The Thai Iris-Scan Suspension: Regulatory Enforcement on Biometric Data and Global Parallels

On 24 November 2025, Thailand’s Minister of Digital Economy and Society, Mr. Chaichanok Chidchob, together with the Personal Data Protection Committee (PDPC), held a press conference to announce the findings of an investigation into the “iris-scan-for-crypto” service. The PDPC’s Expert Committee (Panel 2) concluded that the business in question had violated Thailand’s Personal Data Protection Act (PDPA) in several respects:

• Invalid consent — The company induced individuals to participate by offering crypto tokens, meaning the consent was not freely given.

• Purpose mismatch — The stated purpose was to verify “proof of personhood,” yet users who had previously scanned their irises were unable to scan again. Refusing a repeat scan means new scans were being matched against stored data to recognise returning individuals, which is identity verification, not merely proof of personhood. This constituted processing beyond the stated purpose.

• Risk of unlawful cross-border transfer — Evidence suggested that biometric data may have been transferred abroad without proper notification or safeguards.

Based on the evidence and clarifications provided, the PDPC issued the following orders:

1. Immediately cease all further iris data collection and report compliance within seven days.

2. Delete the iris data and all associated personal data of approximately 1.2 million individuals, to prevent misuse or unauthorized data export.

The PDPC stated that the order was necessary to prevent potential harm such as data leakage, unauthorized commercial use, or illicit trading of personal data. The decision also aligns with international data protection principles, as similar services have been suspended in several countries, including Germany, Spain, South Korea, Indonesia and Brazil. The committee also noted indications of individuals being hired to undergo iris scans on behalf of others, which warrants further investigation.

Although the PDPC has held similar press conferences in the past, this is the first instance that has captured significant public attention and triggered widespread negative reactions. The case raises important questions regarding the business model of such services and the adequacy of Thailand’s biometric data protection framework.


Understanding World ID

World ID is a proof-of-personhood system developed by Tools for Humanity, founded by Sam Altman (CEO of OpenAI) and Alex Blania. The initiative aims to provide digital identity infrastructure capable of distinguishing real humans from bots or AI agents—an increasingly complex challenge in the age of advanced artificial intelligence.


How World ID Works

World ID operates through the Orb, a device that scans a user’s iris and generates an “Iris Code” — a numerical representation that the company claims cannot be reverse engineered into the original image.

According to information disclosed by the company:

• No identifying information such as name, address, or ID number is collected.

• The original iris image is deleted immediately after the Iris Code is generated.

• The Iris Code is stored in encrypted form within the user’s World App.

• Tools for Humanity claims it cannot access or retrieve the stored data.


Trust-Building Measures Announced by World ID

• Open-source code is published on GitHub for public review.

• Independent security audits have been conducted by Trail of Bits, a cybersecurity firm known for auditing Ethereum and advising U.S. government agencies.

However, in several countries, World ID’s rollout has involved promotional incentives — including the distribution of digital tokens — which raises concerns about whether user consent is truly voluntary.


What Personal Data Does World ID Use?

The primary data processed by World ID is the iris, a form of biometric data that is treated as sensitive personal data under Section 26 of Thailand’s PDPA. Collection, use, or disclosure of such data requires explicit consent.

Biometric data carries elevated risks because:

1. It uniquely and accurately identifies an individual.

2. It is permanent and cannot be changed, unlike passwords or ID documents.

3. A breach can cause irreversible harm due to the permanence of the data.

Beyond the inherent risks of biometric processing, World ID also faces concerns regarding:

• Necessity and proportionality, given that iris scans may exceed what is required for human verification compared to less intrusive alternatives.

• Transparency, including whether the purposes and downstream uses of biometric data are fully disclosed.

• Validity of consent, especially where individuals receive financial or token-based incentives.

• Potential cross-border data transfer risks, which could have significant implications for data subjects’ rights.

While the World ID case has drawn significant public attention in Thailand, this is not the first time regulators around the world have intervened decisively in high-risk data practices involving biometric or large-scale personal data processing. Comparable cases include:

1) Clearview AI – Facial Recognition

Clearview AI scraped billions of facial images from the internet without consent and sold facial recognition services to law enforcement globally. Regulators in the UK, France, Italy, Australia, Canada and others found the company lacked legal basis, transparency and valid consent. Orders included:

• Deleting all facial images of citizens

• Halting processing

• Imposing substantial fines

2) Meta / Facebook – Shadow Profiles & Off-Facebook Activity

Meta tracked users’ behaviour across the internet via Pixels and other tracking technologies, often without clear disclosure or valid consent. Regulators in the EU and UK imposed large fines and ordered Meta to modify its data processing practices.

3) TikTok – Children’s Data & Biometric Processing

TikTok processed children’s data—including behavioural data and biometric information extracted from videos—without adequate consent or safeguards. EU and UK regulators fined the company hundreds of millions of euros and required changes to youth default settings and data practices.

4) Aadhaar – National Biometric Registry (India)

Aadhaar, operated by the Unique Identification Authority of India (UIDAI), collects iris, fingerprint and facial biometrics from over 1.3 billion people, forming the world’s largest biometric database. The project raised concerns about proportionality, surveillance risk and nationwide data leakage. In the landmark Puttaswamy (2018) judgment, the Supreme Court of India held that Aadhaar may operate but with strict limitations:

• Private entities cannot mandate Aadhaar

• Usage must be restricted to essential public services

• The right to privacy is a fundamental constitutional right

5) Grindr – Sharing Sensitive Data with Third-Party Advertisers

Grindr, an LGBTQ+ dating app, was found by the Norwegian DPA to have disclosed sensitive data—including sexual orientation indicators and location—to advertisers without valid consent. Users were forced to accept all tracking to use the app, and were not informed that data would be shared externally. Grindr was fined €6.3 million and ordered to halt such disclosures.


Shared Lessons: Data Protection in a High-Risk Technological Landscape

Across all cases—including World ID—the following common themes emerge:

1. Limited Public Understanding

Both regulators and the general public often have incomplete information about how novel technologies collect and use personal data, particularly in complex biometric systems.

2. Preventive Regulatory Intervention

Authorities intervene proactively—even without mass complaints—whenever the technology poses high risks to individual rights or societal interests.

3. High-risk Categories of Data

The cases frequently involve data such as:

• Biometric identifiers (iris, fingerprints, facial images)

• Children’s data

• Sensitive behavioral patterns

• Data that cannot be replaced once compromised

4. Core Principle: Safeguarding Rights in High-Risk Environments

The global trend shows that regulators have a duty to act when data-processing practices carry significant risks, while individuals must be provided with sufficient, transparent information to make informed decisions. This principle is directly reflected in Thailand’s World ID case.


Balancing Innovation with Data Protection

Avoiding new technologies is not a realistic solution. Instead, organizations must:

• Conduct thorough risk assessments

• Implement appropriate security measures

• Ensure legal and transparent data practices

• Build trust with users through responsible innovation

This enables both public and private sectors to benefit from emerging technologies while upholding strong personal data protection standards.


Need Guidance on High-Risk Data Processing?

If you have questions about high-risk personal data processing or require support in implementing robust data protection practices, Athentic Consulting is available to provide expert guidance through our various contact channels.


Punsuree Kanjanapong
Lead - Legal Technology Counselor