Tag: Digital Asset

on by

Thailand New Draft Digital Platform Economy Act

The outbreak of the COVID-19 pandemic has significantly altered consumer behavior, leading to a surge in reliance on digital platforms for activities like shopping and food delivery. This shift has played a pivotal role in the rapid growth of the digital economy, both in Thailand and globally. Citizens have become increasingly dependent on these platforms, which offer convenience and ease in daily life. As digital platforms now cover almost every facet of modern existence, the government has recognized the need to regulate these services to ensure economic and social stability, enhance credibility, and mitigate any potential risks to the public at large.

In response to this, Thailand initially enacted the Royal Decree on the Operation of Digital Platform Service Business Subject to Prior Notification B.E. 2565 (2022) (“Royal Decree”), which regulates and imposes obligations on digital platform service operators. These operators, such as Shopee or Lazada, manage platforms that connect business users and consumers through data networks to facilitate electronic transactions. However, recognizing the evolving landscape, the Ministry of Digital Economy and Society (“MDES“) has proposed the Draft Digital Platform Economy Act B.E. …. (the “Draft Bill”), which aims to expand regulation to include a broader range of platform services not covered under the Royal Decree, also known as, digital media services.

The Draft Bill seeks to regulate various digital platform services more comprehensively, promoting fair trade, encouraging self-regulation, and supporting operators in adopting good governance principles. Below are the key aspects of the Draft Bill.

Categorization of Digital Media Services

The Draft Bill defines Digital Media Services as any service provided over a computer network, internet system, or telecommunications network that acts as a medium between the sender and the data receiver. It categorizes these services into three types, each with distinct legal responsibilities for the operators:

  1. Mere Conduit Service: This refers to the provision of electronic data transmission services or access to an electronic communications network. Mere conduit providers are not liable for illegal activities during data transmission, as long as they can prove they neither initiated the data nor altered it in any way.
  2. Caching Service: Caching services involve temporary data storage for faster transmission. Providers are not held responsible for illegal activities, provided they meet the terms for data access and follow standard industry practices.
  3. Hosting Service: Hosting services provide data storage on behalf of users. These providers are only held accountable if they are aware of illegal content stored and fail to take action by either removing or blocking access to it.

General Obligations for Digital Media Services Platform Operators

Under the Draft Bill, platform operators are required to comply with obligations prescribed in Chapter 3 of the Draft Bill, which includes notifying the users of their rights and obligations, as well as the risks associated with using digital media services; providing a complaint resolution channel that responds within 24 hours and reports on the investigation outcome within 60 days; disclosing advertising information, publishing clear terms and conditions, as mandated by the law, and appointing a point of contact to liaise with the Electronic Transactions Development Agency (“ETDA“).

Very Large Online Platform (VLOP)

The Draft Bill introduces the concept of Very Large Online Platforms (“VLOP“). To qualify as a VLOP, a platform must meet one of the following criteria:

  1. A net income (before expenses) of over 1,000 million Baht per year from the provision of services in Thailand.
  2. More than 6 million active users per month.
  3. Poses a high risk to the economic or social security of Thailand, as determined by the ETDA.

VLOPs are subject to additional obligations, such as reporting data to the ETDA, tracking business users’ activities, suspending services for users engaged in serious illegal activities, and submitting annual transparency reports.

Core Platform Services & Gatekeepers

Chapter 5 of the Draft Bill defines core platform services and identifies platform operators that act as “gatekeepers” to other service providers. Core platform services currently include 10 types of digital media services such as online search engines, video-sharing services, cloud computing, and online advertising services, among others. A platform operator may be classified as a gatekeeper if it meets three criteria:

  1. Significant impact on the economy, with annual income (before expenses) exceeding 7 billion Baht.
  2. Serves as a critical gateway for business users to reach end users, with more than 15 million consumer users and 10,000 business users annually.
  3. Has the power to limit competition from other platform service providers, maintaining a dominant position.

Gatekeepers are subject to additional responsibilities, such as ensuring fair treatment of business users, facilitating free communication between consumers and businesses, preventing unfair practices that hinder competition, and more.

