
THAILAND

Since April 2019

Pillar Domestic data policies  |  Indicator Requirement to allow the government to access personal data collected
National Intelligence Act, 2019 (พระราชบัญญัติข่าวกรองแห่งชาติ พ.ศ. 2562)
The National Intelligence Act 2019 gives the power to the National Intelligence Agency to perform duties related to activities on intelligence operations, civil security safeguards, and monitoring situations that affect national security (Section 4). Section 6 of the Act provides the National Intelligence Agency with the power to order public agencies or any person to submit the information or document that impacts national security within the specified period. If it is necessary to acquire the information, the agency is allowed to take action by adopting electronic, scientific, telecommunication devices, or other technology tools to obtain such information. Certain activities can be done without filing a motion to the court and are deemed in good faith for the public or national security.
Coverage Horizontal

THAILAND

Since December 1994, as amended in January 2015

Pillar Intermediary liability  |  Indicator Safe harbour for intermediaries for copyright infringement
Copyright Act, 1994 (พระราชบัญญัติลิขสิทธิ์ พ.ศ. 2537)
The Copyright Act establishes a safe harbour regime for intermediaries for copyright infringements. Although Thailand has not signed the WIPO Copyright Treaty, in 2015, two copyright amendment laws were approved: the Copyright Act (No. 2) and Copyright Act (No. 3). These two laws implemented many of the key provisions of the WIPO Copyright Treaty. Copyright “safe harbour” protection for intermediaries such as cloud service providers is contained in the 2015 amendments to copyright laws. The provisions exempt Internet intermediaries from liability in broad circumstances provided that they did not control, initiate, or order the infringement. The intermediary is shielded from liability for content until they receive a court order ordering them to remove it.
Coverage Internet intermediaries

THAILAND

Since June 2007, last amended in January 2017
Since July 2017

Pillar Intermediary liability  |  Indicator Safe harbour for intermediaries for any activity other than copyright infringement
Computer-Related Crime Act B.E. 2550 (พรบ. ว่าด้วยการกระทำความผิดทางคอมพิวเตอร์ พ.ศ. 2550)

Notification of the Ministry of Digital Economy and Society regarding Procedures, Computer Data Dissemination and Transmission of the Computer Data, 2017
The Computer-Related Crime Act and the Notification of the Ministry of Digital Economy and Society (MDES) establish a safe harbour regime for intermediaries beyond copyright infringement. According to Section 15 of the Computer-Related Crime Act, service providers are not liable for the content published if they remove the computer data once they have received a notification from the Minister of Digital Economy and Society (MDES) to discontinue its dissemination. In addition, the Notification includes the 'Notice and Take Down' procedure for removing the offending content and the intermediary's liability. This Notification allows an individual to submit notices of online offences to the police or competent officers. After the service provider receives the notification from the Ministry, the competent officer, or a court order, it must remove or stop the dissemination of certain content immediately within the given period.
Coverage Internet Service Providers (ISPs)

THAILAND

Since June 2007, last amended in January 2017

Pillar Intermediary liability  |  Indicator User identity requirement
Commission of Computer-Related Offences Act, 2007 (พรบ. ว่าด้วยการกระทำความผิดทางคอมพิวเตอร์ พ.ศ. 2550)
According to Art. 26 of the Commission of Computer-Related Offences Act (commonly known as the Computer Crimes Act or CCA), all service providers are required to record users' computer traffic data and store it for 90 days, with the possibility of extending the retention period up to a year if ordered by authorities. In 2019, it was reported that the Thai government requested all coffee shops and Internet cafés, including small operators, to retain traffic data of customers using their Wi-Fi for 90 days and to provide that information upon request. This request includes keeping a 'log file' of customers' computer traffic data, including their IP address, full name, ID card number, or passport details. As defined in Art. 3 of the CCA, "Computer Traffic Data" encompasses information related to the communication of a computer system, such as the origin, source, terminal, route, time, date, size, duration, type of service, and other relevant communication details.
Coverage Services sector

THAILAND

Reported in 2021, last reported in 2025

Pillar Intermediary liability  |  Indicator User identity requirement
Identity requirement for SIM cards
It is reported that Thailand’s approach to SIM registration requires mobile network operators to collect and validate users’ personal information and proof of identity, including the use of biometric checks.
Coverage Mobile network operators

