On May 30, 2022, Thailand’s Securities and Exchange Commission (SEC) announced that it would start regulating ready-to-use utility tokens, a type of digital token that had previously been exempted from the SEC’s approval and regulatory control. A public forum was open for comments from various stakeholders until June 29, 2022, and the draft regulation is expected to be issued soon. So far, the SEC has only supervised the issuance of not-ready-to-use utility tokens—digital tokens with the underlying right to acquire specific goods or services, which cannot be utilized upon issuance but at a later date. Due to the growing digital asset industry and lack of regulatory control, ready-to-use utility tokens have become more popular and many are listed for trading in digital asset exchanges. The SEC claimed that it is now necessary to regulate ready-to-use utility tokens as some issuers appeared to be exploiting the regulatory loophole to manipulate the price and supply of these tokens in both the primary and secondary markets, while providing insufficient data disclosure to investors. The SEC’s proposed principles include the following key points: Pre-Approval Requirements The same pre-approval requirement applicable to not-ready-to-use utility tokens will apply to ready-to-use utility tokens which an issuer intends to list on a digital asset exchange. This means that the issuer must proceed with the standard formalities, i.e., obtaining prior approval from the SEC, filing a draft prospectus, and offering the approved tokens via a SEC-approved ICO portal operator only. The SEC offers a fast-track (15 days) approval for qualifying ready-to-use utility tokens, which are those with plain-vanilla characteristics; with an offering price corresponding to the value of the underlying goods/services; for which the supply of goods and services does not vary with the price of the tokens (i.e., fixed coins); and which are not intended to be

Thailand’s Personal Data Protection Act B.E. 2562 (2019) (PDPA) became fully effective and enforceable on June 1, 2022. To ensure that the PDPA will be smoothly and efficiently enforced, the Personal Data Protection Commission (PDPC) is issuing various subordinate regulations. On June 20, 2022, the first set of these regulations was issued and published in the Government Gazette, and according to the Ministry of Digital Economy and Society (MDES), another set of subordinate regulations is expected to be issued by the end of June 2022. The first set consists of the following four subordinate regulations:   1) Notification of the PDPC Re: Exemption to the Record of Processing Activities Requirement for Data Controllers that Are Small Businesses B.E. 2565 (2022) (“ROPA Exemption Notification”) Under the PDPA, data controllers are obligated to prepare and maintain a record of processing activities (ROPA) containing information specified in Section 39 of the PDPA, including the personal data collected, the purposes of the processing of the personal data, the retention period, etc. However, under this ROPA Exemption Notification, a data controller will be exempted from the obligation to prepare and maintain a record of such required information (except information related to the rejection of a request from a data subject to exercise (i) right of access; (ii) right to data portability; (iii) right to object; and (iv) right to rectification), if its business falls within the scope of any of the following: Small or medium-sized business according to the law on small and medium-sized enterprise promotion, defined as follows: Community enterprise or social enterprise, as referred to under the law on community enterprise promotion. Social enterprise, as referred to under the under the law on social enterprise promotion. Cooperative, cooperative union, or agriculturist’s group under the law on cooperatives. Foundation, association, religious body, or

Thailand’s Personal Data Protection Act B.E. 2562 (2019) (PDPA) entered into force in full on June 1, 2022. The PDPA, which contains similarities to the EU’s General Data Protection Regulation (GDPR) introduces obligations and restrictions relating to the collection, use, and disclosure of personal data in Thailand. While the new law applies to franchisors and franchisees in the same way that it applies to other businesses, there are a number of issues that are of specific importance in franchise businesses. As franchisors and franchisees have the power and duty to make decisions concerning the collection, use, and disclosure of customers’ and employees’ personal data in the course of their operations, they are considered “data controllers” under the PDPA. The Trade Competition Commission of Thailand, via its Notification on the Guidelines for the Consideration of Unfair Trade Practices in Franchise Businesses issued under the Trade Competition Act B.E. 2560 (2017), defines a franchise relationship as one which, among others, involves an element of control by the franchisor over the business operations of the franchisee. It follows then that in some situations, franchisees’ collection, use, and disclosure of personal data will be according to the instructions of their franchisors. In such circumstances, a franchisee will be considered a “data processor” under the PDPA. Whether acting as data controllers or data processors, franchisors and franchisees must nonetheless comply with the requirements of the PDPA in the course of their operations. To ensure their activities are in compliance with the law, franchise businesses should consider five major actions: 1. Auditing existing data collection and retention practices Whether operating online or via a brick and mortar shop, it is increasingly common for franchise businesses to store and process customers’ personal data. This may include the storage and transmission of credit card information for auto-billing

During the first quarter of 2022, Thailand’s Securities and Exchange Commission (SEC) announced a series of notifications aiming to strengthen the regulatory regime for digital assets while safeguarding investors’ interests. The updated rules and conditions apply to digital asset business operators licensed by the SEC. The key features of the new notifications, which took effect in March and April 2022, are summarized below. Custody of customers’ assets (effective March 1, 2022) As custodians of their customers’ assets, digital asset business operators must: Segregate customers’ assets in their custody so that the operators can clearly identify which assets belong to which investors. If customers’ digital assets are to be deposited with a third party, the operators must inform the customers accordingly. Refrain from seeking benefits from customers’ assets in any manner other than the purpose for which the assets are held. This includes refraining from using customers’ assets to provide benefits to others or to the customers themselves, and from depositing customers’ digital assets with a custodian that intends to lend out the digital assets (but does not include giving the customer’s assets to a licensed digital asset fund manager for investment in digital assets). Reconcile customers’ assets and keep evidentiary documentation for a period of at least five years. Privacy coin services (effective April 1, 2022) Digital asset business operators are prohibited from providing privacy coin services that can conceal (or allow the concealing of) specific transactional information, such as data about the transferor, the transferee, and the transfer amount. Digital asset business operators that provided privacy coin services to customers before the effective date of these new regulations may continue to provide such services, but they must arrange for their customers to disclose at least the required transactional information or agree not to engage in information concealment. Digital