The Personal Data Protection Act provides a comprehensive regime of data protection in Thailand.

The Notification on Telecommunications Service Users' Rights 2006, issued by the National Telecommunications Commission (NTC), states that licensed telecommunications service providers must retain their users' data for the last three months after the service is terminated (Clause 8). The personal data of telecommunication users includes factual information that can identify the individual user, usage details, subscriber number and behavioural activity in the use of telecommunication services. In case of necessity, the service provider may be required to extend the period of data retention but will not exceed two years.

Section 26 of the Commission of Computer-Related Offences Act 2007 (so-called Computer Crimes Act 2007) (amended 2017) defines 'computer traffic data' as data in relation to the communication of computer system or the origin, time, duration, type of service, or else related to the computer system. The Act requires a service provider to retain computer traffic data for not less than 90 days from the date when the data was entered into the computer system. If necessary, the competent official may order any service provider to retain computer traffic data for a period exceeding 90 days but not exceeding 2 years as a matter of an individually exceptional case and on an ad hoc basis. Also, the service provider shall maintain client data, which is necessary for identifying the client since their first use of service and shall keep such data for not less than 90 days from the ending date of service. Those who fail to comply with this measure shall be liable to a fine not exceeding 500,000 Thai Baht (approx. USD 14,000).
The Notification on Computer Traffic Data Retention Criteria for Service Providers in 2007 provides detailed information regarding this matter. For example, the computer traffic data must be maintained under secured measures using a centralised log server, data archiving, or data hashing (Clause 8). Moreover, the service providers - telecommunication and broadcast carriers, access service providers, host service providers, and content service providers - need to retain the information as the law requires (Clause 5).

The appointment of a Data Protection Officer (DPO) is a mandatory condition under the Personal Data Protection Act (PDPA). Section 41 of the Act specifies that the data controller and data processor shall designate a DPO in the following circumstances: the activities such as collection, use, or disclosure of personal data.
The DPO's duties include advising the data controller and data processor, investigating the performance of the data controller and data processor, coordinating and cooperating with the Office of the Personal Data Protection Committee (PDPC) when there are problems and keeping confidentiality of the personal data (Section 42).

Section 64 of the Cyber Security Maintenance Act (CSA) 2019 states that, if it is necessary for the prevention, handling, and reduction of cyber threat risks, the Cyber Security Supervisory Committee (CSSC) shall order State agencies to provide information in their possession and related to cybersecurity maintenance.
Also, in Section 66, the CSSC has the power to carry out or order competent officials to carry out operations, only to the extent necessary for preventing cyber threats, in the following matters:
- to enter a place for inspection upon written notification;
- to gain access, copying or filtering computer data, computer systems or other related data;
- to test the functionality of computers or computer systems;
- to seize or attach, only to the extent necessary, computers, computer systems, or equipment, not exceeding 30 days.
To carry out activities under (2), (3), (4), the CSSC must file a motion to the competent court. However, in case of emergency and the threat is critical to cybersecurity, the Secretary-General shall take immediate action to the extent necessary for preventing and remedying damage in advance without filing a motion with the Court (Section 68).

Section 18 of the Computer-Related Crime Act allows the government to access user-related or traffic data without a court order and compel ISPs to decode programmed data.

Thailand is not a party to the World Trade Organization (WTO) Agreement on Government Procurement (GPA). However, the country has been an observer of the WTO GPA since 2015.

According to Section 4 of the Budget Procedure Act, foreign companies are prohibited from acquiring shares exceeding 50% in publicly controlled firms or state-owned enterprises (SOEs).

The Foreign Business Act (FBA) of 1999 governs foreign investment in Thailand. The act defines "foreigner" as any company with at least 50% foreign-owned capital or shares, or any limited partnership or registered ordinary partnership where foreigners hold managerial control. Under the Telecommunications Business Act of 2001, foreign applicants are prohibited from obtaining Type 2 and Type 3 telecommunications licenses, limiting foreign ownership in these sectors to 49%.
Additionally, the 2011 Foreign Dominance Notification, enforced by the National Broadcasting and Telecommunications Commission (NBTC), establishes criteria for foreign dominance in the telecommunications sector. The regulation restricts foreign dominance, prohibiting actions like holding 50% or more of voting shares, controlling majority votes at shareholder meetings, or appointing or removing half or more of a company's directors. Prohibited behaviours also encompass dominance through shareholders, voting rights, controlling power, financial relationships, intellectual property agreements, procurement arrangements, joint business operations, and transfer pricing.

