
Artificial Intelligence Is No Longer Just an IT Issue
Artificial intelligence ("AI") is rapidly transforming the way businesses operate. From drafting documents and analyzing data to screening job applicants and enhancing customer service, AI tools are increasingly being integrated into day-to-day business operations. While these technologies offer significant opportunities to improve efficiency and innovation, they also introduce legal, compliance and governance considerations that businesses should not overlook.
Although Thailand has not yet enacted a dedicated law governing artificial intelligence, the regulatory landscape continues to evolve. In particular, the Ministry of Digital Economy and Society, through the Electronic Transactions Development Agency (ETDA), has recently published the first draft principles for Thailand's AI legislation for public consultation. The proposed framework adopts a risk-based approach, with particular focus on high-risk AI systems, while seeking to promote the responsible and ethical use of AI without hindering technological innovation.
While the proposed principles are not yet legally binding, organizations using AI are already subject to a number of existing legal obligations.
Existing Legal Frameworks Businesses Should Consider
When adopting or deploying AI, businesses should consider whether their use of AI may trigger obligations under existing Thai laws, including:
- Personal Data Protection
The use of publicly available generative AI platforms in the workplace may also give rise to obligations under the Personal Data Protection Act B.E. 2562 (2019) ("PDPA"). In practice, employees may upload information to AI platforms to summarize documents, draft emails, analyze data or prepare reports. Such information may include employees' names, salary details, identification numbers, performance evaluations, customer contact information or other personal data.
Where personal data is entered into a publicly available AI platform (e.g., ChatGPT, Gemini etc.), businesses should carefully assess whether such use complies with the PDPA, including whether there is an appropriate legal basis for the processing, whether the disclosure is consistent with the original purpose of collection, whether adequate security measures are in place, and whether any cross-border data transfer requirements may be triggered. Businesses should also consider implementing internal AI policies and employee guidance to prohibit or restrict the input of confidential or personal data into publicly available AI tools without appropriate approval or safeguards.
As employees generally use AI tools in the course of their employment and on behalf of the organization, businesses remain responsible for ensuring that such processing complies with the PDPA. Accordingly, the use of publicly available AI platforms by employees may not, in itself, relieve an organization from its obligations as a data controller or shield it from potential liability where such use results in a personal data breach or other non-compliance with the PDPA. - Confidential Information, Trade Secrets and Intellectual Property
Businesses should also be mindful of the risks associated with employees uploading confidential business information into publicly available AI platforms. For example, employees may input contracts, board papers, internal investigation reports, customer lists, pricing information, source codes or business strategies into AI tools to summarize documents or generate content. Depending on the AI platform's terms of use and data handling practices, such activities may increase the risk of disclosing confidential information or trade secrets protected under the Trade Secrets Act B.E. 2545 (2002), potentially affecting the organization’s legal rights and commercial interests. In addition, businesses should consider intellectual property implications when using AI-generated content. While AI can assist in preparing documents, marketing materials or software code, organizations should verify the accuracy and originality of AI-generated outputs and ensure that they do not infringe copyright or other intellectual property rights under applicable Thai law, including the Copyright Act B.E. 2537 (1994).
Key Takeaways for Businesses
While Thailand's AI-specific legislation continues to evolve, businesses should not assume that AI operates in a legal vacuum. Existing legal obligations already apply to many AI use cases, making now an appropriate time for organizations to establish internal AI governance frameworks and responsible AI practices. Practical actions may include identifying AI systems currently in use, assessing whether personal data is being processed, establishing an internal AI policy, implementing appropriate human oversight over AI-assisted decisions and providing employees with clear guidance on the responsible use of AI tools.
Establishing an effective AI governance framework today can help organizations support responsible innovation, strengthen stakeholder confidence and better prepare for future regulatory developments.
Disclaimer: The information contained in this publication is for general informational purposes only and should not be relied upon as legal advice. Readers are encouraged to seek professional advice before taking any action based on the information contained herein.