Thailand orders halt to iris-scan crypto scheme, deletes 1.2m biometric records over PDPA breaches

The Ministry of Digital Economy and Society (DES) has reported major progress in the investigation into the nationwide “iris-scan for crypto tokens” scheme, which triggered widespread concern over biometric data security and legal compliance. The Office of the Personal Data Protection Committee (PDPC) has been conducting checks since the first irregularities emerged, leading to an administrative order instructing the operator to immediately stop collecting iris data and delete all 1.2 million citizen records.

DES Minister Chaichanok Chidchob said that while the state supports AI technology and human-verification systems, the collection of biometric data must be clear, transparent and strictly compliant with the Personal Data Protection Act (PDPA). The PDPC investigation found that the operator used crypto-token rewards as an incentive for consent, meaning consent was not freely given. The company also claimed the scans were solely for human-verification purposes, yet the system did not allow repeat scans—raising concerns that the data was being used for identity verification beyond the declared purpose.

The PDPC therefore issued two binding orders:

1. Suspend all iris-data collection and provide a compliance report within seven days;
2. Delete the biometric data of 1.2 million users to prevent unlawful transfer abroad.

The PDPC noted that several countries—including Germany, Spain, South Korea, Indonesia and Brazil—have also suspended similar technologies.

A joint investigation with state agencies has uncovered additional suspicious behaviour, including organised groups paid to undergo iris scans so others could claim the crypto rewards, and arrests of unlicensed digital-asset exchangers. These findings are now being expanded upon by the Department of Special Investigation (DSI) and other relevant authorities.

Suraphong Plengkham, Secretary-General of the PDPC, stressed that the priority is protecting the public’s biometric data and maintaining trust in the regulatory system. The objective, he said, is not to block new technologies but to ensure legal compliance to prevent future harm.

He reiterated that the PDPC gives the highest importance to safeguarding sensitive data. The suspension aims to stop unlawful collection practices and reinforce cooperation among agencies to maintain public confidence—while ensuring innovative human-verification technologies can still be used legally.

Service provider warns of user impact

The company behind the iris-scan system issued a statement insisting that it has complied with all Thai regulations and has been fully transparent in providing information to authorities. It argued that the suspension could affect “millions of users” who rely on the technology to protect themselves from fraud and AI-driven cyber threats.

The company said it will continue discussions with DES and the PDPC to develop a safe, appropriate and sustainable operational framework in Thailand, reaffirming its commitment to building a secure digital environment for the public in the long term.