You are using an outdated browser and your browsing experience will not be optimal. Please update to the latest version of Microsoft Edge, Google Chrome or Mozilla Firefox. Install Microsoft Edge

November 27, 2023

Thailand: ETDA Stipulates Digital Platform Risk Assessment and Identity Verification

Subscribe to Updates

Thailand’s Electronic Transaction Development Agency (ETDA) has released two new subordinate regulations under the Royal Decree on Digital Platform Services: one detailing the assessment of digital platform services (DPSs) that will be deemed “high-risk” and subject to additional obligations, and another setting guidelines on user verification and authentication for all DPSs.

The two subordinate regulations are summarized below.

Impact Assessment of DPS Operations

Under the Royal Decree on Digital Platform Services, DPS operations that have the risk of seriously impacting financial and commercial security, reliability and credibility of data message systems, or the general public are subject to additional obligations. The first subordinate regulation mentioned above (officially titled Notification of the Electronic Transactions Commission Re: Criteria for Impact Assessment on Operation of Digital Platform Services) outlines the criteria for the ETDA to determine which DPSs are “high-risk.” DPSs falling under this designation include:

  • DPSs whose total value of transactions conducted through the platform in Thailand exceeds THB 100 million (approx. USD 2.8 million) per year;
  • DPSs whose operators have not registered their entities with the Department of Business Development (DBD)—notably overseas operators—and that have 100 or more merchants or business users in Thailand or total users in Thailand between 5 and 10 percent of the country’s population (i.e., approx. 3.3–6.1 million users, calculated using official 2022 figures);
  • DPSs that allow their users to freely post certain messages, or do certain acts, that may affect the public in certain cases, such as: (1) unlawful messages or acts; (2) messages or acts that may affect a child’s rights or people’s fundamental rights; and (3) messages or acts that may negatively affect political opinions of Thai citizens (whether before or after an election) or statements or actions likely to negatively affect other individuals due to gender differences or sexual violence.

After considering these criteria and the details provided by DPS operators when notifying the ETDA, the ETDA will announce a list of the types or names of “high-risk DPSs.”

According to the Royal Decree on Digital Platform Services, the high-risk DPSs must:

  • Conduct risk assessments;
  • Implement risk management measures;
  • Conduct hearings for changes to terms and conditions for providing the DPS;
  • Report on their compliance with the above obligations on an annual basis; and
  • Comply with other obligations to be prescribed by the ETDA.

Identification and Verification

The second subordinate regulation (Notification Re: Manual for Identification and Verification Process) prescribes the manual and standards for the identification and verification of DPS users. The manual serves as a guideline for DPS operators on verifying and authenticating the identity of high-risk or potentially impactful users. This may include users who have greater access rights or the ability to access more features than regular users, users with numbers of followers exceeding a defined threshold (e.g., more than 5,000 followers), and users with transaction volumes or frequencies exceeding specified limits (e.g., a total transaction value of more than THB 50,000 per month).

DPS operators should comply with the identity verification and authentication requirements for user registration on digital platforms by at least undertaking the following:

  • Verifying the identity of applicants for DPS user registration. Information for verifying the identity of service applicants should be from the results of identity verification by identity providers (IDPs) that have previously verified the individual’s identity (such as verifying the Thai ID card information issued by the Ministry of Interior). IDPs should support at least identity assurance level 2 (IAL2).
  • Collecting user data. For the purpose of verification and authentication, DPS operators should collect data such as name and surname, ID card number or passport number, and contact details of individual users (or for corporate entities, name of the company, corporate registration number, and name of any authorized persons). DPS operators should collect additional user data as appropriate to the nature of their DPS. For example, digital platforms categorized as online marketplaces may collect electronic commerce registration numbers.
  • Determining the access rights and features accessible on the platform. DPS operators should specify the access rights and accessible features for users based on the level of identity verification and authentication or based on the user data collected. Users who have undergone identity verification and authentication at a higher level may be granted greater access rights and more accessible features.
  • Displaying symbols or statements confirming identity verification and authentication. DPS operators should have a “verified” badge indicating that a user has completed identity verification using the methods defined by the DPS operator. The badge should be a clear and easily accessible and understandable symbol or statement. The display format should be adaptive to different screen sizes.
  • Confirming the identity of users accessing the DPS. DPS operators should ensure that the identity verification of users logging in to the DPS achieves a reliability level of at least authentication assurance level 2 (AAL2) or rely on the results of identity verification obtained from another IDP that has previously verified the individual’s identity.

For more information on compliance with the requirements for digital platform services in Thailand, please contact Tilleke & Gibbins’ digital platform specialists Athistha (Nop) Chitranukroh at [email protected], Thammapas Chanpanich at [email protected], Rada Lamsam at [email protected], or Karnravee Jitvilai at [email protected].

