Thailand currently has no specific law or regulation relating to the metaverse. As a result, the metaverse is governed by general laws and regulations such as the Civil and Commercial Code (CCC), the Electronic Transactions Act B.E. 2544 (2001), the Personal Data Protection Act B.E. 2562 (2019) (PDPA), IP laws and the Cyber Security Act B.E. 2562 (2019) (CSA).

As the metaverse has a persistent virtual environment that allows access to and the co-working of many individual virtual realities, it is likely that a legal relation or a legal dispute may arise in the metaverse. Any agreement or contract made in the metaverse is considered valid under Thai law if the electronic signature can be identified and verified by the signatory as being their own, and if the method/channel used for the signing is reliable for the purpose for which the data is generated or sent, taking into account the circumstances of an agreement between the parties under the Electronic Transactions Act B.E. 2544 (2001).

Furthermore, the relevance of the PDPA may be triggered insofar as personal data is used in the platform. In addition, real-time interaction activities that may occur are likely to involve biometrics data in connection with motion or sentimental expression considered as sensitive data. Consequently, metaverse developers must include a channel/methodology to obtain explicit consent from the user prior to collecting and processing data, and to ameliorate data protection measurements by complying with the PDPA.

Looking into transactions, metaverse platforms necessitate the use of digital assets as a form of payment for goods and services. However, the legislation to facilitate the use of digital assets as a means of payment in Thailand is inadequate.

With respect to IP in the metaverse, Thailand has ensured rights regarding IP in the Copyright Act B.E. 2537 (1994) (CRA), the Patent Act B.E. 2522 (1979) (PA) and the Trademark Act B.E. 2537 (1994). As a result, certain assets in the metaverse, such as computer software, NFTs, software processes, etc, will be protected under Thai IP law, subject to compliance with the relevant laws.

Even though there is legislation in Thailand covering this cutting-edge technology, the laws tend to be defensive instruments rather than preventative as most of them, such as the CSA, designate a committee to create plans or measurements to handle issues that may arise. Following the introduction of the metaverse, Thailand’s government sector is currently in the primary stage in matters regarding this, such as law enforcement, jurisdiction, legislation, etc.

Master Plan for Digital Economy B.E. 2561-2565 (2018–2022)

Thailand currently has the Development of Digitality for Economy and Society Act B.E. 2560 (2017), under which the Master Plan for Digital Economy B.E. 2561-2565 (2018–2022) was prescribed. The plan focuses on four strategies:

• to improve digital manpower;
• to enhance the Thai economic sector towards a digital Thailand;
• to drive communities into the digital economy; and
• to improve infrastructure to support digital innovations.

In order to accomplish these goals, the plan drives the following ten programmes:

• Digital Manpower;
• Digital Citizen;
• Digital Transformation;
• Digital Industry Promotion;
• Digital Startup;
• Digitalised Community;
• Social Digital Innovation;
• Smart City;
• Big Data and Innovation; and
• Cyber Security.

According to the Performance Report produced by the Digital Economy Promotion Agency, three of the strategies have met the target, but the improvement of infrastructure to support digital innovations has not occurred. Moreover, amendments and updates to certain laws and regulations have been planned, as follows:

• tax measures to promote the use of computer programs by Small and Medium Business Entrepreneurs, such as a two-time Corporate Income Tax exemption when purchasing or utilising software services;
• a 2.5-times Corporate Income Tax exemption for training or providing training sessions for employees to enhance skills in science, technology, engineering or mathematics (STEM);
• amendments to laws and regulations that hinder investments, such as pushing forward the CCC to attract foreign investors to invest in start-ups in Thailand, such as Venture Capital;
• issuing a notification and development manuals for a smart city to promote investment and tax benefits for the development of smart city areas and smart city system developing businesses; and
• legislating a royal decree for Capital Gains Tax exemptions in targeted companies.