ETDA and Digital Platform Economy Committee’s Power to Enforce Data Platform’s Compliance

In order to enforce the Draft Bill effectively, the Draft Bill grants ETDA various powers to enforce compliance, including but not limited to the power to request data from platform operators to assess compliance, power to access and inspect platforms’ computer systems and physical premises if there is reasonable suspicion of illegal activities, the power to impose fines, service suspensions, or even criminal charges for severe violations.

Regulatory Transition

To ensure a smooth transition in the enforcement of this Draft Bill from the existing Royal Decree, the Draft Bill includes a grandfather clause allowing the platform operators who have already submitted notification under the Royal Decree to be deemed to have been notified under this Draft Bill as well. Nonetheless, they are required to update their information to align with the new requirement within 120 days of its enactment. Whilst the Royal Decree shall cease to be effective on the enforcement date of this Draft Bill, the sub-ordinate regulations issued under the Royal Decree shall remain in effect for as long as they do not conflict with the Draft Bill, or the new-subordinate regulation to be issued under the Draft Bill. 

Conclusion

The Draft Bill represents a proactive step toward regulating the rapidly expanding digital economy in Thailand. By establishing clear guidelines for digital platform operators, categorizing services, and introducing additional obligations for large and influential platforms, the Draft Bill aims to foster fair competition, ensure consumer protection, and maintain economic stability. As digital platforms continue to play an integral role in modern society, this legislation will be crucial in balancing innovation with accountability, ensuring that the digital economy can thrive in a secure and sustainable manner. As such, the passage of the Draft Bill will likely have far-reaching implications, not only for platform operators but also for the broader economy and society.

Source: International Business April 2025 : Antea

Read Full Article

on by

NCSA Tackles Cloud Security with New Measures

The National Cyber Security Agency (NCSA) has recognized the growing reliance on cloud services by both government agencies and private sectors, along with the increasing number of cyberattacks targeting users. In response, the agency has drafted the Notification on Cloud System Cyber Security Standard (“Notification“), aiming to establish a robust standard of security measures for cloud systems.

Applicable Entities and Scope: The draft Notification is applicable to government agencies, supervising or regulating organizations, and organizations of critical information infrastructure (as defined under the Cybersecurity Act B.E. 2562 (2019)) that utilize cloud services and have official contracts with Cloud Service Providers (CSPs). These entities are collectively referred to as Cloud Service Customers (CSCs).

Risk Assessment and Categorization: According to the draft Notification, the risks associated with cloud system usage can originate from either the CSC or the CSP. Despite the fact that the draft Notification’s applicability is extended to only the CSCs, the CSPs are to be bound by its service agreement with CSCs to comply with the requirements of the draft Notification as well. CSCs and CSPs are mandated to assess the level of risk in accordance with the security objectives prescribed by another NCSA’s notification. The risk levels are categorized as low, moderate, and high, each with different minimum requirements for security standards, CSC and CSP assessments, and certifications.

green and white line illustration

Minimum Requirements: The minimum requirements for cloud security depend on the assessed risk level and the related security objectives. These requirements may encompass various aspects, including:

  1. Cloud security governance, encompassing information security policies, organization of information security, supplier relationships, and compliance with rules and regulations.
  2. Cloud infrastructure security and operations, covering human resources security, asset management, access control, cryptography, physical and environmental security, operations security, communication security, system acquisition, development and maintenance, supplier relationships, and information security incident management.

Assessment and Certification: Depending on the risk level and the related security objectives, CSCs or CSPs may be required to conduct compliance assessments as follows:

  1. Self-assessment, conducted in accordance with NCSA’s prescribed requirements.
  2. Assessment by a regulator or regulatory agency (attestation).
  3. Assessment by an advanced certified body.

The frequency of assessments and certifications will also depend on the assessed risk level.

The draft Notification provides greater details, and CSPs and CSCs subject to its provisions are required to carefully assess their associated risks and obligations.

Conclusion: The NCSA’s draft Notification aims to establish a comprehensive framework for ensuring the security of cloud systems used by government agencies, regulatory bodies, and critical infrastructure organizations. By introducing risk-based minimum requirements, assessments, and certifications, the agency seeks to address the growing cybersecurity threats and enhance the overall resilience of cloud services within the country.

