Thailand has not joined any agreement with binding commitments to open transfers of data across borders.

The Personal Data Protection Act provides a comprehensive regime of data protection in Thailand, and it is the first consolidated legislation to offer general data protection within Thailand. The Act is based on the General Data Protection Regulation (Regulation (EU) 2016/679) (GDPR) and contains many similar provisions, although they differ in areas such as anonymisation. More specifically, the Act introduces obligations for data controllers and data processors, including lawful grounds for data collection, use, and disclosure, restrictions on data transfers to foreign countries, requirements for breach notification, and rights for data subjects. The Ministry of Digital Economy and Society and Personal Data Protection Committee have released draft secondary laws and guidelines to clarify the provision of the Act in areas such as data security, data transfers to foreign countries, as well as requirements for data protection officer appointment and the conducting of Data Protection Impact Assessments.

The Notification on Telecommunications Service Users' Rights 2006, issued by the National Telecommunications Commission (NTC), states that licensed telecommunications service providers must retain their users' data for the last three months after the service is terminated (Clause 8). The personal data of telecommunication users includes factual information that can identify the individual user, usage details, subscriber number and behavioural activity in the use of telecommunication services. In case of necessity, the service provider may be required to extend the period of data retention but will not exceed two years.

Section 26 of the Commission of Computer-Related Offences Act 2007 (so-called Computer Crimes Act 2007) (amended 2017) defines 'computer traffic data' as data in relation to the communication of computer system or the origin, time, duration, type of service, or else related to the computer system. The Act requires a service provider to retain computer traffic data for not less than 90 days from the date when the data was entered into the computer system. If necessary, the competent official may order any service provider to retain computer traffic data for a period exceeding 90 days but not exceeding 2 years as a matter of an individually exceptional case and on an ad hoc basis. Also, the service provider shall maintain client data, which is necessary for identifying the client since their first use of service and shall keep such data for not less than 90 days from the ending date of service. Those who fail to comply with this measure shall be liable to a fine not exceeding 500,000 Thai Baht (approx. USD 14,000).
The Notification on Computer Traffic Data Retention Criteria for Service Providers in 2007 provides detailed information regarding this matter. For example, the computer traffic data must be maintained under secured measures using a centralised log server, data archiving, or data hashing (Clause 8). Moreover, the service providers - telecommunication and broadcast carriers, access service providers, host service providers, and content service providers - need to retain the information as the law requires (Clause 5).

It is reported that passive infrastructure sharing in Thailand to deliver telecom services to end users is mandated, and it is practised in both the mobile and fixed sectors based on commercial agreements.

The Foreign Business Act (FBA) 1999 governs foreign investment in Thailand. Section 4 of the Act defines a "foreigner" as a company in which at least half of the capital or shares are held by foreigners, or a limited partnership or registered ordinary partnership with foreigners as the managing partner or manager.
According to Section 8 of the Telecommunications Business Act 2001, Type 2 licenses (telecommunications operators providing services to a specific group of customers, with or without operating their own telecommunications network) and Type 3 licenses (telecommunications operators providing their own telecommunications network for public use) cannot be granted to foreign applicants. As a result, foreign ownership in these sectors is capped at 49%.

The majority of the telecommunications infrastructure, such as the national broadband network and most submarine cable landing stations, is owned by the Government through state-owned enterprises (SOEs). The main SOEs in the telecommunications sector are TOT Public Company Limited and CAT Telecom Public Company Limited.

Thailand does not mandate functional separation for operators with significant market power (SMP) in the telecom market. However, accounting separation is mandated.

Thailand has appended the World Trade Organization (WTO) Telecom Reference Paper to its schedule of commitments.

According to the Act on the Organisation to Assign Radio Frequency and to Regulate the Broadcasting and Telecommunications Services B.E. 2553, the executive authority for the supervision and administration of services in the telecommunications sector in Thailand is the National Broadcasting and Telecommunications Commission. It is reported that the National Broadcasting and Telecommunications Commission is independent from the government in the decision-making process.

The Credit Information Business Act 2002 specifically covers the collection and processing of credit information. Chapter 2 states that only a credit information company has the right to operate the credit information business (section 9). Section 12 of the Act states that "No credit information company or information controller or information processor carrying on or operating the business in the Kingdom shall operate, control or process information outside the Kingdom."

Pursuant to Art. 14 of the Foreign Business Act, any initial foreign investment is subject to a minimum capital requirement of THB 2 million (approx. USD 56.000). In the case of restricted businesses (including advertising), the requirement is equivalent to 25% of the total three-year average expected annual expenditure but not less than THB 3 million (approx. USD 84.000).

Section 14 of the Patent Act 1979 (amended in 1999) stipulates that an applicant for a patent must possess one of the following qualifications: (i) be a Thai national or a juristic person with its headquarters located in Thailand; (ii) be a national of a country that is a party to a convention or international agreement on patent protection to which Thailand is also a party; (iii) be a national of a country that permits Thai nationals or juristic persons with headquarters in Thailand to apply for patents in that country; or (iv) be domiciled in, or have an industrial or commercial establishment in, Thailand or a country that is a party to a convention or international agreement on patent protection to which Thailand is also a party.
To file patents, the Ministerial Regulation No. 21 states that if the patent applicant does not reside in the Kingdom of Thailand, the applicant shall authorise an agent or patent attorney registered with the Director-General of the Department of Intellectual Property to act on his behalf (Clause 13). Moreover, the Power of Attorney (POA) shall be attached with the revenue stamp of 30 Thai Baht (around 1 USD) for each patent agent/patent attorney/application. The POA document, if not in a foreign language, must be translated into Thai (Clause 15).

Thailand is a party to the Patent Cooperation Treaty (PCT).

Thailand has a copyright regime under the law Copyright Act 1994. However, the exceptions do not follow the fair use or fair dealing model, therefore limiting the lawful use of copyrighted work by others. Art. 32 lists the exceptions, which include research or study of the work provided that such not for profit; the use for personal benefit or the family benefit including close relatives; review, accompanied by an acknowledgement of the copyright owner, among others