Thai regulators have dismantled a controversial iris-scanning project that rewarded citizens with cryptocurrency tokens, ordering the immediate shutdown of the scheme and the deletion of 1.2 million biometric records. The decision followed a review by the Ministry of Digital Economy and Society and the Office of the Personal Data Protection Committee, which concluded that the initiative violated key provisions of the country’s Personal Data Protection Act, particularly those concerning the collection and handling of sensitive data. Investigators determined that the operator failed to obtain lawful consent and used biometric information in ways that exceeded publicly stated purposes, raising concerns about potential misuse and cross-border data transfers.
Authorities became involved after irregularities in the program sparked nationwide concern. The PDPC found that participants were not genuinely providing voluntary consent because they were incentivised with crypto tokens, rendering the agreement legally invalid under the PDPA. Regulators also questioned the stated purpose of the data collection. While the operator claimed the scans were required solely for human verification, the system’s architecture prevented repeat scans from the same user, indicating that the biometric data was being used for identity verification—an intention never disclosed to participants. This inconsistency strengthened the view that the project expanded its data usage far beyond its original purpose.
Following the inquiry, the PDPC issued two binding directives. One ordered an immediate halt to all biometric data collection and required a compliance report within seven days. The second instructed the company to permanently erase the stored iris data of 1.2 million users to prevent any possibility of overseas data transfer. Digital Economy and Society Minister Chaichanok Chidchob said the government supports the use of advanced verification tools but emphasised that the collection of highly sensitive information must strictly comply with Thailand’s privacy laws.
The investigation has since broadened. Officials say evidence suggests that groups organised mass participation in exchange for token rewards, raising questions about improper incentives and manipulation of the system. The probe also uncovered individuals conducting unlicensed digital-asset exchange activities, resulting in several arrests. The Department of Special Investigation and partner agencies are now expanding their review to map all suspicious links connected to the scheme. Regulators noted that similar projects have faced restrictions in countries such as Germany, Spain, South Korea, Indonesia, and Brazil, which have also paused or limited iris-scan reward systems.
China’s Ministry of State Security has issued similar warnings, flagging iris-based crypto initiatives as potential national-security risks due to concerns about large-scale biometric data harvesting by foreign firms.
In response to Thailand’s decision, the company behind the project insisted it had followed all regulatory requirements. It warned that suspending its service could disrupt millions of users who rely on iris-matching tools for online protection. The operator expressed willingness to work with authorities to establish a framework that satisfies legal and safety standards. PDPC Secretary-General Suraphong Plengkham stressed that the goal is to safeguard the public’s data and ensure trust in the system, not to hinder technological innovation. He said the priority is preventing unlawful practices while ensuring that advanced verification technologies can operate responsibly and securely within Thailand.