THAILAND

Since December 2010

Pillar Telecom infrastructure & competition  |  Indicator Presence of an independent telecom authority
Act on the Organisation to Assign Radio Frequency and to Regulate the Broadcasting and Telecommunications Services B.E. 2553 (พระราชบัญญัติ องค์กรจัดสรรคลื่นความถี่และกำกับการประกอบกิจการวิทยุกระจายเสียง วิทยุโทรทัศน์ และกิจการโทรคมนาคม พ.ศ. 2553)
According to the Act on the Organisation to Assign Radio Frequency and to Regulate the Broadcasting and Telecommunications Services B.E. 2553, the executive authority for the supervision and administration of services in the telecommunications sector in Thailand is the National Broadcasting and Telecommunications Commission. It is reported that the National Broadcasting and Telecommunications Commission is independent from the government in the decision-making process.
Coverage Telecommunications sector

THAILAND

Since November 2002

Pillar Cross-border data policies  |  Indicator Ban to transfer and local processing requirement
Credit Information Business Operation Act BE 2545 (2002) (พระราชบัญญัติการประกอบธุรกิจข้อมูลเครดิต พ.ศ. 2545)
The Credit Information Business Act 2002 specifically covers the collection and processing of credit information. Section 9 states that only a credit information company has the right to operate the credit information business. Section 12 of the Act states that "No credit information company or information controller or information processor carrying on or operating the business in the Kingdom shall operate, control or process information outside the Kingdom."
Coverage Credit information companies

THAILAND

Since September 2024, entry into force in September 2026

Pillar Cross-border data policies  |  Indicator Infrastructure requirement
NCSC Standards for the Maintenance of Cybersecurity in Cloud Computing Systems (ประกาศ กมช. เรื่อง มาตรฐานด้านการรักษาความมั่นคงปลอดภัยไซเบอร์ระบบคลาวด์ พ.ศ. 2567)
Pursuant to Section 5.2.5.1 of the "NCSC Standards for the Maintenance of Cybersecurity in Cloud Computing Systems", cloud service providers are required to establish both a primary data centre and a backup data centre located either within Thailand or in the nearest Southeast Asian jurisdiction. The Standards further stipulate that information systems classified as having a “high” impact (defined as those capable of causing “very severe” consequences) must utilise these designated data centres.
Coverage Cloud-computing sector and information systems

THAILAND

Since May 2019, entry into force in June 2022
Since December 2023, entry into force in March 2024
Since December 2023, entry into force in March 2024

Pillar Cross-border data policies  |  Indicator Conditional flow regime
Personal Data Protection Act, B.E. 2562 (2019)
(พระราชบัญญัติคุ้มครองข้อมูลส่วนบุคคล พ.ศ. ๒๕๖๒)

Notification of the Personal Data Protection Committee on Criteria for the Protection of Personal Data Sent or Transferred to a Foreign Country Pursuant to Section 28 of the Personal Data Protection Act, B.E. 2562 B.E. 2566 (2023)
(ประกาศคณะกรรมการคุ้มครองข้อมูลส่วนบุคคล เรื่อง หลักเกณฑ์การให้ความคุ้มครองข้อมูลส่วนบุคคล ที่ส่งหรือโอนไปยังต่างประเทศตามมาตรา 28 แห่งพระราชบัญญัติคุ้มครองข้อมูลส่วนบุคคล พ.ศ. 2562 พ.ศ. 2566)