Master Plan for Digital Economy B.E. 2566-2570 (2023–2027)

This was recently prescribed, with the aim of developing a strong, resilient and dynamic digital economy and society with advanced human capital, technology and innovation. This recent plan focuses on four strategies:

• to adjust human capital to cope with the digital economy and society;
• to change the old-fashioned economy to a high-value digital economy;
• to provide opportunities to spread prosperity equally; and
• to enhance the efficiency of digitalised innovation infrastructure.

Digital Asset Businesses Emergency Decree B.E. 2561 (2018) (DAB)

The DAB was promulgated to address the rising trend of cryptocurrency usage and investments with an exorbitant amount of capital in various digital currency brokers in recent years. The DAB empowered the Securities and Exchange Commission (SEC) to prescribe policies for encouragement and development, together with regulating digital currency and digital currency operators.

After the DAB was enforced, substantial numbers of businesses associated with cryptocurrencies and digital tokens have obtained applicable licences from the SEC. The licence categorises the operators into the following types of business operation:

• Digital Asset Exchange;
• Digital Asset Broker;
• Digital Asset Dealer;
• ICO Portal;
• Digital Asset Advisory Service; and
• Digital Asset Fund Manager.

Digital asset businesses

Digital asset businesses under the DAB are categorised into three types:

• Digital Asset Exchange;
• Digital Asset Broker; and
• Digital Asset Dealer.

Those who intend to operate a digital asset business shall be approved by the Minister of Finance upon recommendation of the SEC. In undertaking digital asset businesses, the approved operators shall comply with the rules, conditions and procedures as specified in the notification of the SEC, such as:

• having adequate sources of capital covering business operation and other several risks;
• having reliable operating systems and data security systems;
• maintaining records of assets belonging to individual clients;
• segregating clients' assets from their own assets; and
• conducting Know Your Customer (KYC) and Customer Due Diligence (CDD) procedures.

When any digital asset business is in a situation where its financial condition or operation may cause damages to the public or is in violation of relevant regulations, the SEC is empowered to order such business to rectify the problem or it can temporarily suspend the business operation wholly or partially. If the digital asset business still fails to comply or has repeated the violations, the Minister of Finance is empowered to revoke business approval, upon a recommendation from the SEC.

Preventing the exploitation of digital assets to facilitate illegal transactions

The DAB obliges issuers of digital tokens who are willing to accept cryptocurrencies in the offering process, or operators of digital asset businesses who are willing to accept cryptocurrencies from the counterparties in any transaction, to only accept cryptocurrencies obtained from or deposited with operators of digital asset businesses that are regulated/licensed under the DAB. The rationale is to preserve the integrity of markets by ensuring that the cryptocurrencies being transacted come from traceable sources.

Furthermore, the DAB states that digital asset businesses and ICO portals are considered “Financial Institutions” under the Anti-Money Laundering Act B.E. 2542 (1999), to prevent the exploitation of digital assets as a channel for money laundering.

Maintaining financial and economic stability

Where transactions, business operations or other activities related to digital assets may significantly affect the stability of the national financial system or economy, the Minister of Finance, upon approval of the Cabinet, is empowered to prohibit digital asset businesses from engaging in any digital asset-related activity, or to suspend their operations wholly or partially.

Preventing unfair trading practices

The DAB imposes offences of unfair trading in relation to the purchase, sale or exchange of digital assets taking place in a Digital Asset Exchange in a similar manner to the corresponding provisions in the Securities and Exchange Act B.E. 2535 (1992), such as false dissemination, insider trading, front running and market manipulation. This is to ensure that secondary markets for digital assets are fair, transparent and efficient, market integrity is preserved, and investors are protected.

Electronic transaction services using cloud and edge computing are common in Thailand due to the rapid advancement of technologies in the country. The notification regarding Guidelines for Using Cloud Services B.E. 2562 (2019) (NGCS) was issued by the Electronic Transactions Commission (ETC) under the Electronic Transactions Act (ETA) B.E. 2544 (2001).

