Thailand Issues New Law to Regulate Digital ID Services
Thailand Issues New Law to Regulate Digital ID Services informed by Tilleke & Gibbins
Tilleke & Gibbins, one of our corporate Members informed us that Thailand has issued a Royal Decree on the Supervision of Regulated Digital Identification Authentication and Verification Service Businesses B.E. 2565 (2022) (the “Royal Decree”), aimed at regulating business operators that provide digital identity authentication and verification services (“Digital ID Services”). The Royal Decree was published in The Government Gazette in December 2022 and will take effect 180 days from the publication date, on June 21, 2023.
The key details and requirements of the Royal Decree are as follows:
Regulated Digital ID Services
Under the Royal Decree, the provision of the following Digital ID Services requires prior approval from The Electronic Transaction Development Agency:
- Identity verification service – Services for collecting and identifying information relating to the identity of a person, and verifying the connections between the person and the identity.
- Authenticator issuance and management service – Services relating to the connection between a person who has passed the identification process with an authenticator, and managing actions which are used to identify a person.
- Authentication service – A process to authenticate a person by inspecting his/her authenticator.
- Digital ID networks/systems – Provision of networks or systems used to exchange information for digital identification purposes, excluding services provided by an intermediary.
Exempted Digital ID Services
The Royal Decree also specifies a list of Digital ID Services that are exempted from supervision under the Royal Decree, as follows:
- Issuance of certificates to support the use of electronic signatures in accordance with the Electronic Transaction Act.
- Digital ID Services are conducted for use within the operator’s own business only and do not involve the provision of such services to third parties.
- Other Digital ID Services as prescribed by the Electronic Transaction Committee.
Qualifications of Business Operators
The types of business operators qualified to operate Digital ID Services include (i) private limited companies; (ii) public limited companies; and (iii) other juristic persons as prescribed by the Electronic Transaction Committee. The Royal Decree also prescribes the qualifications and prohibited characteristics for directors, management, and responsible persons; they shall not be bankrupt, incompetent, quasi-incompetent, etc.
The Electronic Transaction Committee may, as it deems appropriate, impose minimum capital requirements at a later stage, and may also stipulate rules and requirements on other related matters such as risk management measures, security measures, and consumer protection.
Commencement of Business Operation
Before commencing its Digital ID Services business, within 180 days from the approval date, the business operator is required to submit an assessment report to demonstrate that it is ready to commence the business, whereby the business operator must at least be ready and fully prepared with respect to technology and personnel. If necessary, the 180-day period can be extended, but not by more than 240 days.
Actions Required for Existing Business Operators
The Royal Decree allows existing business operators to continue providing Digital ID Services. Still, they must submit an application, together with the assessment report demonstrating their readiness for operation of the Digital ID Services business, within 90 days from the effective date of the Royal Decree by September 18, 2023. Once the application and report have been submitted, the business operators are entitled to continue operating their Digital ID Services businesses until and unless the Electronic Transaction Committee issues an order for them to cease operations.
For other interesting articles from our members and chamber activities, please visit our website.