On July 13, 2023, Thailand’s Personal Data Protection Committee (PDPC) published a draft notification on the requirements for appointment of a data protection officer (DPO). Under the Personal Data Protection Act B.E. 2562 (PDPA), data controllers or data processors must appoint a DPO if: The data controller or data processor is a state agency as prescribed by the PDPC (the list of state agencies was published in the Government Gazette on July 18, 2023); The activities of the data controller or data processor in relation to the processing of the personal data require “regular monitoring of the personal data or the system,” by reason of “having large-scale personal data” as prescribed by the PDPC; or The core activity of the data controller or data processor is related to the processing of special categories of personal data (e.g., health-related data, biometric data, etc.). The draft notification’s criteria for determining whether a processing activity (1) requires regular monitoring of the personal data or the system, and (2) involves large-scale personal data are outlined below. General Principles When determining whether processing of personal data requires regular monitoring due to having large-scale personal data, it is likely that only the “core activity” of the data controller or data processor is to be taken into consideration. The term “core activity” denotes an essential and integral activity directly related to the primary operations of the data controller or data processor and does not include any supplementary business activities. Regular Monitoring of Personal Data or Systems According to the draft notification, activities related to processing personal data require regular monitoring of the personal data or the system if: The core part of the data controller’s or data processor’s activities consists of tracking, monitoring, analyzing, or predicting the behavior, attitude, or profile of individuals; and These activities

Vietnam’s Decree No. 72/2013/ND-CP, as amended by Decree 27/2018/ND-CP (referred to collectively as “Decree 72”) regulates internet services and online information, and plays a crucial role in governing significant services such as social networks, online games, and aggregated information websites, as well as key matters like domain names and online information security. Given the rapid pace of development in these areas, Decree 72—having been in effect for nearly a decade—is in need of an update. The Ministry of Information and Communications (MIC) had initially intended to draft an amendment to Decree 72 in 2021. However, the magnitude of required changes made it impractical to retain the form of an amending decree, leading the MIC to shift its focus toward replacing Decree 72 entirely. As a result, a new draft decree to replace Decree 72 (the “Draft Decree”) was released by the MIC for public consultation from July 17 to September 15, 2023. The Draft Decree is comprehensive, with six chapters, 87 articles, and an appendix of 56 forms. The following are some of the main issues covered by the new Draft Decree. 1. Social Network Services Classification and licensing/notification Social network services include onshore and offshore social network services. Onshore social network services refer to those provided by organizations or enterprises with legal status in Vietnam, and are divided into “high-visitor” or “low-visitor” categories based on number of regular visitors. The high-visitor category includes social networks with total visits of 10,000 or more per month for six consecutive months or with more than 1,000 regular members in a month. High-visitor onshore social network service providers must obtain a license to provide social network services. Low-visitor onshore social network service providers only need to notify the MIC’s Authority of Broadcasting and Electronic Information (ABEI) and receive the ABEI’s written notification

Myanmar’s Ministry of Commerce (MOC) issued three notifications related to e-commerce on July 21, 2023, classifying online retail businesses as essential services, requiring them to register with the relevant authorities, and setting the criteria for their registration. Under Notification No. 49/2023 the MOC authorized the Department of Trade (DOT) to issue notifications, orders, and directives relating to online retail businesses. This was followed by Notification No. 50/2023, which classifies online retail businesses as essential services under the Essential Supplies and Services Law and requires them to register with the DOT within six months of the issuance of the notification (i.e., by January 21, 2024). Failure to register within the specified period will be punishable by imprisonment for six months to three years and a fine of up to MMK 500,000 (approx. USD 238). Finally, under Notification No. 51/2023, the MOC set out the criteria and requirements for the registration of online retail businesses by entities, business institutions, and individuals, as well as the duties and liabilities of sellers and consumers. Pursuant to this notification, registration should be completed via the DOT’s online system, fees must be paid digitally, and electronic registration certificates will be issued. Certificates are initially valid for two years, and can be renewed. The MOC will provide information at a later time on the prescribed forms, certificate format, registration and online fees, and online registration portal. In applying for registration, an entity or business institution established under the Myanmar Companies Law, Special Company Act, Co-operative Society Law, or any other existing Myanmar laws must have a website with its own domain name or an online channel with an exact address that is used for online sales and a registered business address within Myanmar. Individual applicants must be at least 18 years old, reside in Myanmar, and

Thailand’s Electronic Transactions Development Agency (ETDA) held a briefing session on July 20, 2023, laying out the changes and new requirements in draft sublaws under the Royal Decree on Digital Platform Services. These sublaws are expected to be announced in August 2023. The key changes and new requirements are listed below. The ETDA has drafted guidelines on the methods for identifying active users to give digital platform service operators a better understanding of the calculation methods. The definition of “users” for calculating annual monthly active users (AMAUs) has been reduced in scope to cover only users in Thailand. E-marketplace digital platform services that will suspend or terminate operations for specific users must inform the affected users and provide a period for them to challenge the suspension or termination. Digital platform service operators cannot use the requirements to identify their active users as a legal basis for processing users’ personal data, especially for profiling and tracking activities. The sublaws on announcement of terms and conditions (T&Cs) and changes to T&Cs, once issued, will take effect on January 3, 2024, while the other sublaws will take effect immediately (i.e., August 21, 2023). This shows that the ETDA has acknowledged the private sector’s feedback that the requirements on T&Cs will take more time for operators to comply with. The requirements for changing T&Cs have been adjusted. Under the current draft, the required advance notification period can be exempted if a change in the T&Cs is for the purpose of, for example, rolling out new products or services and improving the platform. Required submissions under the Royal Decree for Digital Platform Services and its sublaws will be made through the ETDA’s online portal. There will likely be no extensions granted for compliance with the Royal Decree for Digital Platform Services and its sublaws