The Numbers You Need to Know: PDPA Is No Longer Just a Law on Paper
As of January 2026, Thailand’s Personal Data Protection Committee (PDPC) reported a total of 2,672 complaints. This figure reflects two important trends: Thai citizens are becoming more aware of their rights, and the PDPC is taking enforcement seriously.
On the penalties side, the PDPC has already issued 8 administrative fine orders across 5 cases, with total fines exceeding THB 21.5 million. In August 2025 alone, fines reached THB 14.5 million, pushing the cumulative total past THB 21 million.
These numbers send a clear message: the era of “warnings first” is over. PDPA enforcement in Thailand is now in full swing.
The Worldcoin Case — The Most Expensive Lesson So Far
One of the most significant cases in Thailand’s data protection landscape involved the PDPC’s order against Worldcoin (now operating as World), which offered iris scanning services in exchange for digital currency.
The PDPC ordered Worldcoin to stop providing iris scanning services in Thailand and to delete the biometric data of more than 1.2 million Thai users. According to the PDPC, collecting biometric data in exchange for cryptocurrency violated the PDPA because:
- Biometric data is sensitive personal data and requires explicit consent
- Exchanging data for financial benefits undermines the freedom of consent, since individuals are being incentivized by compensation
- Adequate safeguards were not in place for data of such a highly sensitive nature
This case makes one thing very clear: the PDPC is prepared to act against global technology companies, not just small local organizations. It also confirms that biometric data is a red line organizations should not cross lightly.
8 Fine Orders Across 5 Cases — The Most Common Types of Violations
Based on the 8 fine orders issued so far, several recurring patterns of non-compliance are emerging:
1. Customer Data Leaked to Call Center Scam Networks
The single highest fine so far was THB 7 million, imposed in a case where customer data was leaked and later used by call center scam gangs to defraud victims. This shows that the PDPC places significant weight on the real-world harm suffered by data subjects. When leaked data is used to facilitate criminal activity, the penalties rise accordingly.
2. Government Agency and Software Developer Fined Together
Another notable case involved a cyberattack that exposed the personal data of more than 200,000 individuals. Both the government agency (as the data controller) and the software developer (as the data processor) were fined more than THB 150,000 each.
The key takeaway is simple: data controllers and data processors share responsibility. Outsourcing work does not mean outsourcing accountability.
3. Common Violation Patterns to Watch For
Across all 5 cases, the most common compliance failures include:
- Insufficient security measures — such as lack of encryption or poor access controls
- Failure to report a breach within 72 hours — the PDPA requires notification to the PDPC without undue delay
- No Data Protection Officer (DPO) or no clearly assigned owner of privacy responsibilities
- Excessive data collection — collecting personal data beyond what is necessary for the stated purpose
Sectors Under Closer Scrutiny
In 2026, the PDPC has signaled that it will step up enforcement across several high-risk sectors:
E-Commerce
E-commerce platforms handle large volumes of customer data, including names, addresses, phone numbers, payment details, and shopping behavior. The more AI is used to analyze customer behavior, the more important it becomes to manage consent properly and stay within the permitted scope of data use.