Author: Panisa Suwanmatajarn, Managing Partner.

Other Articles

on by

Digital Platform Service Operation to Be Regulated

With the rise of modern technology and the spread of COVID-19, businesses are increasingly turning to online platforms as a way to operate without needing to travel. These platforms cover a wide range of services, such as online marketplaces, social commerce and food delivery. In general, terms of use imposed by service operators should be transparent with their users. They should provide clear information about their policies, pricing, data usage and other relevant information. They should also give users the opportunity to make decisions about how their data is used and how they are served by the service. This will ensure that users are aware of how their data is being used and that they are not being taken advantage of.

The regulation of digital platform services to be imposed by the government should be based on a set of fair and transparent rules that are applicable to all parties. These rules should ensure the safety of users, ensure data privacy and security, protect against anti-competitive practices and ensure that the user experience is not compromised. Additionally, government should take an active role in monitoring the digital platform services and enforcing these regulations, as well as providing a framework for dispute resolution between users, companies and government.

The regulation should also consider the innovative nature of digital platform services and allow room for experimentation and innovation. Additionally, the government should also provide incentives for companies to innovate and create new services. This will ensure that digital platform services remain competitive and continue to innovate in order to provide the best user experience possible.

As for Thailand, the Royal Decree on Supervision of Digital Platform Services Operation Requiring a Notification (“Royal Decree”) was announced on 23 December 2022 and will be effective 240 days after the announcement (i.e., 20 August 2023) in order to govern this matter.

person holding white android smartphone

Digital Platform Services shall refer to the provision of electronic platform services as a medium with data management that connects Digital Platform Service Operators (“Platform Operator”), consumers or users via a computer network in order to enable electronic transactions, whether or not a service charge is charged. Digital Platform Service under this Royal Decree excludes the Digital Platform Services that are intended to be used to offer such Platform Operator’s or its affiliates’ goods or services, regardless of whether such goods or services are offered to third parties or its affiliates.

The Platform Operator under the Royal Decree must report its operations to the Electronic Transactions Development Agency (“ETDA”) and examples of qualifications are as follows:

  1. A natural person who operates digital platform service in Thailand and earns more than 1,800,000 THB per year or more than 50,000,000 THB if the Platform Operator is a legal entity; and
  2. Digital platform service with average monthly users in Thailand over 5,000 users.

As the Royal Decree’s main objective is to protect consumers within Thailand, regardless of Platform Operators operating outside of Thailand, this Royal Decree determines that the digital platform services that operate outside Thailand and provide services with one of the following characteristics shall be deemed to provide services to users in Thailand, namely, (1) Thai language digital platforms,  (2) digital platforms with the domain name “.th” or “.ไทย” (3) digital platforms that accept payment in Thai baht, (4) Digital platforms governed by laws of Thailand and subject to the exclusive jurisdiction of the courts of Thailand and others as specified in this Royal decree.

Platform Operators who will operate digital platform services must report the following information and evidence to ETDA:

  1. Platform Operator’s information such as name, surname or legal entity’s name, identification number or company registration number, address, accounting period and contact channel;
  2. Digital platform service information such as platform’s name, type of the platform, platform service channel (i.e., URL or application), value of transaction made on digital platform service (if any), etc.; and
  3. Users’ information such as user type (i.e. person who offers goods or services to consumer through digital platform service, customers and etc.), the total number of user and the total amount for each type of user, service provider’s information (i.e. freight forwarder and warehouse service provider), the total number of service provider and the total amount for each type of service provider, information and type of complaint, along with the handling of the complaint and the settlement of such dispute, the information of representative in Thailand (for the Platform Operator who operates inside Thailand) and the Platform Operator’s consent to for ETDA to access such reported information.

The Platform Operator will be issued a registered receipt and will be able to begin operating the digital platform services once ETDA receives the aforementioned report and evidence. Any major change must be reported to ETDA within 30 days as specified in this Royal Decree. Furthermore, ETDA will provide a channel for publicizing the digital platform services’ list and status (for example, the current list of Platform Operators and those whose receipt has been revoked). Please note that the information and evidence listed above must be reported annually within 60 days from the end of the calendar year (Natural Person Platform Operator) or fiscal year (Legal Entity Platform Operator).

