Thailand PDPA and Biometric Data: Regulatory Enforcement and Lessons from the World Iris Scanning Case

Thailand’s Personal Data Protection Act B.E. 2562 (2019) (“PDPA”) establishes a comprehensive framework governing the collection, use, and disclosure of personal data, with heightened protections for sensitive personal data, including biometric identifiers. Among these, iris recognition data represents one of the most intrusive forms of personal data, requiring strict compliance with statutory consent, transparency, and security obligations.

1. Legal Framework for Iris Recognition Data under the PDPA

Under the PDPA, personal data refers to information relating to an identifiable data subject whose rights are protected by law. The Act distinguishes between general personal data and sensitive personal data, which includes biometric data capable of uniquely identifying an individual, such as iris scans.

Biometric data may be processed only on specific legal bases, including:

✓   explicit consent of the data subject;

✓   necessity for research or statistical purposes;

✓   protection of vital interests;

✓   performance of a contract;

✓   exercise of official authority or public interest functions;

✓   compliance with legal obligations; or

✓   legitimate interests that do not override the fundamental rights of the data subject.

When collecting personal data, data controllers must clearly, transparently, and separately inform data subjects of the specific purposes for which the data will be collected, used, or disclosed. For sensitive personal data, the PDPA imposes enhanced obligations, including:

✓   implementation of appropriate technical and organisational security measures;

✓   prevention of unauthorised access or disclosure;

✓   proper data retention, management, and deletion protocols;

✓   breach notification to the PDPC within 72 hours;

✓   maintenance of processing records; and

✓   appointment of a Data Protection Officer (DPO) where required.

Non-compliance may result in civil liability (including punitive damages of up to twice the actual loss), criminal penalties (up to one year’s imprisonment and/or fines of up to THB 1,000,000), and administrative fines of up to THB 5,000,000.

2. PDPC Enforcement Action Against the “World” Project

On 24 November 2025, the PDPC issued a final administrative order suspending a biometric data collection project operated by World, a business established by a group of founders including Sam Altman, CEO of OpenAI. The project involved public iris scanning in exchange for cryptocurrency tokens and resulted in the collection of biometric data from more than 1.2 million individuals in Thailand.

The PDPC determined that the project posed significant risks to data subjects and constituted a serious violation of the PDPA, particularly in relation to consent, transparency, and purpose limitation.

3. Regulatory Findings and Procedural History

The PDPC initiated an investigation after identifying risks associated with mass iris scanning conducted in public settings. During the investigation, the PDPC engaged with World through meetings held on 22 July 2025 and 4 September 2025, as well as a public system demonstration on 19 September 2025.

Despite these engagements, the PDPC found:

✓   unclear and insufficient documentation relating to data processing activities;

✓   risks of re-identification of individuals;

✓   inadequate disclosure of data processing purposes; and

✓   deficiencies in explaining how biometric data would be stored, used, and safeguarded.

As a result, the matter was referred to the Expert Committee on 3 October 2025, culminating in an administrative order dated 14 November 2025 requiring suspension of the project and deletion of the collected data.

4. Invalid Consent and Purpose Limitation Breaches

A central finding of the PDPC was that World collected iris recognition data without valid consent as required under the PDPA. Specifically:

✓   consent was obtained by inducing members of the public with cryptocurrency tokens, which the PDPC determined meant that consent was not freely given;

✓   the stated purpose of collection was limited to “human verification”; however, individuals who had already undergone iris scanning were unable to repeat the process, demonstrating that the data was also used to identify returning individuals.

The PDPC concluded that the use of biometric data exceeded the scope of the purpose communicated at the time consent was obtained and could not be justified as human verification alone. This constituted a breach of the PDPA’s purpose limitation and transparency principles.

5. Regulatory Orders and Cross-Border Risk Mitigation

The PDPC ordered World to:

✓   suspend any further collection of personal data through iris scanning in exchange for cryptocurrency tokens;

✓   report the outcome of compliance measures to the PDPC within seven (7) days; and

✓   delete and permanently destroy all iris scan data and related personal data of approximately 1.2 million individuals.

The PDPC expressly cited the need to prevent unlawful cross-border transfers of biometric data as a key consideration in ordering the destruction of the data.

6. Post-Order Developments

Following the PDPC’s order, World announced via its official Facebook page that it would:

✓   suspend the service in Thailand;

✓   refund the cryptocurrency tokens provided to participants; and

✓   continue to engage constructively with Thai authorities, including the Ministry of Digital Economy and Society (MDES) and the PDPC.

World also publicly reaffirmed its commitment to building a safer digital environment.

Key Takeaways for Organizations

The World case represents one of the most significant PDPA enforcement actions to date and sends a clear regulatory signal that:

✓   biometric data, particularly iris recognition data, will be subject to strict scrutiny;

✓   consent obtained through financial or economic inducement may be deemed invalid;

✓   vague or evolving purposes for data processing are incompatible with PDPA requirements; and

✓   regulators will act decisively where large-scale biometric data collection presents systemic risk.

Organizations deploying biometric technologies in Thailand should urgently review their consent mechanisms, transparency disclosures, data governance frameworks, and cross-border data transfer controls to ensure full PDPA compliance.