On 6 May 2026, Thailand's Board of Investment approved six projects worth a combined 958 billion baht — roughly US$29 billion — in what its press release (No. 67/2569) framed as confirmation of the country's arrival as a regional digital hub. The anchor is enormous: an 842 billion baht (~US$25 billion) data-infrastructure buildout by TikTok System (Thailand), spread across Bangkok, Samut Prakan and Chachoengsao. Three data-center and cloud projects in the batch account for about 913 billion baht (~US$27 billion) on their own. BOI Secretary General Narit Therdsteerasukdi called it a reflection of "investor confidence in the country's potential as a regional technology hub."
The optimism is warranted. This is exactly the kind of capital — long-lived, infrastructure-grade, employment-generating — that a middle-income economy should want. But the same data those servers will store and move sits inside a data-protection regime that is tightening at precisely the moment the hardware lands. Whether the US$29 billion compounds into a genuine hub, or merely a cluster of buildings serving foreign demand, will turn less on the BOI's tax holidays than on how predictably Thailand administers its Personal Data Protection Act (PDPA, B.E. 2562).
The cross-border bottleneck
A data hub is, by definition, a place data flows through. Thailand's cross-border transfer rules — subordinate regulations under PDPA Sections 28 and 29, published in the Government Gazette on 25 December 2023 and effective 24 March 2024 — set out how that flow is permitted. Per Baker McKenzie's analysis, transfers are lawful through one of three channels: an adequacy decision (the "whitelist"), Binding Corporate Rules (BCRs), or appropriate safeguards such as standard contractual clauses.
The problem is the first channel. More than two years after the rules took effect, the Personal Data Protection Committee (PDPC) still has not published a list of "adequate" jurisdictions. In practice every multinational must fall back on BCRs or bespoke safeguards — slower, lawyer-intensive, and uncertain. For a hyperscaler routing traffic across a dozen markets, that friction is a tax on the very interoperability a hub is supposed to provide.
Steelmanning the regulator
The case for caution is real and should be stated plainly. Biometric and behavioral data — the kind a short-video platform and its recommendation engine generate at scale — is genuinely high-risk: an iris template or a face print, once leaked, cannot be reset like a password. A country inviting the world's data onto its soil has a legitimate interest in ensuring that data does not then leak back out, unprotected, through a jurisdiction with weaker safeguards. An adequacy whitelist that is too permissive would hollow out the protection the PDPA promises Thai citizens. Regulators are right to want enforcement teeth before they wave traffic through.
And they have shown those teeth. In 2025 the PDPC issued fines across five enforcement cases totaling roughly 11.4 million baht, per DLA Piper's review — including a 7 million baht penalty against a technology retailer for inadequate security and failure to report a breach. In late 2025, Thai authorities ordered the operator of a crypto-linked iris-scanning service (widely reported as World, formerly Worldcoin) to halt collection and delete the biometric data of some 1.2 million Thai users. The signal is unmistakable: the PDPC is no longer a paper regulator.
Enforcement and predictability are not the same thing
Here is where a pro-innovation, evidence-based position diverges from the regulator's current posture — not on whether to enforce, but on how to make the rules legible. Active enforcement is welcome; arbitrary enforcement is not. The two are distinguished entirely by predictability.
A US$25 billion data center is a multi-decade commitment underwritten today on assumptions about what will be legal tomorrow. If the adequacy whitelist remains permanently empty, if "appropriate safeguards" are assessed case-by-case with no published benchmark, and if biometric-handling standards arrive through enforcement actions rather than ex-ante guidance, then the compliance cost is not the 5-million-baht fine ceiling — it is the impossibility of pricing the risk at all. Capital can absorb a known tax. It struggles to absorb discretion.
The fix is not deregulation. It is administrative clarity:
- Publish the adequacy whitelist. A transparent list — even a short one anchored to the EU, ASEAN partners, or jurisdictions with comparable laws — converts an open-ended legal question into a checkbox.
- Issue ex-ante biometric guidance. Tell operators what compliant iris- and face-data handling looks like before, not after, an enforcement order.
- Standardize the safeguards route. Pre-approved standard contractual clauses, as the EU and now several Asian regimes offer, let firms self-certify against a known template.
The window is now
The BOI approval and the PDPA build-out are not separate stories; they are the same story told from two ministries. Thailand has just won the hardware. The harder, cheaper, and more decisive contest is over the rulebook that governs what runs on it. Singapore did not become Asia's data hub on tax incentives alone — it did so on regulatory legibility. Thailand has the capital commitment Singapore would envy. If the PDPC pairs its new enforcement credibility with published adequacy decisions and clear biometric standards, the US$29 billion becomes a foundation. If it leaves the rules to discretion, the servers will run — but the higher-value flows will route around them.