Platform Operators may also be required to provide users with terms and conditions of service, assess risk, prepare risk management measure, system security measure, mitigation measure and other duties as specified in the Royal Decree in order to compensate or remedy those damaged by the use of digital platform services. Plus, the ETDA shall consider announcing the rules, procedures and conditions governing the period for business termination, the transfer of digital platform services to another licensee, the management and collection of data relating to digital identity proofing and authentication and any other matters deemed appropriate in order to prevent damage, protect users and ensure that users can use the services continuously.

laptop technology ipad tablet

Platform Operators whose qualifications are required to report ETDA may continue to operate their businesses only if they report their digital platform business operations to ETDA within 90 days of the Royal Decree’s effective date. On the other hand, those who wish to discontinue such operations must notify ETDA within 90 days of the Royal Decree’s effective date as well.

There are also other details regarding the types of digital platform services, duties and various procedures which should be studied further by Platform Operators. Please note that if any law specifically governs over a specific type of digital platform services, the Platform Operator must comply with such law only if it practices in accordance with and in a manner that does not fall below the provisions of this Royal Decree.

Author: Panisa Suwanmatajarn, Managing Partner.

Supervision of Financial Business Groups of Commercial Banks that Operate Business and Transact on Digital Asset

on by

Supervision of Financial Business Groups of Commercial Banks that Operate Business and Transact on Digital Asset

Digital Asset plays a significant role in contributing to the development of innovative financial services which is beneficial to consumers and the economy as a whole. However, Digital Asset exposed to risks in many forms, especially in cases where consumers have an insufficient understanding of Digital Asset, and is also at risk of being used as a tool for money laundering or terrorist financing.

In order to balance between supporting innovations related to Digital Asset of the financial business groups of commercial banks for benefits and managing risks that may arise, it is an important concept for the Bank of Thailand to improve and defines relevant rules for business operation and transaction related to Digital Asset to be more flexible and to allow discreet investment and business relevant to Digital Asset under the rules and investment ratio in Digital Asset Business as required.

Therefore, the Bank of Thailand has issued the Notification of the Bank of Thailand No. SorNorSor. 6/2565 on Regulations on the Supervision of Financial Business Groups of Commercial Banks that Operate Business and Transact on Digital Asset (“Notification”) which comes to force on October 22, 2022,  and applies to commercial banks, parent companies, subsidiaries, and affiliated companies of commercial banks in financial business groups according to the financial institutions business law with key principles such as: (1) to allow companies in financial business groups except commercial banks to discreetly operate a Digital Asset business under flexible regulations, and support technologies or development of financial services to increase financial system’s efficiency for the benefit of the people, business and economy; (2) to supervise and manage the risks from transactions in relation to Digital Asset; (3) to protect consumers and for consumers to receive fair services; and (4) to raise the Digital Asset business standard.

This Notification stipulates that commercial banks can transact on Digital Asset but cannot operate a Digital Asset business, and companies in financial business groups can operate businesses and transact in Digital Asset as prescribed in this Notification without contravening the key principles of this Notification and other relevant laws of Thailand and internationally such as prohibiting the use of Digital Asset as a means of payment or encouraging the general public to hold Digital Asset. However, such transactions are subject to the purpose of developing innovations to increase the efficiency and quality of providing financial business.

Furthermore, this Notification also specifies the principles of risk management governance in the following subjects:

  1. Limiting the amount of credit, investing, creating contingent liabilities, or conducting transactions similar to lending to businesses related to digital assets (Digital Asset Related Business Limit)
  2. Good Governance Supervision
  3. Capital maintenance
  4. Liquid assets maintenance
  5. Classification and provisioning
  6. Supervision of large debtors
  7. Intragroup Contagion Risk
  8. Official supervision (Supervisory Review Process)
  9. Disclosure
  10. Know Your Customer: KYC
  11. Consumer Protection

Author: Panisa Suwanmatajarn, Managing Partner