coverage Computer data, Computer system (especially in critical infrastructure entities)

THAILAND

Since June 2007 (amended January 2017)
Since January 2017

Pillar Domestic Data policies  |  Sub-pillar Requirement to allow the government to access personal data collected
Commission of Computer-Related Offences Act 2007 (amended in 2017)

Commission of Computer-Related Offences Act (No.2) 2017
Section 18 of the Commission of Computer-Related Offences Act (so-called Computer Crimes Acts) provides that, when there is reasonable ground to believe that there is a violation of the Act, competent officials have the power to do:
(1) to address written inquiry or issue a summons on a person connected with the offender;
(2) to summon computer traffic data from providers of services;
(3) to order a service provider to hand over to the competent official data concerning users;
(4) to make a copy of computer data, or computer traffic data from the computer system
(5) to hand over such computer data from a person having in possession or custody
(6) to inspect and access a computer system, computer data, computer traffic data, or equipment used for retaining computer data
(7) to decryption computer data
(8) to seize or attach a computer system as necessary for identifying details of the offense
The person receiving a request from the competent official shall take action in response to the request without delay. Moreover, section 19 of the Act provides that the officials have the authority to access the computer data, computer traffic data from a computer system without filing a court petition. Only the power according to Section 18(4), (5), (6), (7), and (8) requires to apply motion to the court.

(*Remark: Section 18 and 19 of the Commission of Computer-Related Offences Act 2007 is repealed and replaced by the information in Section 13 of Thailand's Computer-Related Crimes Act (No.2) 2017.)
Coverage Computer data, Computer traffic data/ Telecommunication and Broadcast carrier, Access Service Provider, Host Service Provider, Content Service provider, and Application Service Providers

THAILAND

N/A

Pillar Cross-border data policies  |  Sub-pillar Participation in trade agreements committing to open cross-border data flows
Lack of participation in agreements with binding commitments on data flows
Thailand has not joined any agreement with binding commitments to open transfers of data across borders.
Coverage Horizontal

THAILAND

Since August 2006

Pillar Domestic Data policies  |  Sub-pillar Minimum period for data retention
Notification of the National Telecommunications Commission regarding Telecommunications Service Users' Rights Concerning Personal Information Rights to Privacy and Freedom of Communication 2006/ Minimum period of data retention
The Notification on Telecommunications Service Users' Rights 2006 issued by the National Telecommunications Commission (NTC) states that the licensed telecommunications service providers must retain their users' data for the last three months after the service is terminated (Clause 8). The personal data of telecommunications users including the factual information which may be identifiable to the individual user, usage detail, subscribed number, and behavioral activity in using telecommunications services. In case of necessity, the service provider may require to extend the period of data retention but will not exceed two years.
Coverage Personal information in telecommunications sector

THAILAND

Since February 2020

Pillar Telecom infrastructure and competition  |  Sub-pillar Other restrictions to operate in the telecom market
Notification of the National Broadcasting and Telecommunications Commission regarding Criteria and Procedures for Licensing and the Right to Orbit Satellites 2020
Previously, satellite businesses have been operated under concession contracts. In 2020, Thailand opened its satellite telecommunications services to foreign-owned satellites. Anyone who wants to provide satellite telecommunications services must apply to the National Broadcasting and Telecommunications Commission (NBTC) for a telecommunication services license. Regarding the NBTC Notification, any persons who wish to orbit their satellites in the country must apply for a license and comply with the requirements.
Coverage Telecommunications/ Satellites Communication Services

THAILAND

Since December 2010 (amended in April 2019)
Since April 2017

Pillar Telecom infrastructure and competition  |  Sub-pillar Other restrictions to operate in the telecom market
Organization to Assign Frequency Waves and to Regulate the Radio Broadcasting, Radio Television and Telecommunications Services Act 2010 (amended in 2019)

Notification of the National Broadcasting and Telecommunications Commission regarding Criteria and Allocation Procedures of the Radio Spectrum for the Telecommunication Business 2017
Radio Spectrum, including frequency waves, radio communication, radio broadcasting, sound broadcasting, and frequency waves are regulated by the National Broadcasting and Telecommunications Commission (NBTC). The Organization to Assign Frequency Waves and to Regulate Act 2010 (amended) states that any person who wishes to use a radio spectrum for broadcasting for commercial purposes must obtain a license from the NBTC. The permission to use the frequency wave shall be done by means of frequency auctions at the national, regional, and local levels. The auctions shall be conducted separately for each level, in accordance with the criteria, procedures, timeframe, and conditions as prescribed by the NBTC (Section 41 amended).