Notification of the Personal Data Protection Committee on Criteria for the Protection of Personal Data Sent or Transferred to a Foreign Country Pursuant to Section 29 of the Personal Data Protection Act, B.E. 2562 B.E. 2566 (2023)
(ประกาศคณะกรรมการคุ้มครองข้อมูลส่วนบุคคล เรื่อง หลักเกณฑ์การให้ความคุ้มครองข้อมูลส่วนบุคคล ที่ส่งหรือโอนไปยังต่างประเทศตามมาตรา 29 แห่งพระราชบัญญัติคุ้มครองข้อมูลส่วนบุคคล พ.ศ. 2562 พ.ศ. 2566)
Under Section 28 of the Personal Data Protection Act, personal data may only be transferred to a third country if the receiving country upholds adequate personal data protection standards, or if one of the following conditions is satisfied: (i) the transfer is necessary to comply with legal obligations; (ii) the individual has given informed consent for the transfer, despite being made aware of the inadequacy of the receiving country’s data protection laws; (iii) the transfer is required for the performance of a contract to which the individual is a party or will become a party; (iv) the transfer is necessary for the fulfilment of the controller’s obligations under a contract with a third party for the benefit of the individual; (v) the transfer is essential to prevent or address a danger to the life, body, or health of the individual or others, in situations where the individual cannot provide consent; or (vi) the transfer is necessary for the performance of a public task.
Section 29 of the Act further permits the international transfer of personal data under the following circumstances: (i) where the transfer is made to a controller or processor within a group company that has established binding corporate rules approved by the Committee; and (ii) where approval for the binding corporate rules from the Committee is pending, provided the controller or processor has implemented appropriate safeguards and effective legal remedies in accordance with the Committee’s guidelines.
Section 5 of the "Notification of the Personal Data Protection Committee on Criteria for the Protection of Personal Data Sent or Transferred to a Foreign Country Pursuant to Section 28 of the Personal Data Protection Act" sets forth criteria for determining the adequacy of personal data protection standards in recipient countries.
Additionally, Clauses 7 and 8 of the "Notification of the Personal Data Protection Committee on Criteria for the Protection of Personal Data Sent or Transferred to a Foreign Country Pursuant to Section 29 of the Personal Data Protection Act" outline additional requirements related to binding corporate rules, standard contractual clauses, and certifications, among others.
Coverage Horizontal

THAILAND

N/A

Pillar Cross-border data policies  |  Indicator Participation in trade agreements committing to open cross-border data flows
Lack of participation in agreements with binding commitments on data flows
Thailand has not joined any agreement with binding commitments to open transfers of data across borders. Art. 12.15 of the Regional Comprehensive Economic Partnership (RCEP) recognises that each party may maintain its own regulatory requirements governing cross‑border transfers of information by electronic means and stipulates that such transfers shall not be restricted when undertaken for the conduct of business by a covered person; however, the article simultaneously allows parties to adopt or maintain any measures they themselves deem necessary to achieve a legitimate public policy objective, as well as any measures necessary to protect essential security interests, with the parties expressly affirming that the determination of such necessity lies solely with the implementing party and that such measures shall not be subject to dispute. It is reported that this formulation enables the parties to preserve their domestic data‑control regime under the rubric of national security without risking inter‑state disputes, and that the relative weakness of Chapter 12 renders its provisions largely ineffectual in facilitating the liberalisation of cross‑border data flows, particularly because the clause entrusting necessity assessments to the implementing party effectively permits any measure to be characterised as legitimate at that party’s discretion.
Coverage Horizontal

THAILAND

Since May 2019, entry into force in June 2022

Pillar Domestic data policies  |  Indicator Framework for data protection
Personal Data Protection Act, B.E. 2562 (2019) (พระราชบัญญัติคุ้มครองข้อมูลส่วนบุคคล พ.ศ. ๒๕๖๒)
The Personal Data Protection Act provides a comprehensive regime of data protection in Thailand.
Coverage Horizontal

THAILAND

Since August 2006

Pillar Domestic data policies  |  Indicator Minimum period for data retention
Notification of the National Telecommunications Commission regarding Telecommunications Service Users' Rights Concerning Personal Information Rights to Privacy and Freedom of Communication, 2006 (ประกาศ กทช. เรื่อง มาตรการคุ้มครองสิทธิของผู้ใช้บริการโทรคมนาคมเกี่ยวกับข้อมูลส่วนบุคคล สิทธิในความเป็นส่วนตัว และเสรีภาพในการสื่อสารถึงกันโดยทางโทรคมนาคม)
The Notification on Telecommunications Service Users' Rights 2006, issued by the National Telecommunications Commission (NTC), states that licensed telecommunications service providers must retain their users' data for the last three months after the service is terminated (Clause 8). The personal data of telecommunication users includes factual information that can identify the individual user, usage details, subscriber number and behavioural activity in the use of telecommunication services. In case of necessity, the service provider may be required to extend the period of data retention, but the period will not exceed two years.
Coverage Telecommunications sector

