The Credit Information Business Act 2002 specifically covers the collection and processing of credit information. Chapter 2 states that only a credit information company has the right to operate the credit information business (section 9). Section 12 of the Act states that "No credit information company or information controller or information processor carrying on or operating the business in the Kingdom shall operate, control or process information outside the Kingdom."

Under Section 28 of the Personal Data Protection Act, personal data may only be transferred to a third country if the receiving country upholds adequate personal data protection standards, or if one of the following conditions is satisfied: (i) the transfer is necessary to comply with legal obligations; (ii) the individual has given informed consent for the transfer, despite being made aware of the inadequacy of the receiving country’s data protection laws; (iii) the transfer is required for the performance of a contract to which the individual is a party or will become a party; (iv) the transfer is necessary for the fulfilment of the controller’s obligations under a contract with a third party for the benefit of the individual; (v) the transfer is essential to prevent or address a danger to the life, body, or health of the individual or others, in situations where the individual cannot provide consent; or (vi) the transfer is necessary for the performance of a public task.
Section 29 of the Act further permits the international transfer of personal data under the following circumstances: (i) where the transfer is made to a controller or processor within a group company that has established binding corporate rules approved by the Committee; and (ii) where approval for the binding corporate rules from the Committee is pending, provided the controller or processor has implemented appropriate safeguards and effective legal remedies in accordance with the Committee’s guidelines.
Section 5 of the "Notification of the Personal Data Protection Committee on Criteria for the Protection of Personal Data Sent or Transferred to a Foreign Country Pursuant to Section 28 of the Personal Data Protection Act" sets forth criteria for determining the adequacy of personal data protection standards in recipient countries.
Additionally, Clauses 7 and 8 of the "Notification of the Personal Data Protection Committee on Criteria for the Protection of Personal Data Sent or Transferred to a Foreign Country Pursuant to Section 29 of the Personal Data Protection Act" outline additional requirements related to binding corporate rules, standard contractual clauses, and certifications, among others.

Thailand has not joined any agreement with binding commitments to open transfers of data across borders.

The Personal Data Protection Act provides a comprehensive regime of data protection in Thailand, and it is the first consolidated legislation to offer general data protection within Thailand. The Act is based on the General Data Protection Regulation (Regulation (EU) 2016/679) (GDPR) and contains many similar provisions, although they differ in areas such as anonymisation. More specifically, the Act introduces obligations for data controllers and data processors, including lawful grounds for data collection, use, and disclosure, restrictions on data transfers to foreign countries, requirements for breach notification, and rights for data subjects. The Ministry of Digital Economy and Society and Personal Data Protection Committee have released draft secondary laws and guidelines to clarify the provision of the Act in areas such as data security, data transfers to foreign countries, as well as requirements for data protection officer appointment and the conducting of Data Protection Impact Assessments.

The Notification on Telecommunications Service Users' Rights 2006, issued by the National Telecommunications Commission (NTC), states that licensed telecommunications service providers must retain their users' data for the last three months after the service is terminated (Clause 8). The personal data of telecommunication users includes factual information that can identify the individual user, usage details, subscriber number and behavioural activity in the use of telecommunication services. In case of necessity, the service provider may be required to extend the period of data retention but will not exceed two years.

Section 26 of the Commission of Computer-Related Offences Act 2007 (so-called Computer Crimes Act 2007) (amended 2017) defines 'computer traffic data' as data in relation to the communication of computer system or the origin, time, duration, type of service, or else related to the computer system. The Act requires a service provider to retain computer traffic data for not less than 90 days from the date when the data was entered into the computer system. If necessary, the competent official may order any service provider to retain computer traffic data for a period exceeding 90 days but not exceeding 2 years as a matter of an individually exceptional case and on an ad hoc basis. Also, the service provider shall maintain client data, which is necessary for identifying the client since their first use of service and shall keep such data for not less than 90 days from the ending date of service. Those who fail to comply with this measure shall be liable to a fine not exceeding 500,000 Thai Baht (approx. USD 14,000).
The Notification on Computer Traffic Data Retention Criteria for Service Providers in 2007 provides detailed information regarding this matter. For example, the computer traffic data must be maintained under secured measures using a centralised log server, data archiving, or data hashing (Clause 8). Moreover, the service providers - telecommunication and broadcast carriers, access service providers, host service providers, and content service providers - need to retain the information as the law requires (Clause 5).

The appointment of a Data Protection Officer (DPO) is a mandatory condition under the Personal Data Protection Act (PDPA). Section 41 of the Act specifies that the data controller and data processor shall designate a DPO in the following circumstances: the activities such as collection, use, or disclosure of personal data.
The DPO's duties include advising the data controller and data processor, investigating the performance of the data controller and data processor, coordinating and cooperating with the Office of the Personal Data Protection Committee (PDPC) when there are problems and keeping confidentiality of the personal data (Section 42).