The NGCS provides cloud computing service guidelines, as follows.

Technical Precautions

Service providers shall have safeguards for technical security and reliability, such as Virtual Infrastructure, access control identity verification, System Development Life Cycle (SDLC), maintain the security in software development and Application Programming Interface (API), etc.

Service Efficiency

A cloud computing user shall consider the efficiency of the service in the Service Level Agreement, which covers points such as availability, response time, capacity, service support and an exit plan.

Security

A cloud computing user shall consider the security measurements of the service in the Service Level Agreement, which covers points such as international standard reliability, authentication level and outsourcing, data classification and key access control policy, security management and incident reports, data entry and system usage verification, vulnerability assessments and penetration testing, and good governance.

Data Management

A cloud computing user shall consider the Service Level Agreement in regard to data classification, data reserve and recovery, data cycle and data transfer.

Financial Institutions

The Bank of Thailand (BOT) has notified the Criteria for Supervising Information Technology Risk, SorNorSor. 21/2562 (2019) (“BOT notification”), which focuses mainly on regulating the IT outsourcing of finance institutions, such as cloud computing, which must be the subject of an annual IT report submitted to the BOT. The BOT notification also prescribes the Third-Party Risk Management Implementation Guideline (“BOT Guideline”), under which finance institutions must comply with the BOT notification. The BOT Guideline mainly targets risk governance, third-party risk management and BOT IT outsourcing reports.

In regard to cloud computing, financial institutions shall maintain the confidentiality of clients' personal data, as prescribed in the PDPA and the BOT notification regarding Market Conduct B.E. 2563 (2020) (“Market Conduct notification”). The Market Conduct notification focuses on supervising the protection of clients' personal data and the disclosure thereof to a third party.

Insurance

The Office of Insurance Commission (OIC) notified the OIC notification regarding the criteria to supervise and manage the information technology risk of insurance companies B.E. 2563 (2020) (“OIC notification”). Consequently, the Guideline of Supervising the Use of IT Outsourcing Service B.E. 2564 (2021) (“OIC Guideline”) was prescribed to comply with the OIC notification. The OIC Guideline mainly targets the supervision of IT outsourcing, the risk management of IT outsourcing, the criteria involved in outsourcing, the model for insurance companies to manage unexpected scenarios, business continuity management (BCM), outsourcing security and IT outsourcing reports.

In regard to cloud computing, the company shall have an international data protection standard, such as data encryption and key management. In addition, the company shall have measurements to recall all user data from the outsourcer and ensure that the outsourcer is competent to destroy users' data after the termination of service. Moreover, the outsourcer shall maintain data protection standards that comply with the relevant laws and international standards.

Thailand has no specific law or regulation relating to artificial intelligence (AI) and big data. As a result, AI and big data are governed by general laws and regulations, such as the CCC, intellectual property law and personal data protection law. This represents a challenge for those involved with these subject matters, as the general laws must be used and applied in any disputes that arise. Regarding personal data, the data controller must comply with the specific regulations under the PDPA, which will apply across all businesses that involve the collection, disclosure and/or utilisation of personal data.

There are debates in Thailand on the status of AI as a property or non-property. However, the CCC defines “property” as corporeal objects and incorporeal objects that are susceptible of having a value and of being appropriated. Therefore, AI may be considered as property (incorporeal object) under Thai law if it has a value.

AI as a property is protected by the intellectual property law. To begin with, the CRA protects computer programs, which it defines as instructions, sets of instructions or any other things that are used with a computer so as to operate the computer or to generate an output, whatever the computer language is. Therefore, the CRA only protects the source code, and not the algorithm. If a product was created by AI, the copyright of the product would belong to the owner of the AI.

However, the PA does not protect the invention of computer programs and scientific or mathematical rules or theories. “Algorithm” has been defined in academic circles as a part of a scientific or mathematical theory, so AI is not protected under the PA.

