The EU AI Act takes full effect in August 2026. It is the world's first binding cross-sector AI law. Its reach is extraterritorial: if your AI output touches a person inside the EU, the Act applies — no matter where you built or hosted the model. For Thai enterprises with EU customers, EU subsidiaries, or EU-based supply-chain partners, this is a present legal exposure, not a future risk.
At home, Thailand's Personal Data Protection Act (PDPA) is enforced by the Personal Data Protection Committee (PDPC). It increasingly bites any AI system that handles personal data at inference time. Automated decision pipelines, credit scoring models, and customer segmentation engines all touch data subject rights. The two regimes overlap. Satisfy the EU AI Act's transparency rules but skip PDPA's Data Subject Access Request duties, and you are still exposed under Thai law.
What does the EU AI Act classify as high-risk?
The Act sorts AI into four risk tiers. Unacceptable-risk uses — like real-time biometric surveillance in public spaces, or government-run social scoring — are banned outright. High-risk systems (listed in Annex III) cover critical infrastructure, hiring, credit and insurance underwriting, law enforcement, and biometric ID. These demand a Technical File, a Conformity Assessment (a formal pre-market check that the system meets the Act), registration in the EU database, and a live Audit Trail. Limited-risk systems only need to disclose they are AI. Minimal-risk systems — most commercial AI today — sit largely outside the Act.
Risk tiers at a glance:
- Unacceptable Risk — banned by default (social scoring, real-time biometric surveillance in public spaces).
- High Risk (Annex III) — full compliance pack: Technical File, Conformity Assessment, EU database registration, Audit Trail, and Human-in-the-Loop controls.
- Limited Risk — must disclose AI use to end users (a chatbot must say it is AI).
- Minimal Risk — no mandatory rules; voluntary codes of conduct are encouraged.
How does the EU AI Act affect Thai enterprises that don't sell into the EU?
The Act follows the output, not your office address. If your model's prediction, recommendation, or decision affects a person in the EU — even when the model runs on a Bangkok server — you may be in scope as a provider or deployer. Thai firms in finance, logistics, SaaS, and digital health with European users or EU-domiciled enterprise clients should assume the Act applies until a formal legal review says otherwise. EU-headquartered multinationals also push Act-aligned terms onto Asian vendors through procurement contracts and data-processing agreements. That makes compliance a commercial requirement even if direct regulatory exposure is unclear.
What are the PDPA penalties for non-compliant AI processing?
PDPA administrative fines run up to THB 5 million per violation. Intentional or negligent disclosure of sensitive personal data adds criminal liability — up to one year in prison and THB 1 million in fines. The biggest AI exposure shows up when an automated process makes a "significant decision" about a person — denying a loan or rejecting an insurance claim — without a meaningful right to human review (the local equivalent of GDPR Article 22). The PDPC has also said that automated profiling on sensitive data (health, financial behaviour, location history) needs explicit consent and a documented Lawful Basis. Both must be re-checked when you retrain on new data.
Bolting governance on after launch costs an order of magnitude more than designing it in from day one.
Where the EU AI Act and PDPA overlap
| Dimension | EU AI Act | Thailand PDPA |
|---|---|---|
| Scope | AI systems by risk class (unacceptable / high / limited / minimal) | Personal data processing of identifiable individuals |
| Trigger | Risk classification of the AI system + market placement in EU | Any controller or processor of personal data, regardless of sector |
| Lead obligation | Conformity assessment + technical documentation + post-market monitoring (high-risk) | Lawful basis (consent, contract, legitimate interest, etc.) + records of processing |
| Max administrative penalty | Up to €35M or 7% of worldwide annual turnover | Up to THB 5M plus criminal liability for sensitive-data violations |
| DPO requirement | High-risk AI providers and deployers | Required when processing meets the PDPA Section 41 thresholds |
| Effective | Phased: prohibitions Feb 2025 → GPAI Aug 2025 → high-risk Aug 2026 → embedded high-risk Aug 2027 | In force since 1 June 2022 |
The two regimes share enough ground that one governance layer can serve both. Both want documented Audit Trails for any decision that affects a person. Both demand clarity on Data Residency: the Act requires logs to stay in the EU for high-risk systems, and PDPA limits cross-border transfers to jurisdictions with adequate protection. Both impose a 72-hour Incident Response window — the Act for serious high-risk incidents reported to the market surveillance authority, PDPA for personal data breaches reported to the PDPC and affected data subjects. Build a single governance layer that meets both, and you cut integration effort and shrink your audit surface.
Pre-August 2026 compliance checklist for Thai enterprises
Aim to finish the items below before the enforcement date. Each one maps to a specific obligation under the Act, PDPA, or both.
- Inventory every AI system. Catalogue all production models, including third-party models embedded in SaaS tools, and document the intended use, data inputs, and decision outputs.
- Apply Risk Classification to each system using the Annex III criteria. Record the rationale, especially when you decide a system is not high-risk.
- For high-risk systems: prepare the Technical File, set up the Conformity Assessment process, and stand up Human-in-the-Loop review before any EU-facing launch.
- Instrument model Observability. Capture input distributions, output confidence scores, drift signals, and bias metrics in an Immutable Record that satisfies both Act logging and PDPA Audit Trail expectations.
- Review the PDPA Lawful Basis for all personal data used in training and inference. Update consent records, and document Sub-Processor agreements with model vendors and cloud providers.
- Set up a 72-hour Incident Response that covers both AI Act serious-incident notice and PDPA breach notice. Name owners and write down the escalation path.
Next steps
Start with a scoped AI inventory and Risk Classification before you build any technical controls. The European Commission's regulatory framework guidance is the official interpretive source. If you need implementation help, HarmonyX's AI Governance practice covers system inventory, Risk Classification, Observability instrumentation, and Audit Trail architecture in a single engagement designed to satisfy both the Act and PDPA.
