Cyber Crime Law in Thailand
For over a decade, Thailand's legal approach to cybercrime has been dominated by the Computer Crime Act B.E. 2550 (2007). While intended to combat hacking, fraud, and digital intrusions, the Act was also famously—or infamously—used to prosecute online defamation, leading to widespread criticism that it was stifling free expression. However, 2026 has ushered in a dramatic transformation of Thailand's digital legal landscape. From sweeping amendments that decriminalize certain online speech to new draconian penalties for "mule SIMs" and fresh compliance obligations for social media giants, this article provides a deep dive into the critical updates every citizen, expat, and business needs to know.
1. The End of Cyber-Defamation: The 2026 Amendment
Perhaps the most significant change in 2026 is the revision of the controversial Article 14(1) of the Computer Crime Act. Historically, this clause criminalized the importation of false computer data that is "likely to cause damage to an individual or the public." This vague wording was frequently weaponized against journalists, activists, and critics, effectively serving as a harsher version of defamation law .
Key Changes: As of the amendment coming into effect (reported on January 24, 2026), the phrase "an individual" has been excised from Article 14(1) . Furthermore, the updated law now explicitly states that it cannot be used to prosecute offenses already covered by the Penal Code (i.e., standard defamation). According to the lead author of the revised Act, this restores the law to its original purpose: combating phishing and online scams, not silencing personal criticism .
Impact on Pending Cases: The legal ramifications are immediate and massive. Approximately 50,000 pending defamation cases filed under the old law are facing dismissal. Public prosecutors have been instructed to drop cases not yet submitted to the court. For cases currently in trial, defendants are expected to be found not guilty or have the charges withdrawn .
Practical Takeaway: If you are an expat or local involved in a criminal defamation suit filed under the Computer Crime Act prior to 2026, your case is now likely subject to dismissal. However, "lèse-majesté" (royal defamation) remains prosecutable under separate security laws, and the government retains the power to remove content threatening national security .
2. The Crackdown on "Mule SIMs" and Tech Crime
While defamation provisions were relaxed, 2026 saw a severe tightening of laws targeting the infrastructure of cyber-fraud, specifically "mule SIMs" and mule bank accounts. The government has amended the Royal Decree on Measures for the Prevention and Suppression of Technology Crime to hold individuals accountable for facilitating scams like call center fraud .
Harsh New Penalties for Mule SIMs: The updated decree imposes strict liability on individuals who register SIM cards or bank accounts for others to use fraudulently.
For the Account/SIM Holder: If you accept payment (even a small fee) to register a SIM card that is later used in a crime, you face up to three years imprisonment and/or a fine of up to 300,000 Baht .
For Brokers: Anyone who advertises or arranges the buying/selling of mule SIMs or accounts faces 2 to 5 years in prison and fines ranging from 200,000 to 500,000 Baht .
The government has explicitly warned the public, particularly young people, not to allow strangers to use their ID cards or facial scans to register SIM cards, as the "owner" of the SIM is legally responsible for its use . These measures are part of a broader "blacklist" strategy, supported by the NBTC, to disrupt the communication channels used by scammers .
3. The End of "Safe Harbor" for Social Media?
In a move to combat fraud, deepfakes, and fake news, Thailand is rolling out new "Duty of Care" obligations for social media platforms. The Electronic Transactions Development Agency (ETDA) is finalizing a notification that imposes Know-Your-Customer (KYC) requirements on social media providers—moving away from the traditional "safe harbor" protections that shielded platforms from user content .
Proposed Obligations: The draft law, expected to be finalized by Q2 2026, would require platforms to identify all users, but specifically demands that advertisers undergo rigorous identity verification. This includes:
Tier 1 Verification: Identifying advertisers before publishing ads.
Tier 2 Verification: For "risky" advertisers (e.g., those involved in investment ads or subject to complaints), platforms must verify identities using government IDs or digital ID service providers .
What this means for platforms: Failure to comply could strip them of their safe harbor protection, making them jointly liable for scams run on their services. While the initial draft had proposed mandatory content filtering, the current version prioritizes user verification, giving platforms a 180-day grace period to implement systems once the law is gazetted .
4. Data Privacy, AI, and the PDPA
Parallel to the tech crime laws, the enforcement of the Personal Data Protection Act (PDPA) has reached full maturity in 2026. The Office of the PDPC recently reported receiving 2,672 complaints, primarily regarding data minimization failures and collection without lawful basis .
Notable Enforcement Actions:
Healthcare Sector: Hospitals have been fined for "mission creep"—using patient data collected for medical treatment to send birthday cards or marketing materials .
Data Breaches: Several entities have been penalized for weak security protocols (e.g., no firewalls, weak passwords) leading to unauthorized access .
Artificial Intelligence (AI): Thai regulators are emphasizing that while AI is not yet regulated by a specific "AI Act" (currently in draft), the organizations using it are fully accountable for how personal data is processed within AI systems .
Compliance Warning: The PDPC has launched automated surveillance tools like the "PDPC Eagle Eye Crawler" to monitor data breaches in real-time . Organizations are now expected to operationalize privacy policies, moving beyond mere documentation to demonstrable, practical implementation .
5. Beware the April Fools' Trap: False Information
Despite the amendments, Thailand still takes a hard line on "fake news." A timely warning from the government (issued on April 1, 2026) reminded the public that spreading false information, even as a joke (e.g., fake bomb threats, false emergency alerts), remains illegal .
Computer Crime Act: Spreading false info affecting national security or causing public panic carries up to 5 years in prison .
Criminal Code: Defamatory jokes can lead to 2 years in prison .
Conclusion
The 2026 legal landscape in Thailand presents a distinct paradox. On one hand, the decriminalization of online defamation marks a significant victory for free speech and civil liberties. On the other hand, the introduction of user verification for social media advertisers and the severe sanctions against "mule accounts" represent an aggressive expansion of state power to regulate the digital economy and dismantle scam networks. For residents and businesses, the key takeaway is vigilance: the law is now more protective of your reputation (from rogue cyber-defamation suits) but far stricter regarding your financial identity and advertising practices.
Siam Legal employs a full team of Cyber Crime Lawyers in Thailand, based in our Bangkok office, to provide legal support to clients who have
As of 2026, Thailand’s legal framework for the digital world has shifted from a reactive stance to a "high-intervention" model. The kingdom