Looking into the liabilities in the event that AI causes damages, the injured person can take action under general laws such as tort law under the CCC, with the liability stipulated by law falling to the AI controller or possessor unless it can be proved that the injury results from force majeure or is the fault of the injured person.

Thai laws apply specific requirements – such as insurance, minimum capitalisations or individual licences – on the primary business operation alone, without further considering the technology or platform with which the business operates. As a result, business operators are not subject to additional regulations, particularly those pertaining to AI and big data.

There is currently no specified law to regulate internet of things (IoT) devices in Thailand. The CSA focuses on regulating, planning, coping with and minimising cyber threats to the security of the state, government services, banking and finance, media and telecommunications, logistics, energy and public utilities and public health, through committees under the CSA.

The Industrial Product Standard Act B.E. 2511 (1968) (ISPA) – which indicates industrial product standards and prevents price competitions among manufacturers that lead to lower product quality – cannot be a tool to regulate IoT importers or manufacturers regarding systems or personal data due to the ISPA targeting the regulation of physical products.

However, there are laws and regulations related to the IoT, as follows.

Computer-Related Crime Act B.E. 2550 (2007) (CRCA)

The CRCA prescribes preventative and suppression measures in the event of a person (or persons) causing a computer system to not operate as ordered or to operate incorrectly, or illegally accessing another person’s computer data in order to modify or destroy the data or utilise the computer system to disseminate false computer data or obscene images, causing damage affecting the economy, society and state security, including peace and the good morals of the people.

The IoT is defined as a computer system under the CRCA, and is therefore subject to criminal punishments. However, the CRCA cannot be considered as a mechanism to protect the preventative use of IoT devices and the safety of use, nor for requiring IoT devices to have appropriate security systems in order to prevent offences committed against an IoT device.

PDPA

The PDPA indicates the obligations for organisations that collect, use or disclose personal data to be cautious and maintain the standards of data security as prescribed by the PDPA. Moreover, the PDPA prescribes data subject rights regarding requests to:

• access or copy personal data;
• disclose personal data for which consent has not been given;
• delete or destroy personal data;
• modify personal data so that it cannot be identified.

As a result, the data controller that received the personal data via the IoT must obtain consent from the data subject in order to collect, use or disclose said data without causing any damages or operating beyond the consent of the data subject. Failure to comply with the PDPA may lead to complaints and administrative or criminal penalties.

The PDPA may assure IoT users of the obligations that require IoT device manufacturers to create a path to obtain consent in each utilisation of IoT devices. However, some IoT devices require users to give consent in several accesses of personal data, such as location tracking, cookies and internet usage, which leads to abundant personal data; if the user or data subject did not give consent, the IoT device could not be used under the terms and conditions imposed by the IoT service provider.

The Radio Communications Act B.E. 2498 (1955) (RCA)

The RCA requires a business operator who performs transactions (such as producing, possessing, trading, importing and exporting) on radio communication equipment to obtain a licence from the National Broadcasting and Telecommunications Commission (NBTC) before commencing any such transaction. Such transactions must be reported to the NBTC or subject to an importation licence obtained from the NBTC.

There is a licence exemption for specific radio communication equipment, such as that using Wi-Fi 2.4GHz. The NBTC may also issue a Notification on exemptions on a case-by-case basis. In addition to the licence requirement, such radio communication equipment must meet the technical and safety standard prescribed by the NBTC. Therefore, each radio communication equipment's technical and safety standard shall be specified in the NBTC Notification.

In Thailand, audio-visual media services (eg, TV, radio) are regulated by the NBTC under the Broadcasting and Television Business Act B.E. 2551 (2008) (“Broadcasting Act”). The content of films, videos and their advertising media are also regulated under the Film and Video Act B.E. 2551 (2008). Therefore, a censorship committee of officials will review, approve or censor the content of films, videos and advertisements, and approve other film and video-related activities in Thailand, such as the production or distribution of foreign films.

The Broadcasting Act categorises licences for audio-visual media service into three types, each of which has the following foreign ownership restrictions.

