The Thai Iris-Scan Suspension: Investigating Issues of Consent, Biometric Data, and the Global World ID Initiative

On 24 November 2025, Mr. Chaiyanok Chidchob, Minister of Digital Economy and Society, together with the Office of the Personal Data Protection Commission (PDPC), held a press conference to announce the results of an investigation into a business operation involving “iris scanning in exchange for cryptocurrency.” The findings were determined by the PDPC’s Expert Committee No. 2, which examined factual evidence, documentary evidence, and explanations provided by the service provider. Following its consideration, the Committee issued the following administrative orders:

  1. The service provider is required to suspend or cease the collection of personal data through iris scanning and to report the implementation of such measures to the Office of the Personal Data Protection Commission (PDPC) within seven (7) days.
  2. The service provider is required to delete and destroy all iris data that has been collected from the public.

The orders sparked widespread public debate among service users, with questions raised as to whether the Office of the Personal Data Protection Commission (PDPC) had exceeded the scope of its authority and whether the reasons relied upon to conclude that World Thailand’s services failed to comply with personal data protection requirements were sufficiently justified. This article examines and analyses several key legal issues arising from the PDPC’s recent press conference, as outlined below.

Issue 1: Incentivised Consent

Consent is a core concept under personal data protection law. It becomes particularly important where a controller cannot rely on the lawful bases under Section 24 of Thailand’s Personal Data Protection Act B.E. 2562 (PDPA), or where the processing involves sensitive personal data under Section 26—such as political opinions, religious beliefs, food allergy information, health data, or biometric data. Sensitive data is considered high-risk because unlawful or improper processing may lead to discrimination, unfair exclusion, and significant impacts on the data subject’s rights and freedoms.

Accordingly, where the processing of sensitive personal data does not fall within any exception under Section 26, obtaining valid consent is critical. Proper consent provides data subjects with a genuine choice and supports organisational transparency and accountability as a data controller.

In principle, consent must be freely given—meaning the data subject must be able to decide voluntarily whether to consent, without being forced or pressured (for example, being required to consent as a condition of receiving a service, or facing disadvantage if consent is refused). Data subjects must not suffer detriment for refusing consent, and must be able to withdraw consent easily at any time. Consent should also be separate from other terms and conditions and presented in clearly distinguishable items, so the data subject can give specific consent for each purpose that relies on consent.

As for incentives, comparative practice from various data protection authorities suggests that incentives are not prohibited outright. However, the key question is whether the incentive results in unfair disadvantage for those who do not consent, or whether refusal effectively prevents access to the controller’s core service. For example, the UK Information Commissioner’s Office (ICO) has indicated that certain incentives may be acceptable—such as loyalty programmes offering discounts—where refusing consent merely means the user does not receive the additional benefit, and does not suffer an unfair penalty. Controllers must nevertheless be careful not to cross the line into punitive or unfair disadvantage.

In assessing whether consent is freely given, regulators also consider imbalance of power between the controller and the data subject. Where the controller is a public authority and the data subject is a citizen, or where the controller is an employer and the data subject is an employee, consent may not be truly voluntary because the data subject may feel there is no realistic alternative. The European Data Protection Board (EDPB) has similarly noted that assessing imbalance requires considering multiple factors, including the provider’s scale and market power, the necessity of the service, the burden of switching providers, and the impact on daily life if consent is refused.

Applying these principles to World Thailand, the core service of World ID is presented as a proof-of-personhood (human verification) system. In practice, the available method of verification appears to rely solely on iris scanning to generate an “Iris Code.” If there is no alternative method for users to obtain proof-of-personhood without consenting to iris scanning, refusal of consent does not merely result in the loss of a cryptocurrency reward; it may also result in the inability to access the core service itself. In that context, the use of cryptocurrency as an incentive may raise concerns that consent is not freely given.

Further concerns may arise if the data is used in a manner inconsistent with what was described at the point of consent. For example, if the stated purpose of scanning is to generate an Iris Code for proof-of-personhood and then delete the iris data immediately, but individuals who have already scanned are later identified as having scanned before, this may indicate that the Iris Code can be used for authentication (identifying or verifying an individual) and/or that the deletion claims may not align with actual practices. If so, the processing may extend beyond the consented purpose, raising questions about whether the consent obtained was valid under data protection law.

Issue 2: Is Iris Data Comparable to DNA?

During the press conference, the PDPC made the point that iris-scan data may be “as sensitive as DNA and more severe than fingerprints,” which was used to explain that the administrative fine could reach up to THB 5 million. This prompted public questions as to why iris data is viewed as particularly sensitive when both iris data and fingerprints fall within biometric data and are treated as sensitive personal data.

Both Thai and international data protection laws distinguish sensitive personal data as a special category requiring heightened safeguards, given its elevated risks to individuals’ rights and freedoms and its potential to enable discrimination. Under the PDPA, both iris patterns and fingerprints are biometric data—i.e., personal data resulting from techniques or technologies that use unique physical or behavioural characteristics to identify a person (e.g., facial templates, iris templates, fingerprint templates). Biometric data is expressly treated as sensitive personal data.

Importantly, however, the PDPA does not rank categories of sensitive data (such as race, religion, criminal history, or biometrics) by “severity” in legal terms. In that strict legal sense, iris data does not have a higher status than fingerprint data—both are sensitive personal data and require special protection.

From a scientific perspective, iris biometrics are often regarded as highly distinctive and relatively stable over a person’s lifetime. Academic research (including work associated with the University of Cambridge) has described the iris as having extremely complex patterns and very high uniqueness, with low rates of false matches under appropriate conditions. In practical terms, this supports the view that iris data can enable highly reliable identification at very large population scales.

Taken together, it may be understandable—scientifically—why iris data is sometimes compared to DNA in terms of its identification capability. Nevertheless, within the legal framework of personal data protection, different forms of biometric data are generally treated with equal weight as sensitive personal data, given their potential impact on rights and freedoms if processed unlawfully or without adequate safeguards. The PDPC’s position may therefore be read as incorporating scientific context into its regulatory assessment, while the determination of administrative fines is likely influenced by multiple factors beyond identifiability alone—such as the number of affected data subjects, the scope and purpose of processing, and the adequacy of security measures.
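Two technical points above deserve a concrete illustration: Issue 1 observes that if returning users are recognised as having scanned before, the Iris Code itself must be usable for authentication, and Issue 2 describes the iris as distinctive enough for reliable large-scale identification with low false-match rates. The following toy model is an added example written for this article; it is not code from World, from the PDPC, or from the Daugman papers cited below. It follows the general iris-recognition approach those papers describe (a fixed-length bit template compared by fractional Hamming distance), but every parameter is an assumption chosen for the demonstration: 2048-bit codes, a match threshold of 0.32, a 10% bit-flip rate to simulate a fresh capture of the same eye, and randomly generated codes standing in for real enrolments.

```python
"""Toy iris-template matching by fractional Hamming distance (constructed example).

Data-protection takeaway: a stored template, even with the raw iris image deleted,
still lets anyone who later scans the same eye be recognised. A store of exact
cryptographic digests of templates cannot do this, because every fresh capture
differs in some bits. So the ability to recognise returning scanners implies that
matchable templates (or an equivalent) are retained somewhere.
"""
import hashlib
import random
from typing import Dict, Optional

CODE_BITS = 2048        # assumed template length, mirroring the classic 2048-bit iris code
MATCH_THRESHOLD = 0.32  # assumed decision threshold: fractional HD below this => same eye


def random_iris_code(rng: random.Random) -> int:
    """Constructed stand-in for enrolling a new eye: a random CODE_BITS-bit template."""
    return rng.getrandbits(CODE_BITS)


def rescan(code: int, rng: random.Random, flip_rate: float = 0.10) -> int:
    """Simulate capturing the same eye again: each bit flips independently with flip_rate."""
    noise = 0
    for i in range(CODE_BITS):
        if rng.random() < flip_rate:
            noise |= 1 << i
    return code ^ noise


def fractional_hd(a: int, b: int) -> float:
    """Fraction of differing bits: near 0 for the same eye, near 0.5 for unrelated eyes."""
    return bin(a ^ b).count("1") / CODE_BITS


def lookup(db: Dict[str, int], probe: int) -> Optional[str]:
    """One-to-many search over stored templates. Returns the closest subject if it clears
    the threshold, otherwise None (the probe is treated as a newcomer)."""
    best_id, best_hd = None, 1.0
    for subject_id, enrolled in db.items():
        hd = fractional_hd(enrolled, probe)
        if hd < best_hd:
            best_id, best_hd = subject_id, hd
    return best_id if best_hd < MATCH_THRESHOLD else None


def code_digest(code: int) -> str:
    """SHA-256 of the template bytes: an exact-match token, not a fuzzy-matchable template."""
    return hashlib.sha256(code.to_bytes(CODE_BITS // 8, "big")).hexdigest()


def hashed_lookup(hash_db: Dict[str, str], probe: int) -> Optional[str]:
    """Same search against stored digests only. Succeeds only on a bit-identical capture."""
    digest = code_digest(probe)
    for subject_id, stored in hash_db.items():
        if stored == digest:
            return subject_id
    return None


def demo(seed: int = 7) -> dict:
    """Enrol three constructed subjects, then probe with a re-capture and with a newcomer."""
    rng = random.Random(seed)
    db = {f"subject-{i}": random_iris_code(rng) for i in range(3)}
    hash_db = {sid: code_digest(code) for sid, code in db.items()}
    returning = rescan(db["subject-1"], rng)   # same eye, noisy fresh capture
    newcomer = random_iris_code(rng)            # an eye never enrolled
    return {
        "hd_same_eye": fractional_hd(db["subject-1"], returning),
        "hd_unrelated": fractional_hd(db["subject-0"], newcomer),
        "template_match_returning": lookup(db, returning),    # recognised: "subject-1"
        "template_match_newcomer": lookup(db, newcomer),      # not recognised: None
        "hash_match_returning": hashed_lookup(hash_db, returning),  # digests cannot recognise: None
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Run as a script, the output shows a same-eye distance around 0.10 and an unrelated distance around 0.50, a wide gap that is why a fixed threshold works so well at scale. The contrast between `lookup` and `hashed_lookup` is the part a regulator cares about: only a retained, matchable template explains the behaviour described in Issue 1, which is why the template is treated as sensitive biometric data in its own right rather than as a harmless derivative of a deleted image.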

Comparative Developments: Worldcoin Enforcement Abroad

Thailand is not the only jurisdiction to intervene in similar iris-scanning operations. Other countries—including Spain, Brazil, Hong Kong, and Indonesia—have taken measures to suspend or restrict Worldcoin-related activities.

1) Spain

Spain’s data protection authority (AEPD) imposed interim measures requiring the service provider to stop collecting and processing personal data in Spain, including halting processing of already collected data. Reported concerns included inadequate information to users, collection involving minors, and barriers to withdrawing consent.

2) Brazil

Brazil’s data protection authority (ANPD) issued preventive measures ordering the provider to stop using cryptocurrency rewards to incentivise consent for iris scanning. The authority expressed concern that digital-currency rewards could unduly influence economically vulnerable individuals to consent without fully understanding the risks of processing sensitive biometric data—thereby undermining the requirement that consent be freely given.

3) Hong Kong

Hong Kong’s Privacy Commissioner for Personal Data (PCPD) ordered the Worldcoin project to stop collecting and processing iris data, citing breaches of the Personal Data (Privacy) Ordinance (PDPO) and several Data Protection Principles (DPPs), including: (i) excessive and unnecessary collection for proof-of-personhood purposes (DPP1), (ii) lack of transparency, including inadequate explanation and documentation practices (DPP5), and (iii) retention of iris data for up to ten years for AI model training, deemed longer than necessary (DPP2).

4) Indonesia

Indonesia’s Ministry of Communication and Digital Affairs (Komdigi) temporarily suspended the provider’s operations, including its electronic system service registration, to examine whether large-scale collection of sensitive iris data complied with personal data protection requirements. Komdigi raised concerns around data subject rights, transparency, and security measures, conducted both technical and legal review, and later maintained the suspension while ordering deletion of collected biometric data and requiring improvements to personal data management, security safeguards, and privacy protections before any potential resumption.

Notably, the PDPC’s reasoning appears consistent with enforcement trends in other jurisdictions—particularly regarding incentivised consent, large-scale processing of sensitive biometric data, and shortcomings in transparency, security, and data subject rights. The broader question raised is whether, despite rapid technological advancement, core privacy safeguards are increasingly overlooked—including by data subjects themselves. This case illustrates that responsible use of biometrics requires more than advanced technology: it demands robust privacy governance, appropriate technical and organisational measures, and a high standard of accountability to prevent technological innovation from becoming a long-term threat to individuals’ rights and personal security.


References:

  • The Office of the Privacy Commissioner for Personal Data (PCPD), Privacy Commissioner’s Office Finds That the Operation of the Worldcoin Project in Hong Kong Contravenes the Personal Data (Privacy) Ordinance, https://www.pcpd.org.hk/english/news_events/media_statements/press_20240522.html.
  • Komdigi, Affirming Commitment to Protect the Public, Komdigi Continues to Sanction Platform World, https://www.komdigi.go.id/berita/siaran-pers/detail/tegaskan-komitmen-lindungi-publik-komdigi-tetap-beri-sanksi-platform-world.
  • AEPD, The Agency Orders a Precautionary Measure Which Prevents Worldcoin from Continuing to Process Personal Data in Spain, https://www.aepd.es/en/press-and-communication/press-releases/agency-orders-precautionary-measure-which-prevents-Worldcoin-from-continuing-toprocess-personal-data-in-spain.
  • ANPD, ANPD Determines Suspension of Financial Incentives for Iris Collection, https://www.gov.br/anpd/pt-br/assuntos/noticias/anpd-determina-suspensao-de-incentivos-financeiros-por-coleta-de-iris.
  • John Daugman, How Iris Recognition Works, Department of Computer Science and Technology, University of Cambridge, https://www.cl.cam.ac.uk/~jgd1000/irisrecog.pdf.
  • John Daugman, Collision Avoidance on National and Global Scales: Understanding and Using Big Biometric Entropy, Department of Computer Science and Technology, University of Cambridge, https://www.cl.cam.ac.uk/~jgd1000/BiomEntropy.pdf.
  • Law and Development Research Center, Faculty of Law, Chulalongkorn University, B3. Processing of Specially Sensitive Personal Data (Special Categories or Sensitive Data), in Thailand Data Protection Guidelines 3.0 (Guidelines on Personal Data Protection), https://www.law.chula.ac.th/wp-content/uploads/2021/04/TDPG3.0-Extension-20210413-1.pdf.
  • European Data Protection Board, Opinion 08/2024 on Valid Consent in the Context of Consent or Pay Models Implemented by Large Online Platforms, https://www.edpb.europa.eu/our-work-tools/our-documents/opinion-board-art-64/opinion-082024-valid-consent-context-consent-or_en.
  • European Data Protection Board, Guidelines 05/2020 on Consent under Regulation 2016/679, https://www.edpb.europa.eu/our-work-tools/our-documents/guidelines/guidelines-052020-consent-under-regulation-2016679_en.
  • Information Commissioner’s Office, Consent, https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/lawful-basis/consent/why-is-consent-important/#why2.

Punsuree Kanjanapong
Lead - Legal Technology Counselor
Teethawach Donmongkol
Legal Technology Counselor