The NBTC Notification 2017 provides the specific criteria and requirements of the spectrum allocation. The validity period of each spectrum allocation shall not exceeding 5 years (Clause 10).
(*Remark: Section 41 is amended by the Organization to Assign Frequency Waves and to Regulate the Radio Broadcasting, Radio Television and Telecommunications Services Act (No.3) in 2019.)
Coverage Telecommunications/ Radio Spectrum

THAILAND

Since February 2008
Since October 2012
Since August 2013

Pillar Telecom infrastructure and competition  |  Sub-pillar Other restrictions to operate in the telecom market
Broadcasting and Television Business Act 2008

Notification of the National Broadcasting and Telecommunications Commission regarding Licensing Criteria and Procedures for Radio and Television Broadcasting Services 2012

Notification of the National Broadcasting and Telecommunications Commission regarding Criteria, Procedures and Condition for Digital Television Services Auction 2013
In general, the Broadcasting and Television Business Act 2008 states that any person who operates a television business and sound broadcasting business must obtain a license from the National Broadcasting Commission (Section 7). There are three types of broadcasting license for radio and television program, including (Section 10):
(1) Type 1: public services business, available only to government entities, charities, and educational institutions (not allow private sector operators);
(2) Type 2: community services (not allow private sector operators);
(3) Type3: profit-making at national, regional, or local levels.
Moreover, the NBTC Notification 2012 includes specific requirements of an applicant's qualifications, the required evidence, as well as the procedures for issuing a license.

According to the National Broadcasting and Telecommunications Commission (NBTC) Master Plan, Thailand has transitioned to the digital television system. Any persons who wish to operate the digital television program must obtain the digital television license specified in the NBTC Notification 2013. After receiving the license, a person shall enter into the process of digital television channel auction regulated by the NBTC.

(*Remark: The business using the frequency spectrum requires to obtain frequency assignment.)
Coverage Telecommunications/ News Provider, Television and Sound Broadcasting Business (TV program or radio)
Sources

THAILAND

Since January 1955 (amended in March 1992)
Since March 1992

Pillar Telecom infrastructure and competition  |  Sub-pillar Other restrictions to operate in the telecom market
Radio Communication Act 1955 (amended in 1992)

Radio Communication Act (No.3) 1992
The Radio Communication Act covers the radio communication devices and ancillary devices, including a radio communication-transmitter, radio communication receiver, or radio communication transmitter-receiver, etc. Any person who wishes to produce, possess, use, import, export, trade-in radio communication devices, or establish a radio communication station, or receive foreign radio communication news, must obtain a license. In other words, those who operate the mentioned activities require to obtain a specific type of license (e.g. license to import, export, trade, etc.) (Section 6 amended), and each license has a different validity period (Section 9 amended). In addition, those who violate shall be liable to a fine, or imprisonment, or both (Section 23 amended).
Coverage Radiocommunication and telecommunications equipment

THAILAND

Since November 2002

Pillar Cross-border data policies  |  Sub-pillar Ban to transfer and local processing requirement
Credit Information Business Act 2002
The Credit Information Business Act 2002 specifically covers the collection and processing of credit information. Chapter 2 states that only a credit information company has the right to operate the credit information business (section 9). Section 12 of the Act states that "No credit information company or information controller or information processor carrying on or operating the business in the Kingdom shall operate, control or process information outside the Kingdom."
Coverage Credit information companies

THAILAND

Since May 2019, entry into force in June 2021

Pillar Cross-border data policies  |  Sub-pillar Conditional flow regime
Personal Data Protection Act 2019
According to Part 3 of the Personal Data of the Personal Data Protection Act 2019 (PDPA), transferring data outside Thailand is only allowed if the destination country has adequate data protection standards or approaches. There are four exceptions to the adequacy requirement in the law, as follows:
(1) A data subject's consent to transfer has been obtained;
(2) Specific statutory exemptions apply;
(3) The receiving organization provides suitable protection measures that enable the enforcement of data subject's rights;
(4) The receiving organization has put in place a "personal data protection policy" applicable to overseas data transfers.

According to section 16(5) of the Act, the Personal Data Protection Committee (PDPC) has the power to announce and establish criteria for providing protection of Personal Data that is sent or transferred to a foreign country, including the list of adequate jurisdictions. However, since the PDPC still not establish, the transferring landscape and details are still in progress.
Coverage Personal data

THAILAND

Since November 2001
Since March 2020

Pillar Telecom infrastructure and competition  |  Sub-pillar Other restrictions to operate in the telecom market
Telecommunications Business Act 2001

Notification of the National Broadcasting and Telecommunications Commission regarding Criteria and Procedures for Telecommunications Business License 2020
In general, regarding the telecommunications sector, the restrictions vary depending on the type of license required. Any person who wishes to operate a telecommunications business in the country is required to obtain a license issued by the National Broadcasting and Telecommunications Commission (NBTC) (Section 7).
(1) Type 1: Telecommunications operators who provide telecommunications service without operating their telecommunications network;
(2) Type 2: Telecommunications operators who provide services to a specific group of customers with or without operating their own telecommunications network;
(3) Type 3: Telecommunications operators who provide their own telecommunications network for the use of the general public.