• Licence to operate public services: a licence issued for business operations, the main objectives of which are to provide public services (only available to government entities and specific associations, charities, foundations and educational institutions, and not to private sector operators). This licence can be divided into three types, as follows:
1. Type One Public Services Licence, which shall be issued for sound broadcasting business or television business mainly intended for enhancing knowledge, education, religions, art and culture, science, technology, the environment and agriculture, and for promoting other occupations, health, sanitation, sports or the quality of life of the public;
2. Type Two Public Services Licence, which shall be issued for sound broadcasting business or television business mainly intended for state security or public safety; and
3. Type Three Public Services Licence, which shall be issued for sound broadcasting business or television business mainly intended for distributing news and information for:
1. the promotion of good understanding between the government and the public, and between the National Assembly and the public;
2. distributing news and information for the promotion and support of the dissemination and provision of education to the public with regard to the administration under the democratic form of government with the King as Head of State;
3. providing news and information services publicly beneficial for the disabled, underprivileged or interest groups who conduct social activities; or
4. providing news and information services for other public interests.
• Licence to operate community services: a licence for business operations that have the same objectives as those of public services businesses, provided they must provide a benefit that meets the needs of the community or locality receiving the services (only available to government entities and specific associations, charities, foundations and educational institutions, and not to private sector operators).
• Licence to operate business services: where the main objective is to generate profit, these are subdivided into three levels: national, regional and local. Foreign ownership is limited to 25%. The foreign ownership restriction under this sector-specific law applies above the general Foreign Business Act, so the holder of such licence may only have up to 25% of its shares held by non-Thai shareholders.

An applicant must be of Thai nationality, must not be on a probationary period restricting them from using the licence, and cannot have exceeded three years of a licence withdrawal period. The approval process usually takes up to 60 days after submitting all the necessary documents. If approved, the applicant will be granted the right to operate under the express terms of the given licence. A broadcasting schedule may be allocated to other licensed broadcasters if the broadcaster complies with the rules and regulations prescribed by the NBTC.

The NBTC will grant a seven-year term for sound broadcasting licensees and five years for television broadcasting licensees. Licences may be renewed 90 days before expiry. Licensees must pay annual fees for their respective licences.

Under the Notification regarding Broadcasting and Television Business Licence fee, there are fees for a licence application consideration (which depends on the type of licence) and an annual fee. The annual fee is collected at progressive rates, as follows:

• 0.5% of the first THB5 million (~USD150,000) income;
• 0.75% between THB5 million and THB50 million (~USD1.5 million) income;
• 1% between BHT50 million and BHT500 million (~USD15 million) income;
• 1.75% between THB500 million and THB1 billion (~USD30 million) income; and
• 2% above THB1 billion income.

These requirements do not apply to video-sharing platform services or over-the-top (OTT) services (eg, video platforms with user-generated content or videos on demand). According to the NBTC, the scope of what constitutes “broadcasting” will be determined with the goal of regulating OTT Services. OTT operators have been informed that they must register themselves with the NBTC and that they would be governed by specific rules and regulations, regardless of nationality.

Organisation to Assign Radio Frequency and to Regulate Broadcasting and Telecommunications Services Act B.E. 2553 (2010) (“NBTC Act”)

The NBTC Act defines “Telecommunications service” as a service that sends, transmits or receives signs, letters, figures, pictures, sounds, codes or anything else made comprehensible by frequency waves, wireless, lighting, electromagnetic systems or any other systems, or other activities prescribed by law to be telecommunications services. Therefore, a device that meets this definition is deemed to fall within the scope of Thai telecommunications rules.

The NBTC Act establishes the NBTC as an independent broadcasting and telecommunications business regulator. Subject to supervision by the NBTC, the Telecommunications Committee regulates telecoms business in compliance with the Telecommunications Business Act B.E. 2543 (2001) (“TA”), which applies to operators of telecommunications services.

