The fastest-moving risk in global cannabis right now is not a hacker. It is a policy reversal.

In the past eighteen months, two of the world’s most-watched cannabis markets have swung hard in opposite directions, and both swings left a data problem in their wake. Thailand, which became Asia’s first country to broadly decriminalize cannabis in 2022, re-criminalized recreational use in 2025 and has spent 2026 dismantling the open-dispensary market it created. Germany, which legalized adult-use possession and cultivation clubs in 2024, saw medical cannabis imports more than double while its government openly debates tightening the rules. The lesson for operators is not which way any single market is heading. It is that the ground can move under a licensed business overnight — and when it does, the customer data that business collected does not simply disappear with it.

Thailand: a market built and dismantled in three years

Thailand’s reversal is the clearest cautionary tale of the cycle. After 2022’s decriminalization, tens of thousands of cannabis shops opened almost overnight. Then, on June 25, 2025, Public Health Minister Somsak Thepsuthin introduced regulations re-criminalizing recreational use and pushing the country back toward a medical-only model.

The effect was swift. More than 7,000 cannabis shops chose not to renew their licenses or could not meet the new requirements, and most had closed by early 2026. As of February 21, 2026, cannabis in Thailand operates under strict medical oversight: dispensaries must have medical supervision and certified traditional-medicine practitioners on site, and recreational sales are no longer permitted.

Now ask the security question almost nobody asks during a rollback: what happened to the data? Those 7,000-plus shops collected customer names, ages, ID scans, purchase histories, and in many cases tourist passport details. When a business closes under regulatory pressure, that data does not get a careful, audited wind-down. It gets left on a laptop, a POS terminal sold secondhand, an unpaid cloud account, or a vendor server that no one is monitoring anymore. Orphaned data — records that outlive the entity responsible for protecting them — is one of the most under-appreciated breach vectors in the industry, and a market-wide closure event manufactures it at scale.

Germany: growth that outpaces governance

Germany is the mirror image, and it carries its own risk. Following 2024’s reforms, the medical market exploded: Germany imported 201,094 kg of cannabis in 2025, up from 72,850 kg the prior year — well more than double, with Canada the largest single source. At the same time, German officials have signaled a real chance of tightening medical-cannabis rules in 2026, with the timing and final shape still uncertain.

Rapid growth under a strict data regime is its own hazard. Germany sits inside the EU’s GDPR, which treats health and identity data as special-category information demanding the highest level of protection. A medical-cannabis supply chain that doubles in a year — new clinics, new telemedicine intermediaries, new importers, new logistics partners — adds data-handling parties faster than anyone can vet them. Every new link is a new place for a record to leak, and every cross-border import relationship raises questions about where patient and transaction data flows and under whose law it is protected. We examined this dynamic in our briefing on global regulatory and data-security trends, and Germany is the live test case.

The looming tightening adds a second layer. If rules contract, some of those newly minted intermediaries will exit — and we are back to the orphaned-data problem, this time involving genuine patient health records under the strictest privacy law in the world.

The pattern: regulatory volatility is a data-governance problem

Step back and the through-line is clear. Around fifty countries now run formal medical-cannabis regimes, and the global map is a patchwork that keeps redrawing itself. For any operator with cross-border exposure — a multinational brand, an importer, a software vendor serving clubs in several countries, or simply a dispensary in a tourist market — regulatory whiplash creates four concrete data risks:

1. Orphaned data from forced closures. When a market contracts, businesses fold without a secure data-disposal plan. The customer IDs and purchase histories they collected become unowned and unmonitored — exactly the conditions that produced the Cannaleaks exposure, where a verification vendor’s stored documents sat open across clubs in multiple countries.

2. Cross-border transfer exposure. Data collected in one jurisdiction often lives on servers in another. When the legal status changes in either, the lawful basis for holding or transferring that data can evaporate. Under GDPR, transfers out of the EU already require specific safeguards; a policy reversal can turn a compliant flow into a violation without anyone touching the data.

3. Conflicting and shifting retention rules. A document you were required to keep under one regime may become a document you are forbidden to keep under the next. Operators that hoard identity data by default — rather than following a verify-don’t-store discipline — are most exposed when the rules flip, because they are holding the most.

4. Tourist and visitor data. Markets like Thailand drew international customers whose passport and identity data is now scattered across thousands of defunct shops. That data is subject to the privacy laws of the visitors’ home countries as well as Thailand’s — a multi-jurisdiction liability that survives the businesses that created it.

What operators should do in a volatile market

You cannot control the policy cycle. You can control how exposed your data is when it turns.

  • Minimize first. The less identity data you retain, the less becomes orphaned or unlawful when rules change. Default to verifying and discarding, and keep only what a specific, current law requires.
  • Know where your data physically lives and under whose law. Map every system and vendor that stores customer or patient data, the country it sits in, and the legal basis for holding it. You cannot manage cross-border risk you have not mapped.
  • Build a data-disposal plan into your wind-down and vendor contracts. Before you ever need it, define how customer data will be securely deleted if a market closes or a vendor relationship ends. Put deletion obligations and proof-of-deletion in every processor contract.
  • Vet new partners as fast as you onboard them. In a fast-growing market, the temptation is to plug in vendors and sort out security later. The Cannaleaks clubs did exactly that. Run the same vendor-risk questions on partner number fifty as on partner number one.
  • Track the rules per market, continuously. Retention and transfer obligations are moving targets. Assign ownership for monitoring regulatory change in each jurisdiction you touch, and revisit your retention schedule whenever a market shifts.

The bottom line

Thailand built and dismantled a national cannabis market in three years. Germany doubled its medical imports while debating whether to pull back. Neither story is mainly about cybersecurity — and that is exactly why the data risk inside them gets missed. Regulatory whiplash does not announce itself as a breach. It shows up later, as a database nobody owns anymore, a cross-border flow that is suddenly unlawful, or a tourist’s passport scan sitting on a server in a shop that closed eighteen months ago.

The operators who weather the volatility will be the ones who held less, knew where it lived, and planned for its disposal before the rules forced the question. In a global market that keeps changing its mind, data discipline is not a compliance nicety — it is how you avoid becoming the next headline when the next market turns.

This article is provided for informational purposes only and does not constitute legal advice.