A Fourth Draft, and a Harder Edge
Thailand's Electronic Transactions Development Agency (ETDA) used AI Governance Week 2026 — held in Bangkok from June 29 to July 3, with participation from the OECD, Google, Meta, Microsoft and AWS — to put a new version of its draft AI Act, internally labelled Draft AI Regulation v.4, into public hearing on July 2. It is the most consequential iteration yet of a process ETDA began in mid-2025 with a risk-based "Draft Principles" consultation aimed at high-risk uses that touch rights, safety and freedoms. The new draft keeps that risk-tiered architecture — prohibited, high-risk and "designated" AI systems requiring notification or licensing — but adds three features that go well beyond anything in the EU AI Act it otherwise borrows from: strict liability for AI-related harm, mandatory local representatives for foreign providers, and administrative fines of THB 1–5 million per violation, according to legal analyses of the draft from Mondaq and LexBangkok.
The Case for Going This Far
Thailand's regulators are not acting on a blank slate. The country has watched deepfake fraud, AI-driven scam call centres and unaccountable algorithmic decision-making proliferate faster than its existing Personal Data Protection Act (PDPA) and Computer Crime Act could address, and — unlike the EU or US — it has no domestic AI giant whose lobbying could soften the rules. A regime that gives victims a strict-liability claim, rather than forcing them to prove a foreign AI vendor's negligence from Bangkok, is a defensible response to that asymmetry: individual harmed users rarely have the resources to litigate causation against a multinational's engineering practices. Likewise, a mandatory local representative is not novel — the EU AI Act and GDPR both use the same device — and it solves a genuine enforcement gap: without a Thailand-based entity to serve notice on, ETDA's high-risk-system audits and fine orders are unenforceable against providers with no local presence. Digital Economy Minister Chaichanok Chidchob has said Thailand intends to finish the Act within the current fiscal year, framing AI governance as too significant a shift to leave to soft law, per Thai Examiner.
Where the Draft Overshoots
The problem is the specific combination, not any single element. Strict liability for AI harm — with defences limited to force majeure, victim negligence, and compliance with an official order — means a provider can face full damages even where it exercised reasonable care and the harm arose from a deployer's misuse. Layer the local-representative rule on top: for certain high-risk systems, that Thailand-based representative must accept unlimited liability on the foreign provider's behalf, per the same legal analyses. That is a materially higher bar than the EU's authorised-representative model, which does not itself assume the manufacturer's liability. For a mid-sized AI vendor deciding whether Thai users are worth the exposure, the rational response is not compliance — it is geo-blocking, which leaves Thai consumers with less access to safety-tested tools, not more protection from unsafe ones. Minister Chaichanok's own acknowledgment that the law "must avoid deterring international investment" suggests officials are aware of this risk, even as the draft's substance runs the other way.
What Would Fix It Without Gutting the Draft
The fine ceiling itself — THB 1–5 million (roughly $28,000–$140,000) — is not the issue; it is proportionate next to the EU's revenue-percentage penalties and unlikely to bankrupt anyone. The fix should target the liability allocation and the 180-day runway. Draft AI Regulation v.4 lets core product-launch obligations bite immediately on Gazette publication while risk-control and supervision provisions phase in 180 days later — a sensible sequencing that ETDA should extend, not shorten, given how much of the compliance burden (representative appointment, risk documentation, conformity assessment) falls on entities that may not yet have Thai counsel engaged. ETDA should also cap representative liability at the provider's own exposure rather than making it unlimited, and should let providers rebut strict liability with evidence of state-of-the-art compliance, mirroring the EU's emerging product-liability carve-outs rather than inventing a stricter Thai standard from scratch.
The PDPA Precedent Cuts Both Ways
Thailand's 2019 PDPA offers a instructive parallel: it also arrived with aggressive extraterritorial reach and tough on-paper penalties, then took nearly two years of delayed enforcement and amendment before businesses adapted and the regulator built enforcement capacity to match its ambitions. If ETDA repeats that pattern — publishing a maximalist Act, then de facto easing enforcement while it builds capacity — Thailand risks the worst of both worlds: a law that spooks vendor decisions on paper without ever delivering commensurate protection to Thai users in practice. The 30-day public hearing that opened July 2 is the window to fix the liability allocation before that pattern repeats. ETDA has demonstrated it will iterate — this is the fourth substantive draft in just over a year — so a fifth revision narrowing strict liability and representative exposure is well within reach before the Act reaches Cabinet.