Section 18 of the Computer-Related Crime Act allows the government to access user-related or traffic data without court order and compel ISPs to decode programmed data.

There is no direct provision of the Personal Data Protection Act that requires the data controller to carry out a Data Protection Impact Assessment. However, the data controller must acknowledge the level of risk and severity of the personal data collected, used, and disclosed which may adversely affect the rights and freedoms of the natural persons. In this regard, Section 37(1) of the Act prescribes a mandatory requirement to review appropriate security measures when it is necessary, or when new technology is adopted.

The appointment of a Data Protection Officer (DPO) is a mandatory condition under the Personal Data Protection Act (PDPA). Section 41 of the Act specifies that the data controller and data processor shall designate a data protection officer in the following circumstances: the activities such as collection, use, or disclosure of the personal data.
The DPO's duties include: advise the data controller and data processor, investigate the performance of the data controller and data processor, coordinate and cooperate with the Office or the Personal Data Protection Committee (PDPC) when there are problems and keep confidentiality of the personal data (Section 42).

Section 26 of the Commission of Computer-Related Offences Act 2007 (so-called Computer Crimes Act 2007) (amended 2017) defines 'computer traffic data' as data in relation to the communication of computer system or the origin, time, duration, type of service, or else related to the computer system. The Act requires a service provider to retain computer traffic data for not less than 90 days from the date when the data was entered into the computer system. If necessary, the competent official may order any service provider to retain computer traffic data for a period exceeding 90 days but not exceeding 2 years as a matter of an individually exceptional case and on an ad hoc basis. Also, the service provider shall maintain client data which is necessary for identifying the client since their first use of service and shall maintain such data for not less than 90 days as from the ending date of service. Those who fail to comply with this measure shall be liable to a fine not exceeding 500,000 Thai Baht (approx. USD 14,000).
The Notification on Computer Traffic Data Retention Criteria for Service Providers in 2007 provides detailed information regarding this matter. For example, the computer traffic data must be maintained under secured measures using centralized log server, data archiving, or data hashing (Clause 8). Moreover, the service providers - telecommunication and broadcast carrier, access service provider, host service provider, content service provider - need to retain the information as the law required (Clause 5).

Section 17(6) of the Credit Information Act requires that a credit information company or a person assigned to process information shall set up a system of recording and reporting the result of every access to the credit information. The information record must be kept for at least 2 years from the date of access to the information.

The Notification on Telecommunications Service Users' Rights 2006 issued by the National Telecommunications Commission (NTC) states that the licensed telecommunications service providers must retain their users' data for the last three months after the service is terminated (Clause 8). The personal data of telecommunication users includes the factual information that can identify the individual user, usage details, subscriber number and behavioural activity in the use of telecommunication services. In case of necessity, the service provider may require to extend the period of data retention but will not exceed two years.

Thailand has not joined any agreement with binding commitments to open transfers of data across borders.

The Personal Data Protection Act provides a comprehensive regime of data protection in Thailand and it is the first consolidated legislation providing general data protection within Thailand. The Act is based on the General Data Protection Regulation (Regulation (EU) 2016/679) (GDPR) and contains many similar provisions, although they differ in areas such as anonymisation. More specifically, the Act introduces obligations for data controllers and data processors including lawful grounds of data collection, use, and disclosure, restrictions on data transfers to foreign countries, and requirements for breach notification, as well as rights for data subjects. The Ministry of Digital Economy and Society and Personal Data Protection Committee have released draft secondary laws and guidelines to clarify the provision of the Act in areas such as data security, data transfers to foreign countries, as well as requirements for data protection officer appointment and the conducting of Data Protection Impact Assessments.

According to Part 3 of the Personal Data Protection Act 2019 (PDPA), transferring data outside Thailand is only allowed if the destination country has adequate data protection standards or approaches. There are four exceptions to the adequacy requirement in the law, as follows:
- A data subject's consent to transfer has been obtained;
- Specific statutory exemptions apply;
- The receiving organization provides suitable protection measures that enable the enforcement of data subject's rights;
- The receiving organization has put in place a "personal data protection policy" applicable to overseas data transfers.
According to Section 16(5) of the Act, the Personal Data Protection Committee (PDPC) has the power to announce and establish criteria for providing protection of personal data that is sent or transferred to a foreign country, including the list of adequate jurisdictions.

According to the Act on the Organization to Assign Radio Frequency and to Regulate the Broadcasting and Telecommunications Services B.E. 2553, the executive authority for the supervision and administration of services in the telecommunications sector in Thailand is the National Broadcasting and Telecommunications Commission. It is reported that the National Broadcasting and Telecommunications Commission is independent from the government in the decision-making process.

The Credit Information Business Act 2002 specifically covers the collection and processing of credit information. Chapter 2 states that only a credit information company has the right to operate the credit information business (section 9). Section 12 of the Act states that "No credit information company or information controller or information processor carrying on or operating the business in the Kingdom shall operate, control or process information outside the Kingdom."

Thailand has appended the World Trade Organization (WTO) Telecom Reference Paper to its schedule of commitments.

Thailand does not mandate functional separation for operators with significant market power (SMP) in the telecom market. However, accounting separation is mandated.

The Foreign Dominance Notification in 2011 introduces foreign dominance criteria in the telecommunication sector by taking into account elements such as shareholding, management control, and supply relationship. The schedule of Prohibitions of Foreign Dominance Behaviors includes prohibited behaviors includes dominance by shareholders, voting rights, controlling power, legal relationships with sources of funds and loans, intellectual property agreements, procurement agreements, joint business operations, and transfer pricing. Nevertheless, the Notification does not apply to the telecoms business having status as a state-owned enterprise license (Clause 5/1 is added by the Foreign Dominance Notification (No.2) in 2019).

The majority of the telecommunications infrastructure, such as the national broadband network and most submarine cable landing stations, is owned by the Government through state-owned enterprises (SOEs). The main SOEs in the telecommunications sector are TOT Public Company Limited and CAT Telecom Public Company Limited.