Thailand’s Securities and Exchange Commission (SEC) has revised its regulations on digital asset operators and exchanges to impose stricter governance standards on digital asset business operators and to align digital asset exchange rules with international standards. The new regulations are laid out in SEC Notification No. GorThor. 23/2567 on the Criteria, Conditions, and Procedures for Operating a Digital Asset Business (No. 24) and SEC Notification No. GorLorThor. 24/2567 on Determination of Prohibited Qualifications for Directors and Executives of Digital Asset Business Operators (No. 5). These were published in the Government Gazette on August 16, 2024, with most of the provisions taking effect on the same date. Governance for Digital Asset Businesses The heightened standards for digital asset business operators aim to ensure efficient business supervision and appropriate response to operational risks. The new requirements mainly address: Board of directors composition. Large-sized digital asset business operators (i.e., those with at least 10,000 customers and holding customer assets of at least THB 500 million) who do not provide digital asset custodian services must have at least five directors, at least two of whom must be independent directors. In addition, the business operators must establish an audit committee, with at least two members being independent directors, to create an appropriate “check and balance” mechanism within the organizational structure. Current digital asset business operators must comply with the requirements within 180 days of the notification’s effective date. Qualifications of authorized directors and managers. Authorized directors and managers are now required to (1) either have at least one year of working experience in the digital asset field or have participated in a digital asset course from an SEC-approved list, and (2) participate in a good corporate governance course recognized by the SEC. Current authorized directors and managers who have not previously completed a good

On August 13, 2024, Thailand’s Personal Data Protection Committee (PDPC) published a notification on the Criteria for Personal Data Deletion, Destruction, and De-identification in the Government Gazette, taking effect on November 11, 2024. Most of the content remains unchanged from the June 2024 draft of the legislation that was released for public comment. Only minor amendments have been made, as outlined below: Data controllers must respond to data subjects’ requests to delete, destroy, or de-identify personal data, including any copies or backups, without delay and within 90 days of receiving the request. This timeframe has been extended from the previous draft, which allowed only 60 days. In deleting, destroying, or de-identifying personal data, the data controller must ensure that no one is able to recover or reverse personal data to enable the direct or indirect identification of the data subject by any means that could reasonably be expected. If the data controller cannot fulfill the request within the 90-day period, it must take measures to ensure that the personal data is made difficult to collect, use, or disclose until the personal data can be deleted, destroyed, or de-identified according to the notification. In such cases, appropriate organizational, technical, and physical measures must be implemented to protect the data, meeting the criteria set forth by the notification. One newly added provision allows data controllers to delete, destroy, or de-identify a data subject’s personal data using a different method than the one requested by the data subject, provided they inform the data subject of the alternative method. However, this is not allowed when the data subject exercises this right on the grounds that the personal data has been unlawfully collected, used or processed, and there are no grounds to reject the request. In relation to the de-identification or anonymization of personal

Thailand’s Securities and Exchange Commission (SEC) amended its utility token supervisory framework by issuing seven notifications that came into effect on August 13, 2024. Ready-to-use utility tokens (tokens that can be used immediately to acquire specific goods or services), which were previously unregulated, are now subject to the supervisory scheme set forth by the seven new notifications in both primary and secondary markets. This is intended to provide an investor protection mechanism that responds to the characteristics, risks, and usage of the different types of ready-to-use utility tokens. Under the new notifications, ready-to-use utility tokens are categorized into two groups. These are detailed below. Group 1 Utility Tokens Group 1 utility tokens include ready-to-use utility tokens issued for consumption purposes or as a digital representation of a certificate. Examples include loyalty points, digital movie or concert tickets, NFTs, and carbon credits, among others. Principally, there is no change in the regulation of group 1 utility tokens under the new notifications. In the primary market, issuance of this type of token is not subject to the initial coin offering (ICO) requirements. In the secondary market, providing services related to group 1 utility tokens is not considered to be the same as operating a digital asset business with licensing requirements under the Emergency Decree on Digital Asset Businesses B.E. 2561 (2018). Licensed digital asset operators (including exchanges, brokers, and dealers) are not permitted to list or trade group 1 utility tokens. To provide services in relation to group 1 utility tokens, these licensed digital asset operators must establish a separate entity to provide those services and must not use names or messages that could cause the public to misunderstand that the separate entity is engaged in a digital asset business under SEC supervision. Group 2 Utility Tokens Group 2 utility tokens

The Personal Data Protection Committee (PDPC) of Thailand’s Ministry of Digital Economy and Society (MDES) has announced the first administrative fine under the Personal Data Protection Act B.E. 2562 (2019) (PDPA). A major private company was fined THB 7 million for noncompliance with specific PDPA requirements, resulting in the unauthorized disclosure of personal data to a call center gang (phone scam fraudsters). Key Findings of Noncompliance The PDPC determined that there were three key violations of specific requirements of the PDPA: Failure to appoint a data protection officer (DPO): Despite processing personal data for over 100,000 individuals as part of its core operations, the company did not appoint a DPO. Inadequate security measures: The company lacked the required security measures, leading to a data breach involving a call center gang, causing widespread damage. Delayed data breach notification: The company did not notify authorities of the data breach within the required timeframe and failed to address the breach promptly, making it impossible to remedy the situation. In addition to the monetary fine, the PDPC, along with the PDPA’s Expert Committee, issued a corrective order requiring the company to undertake the following actions and notify the Office of the PDPC of the relevant correction measures within seven days of receiving the order: Implement up-to-date security measures: The company must improve its current security measures to prevent future breaches and ensure that the security measures are up-to-date with changing technologies. Raise awareness of personnel: The company must provide training to relevant personnel to ensure awareness of data compliance and protection practices. This significant administrative action establishes a precedent for addressing data breaches in both governmental and commercial sectors in Thailand. It also confirms the importance of PDPA compliance, particularly the need for robust security measures, timely breach notifications, and the appointment of