On October 31, 2024, Thailand’s Office of the Personal Data Protection Committee (PDPC) opened a public consultation period on its draft notification regarding exemptions from the requirement to create and maintain records of processing activities (ROPAs) under the Personal Data Protection Act B.E. 2562 (2019) (PDPA). This draft notification aims to amend and revoke certain aspects of the first ROPA exemption notification issued in June 2022 and outlines the criteria for data controllers to be exempted from the obligation to prepare and maintain such records. Although it is officially titled “Notification of the Personal Data Protection Committee on Exemption from Record-Keeping Requirements for Small Business Data Controllers,” this draft notification applies to all types of exempted data controllers (see list below), and not only small businesses. The criteria under the draft notification exempt certain data controllers from the obligation to maintain ROPAs, but not from the obligation to retain information on the rejection of data subjects’ requests to exercise certain rights under the PDPA. While these criteria remain consistent with the June 2022 ROPA exemption notification, there are a few notable amendments to certain issues, as detailed below. Types of Exempted Parties The draft notification adds condominium and housing estate juristic persons, as well as individuals, to the list of parties eligible for an exemption, while removing internet cafes from the list. The complete list of parties eligible for ROPA exemptions under the draft notification is as follows: SMEs according to the law on SME promotion, defined as follows: Community or social enterprises, as referred to under the law on community enterprise promotion. Social enterprises, as referred to under the law on social enterprise promotion. Cooperatives, cooperative unions, or agriculturist groups under the law on cooperatives. Foundations, associations, religious bodies, or nonprofit organizations. Household businesses or other businesses of

On October 1, 2024, the Thai cabinet acknowledged the recommendations proposed by the National Anti-Corruption Commission (NACC) to prevent corruption related to online gambling. The Ministry of Digital Economy and Society (MDES) has been assigned as the lead agency to collaborate with various relevant agencies to reach a consensus on the necessary amendments and updates to laws related to online gambling. In assigning the MDES this role, the cabinet emphasized the importance of the following key items: Establishment of a national committee. The national committee will be chaired by a minister and will comprise relevant agencies, including policymaking bodies, technology agencies, frequency management agencies, law enforcement agencies, and other experts. The committee’s primary responsibility will be to consider amending and updating laws related to online gambling. Urgent action on online gambling. As online gambling has been deemed a serious issue requiring urgent action, joint policies will be developed among relevant agencies such as the Royal Thai Police, the Bank of Thailand, and the Anti-Money Laundering Office to elevate the importance of online gambling issues. Public awareness and law enforcement. Public awareness campaigns are to be conducted to educate the public about the risks and legal consequences of online gambling, and laws against online gambling and related financial crimes are to be strictly enforced. Compliance with the Cybersecurity Act. It is necessary to ensure strict compliance with the Cybersecurity Act B.E. 2562 (2019). At the same time, government data systems are to be moved to cloud computing for enhanced data security. Next Steps The MDES is tasked with summarizing the results of the related discussions, actions taken, and overall opinions and submitting the summary to the cabinet secretariat for further presentation to the cabinet. These measures aim to address and mitigate the risks associated with online gambling and related corruption.

Thailand’s Electronic Transactions Development Agency (ETDA) issued guidelines for managing advertisements on digital platform services (DPSs) earlier this year. These guidelines aim to prevent fraud, illegal product or service offerings, and inducements to commit illegal acts, and are likely to provide a basis for greater regulation of this issue in the future. Key obligations for DPS business operators under the guidelines are detailed below. Advertiser Screening and Data Collection Verification and collection: Business operators must establish processes for verifying and collecting advertiser data. This includes steps, methods, and required information for advertiser registration. Identity verification: Business operators should follow identity verification requirements for advertiser registration. This may include using identity verification results from other identity providers or conducting their own identity verification processes with a minimum identity assurance level (IAL) of IAL2. Data storage: Advertiser data must be stored in a machine-readable format. Business operators must maintain records for watchlists, blacklists, and whitelists. Prepublication Advertisement Review Review process: Business operators should review advertisements before publication. This review should consider factors such as prohibited or restricted advertisements, required permissions, and avoiding sensitive user data. Postpublication Monitoring Advertisement monitoring: Business operators must monitor published advertisements using automated systems, staff, or contracted personnel. Criteria for prioritizing reviews should be established. Reporting channels: Business operators must provide channels for users to report illegal or inappropriate advertisements. Reports must be promptly addressed, prioritizing cases involving intellectual property owners or multiple credible reports. Advertiser account monitoring: Business operators must monitor advertiser accounts. This includes considering factors such as the number of reports/flags received and compliance with service agreements and community standards. For more information on this initiative from the ETDA, or on any aspect related to Thailand’s regulations for DPSs, please contact Athistha (Nop) Chitranukroh at [email protected], Thammapas Chanpanich at [email protected], Pornpan Wichawut at [email protected],

The first draft of Vietnam’s new Personal Data Protection Law (“Draft PDPL”) was released for public consultation on September 24, 2024, and is open for comments until November 24, 2024. (See further details here.) It is expected that the draft will be presented to the National Assembly before the end of 2024 and will be submitted for adoption in May 2025, with a tentative entry into force on January 1, 2026. As the Draft PDPL incorporates most of the provisions of Decree No. 13/2023/ND-CP on Personal Data Protection (“PDPD”), which has been the primary legal instrument on personal data protection since it took effect on July 1, 2023, it is likely that it will supersede the PDPD when it takes effect. [Please contact our Vietnam data protection team to request a detailed comparison of the Draft PDPL to the PDPD.] Noting that there might be further changes to the draft once the public consultation period closes, the Draft PDPL proposes new specific requirements for a number of services. Some highlights of the current version include the following: Marketing services: Although marketing services are already regulated under the PDPD, the Draft PDPL now recognizes that the use of personal data for marketing must comply with anti-spam regulations. The current draft does not clarify whether organizations are exempted from the consent requirement for the purpose of the initial call or message under the anti-spam regime. Marketing service providers are not allowed to outsource the services to another organization to perform or support the implementation of marketing business, which may prevent the sharing of personal data. Behavioral advertising: Behavioral advertising (targeted personalized advertising based on a user’s activity or personal data) requires the consent of the data subject in a modifiable manner that allows the data subject to refuse to share data