The iris scanning of thousands of European citizens carried out last year by the Worldcoin company violated the General Data Protection Regulation (GDPR), the European regulation that ensures the digital privacy of community citizens. This has been resolved by BayLDA, the data protection authority of Bavaria, Germany, which was the competent authority in this case since the company Tools for Humanity, which collected the iris data in Europe on behalf of the American company, was located in that territory. Worldcoin, recently renamed World.
The resolution of the BayLDA is in line with the precautionary measure imposed by the Spanish Data Protection Agency (AEPD) in March of this year that, given the indications of serious breaches of the RGPD, and “to avoid potentially irreparable damage and protect the rights of citizens”, ordered in a decision unpublished to date the immediate cessation of the collection and processing of personal data that the company was carrying out in Spain, as well as the blocking of those that had already been collected (from some 400,000 Spanish citizens). If the precautionary measure was not respected, Worldcoin was exposed to a fine of between 20 million euros and 4% of its annual turnover.
The company initially complied with the AEPD’s precautionary measure and decided on its own initiative to suspend its activity in Spain for a few months. He later appealed the decision of the AEPD to the National Court, which endorsed the measure and rejected the appeal. In recent months, the Spanish agency was awaiting the verdict of the Bavarian data protection authority, which would mark the line of action in the rest of the EU.
The BayLDA resolution orders the elimination of all iris codes stored since the beginning of the project, stored without the necessary security measures for the processing of biometric data. It also orders that future iris processing be carried out on the basis of the explicit consent of the interested party, something that is understood to have not happened at first, and orders that the right to deletion of data be included in the future.
On the other hand, the resolution confirms that the company did not implement adequate measures to prevent the processing of minors’ data, which was one of the elements that led to the immediate intervention of the AEPD in Spain. This matter, BayLDA determines, will be the subject of further investigation at a later date.
“Our technology is secure, although we understand that it is complex and difficult to understand,” explains Damien Kieran, head of data management at World (the former Worldcoin) in statements to Morning Express. The executive complains that he has been trying to meet with the AEPD for eight months to tell them how they work and why their technology does not offer risks to users. “We have not received any response. It is something that has not happened to us with other European regulators, with whom we have been able to sit down.”
Sources from the Spanish agency explain that they are not in the habit of meeting with companies for which they have a disciplinary file open, even less so if this has been appealed, as is the case. In 2023, the AEPD opened 492 sanctioning files.
Biometric data, such as the iris, is especially sensitive because it is immutable. We can change our password or our address, but the pattern that describes the shape of each person’s iris is unique and hardly changes over the years. The iris is in fact a more effective identification method than the face scan carried out by facial recognition systems. Due to the sensitivity of this data, it is treated especially strictly by the GDPR. Hence, in recent weeks, many privacy experts could not believe that a company could start collecting iris data for everyone to see and without giving hardly any information to those affected.
orb fever
Worldcoin began collecting iris data in Spain in July 2023 in 14 shopping centers in the country. To do this, he used the Orb, or orbs, a metal sphere the size of a futsal ball that photographs the irises of those interested and gives them access to the digital currency Worldcoin, co-founded by the creator of ChatGPT, Sam Altman.
Until February of this year, the orbs did not attract much attention. But at a given moment, large queues began to form around the already 30 stands that Worldcoin had placed in large galleries. The reason: the exchange value of the currency rose to just over six euros, so the 13 Worldcoin coins released after the iris scan were equivalent to about 80 euros. That hook caused such an influx of public, generally young people, that those interested can no longer have their iris scanned without an appointment.
In order to use an Orb, users had to download an application on their mobile phone and receive a QR code. The iris photo acted as “proof of humanity” (the system ensures that the request is made by a person and not a machine), but not only that. It was also associated with the QR code, after which the application transformed into a kind of passport called World ID, the wallet where the Worldcoins are stored.
According to Altman, the passport and wallet promoted by his company will be key to managing financially, and perhaps to collecting a universal income, in a future dominated by artificial intelligence. The company separated itself from the cryptocurrency in the summer and was renamed World.