Telecommunications licences are divided into the following three types:

• Type 1 licence, for telecommunications business operators who provide telecommunications services without operating a telecommunication network;
• Type 2 licence, for operators who provide services to a specific group of customers with or without operating a telecommunication network; and
• Type 3 licence, for operators who operate a network providing services to the general public.

The TA imposes various foreign ownership restrictions for each type of telecoms licence, as follows:

• Type 1 licence – no ownership restrictions apply, so operators with a Type 1 licence are only subject to the Foreign Business Act, and a foreign business licence is required;
• Type 2 licence – foreign ownership is limited to 49% of the total shares, so a Type 2 licence holder may only have up to 49% of its shares held by non-Thai shareholders; and
• Type 3 licence – the restrictions for Type 3 licence holders are the same as for Type 2 licence holders.

The different categories of licences cover various services as indicated in the operator’s licence application. The applicant must be a legal person as established under Thai law, and must not be a bankrupt or a party that has previously had a telecommunications licence revoked. In addition, technical and commercial information relating to the business operations of the applicant – including the network structure, financial investment plan, marketing plan, service details and equipment details – must be provided to the NBTC for its consideration.

The approval of all types of licences usually takes approximately 60 to 90 days after all necessary documents and information have been submitted to the NBTC. If approved, the applicant will be granted the right to operate strictly under the express terms of the licence. Licensees must pay annual fees for their respective licences.

NBTC Inspection

Business operators who wish to manufacture, sell or import devices that have been inspected and approved by the NBTC shall not be required to provide samples of such devices for the NBTC’s inspection and approval; they can skip the inspection process and go straight for the manufacture, sell or import certificate.

However, the operator must provide samples of any devices that have not yet been inspected or approved by the NBTC to the NBTC for inspection and approval prior to obtaining the certificate required for its business operation. This will require some extra time (approximately ten working days) and effort from the applicant, especially for brand-new devices with new technology that is unknown to the NBTC. After the consideration, the NBTC will notify the result to the applicant within seven days.

In addition to the NBTC inspection and approval, operators who wish to manufacture, sell or import certain telecommunication devices that have obtained certain international inspections/approvals (such as certain ISO marks) may file documentation relating to the international approval (such as the ISO certificate) to the NBTC for its consideration rather than submitting product samples for the NBTC’s inspection/approval. The goal is to shorten the process to obtain the relevant certificate required (whether manufacture, sell or import) prior to operating such telecommunication business in Thailand.

There are no specific laws and regulations that apply to technology agreements, and there is currently no particular law or regulation that requires data to be stored locally in Thailand. Nevertheless, industry-specific regulations mandate that some data is to be available or processed within Thailand. The banking industry, for example, requires banks to process debit card transaction data and make electronic payment system data available in Thailand.

As there is no direct legal requirement for the terms and conditions in a technology agreement, the challenge is to establish an agreement with terms and conditions that cover all the necessary elements. The provisions stated therein shall be based on the intention of the parties and the work for hire concept under the CCC. Except for the specific commercial and technical terms prescribed in the service agreement, the following terms should be noted and stated therein:

• terms and conditions regarding personal data protection should be prescribed in the service agreement if there are performance results in the collection, use or disclosure of the individual’s personal data under the PDPA;
• the scope of work must be specified;
• the timeframe of the services – or milestones – and delivery methods must be specified;
• there must be a provision regarding the confidential information of the parties, such as trade secrets, know-how methods, etc; and
• there must be a provision regarding intellectual property, and the ownership thereof must be clearly specified. Under a standard work for hire agreement, the hirer (the customer who hires the service provider) is considered the owner of the work products, but a service agreement can specify the owner of specific intellectual property, so as to protect the ownership of the works and assets.