THAILAND

Since June 2007, last amended in January 2017
Since August 2007

Pillar Domestic data policies  |  Indicator Minimum period for data retention
Commission of Computer-Related Offences Act, 2007 (พรบ. ว่าด้วยการกระทำความผิดทางคอมพิวเตอร์ พ.ศ. 2550)

Notification of the Ministry of Information and Communications Technology regarding Computer Traffic Data Retention Criteria of Service Providers, 2007 (ประกาศกระทรวงเทคโนโลยีสารสนเทศและการสื่อสาร เรื่อง หลักเกณฑ์การเก็บรักษาข้อมูลจราจรทางคอมพิวเตอร์ของผู้ให้บริการ พ.ศ. 2550)
Section 26 of the Commission of Computer-Related Offences Act 2007 (the so-called Computer Crimes Act 2007, amended 2017) defines 'computer traffic data' as data in relation to the communication of a computer system, or the origin, time, duration, type of service, or other data related to the computer system. The Act requires a service provider to retain computer traffic data for not less than 90 days from the date when the data was entered into the computer system. If necessary, the competent official may order any service provider to retain computer traffic data for a period exceeding 90 days but not exceeding 2 years as a matter of an individually exceptional case and on an ad hoc basis. Also, the service provider shall maintain client data, which is necessary for identifying the client, from their first use of the service and shall keep such data for not less than 90 days from the ending date of service. Those who fail to comply with this measure shall be liable to a fine not exceeding 500,000 Thai Baht (approx. USD 14,000).
The Notification on Computer Traffic Data Retention Criteria for Service Providers in 2007 provides detailed information regarding this matter. For example, the computer traffic data must be maintained under secured measures using a centralised log server, data archiving, or data hashing (Clause 8). Moreover, the service providers - telecommunication and broadcast carriers, access service providers, host service providers, and content service providers - need to retain the information as the law requires (Clause 5).
Coverage Telecommunication and broadcast carriers, access service providers, host service providers, and content service providers

THAILAND

Since May 2019, entry into force in June 2022

Pillar Domestic data policies  |  Indicator Requirement to perform a Data Protection Impact Assessment (DPIA) or have a data protection officer (DPO)
Personal Data Protection Act, B.E. 2562 (2019) (พระราชบัญญัติคุ้มครองข้อมูลส่วนบุคคล พ.ศ. ๒๕๖๒)
The appointment of a Data Protection Officer (DPO) is a mandatory condition under the Personal Data Protection Act (PDPA). Section 41 of the Act specifies that the data controller and data processor shall designate a DPO in the following circumstances: the activities such as collection, use, or disclosure of personal data.
The DPO's duties include advising the data controller and data processor, investigating the performance of the data controller and data processor, coordinating and cooperating with the Office of the Personal Data Protection Committee (PDPC) when there are problems, and keeping the personal data confidential (Section 42).
Coverage Horizontal

THAILAND

Since May 2019

Pillar Domestic data policies  |  Indicator Requirement to allow the government to access personal data collected
Cyber Security Act B.E. 2562 (พระราชบัญญัติการรักษาความมั่นคงปลอดภัยไซเบอร์ พ.ศ. ๒๕๖๒)
Section 64 of the Cyber Security Maintenance Act (CSA) 2019 states that, if it is necessary for the prevention, handling, and reduction of cyber threat risks, the Cyber Security Supervisory Committee (CSSC) shall order State agencies to provide information in their possession and related to cybersecurity maintenance.
Also, in Section 66, the CSSC has the power to carry out or order competent officials to carry out operations, only to the extent necessary for preventing cyber threats, in the following matters:
(1) to enter a place for inspection upon written notification;
(2) to gain access to, copy or filter computer data, computer systems or other related data;
(3) to test the functionality of computers or computer systems;
(4) to seize or attach, only to the extent necessary, computers, computer systems, or equipment, for not exceeding 30 days.
To carry out activities under (2), (3) and (4), the CSSC must file a motion to the competent court. However, in case of emergency where the threat is critical to cybersecurity, the Secretary-General shall take immediate action to the extent necessary for preventing and remedying damage in advance without filing a motion with the Court (Section 68).
Coverage Horizontal