Related Professionals

Industries

Fintech

Technology

Location

RELATED INSIGHTS​

April 4, 2024
On March 18, 2024, the president of the Supreme Court of Thailand announced the establishment of a specialized Technology Crime Division within the Criminal Court of Thailand. This represents a significant commitment to cybercrime within the Thai judiciary and a step forward in Thailand’s ability to investigate cybercrime. The rise in cybercrime investigations in recent years has made it increasingly difficult for Thailand’s traditional criminal courts to consider and issue enforcement orders in support of ongoing investigations in a timely manner. The new Technology Crime Division addresses this challenge. This new division has jurisdiction over cybercrime and technology-related crime, fraud or extortion using computers, and criminal offenses relating to personal data protection laws. In addition, this new division has jurisdiction over all requests from competent law enforcement officers seeking court orders under the Computer Crimes Act B.E. 2550, the Personal Data Protection Act B.E. 2562, and the Cybersecurity Act B.E. 2562. The Technology Crime Division will have trainees and judges with expertise in technology and cybercrime—not only to facilitate expert prosecution of cybercrime but also to offer critical and time-sensitive support to law enforcement investigations of alleged cybercrime. The Technology Crime Division is not yet operational. The president of the Supreme Court is expected to announce the division’s opening date in the coming months. For more details on Thailand’s measures for dealing with cybercrime, please contact Michael Ramirez at [email protected] or Piyawat Vitooraporn at [email protected].
Read More
March 29, 2024
Thailand’s Cybersecurity Regulating Committee (CRC) released a notification under the Cybersecurity Act on February 22, 2024, setting key operational obligations for critical information infrastructure (CII) organizations. The notification takes effect on June 20, 2024. CII organizations are state or private entities that carry out services related to national security, public services, banking and finance, information technology and telecommunications, transportation and logistics, energy and public utilities, or public health. CII organizations will be identified by the National Cyber Security Committee (NCSC) and notified of their status. The key obligations of CII organizations are laid out below. Reporting to the National Cyber Security Agency (NCSA) CII organizations must provide the following to the NCSA: A list of executive and operational staff, along with emergency contacts who can be reached within 60 minutes in the event of a cyber threat. The NCSA must be notified of any updates to this list within 15 days following any changes. A list of internal departments or individuals who are the responsible persons, owners, and holders of the computer systems, along with emergency contacts who can be reached within 60 minutes in the event of a cyber threat. The NCSA must be notified of any updates to this list at least 7 days prior to any changes (or within 15 days after the change if there is a necessary reason). Policies, Guidelines, and Procedures As specified in the National Cyber Security Committee (NCSC) guidelines, CII organizations must prepare the following internal documents by June 20, 2025: Cybersecurity practice guidelines, consisting of an inspection plan, risk assessment, and incident response plan. Cybersecurity standards framework, consisting of measures for risk identification, risk prevention, threat detection and monitoring, incident responses, and resilience and recovery. CII organizations must also prepare the following: Mechanisms, procedures, and steps for monitoring and detecting
Read More
March 29, 2024
Vietnam’s Ministry of Public Security (MPS) is drafting two reports to present to the government in May 2024 to advocate for the development and adoption of a Law on Personal Data Protection. These reports include an assessment of the policy impact of the proposal to develop a personal data protection law, and an assessment of the current state of social relations related to personal data protection. Decree No. 13/2023/ND-CP on Personal Data Protection (PDPD), adopted in April 2023, became the first comprehensive legal instrument on data protection in Vietnam. When the National Assembly was debating its text and adoption in 2022 and 2023, questions were raised as to the status of this new regulation and the legality to adopt a decree before a law. In accordance with the public announcements made throughout the development of the PDPD assuring that a law would be developed at a later stage, the MPS is now advocating for the development of a Personal Data Protection Law and has drafted the two reports pursuant to the Law on the Promulgation of Legal Documents. The main arguments advanced by the MPS in the two reports are as follows: As the right to privacy is enshrined in the Constitution, any restrictions thereof must be made through a law and not a decree. The MPS is notably referring to the lawful basis for processing and limited exceptions to consent under the PDPD. This may be a sign that the MPS intends to widen the exceptions to consent under the new law. The definitions of “personal data” and “personal data protection” need to be harmonized to consolidate the regulatory framework. The MPS indicates that there are 69 legal documents directly related to “personal data protection” in Vietnam with more than 10 different definitions, while “personal information” appears in
Read More
March 28, 2024
Recently, Vietnam has witnessed a dramatic increase in cyber fraud, causing significant financial losses and posing a grave threat to both Vietnamese and foreign entities. With the increasing reliance on digital technology and the widespread adoption of online platforms, the country has become fertile ground for cybercriminals to exploit vulnerabilities and conduct various fraudulent activities. This article aims to present an overview of addressing cyber fraud in Vietnam and offers practical advice for businesses to safeguard themselves from becoming victims of such illicit activities.
Read More

Contact

We have seven offices in six countries
across Southeast Asia.

Contact Us

Careers

We are always seeking great people to grow
our amazing team.

Join Us

Networks

© 2023 Tilleke & Gibbins International Ltd. All rights reserved.

© 2020 Tilleke & Gibbins International Ltd. All rights reserved.

Privacy Policy

| Legal Notice