The NBTC Notification in 2020 provides specific requirements for obtaining a license, including the applicant's qualification, procedures to grant the license and conditions. The validity period of each type of license is different: Type1 and Type 2 are no expiry date, and Type 3 is 15-25 years.
Coverage Telecommunications

THAILAND

Since June 2019
Since March 2020

Pillar Telecom infrastructure and competition  |  Sub-pillar Other restrictions to operate in the telecom market
Notification of the National Broadcasting and Telecommunications Commission regarding Characteristics and Types of Telecommunications Business Requiring a Telecommunications Business License 2019

Notification of the National Broadcasting and Telecommunications Commission regarding Requirements and Criteria of Telecommunications Business License 2020
The National Broadcasting and Telecommunications Commission (NBTC)'s Notification in 2019 provides the characteristics and types of telecommunications business required to obtain a telecommunications business license (Type 1, Type 2, or Type 3) as prescribed in the Telecommunications Business Act. Appendix A and B include the lists of telecommunications businesses that require to apply for a license (Appendix C provides the telecommunication business that not requires to obtain a license).
-Appendix A includes the following list:
(1) Wireline Network: Copper wire network, Fiber optic network, Submarine cable network, Power line network, including Voice over IP (VoIP), etc.
(2) Wireless Network: Satellite network, Mobile phone network, Specific Group: trunked radio, single-channel, multi-channel, Wireless mobile phone network, Radio communication network, Photonic network, and electromagnetic wave networks, etc.
(3) Telecommunication facilities/ infrastructure (towers, cables, pipes, etc.)

-Appendix B includes the following list:
(1) Telecommunication service that has its own network: public switched telephone service, leased circuit/channel services, broadband internet service, terrestrial link service, satellite uplink/downlink service, etc.
(2) Telecommunication service that does not have own network: internet service, audio text service, VPN, VSAT service, non-facilities-based MVNO, etc.

In addition, the NBTC Notification in 2020 provides that telecommunication businesses listed in the Appendix of this Notification are allowed to acquire an 'Automatic License'. The Automatic License is a fast-track application process, granting license within 7-15 days (regular procedures prolong to 90 days).
(*Remark: Appendix of 2020 Notification covers VoIP/ Colocation, Dedicated Server, Backup Server, Virtual Private Server, Web Hosting, Mail Hosting/ EDI Service/ International Calling Card/ Store-and-Retrieve Value-Added Service/ Cloud Computing/ Video Conference/ Forward Call/ Audiotext Service/ RoIP/ VPN, VPLS, IP-VPN, etc.)
Coverage Telecommunications/ Wireline network, Wireless network, Telecom facilities, or Telecommunication service has or does not have its own network: VPN, VoIP, etc.
Sources

THAILAND

Since November 2001 (amended in January 2006)
Since January 2006

Pillar Telecom infrastructure and competition  |  Sub-pillar Maximum foreign equity share for investment in the telecommunication sector
Telecommunications Business Act 2001 (amended in 2006)

Telecommunications Business Act (No.2) 2006
The foreigners can operate telecoms businesses provided that they do not have their own telecommunications network, and the characteristics of their businesses are appropriate to provide services on the basis of liberalization or telecommunications Type 1. Nevertheless, if the telecommunications business has its own network (Type 2 and Type 3 telecoms business), it is prohibited from being acquired by a foreigner under the law on foreign business (Section 8 (1)). The National Telecommunications Commission (NBTC) regulates the merger in the telecommunication sector. The Commission has the power to prescribe specific measures to prevent monopoly in the telecoms market (Section 21). Moreover, the licensee acts or is acted upon in such manner as the business takeover shall be reported.
Coverage Telecommunications

THAILAND

Since May 2010
Since September 2014

Pillar Telecom infrastructure and competition  |  Sub-pillar Maximum foreign equity share for investment in the telecommunication sector
Notification of the National Telecommunications Commission regarding Criteria and Methods of Merger & Acquisition and Cross-Shareholding in Telecommunication Business 2010

Notification of the National Broadcasting and Telecommunications Commission regarding the Criteria and Method to Determine the Significant Market Power in Telecommunication Business 2014
To conduct the merger in the telecommunication sector, the acquirer requires to submit a merger review petition to the National Telecommunications Commission (NBTC). The NBTC will grant permission to the acquirer to execute a merger that does not cause market dominance. Whether the merger considers as dominant or not will be checked by the Herfindahl-Hirschman Index (HHI) to identify the level of concentration in the market (Clause 8).

In addition, regarding the notification of the significant market power (SMP), the SMP operators require to conform with the requirements issued by the NBTC, such as report or disclose the information, separate services, prevent activities that may lead to monopoly or competition, etc. (Clause 13).
Coverage Telecommunications
Sources