Banking and Insurance

The BOT and the OIC) have notified the terms that should be stated in the business partner (ie, outsourcing) agreement, as follows:

• details regarding scope of service, responsibility, risk management, internal control systems and the financial institution’s asset security system;
• the service level agreement to indicate the standards of services in both common and uncommon situations;
• the business continuity plan;
• the process to follow, examine and evaluate efficiency;
• service fee;
• the timeframe, terms and conditions regarding the termination, amending and renewal of the contract;
• the scope of responsibility in case of service interruption; 
• the data security, confidentiality and data privacy of customer and financial institution, including access rights and data ownership, such as methods to transmit information and data storage, etc, as well as an indication of penalties in the event of information disclosure;
• no prohibition on providing the same services to other financial and insurance institutions;
• compliance with Thai laws;
• conditions to subcontract under BOT and OIC regulations; and
• an indication of the rights of BOT and OIC under BOT and OIC regulations.

The Royal Decree on Security Procedures regarding Electronic Transactions B.E. 2553 (2001) (SPET) is prescribed under the Electronic Transactions Act B.E. 2544 (2001) (ETA) and mainly indicates the criteria of a reliable electronic transaction and divides the security procedure into three levels: strict, intermediate and basic. These three levels are categorised under the notification regarding the standard for maintaining information security, which mainly focuses on the establishment of administrative security, information security in respect of personnel, physical security and the environment, etc.

The Royal Decree regarding the supervision of services related to licensed digital authentication B.E. 2565 (2022) (“Digital Authentication Decree”) was promulgated on 22 December 2022 under the ETA, and will become effective 180 days after the promulgation date. Digital authentication service providers are subject to be approved for a licence by the Electronic Transactions Development Agency (ETDA). Services deemed to fall within the scope of such a licence are authentication services, issuing and managing authentication services and information exchange services for the authentication and verification of digital identity. However, the authentication of electronic signature service providers under the ETA does not fall within the scope of a licence under the Digital Authentication Decree.

Therefore, digital authentication service providers are obliged to comply with the regulations under the Digital Authentication Decree, including the duty to report and comply with notifications notified by the ETDA regarding authentication data outsourcing, change of corporate structures, cessation of service, lawsuits against the service provider, director or manager qualifications, minimum company limited or public company limited registered capital, business and authentication system assessments, etc.

Regarding the use of electronic signatures, the ETA prescribes that the method of electronic signature must be:

• capable of identifying the signatory and indicating that the signatory has approved the information contained in such data message as being their own; and
• reliable and appropriate for the purpose for which the data message is generated or sent, having regard to the surrounding circumstances or an agreement between the parties.

Therefore, electronic signatures are legally effective and enforceable in Thailand, except in those transactions prescribed by a Royal Decree to exclude electronic signatures under the ETA (ie, transactions relating to family and succession).

Regarding digital identity, the Royal Decree regarding Digital platform service business that must notify B.E. 2565 (2022) (“Digital Platform Decree”) was promulgated on 22 December 2022 under the ETA and will become effective 240 days after the promulgation date.

The Digital Platform Decree prescribes that any digital platform that provides a service in Thailand and has an annual income of more than THB1.8 million (~USD53,000) for a natural person operator or THB50 million (~USD1.5 million) for a juristic person operator, or any platform that provides to more than 5,000 users per month, must provide the ETDA with information concerning the operator, digital platform, users, co-ordinator (if a digital platform operates overseas), etc. The definition of digital platform service is wide, so most digital platform services in Thailand are deemed to fall under the Digital Platform Decree.

Furthermore, the co-ordinator must not be a foreign business operator, and a digital platform entity establishment is not required. In addition, the ETDA is empowered to restrict the digital platform in the event of non-compliance with Thai laws and regulations. The digital platform must inform the terms and conditions of use and provide mitigation and compensation measures to compensate those who have been damaged through the digital platform operation. In order to cease operation, the co-ordinator must notify the ETDA under the regulation prescribed by the ETDA. However, any digital platform that needs to notify the ETDA and operated before the effective date of the Digital Platform Decree is able to notify the ETDA within 90 days after the effective date.