Thai Data Privacy Regulator Orders “World Tools for Humanity” Deletion of 1.2 Million Iris Scan Records

Brickinfo News Agency – Thailand’s Personal Data Protection Committee (PDPC) has issued a significant administrative order against a “crypto-for-iris-scan” business, citing non-compliance with the country’s Personal Data Protection Act (PDPA). The order mandates the immediate cessation of further iris data collection and the deletion or destruction of personal data belonging to approximately 1.2 million individuals. This action follows an ongoing investigation by the PDPC and comes amid growing public concern over the security of biometric information. The Ministry of Digital Economy and Society (MDES) has also confirmed that the Department of Special Investigation (DSI) will be expanding the probe into potential related legal violations.

The decision was made by the Expert Committee 2 of the PDPC after reviewing evidence and explanations from the service provider, identified in its statement as World. The committee found that the method used to obtain consent for collecting biometric data, which falls under sensitive personal data, was unlawful. Specifically, the practice of offering cryptocurrency as compensation to incentivize individuals to consent to the iris scan was deemed to constitute non-freely given consent, violating the legal requirements. Furthermore, while the stated purpose for data collection was merely “human verification,” the committee’s investigation found that repeat scanning was impossible, indicating a second, undisclosed purpose of individual identification, thereby exceeding the initial scope of consent.

Police Colonel Surapong Plengkam, Secretary-General of the PDPC, announced the administrative orders issued: “The Expert Committee 2 has ordered the service provider and all related parties to immediately suspend or cease the collection of personal data through the iris scan for cryptocurrency process, and report the operational results to the PDPC within seven days.” He added that the second crucial order is for the service provider to delete and destroy all iris scan data and other related personal information for the 1.2 million people to prevent the illegal transfer of this data abroad. This decision is aimed at protecting personal data from being improperly used, potentially leading to unauthorized commercial use or sale.

Minister of Digital Economy and Society Chaiyanok Chidchob stated that the Ministry supports modern technology, including AI, used for “human verification.” However, he stressed that the collection of biometric data must be conducted under clear conditions and strictly within the framework of data protection laws to prevent harm to data owners. The PDPC noted that its decision aligns with international standards, pointing out that at least eight other countries, including Germany, Spain, South Korea, Indonesia, and Brazil, have also ordered suspensions of this operation.

In addition to the PDPA violations, the joint investigation with other agencies has uncovered other suspicious activities, including alleged schemes to hire individuals to undergo the iris scan for the purpose of transferring the resulting cryptocurrency to others. The Securities and Exchange Commission (SEC) and the Cyber Police have already made arrests concerning unauthorized digital asset exchange. The DSI will continue the expanded investigation into potential violations of other laws. In response to the order, World issued a statement confirming the temporary suspension of its “human verification process” in Thailand, though it maintained that it had fully complied with all Thai laws and regulations throughout its operation and would continue discussions with the MDES and PDPC to find an appropriate path forward.