Thailand has issued a Royal Decree on the Supervision of Regulated Digital Identification Authentication and Verification Service Businesses B.E. 2565 (2022) (the “Royal Decree”), aimed at regulating business operators that provide digital identification authentication and verification services (“Digital ID Services”). The Royal Decree was published in the Government Gazette in December 2022, and will take effect 180 days from the publication date, i.e., on June 21, 2023. The key details and requirements of the Royal Decree are as follows: Regulated Digital ID Services Under the Royal Decree, the provision of the following Digital ID Services requires prior approval from the Electronic Transaction Development Agency: Identity verification service – Services for collecting and identifying information relating to the identity of a person, and verifying the connections between the person and the identity. Authenticator issuance and management service – Services relating to the connection between a person who has passed the identification process with an authenticator, and managing actions which are used to identify a person. Authentication service – A process to authenticate a person by inspecting his/her authenticator. Digital ID networks/systems – Provision of networks or systems used to exchange information for digital identification purposes, excluding services provided by an intermediary. Exempted Digital ID Services The Royal Decree also specifies a list of Digital ID Services that are exempted from supervision under the Royal Decree, as follows: Issuance of certificates to support the use of electronic signatures in accordance with the Electronic Transaction Act. Digital ID Services conducted for use within the operator’s own business only, and which do not involve the provision of such services to third parties. Other Digital ID Services as prescribed by the Electronic Transaction Committee. Qualifications of Business Operators The types of business operators qualified to operate Digital ID Services include (i) private limited companies;

On January 16, 2023, Thailand’s Securities and Exchange Commission (SEC) prescribed a set of security measures that digital asset business operators must implement if they provide custody of digital assets for their customers. The new security measures are prescribed in two notifications from the SEC and its office on digital asset wallet management systems and cryptographic key management systems, with the aim of safeguarding digital assets in custody against loss, fraud, and cybertheft. The notifications took immediate effect. The new security measures and the management systems are summarized below. Policy and guidelines for managing systems related to digital asset custody Digital asset business operators must have a written risk management policy for all systems relating to digital asset custody, approved by their board of directors and made accessible to all employees. The policy must be reviewed or revised at least once annually, or promptly if any potential risks are identified. Specific procedures must be implemented, such as establishment of a compliance team and internal controls. Management of systems for digital asset wallets and cryptographic keys Digital asset business operators must have policies and procedures for managing all systems relating to digital asset custody. This includes properly designing, developing, and managing digital asset wallets in a safe and secure manner. The same requirement on policies and procedures applies to cryptographic key management as well. Management of incidents that may affect systems related to digital asset custody Digital asset business operators must have measures in place to manage incidents that may impact systems related to digital asset custody. The measures include designating a person responsible for incident management, testing and reviewing the incident management policy annually, reporting any incidents affecting digital asset custody to the designated responsible person and the SEC immediately, and conducting a digital forensic investigation with an independent

Government Approves Legislative Dossier On February 7, 2023, the Vietnamese government issued Resolution No. 13/NQ-CP (“Resolution 13”) to approve the latest version of the draft Personal Data Protection Decree (“Draft PDPD”)—a draft which has not yet been made public. Similar to Resolution No. 27/NQ-CP issued in March 2022 approving the previous version of the Draft PDPD (“Resolution 27”), Resolution 13 stipulates the different cases where data subjects’ consent is exempted for processing personal data. Most of these lawful bases are similar to those under Resolution 27—except for the fourth case, which is brand new—with some changes for better clarity. According to Article 1 of Resolution 13, personal data can be processed without consent in the following five cases: (1) The processing is to protect the life and health of the data subject or others in an emergency situation. Data Controllers, Data Processors, Parties Controlling and Processing Personal Data, and Third Parties are responsible for proving this case; Remarks: Vietnamese law, including the prior published version of the Draft PDPD, has never used the terms “data controller”, “data processor,” and “parties controlling and processing personal data.” The inclusion of these terms suggests that the latest version of the Draft PDPD has adopted the GDPR-like concepts of “data controller” and “data processor.” However, until the latest version of the Draft PDPD can be assessed, it is uncertain how these concepts are defined and whether they are fully in line with GDPR definitions. (2) The disclosure of personal data is in accordance with the law; (3) The processing of data is performed by competent state agencies in the event of a state of emergency related to national defense, national security, social order and safety, major disaster, or dangerous epidemic; when there is a threat to security and national defense but not to

The January–March 2023 issue of Asia Franchise & Business Opportunities magazine features an article by two franchising specialists in Tilleke & Gibbins’ Bangkok office. Written by Alan Adcock, partner, and Sher Hann Chua, consultant, the article provides a summary of the legislative developments of 2022 most relevant to franchisors and franchisees. The update looks especially at amendments to Thailand’s unfair trade practices in franchising, as well as the far-reaching Personal Data Protection Act, which is reshaping the way businesses—including franchises—are handling the personal data of customers, partners, and employees. The article is accompanied by a Chinese-language summary of the developments. The full article can be read online in the January–March 2023 issue of Asia Franchise & Business Opportunities.