On October 1, 2024, the Thai cabinet acknowledged the recommendations proposed by the National Anti-Corruption Commission (NACC) to prevent corruption related to online gambling. The Ministry of Digital Economy and Society (MDES) has been assigned as the lead agency to collaborate with various relevant agencies to reach a consensus on the necessary amendments and updates to laws related to online gambling. In assigning the MDES this role, the cabinet emphasized the importance of the following key items: Establishment of a national committee. The national committee will be chaired by a minister and will comprise relevant agencies, including policymaking bodies, technology agencies, frequency management agencies, law enforcement agencies, and other experts. The committee’s primary responsibility will be to consider amending and updating laws related to online gambling. Urgent action on online gambling. As online gambling has been deemed a serious issue requiring urgent action, joint policies will be developed among relevant agencies such as the Royal Thai Police, the Bank of Thailand, and the Anti-Money Laundering Office to elevate the importance of online gambling issues. Public awareness and law enforcement. Public awareness campaigns are to be conducted to educate the public about the risks and legal consequences of online gambling, and laws against online gambling and related financial crimes are to be strictly enforced. Compliance with the Cybersecurity Act. It is necessary to ensure strict compliance with the Cybersecurity Act B.E. 2562 (2019). At the same time, government data systems are to be moved to cloud computing for enhanced data security. Next Steps The MDES is tasked with summarizing the results of the related discussions, actions taken, and overall opinions and submitting the summary to the cabinet secretariat for further presentation to the cabinet. These measures aim to address and mitigate the risks associated with online gambling and related corruption.

Thailand’s Electronic Transactions Development Agency (ETDA) issued guidelines for managing advertisements on digital platform services (DPSs) earlier this year. These guidelines aim to prevent fraud, illegal product or service offerings, and inducements to commit illegal acts, and are likely to provide a basis for greater regulation of this issue in the future. Key obligations for DPS business operators under the guidelines are detailed below. Advertiser Screening and Data Collection Verification and collection: Business operators must establish processes for verifying and collecting advertiser data. This includes steps, methods, and required information for advertiser registration. Identity verification: Business operators should follow identity verification requirements for advertiser registration. This may include using identity verification results from other identity providers or conducting their own identity verification processes with a minimum identity assurance level (IAL) of IAL2. Data storage: Advertiser data must be stored in a machine-readable format. Business operators must maintain records for watchlists, blacklists, and whitelists. Prepublication Advertisement Review Review process: Business operators should review advertisements before publication. This review should consider factors such as prohibited or restricted advertisements, required permissions, and avoiding sensitive user data. Postpublication Monitoring Advertisement monitoring: Business operators must monitor published advertisements using automated systems, staff, or contracted personnel. Criteria for prioritizing reviews should be established. Reporting channels: Business operators must provide channels for users to report illegal or inappropriate advertisements. Reports must be promptly addressed, prioritizing cases involving intellectual property owners or multiple credible reports. Advertiser account monitoring: Business operators must monitor advertiser accounts. This includes considering factors such as the number of reports/flags received and compliance with service agreements and community standards. For more information on this initiative from the ETDA, or on any aspect related to Thailand’s regulations for DPSs, please contact Athistha (Nop) Chitranukroh at [email protected], Thammapas Chanpanich at [email protected], Pornpan Wichawut at [email protected],

The first draft of Vietnam’s new Personal Data Protection Law (“Draft PDPL”) was released for public consultation on September 24, 2024, and is open for comments until November 24, 2024. (See further details here.) It is expected that the draft will be presented to the National Assembly before the end of 2024 and will be submitted for adoption in May 2025, with a tentative entry into force on January 1, 2026. As the Draft PDPL incorporates most of the provisions of Decree No. 13/2023/ND-CP on Personal Data Protection (“PDPD”), which has been the primary legal instrument on personal data protection since it took effect on July 1, 2023, it is likely that it will supersede the PDPD when it takes effect. [Please contact our Vietnam data protection team to request a detailed comparison of the Draft PDPL to the PDPD.] Noting that there might be further changes to the draft once the public consultation period closes, the Draft PDPL proposes new specific requirements for a number of services. Some highlights of the current version include the following: Marketing services: Although marketing services are already regulated under the PDPD, the Draft PDPL now recognizes that the use of personal data for marketing must comply with anti-spam regulations. The current draft does not clarify whether organizations are exempted from the consent requirement for the purpose of the initial call or message under the anti-spam regime. Marketing service providers are not allowed to outsource the services to another organization to perform or support the implementation of marketing business, which may prevent the sharing of personal data. Behavioral advertising: Behavioral advertising (targeted personalized advertising based on a user’s activity or personal data) requires the consent of the data subject in a modifiable manner that allows the data subject to refuse to share data

On September 24, 2024, the government of Vietnam issued the first draft of a new Law on Personal Data Protection (“Draft PDPL”). As foreshadowed in our previous legal update, the Ministry of Public Security has been very active in developing this draft law. With this draft, they promise to continue their considerable efforts to establish a robust personal data protection culture in Vietnam, as the Draft PDPL indicates a tentative entry into force on January 1, 2026. With a tentative adoption by the National Assembly in May 2025, the Draft PDPL does not include any transition period, save for micro-enterprises, SMEs, and startups, which are only exempted from appointing a data protection department in their first two years of existence, while the timeline to comply with other obligations under the PDPL remains the same as for other enterprises. The Draft PDPL includes 68 articles, divided into seven chapters, making it more extensive than last year’s Decree No. 13/2023/ND-CP on Personal Data Protection (“PDPD”), and expressly addresses personal data protection in many fields, including marketing services, behavioral advertising, big-data processing, AI, cloud computing, labor monitoring and recruitment, financial and credit information, health and insurance, and others. It remains unclear how the PDPL will interact with the PDPD (whether it will replace its predecessor or coexist with it), although the Draft PDPL provides that it will prevail over any laws that have provisions on personal data protection that differ from the provisions of the PDPL. Among the important new developments of the Draft PDPL when compared to the PDPD, we note: Consent remains the main legal basis for processing, with limited exceptions (still not including “legitimate interest”). However, consent for cross-border transfer is further regulated under the Draft PDPL, including for intra-group sharing. Data processing impact assessment dossiers for controllers and