On June 4, Thailand’s Ministry of Commerce (MOC) issued a new notification on e-commerce business registration pursuant to the Commercial Registration Act B.E. 2499 (1956) (CRA), replacing a similar notification from 2010. The new notification (officially titled “Notification Re: Business Regulations that Commercial Operators Must Register and Businesses that Are Not Subject to the Commercial Registration Act, B.E. 2549 B.E. 2567”) took effect on June 5, 2024. While the previous notification required all individuals and legal entities engaged in regulated activities, such as selling goods or services online, to register their businesses with the local district office, the new notification effectively lifts this requirement for certain legal entities. The new notification clearly states that the CRA does not apply to regulated activities conducted by: Private limited companies, registered ordinary partnerships, and limited partnerships (i.e., legal entities under the Civil and Commercial Code); and Public limited companies (i.e., legal entities under the Public Limited Companies Act). Now that the new notification is in effect, limited companies and other specified legal entities are no longer required to register their e-commerce activities and obtain an e-commerce certificate from the MOC. E-commerce certificates previously issued to these legal entities are also voided by the new notification. Nevertheless, the requirement to register for direct marketing and obtain a direct marketing certificate under the Direct Sales and Direct Marketing Act B.E. 2545 (2002) remains in effect for any online sales or e-marketplace platforms administered by legal entities. Given the recent proactive enforcement of penalties for noncompliance with direct marketing registration requirements, we strongly advise business operators to assess whether their operations fall within the scope of direct marketing regulations and require a direct marketing certificate. For more information on e-commerce and direct marketing registration in Thailand, please contact Athistha (Nop) Chitranukroh at [email protected], Nopparat Lalitkomon

Vietnam’s financial landscape is set to further transform on July 1, 2024, when the government’s long-awaited Decree No. 52/2024/ND-CP dated May 15, 2024 (“Decree 52”), will officially replace Decree No. 101/2012/ND-CP dated November 22, 2012, on non-cash payments (“Decree 101”). Decree 52 marks an important milestone by introducing the country’s first-ever legal definition of e-money. In addition, the decree brings forth new updates to regulations governing payment and intermediary payment services, laying the groundwork for more comprehensive guidance that will be provided in draft circulars now being developed by the State Bank of Vietnam (SBV). Non-Cash Payment Instruments The new definition of non-cash payment instruments under Decree 52 expands upon the previous definition in Decree 101. Notably, it clearly specifies the issuing entities as payment service providers, financial companies licensed to issue credit cards, and e-wallet service providers. Additionally, the new definition further clarifies that bank cards include debit, credit, and prepaid cards, and adds e-wallets to the list of non-cash payment instruments. Unlawful non-cash payment instruments are still defined as those that are not otherwise specified. E-Money Prior to Decree 52, the concept of e-money lacked a precise legal definition, despite its growing prevalence in forms like prepaid cards and e-wallets. The absence of a clear framework for e-money led to confusion with terms like “cryptpcurrency” and “virtual currency” and left significant ambiguity on whether e-money includes certain instruments, such as online game cards and mobile money. Decree 52 addresses this issue by clearly defining e-money as value in Vietnamese dong (VND) stored electronically and prepaid by customers to banks, foreign bank branches, and e-wallet service providers. It also specifically designates e-wallets and prepaid cards as types of storage mechanisms for e-money. Non-Cash Payment Services Decree 52 categorizes non-cash payment services into services with and without client payment

On June 14, 2024, the Personal Data Protection Committee (PDPC) released a draft notification under the Personal Data Protection Act 2019 (PDPA), setting out criteria for how data controllers must delete, destroy, and de-identify personal data. According to the PDPA, a data subject can request that a data controller delete, destroy, or de-identify their personal data in any of the following circumstances: The personal data is no longer necessary for the purposes for which it was collected, used, or disclosed. The data subject has withdrawn their consent for the processing of the personal data, and no other lawful basis for processing remains. The data subject has objected to the processing of their personal data on grounds of legitimate interests or official tasks, the data controller has no other compelling grounds to refuse the request, and the data is not needed for legal claims. The data subject objects to the processing of their personal data for direct marketing purposes. The processing of personal data is unlawful. The draft stipulates that data controllers respond to a data subject’s request to delete, destroy, or de-identify personal data immediately, and within 60 days of receiving the request. If the data controller cannot fulfill the request immediately, they must take interim measures to ensure that the personal data is made difficult to collect, use, or disclose. This includes implementing measures such as preventing access to the data and applying appropriate security measures to protect the data from unauthorized use or disclosure. De-identification or Anonymization of Personal Data In certain circumstances, a data controller may opt to de-identify or anonymize personal data, rather than delete or destroy it. If doing so, the data controller must satisfy the following criteria: There must be a structured process to remove or eliminate all direct identifiers linked to the