Thailand's Personal Data Protection Committee (PDPC) has turned a long-promised compliance route into a live one. Following publication of the PDPC Regulation on the Examination and Certification of Binding Corporate Rules B.E. 2568 in the Royal Gazette on 17 February 2026, the BCR regime is now operational as a lawful cross-border transfer mechanism under the Personal Data Protection Act B.E. 2562 (2019). A Baker McKenzie insight published on 28 April 2026 confirmed the framework is working in practice, with the PDPC having approved the first two corporate groups on 30 September 2025.
For a publication that backs the open internet, this is a welcome piece of regulatory plumbing — and a model of how data-protection law can enable cross-border commerce rather than wall it off.
Why the bottleneck existed
First, the steelman. Thailand's PDPA, like the GDPR it borrows from, treats personal data leaving the country as inherently risky: once data sits on a server in another jurisdiction, a Thai data subject can lose any practical ability to enforce their rights. Section 28 lets controllers transfer to countries the PDPC deems "adequate," and Section 29 permits transfers under "appropriate safeguards" that preserve enforceable rights and effective remedies. The logic is sound — protection should follow the data, not stop at the border.
The problem was implementation. The PDPC has never published an adequacy whitelist. The Section 28 and 29 notifications took effect only on 24 March 2024. With no "adequate" destinations designated, nearly every routine transfer — a Thai subsidiary syncing HR records to a regional headquarters, a Bangkok call centre using a cloud CRM hosted abroad — defaulted to the Section 29 safeguards route. In effect, the law switched on a broad prohibition before the lawful exits were built. Multinationals were left relying on standard contractual clauses and consent workarounds while the most robust intra-group mechanism, BCRs, existed only on paper.
That gap matters for an economy this digital. Thailand's digital sector was projected to reach roughly $140 billion in 2025, growing 7.3% against overall GDP growth of just 2.8%, according to the U.S. International Trade Administration. The World Bank rates it the second-largest digital economy in ASEAN, contributing around 6% of GDP. An economy that increasingly runs on cross-border cloud services cannot afford a transfer regime that is theoretically strict but practically unworkable.
What the BCR framework actually does
Binding Corporate Rules are group-wide, legally binding privacy policies that let a multinational move personal data among its own entities under a single enforceable standard. The B.E. 2568 regulation establishes Thailand's first formal certification process for them, administered by the PDPC, in both controller (BCR-C) and processor (BCR-P) flavours.
The certification criteria are demanding but coherent. Per analyses from Tilleke & Gibbins and LawPlus, approved BCRs must grant Thai data subjects third-party beneficiary rights (the ability to enforce the rules directly) and must accept the PDPC's supervisory authority and the jurisdiction of Thai courts. Applicants must designate a Thai "liable BCR member" answerable for remedies. The PDPC has up to 180 days from receiving complete documentation to review a submission and, notably, charges no government fee. Certified BCRs have no fixed expiry and remain valid unless amended or revoked.
This is proportionate regulation done well. It asks for genuine, verifiable accountability rather than box-ticking, but it does not nickel-and-dime applicants or trap them in indefinite review.
The interoperability move
The most pro-innovation feature is the accelerated pathway for groups that already hold EU or UK GDPR-approved BCRs. Rather than forcing those companies to rebuild from scratch, the PDPC lets them submit their existing approved documentation alongside a "Thai-specific BCR addendum" covering PDPA particulars — the liable Thai entity, PDPC oversight, Thai court jurisdiction, and local beneficiary rights.
This is regulatory interoperability, and it is the right instinct. A company that has already satisfied a European supervisory authority has demonstrated the substance the PDPC cares about; demanding full duplication would impose cost without adding protection. Recognising prior approvals lowers compliance friction, speeds market entry, and quietly nudges global privacy standards toward convergence rather than fragmentation — exactly what a mid-sized digital economy competing for data-centre and cloud investment should want.
Where the friction remains
The regime is not frictionless, and honest analysis should say so. Applications and supporting documents must be in Thai, with certified, notarised translations of any foreign-language materials — a real cost for groups whose BCRs run to hundreds of pages of English legalese. A 180-day clock is reasonable on paper but long for fast-moving deployments, and the addendum-plus-translation burden may blunt the fast track's promised speed. Most tellingly, only two groups had been certified as of late September 2025; uptake will reveal whether the process is as workable as its design suggests.
The deeper fix would be to publish an adequacy whitelist, so that transfers to genuinely well-regulated jurisdictions need no bespoke mechanism at all. Until the PDPC does that, BCRs and SCCs will carry load that an adequacy finding should bear.
The bottom line
Thailand has taken a transfer regime that was effectively a prohibition-by-default and given it a credible, enforceable, fee-free exit — one that respects work companies have already done under the GDPR. It is a textbook example of data-protection law that protects rights while keeping data flowing. The next test is whether the PDPC pairs it with an adequacy list, so that the open internet's default in Thailand becomes lawful movement, not bureaucratic exception.