List 3 of the Foreign Business Act includes industries in which "Thai nationals are not yet ready to compete with foreigners". These are open to foreign investors provided they receive a licence from the Director-General of the Department of Business Development of the Ministry of Commerce and approval from the Foreign Business Committee. A wide range of businesses are covered under List 3, including advertising businesses. A foreign company can engage in List 3 activities if Thai nationals hold a majority of the limited company’s shares. Any company with a majority of foreign shareholders (more than 50%) cannot engage in List 3 activities unless it receives an exception from the Ministry of Commerce under its Foreign Business License application.

According to Section 16.2 of the Foreign Business Act (FBA) 1999, a foreigner intending to apply for a business license in Thailand must have a residence in the Kingdom or be permitted to temporarily enter the Kingdom. The Minister is empowered to issue Ministerial Regulations prescribing conditions to be observed by foreign license grantees, such as the number of foreign directors who must have a domicile or residence in the Kingdom or the period for maintaining the minimum capital in the country (Section 18).

According to Art. 5 of the Thai Foreign Business Act (FBA), when granting permission to foreigners to operate businesses under the Act, consideration must be given to both the beneficial and adverse impacts on national safety and security, the country’s economic and social development, public order, good morals, national values related to arts, culture, traditions, and customs, as well as the conservation of natural resources, energy, and the environment. Other factors include consumer protection, the size of enterprises, employment, technology transfer, and research and development.
Section 8 of the FBA outlines three categories of controlled business activities:
- List 1: Business activities that are prohibited to foreigners for specific reasons;
- List 2: Business activities concerning national safety, security, or those that affect arts, culture, traditions, customs, folklore handicrafts, natural resources, and the environment;
- List 3: Business activities in which Thai nationals are not yet prepared to compete with foreigners, such as the telecommunications sector (the Annex of the FBA provides detailed information on the businesses included in Lists 1, 2, and 3).

Foreign acquisition of a domestic, locally incorporated entity is allowed. Mergers in the telecommunication industry are regulated by the National Telecommunications Commission (NTC or the NBTC). Regarding the notification, the following circumstances are considered a merger:
(1) a licensee or its controlling shareholder mergers with other licensees (when one licensee will cease to exist);
(2) a licensee or its controlling shareholder acquires wholly or partly the assets of other licensees;
(3) a licensee or its controlling shareholder acquires more than 30% of the total voting rights of another licensee or significant control over another licensee (Clause 2(5)).
Therefore, the acquirer must file a merger review petition to the NBTC at least 60 days before the execution. The NBTC may only grant permission to the acquirer to execute a merger that does not cause market dominance. In addition, the NBTC authorises the examination of the effect of a permitted merger on competition.
Regarding the notification of the significant market power, the significant market power (SMP) is defined as operator capability that may pose a barrier to competition in the relevant market. The NBTC shall assess the non-competitive markets and the markets that have barriers to competition. Moreover, the NBTC shall identify the significant market power operators as per the requirements laid down in this notification.

Pursuant to Art. 14 of the Foreign Business Act, any initial foreign investment is subject to a minimum capital requirement of THB 2 million (approx. USD 56.000). In the case of restricted businesses (including advertising), the requirement is equivalent to 25% of the total three-year average expected annual expenditure but not less than THB 3 million (approx. USD 84.000).

Section 14 of the Patent Act 1979 (amended in 1999) stipulates that an applicant for a patent must possess one of the following qualifications: (i) be a Thai national or a juristic person with its headquarters located in Thailand; (ii) be a national of a country that is a party to a convention or international agreement on patent protection to which Thailand is also a party; (iii) be a national of a country that permits Thai nationals or juristic persons with headquarters in Thailand to apply for patents in that country; or (iv) be domiciled in, or have an industrial or commercial establishment in, Thailand or a country that is a party to a convention or international agreement on patent protection to which Thailand is also a party.
To file patents, the Ministerial Regulation No. 21 states that if the patent applicant does not reside in the Kingdom of Thailand, the applicant shall authorise an agent or patent attorney registered with the Director-General of the Department of Intellectual Property to act on his behalf (Clause 13). Moreover, the Power of Attorney (POA) shall be attached with the revenue stamp of 30 Thai Baht (around 1 USD) for each patent agent/patent attorney/application. The POA document, if not in a foreign language, must be translated into Thai (Clause 15).