Thailand has not signed the World Intellectual Property Organization (WIPO) Performances and Phonograms Treaty.

Section 64 of the Cyber Security Maintenance Act (CSA) 2019 states that, if it is necessary for the prevention, handling, and reduction of cyber threat risks, the Cyber Security Supervisory Committee (CSSC) shall order State agencies to provide information in their possession and related to cybersecurity maintenance.
Also, in Section 66, the CSSC has the power to carry out or order competent officials to carry out operations, only to the extent necessary for preventing cyber threats, in the following matters:
- to enter a place for inspection upon written notification;
- to gain access, copying or filtering computer data, computer systems or other related data;
- to test the functionality of computers or computer systems;
- to seize or attach, only to the extent necessary, computers, computer systems, or equipment, not exceeding 30 days.
To carry out activities under (2), (3), (4), the CSSC must file a motion to the competent court. However, in case of emergency and the threat is critical to cybersecurity, the Secretary-General shall take immediate action to the extent necessary for preventing and remedying damage in advance without filing a motion with the Court (Section 68).

According to the Trade Secrets Act, trade secrets can be in any means or any medium which conveys a statement, story, or fact in formula, form, compilations, or assembled works, programs, methods, techniques, or processes (Section 3). The disclosure or use of trade secrets by a governmental agency that supervises the maintenance of trade secrets shall not be deemed as an infringement of rights in trade secrets in the following cases:
- When it is necessary to protect the health or safety of the public, or;
- When it is necessary for the benefit of the public, not for a commercial purpose, the governmental agency must proceed under the procedure to protect such trade secrets from being used in unfair trading activities (Section 7.2).

The Trade Secrets Act (TSA) provides a framework for effective protection of trade secrets. Any “trade information”, such as an instrument of statements, facts, or other information that meets the following three requirements, is protected as a trade secret:
- It is confidential, i.e. the trade information is not being publicly known to or accessible by persons who are not related to the trade information;
- It has a commercial value derived from its secrecy;
- Its secrecy is protected by its owner/controller, who has taken appropriate and sufficient protection measures to maintain its secrecy.
In practice, a non-disclosure agreement is commonly used to safeguard and maintain the secrecy of a trade secret.
If there is a dispute concerning the trade secret because a person infringes its secrecy, the trade secret owner can submit the dispute to the Trade Secret Committee for mediation and settlement. Alternatively, they can file a lawsuit in court against the infringer for interim and permanent injunction orders and compensations for actual damages and punitive damages. The lawsuit must be filed within three years from the date on which the infringement act and the infringer are known or within 10 years from the date of the infringement act.

It is reported that passive infrastructure sharing in Thailand to deliver telecom services to end users is mandated, and it is practised in both the mobile and fixed sectors based on commercial agreements.

The Foreign Business Act (FBA) 1999 governs foreign investment in Thailand. Section 4 of the Act defines a "foreigner" as a company in which at least half of the capital or shares are held by foreigners, or a limited partnership or registered ordinary partnership with foreigners as the managing partner or manager.
According to Section 8 of the Telecommunications Business Act 2001, Type 2 licenses (telecommunications operators providing services to a specific group of customers, with or without operating their own telecommunications network) and Type 3 licenses (telecommunications operators providing their own telecommunications network for public use) cannot be granted to foreign applicants. As a result, foreign ownership in these sectors is capped at 49%.

The Foreign Business Act (FBA) of 1999 governs foreign investment in Thailand. The act defines "foreigner" as any company with at least 50% foreign-owned capital or shares, or any limited partnership or registered ordinary partnership where foreigners hold managerial control. Under the Telecommunications Business Act of 2001, foreign applicants are prohibited from obtaining Type 2 and Type 3 telecommunications licenses, limiting foreign ownership in these sectors to 49%.
Additionally, the 2011 Foreign Dominance Notification, enforced by the National Broadcasting and Telecommunications Commission (NBTC), establishes criteria for foreign dominance in the telecommunications sector. The regulation restricts foreign dominance, prohibiting actions like holding 50% or more of voting shares, controlling majority votes at shareholder meetings, or appointing or removing half or more of a company's directors. Prohibited behaviours also encompass dominance through shareholders, voting rights, controlling power, financial relationships, intellectual property agreements, procurement arrangements, joint business operations, and transfer pricing.

List 3 of the Foreign Business Act includes industries in which "Thai nationals are not yet ready to compete with foreigners". These are open to foreign investors provided they receive a licence from the Director-General of the Department of Business Development of the Ministry of Commerce and approval from the Foreign Business Committee. A wide range of businesses are covered under List 3, including advertising businesses. A foreign company can engage in List 3 activities if Thai nationals hold a majority of the limited company’s shares. Any company with a majority of foreign shareholders (more than 50%) cannot engage in List 3 activities unless it receives an exception from the Ministry of Commerce under its Foreign Business License application.