Spain’s data protection authority halts Worldcoin’s collection and processing of personal data
The controversial, Sam Altman-founded eyeball-scanning blockchain crypto project has been ordered by Spain’s data protection authority to cease the collection and processing of personal data from the market. This includes a halt to any data processing previously collected there.
The project, part of a global rollout that began last July, was ordered to stop through the use of “urgency procedure” powers contained in the European Union’s General Data Protection Regulation (GDPR). This type of order has a maximum duration of three months, set to expire in mid-June.
“The Spanish Data Protection Agency (AEPD) has ordered a precautionary measure against Tools for Humanity Corporation to cease the collection and processing of personal data that it is carrying out in Spain within the framework of its Worldcoin project, and to proceed to block the already collected data,” the DPA wrote in a press statement [in Spanish; this is a machine translation].
The GDPR outlines regulations for how personal data of EU citizens can be processed and requires entities handling this information to have a valid legal basis for their operations. Violations of the regime can result in fines up to 4% of global annual turnover. Additionally, data protection authorities can demand unlawful processing to stop, including temporarily if the rights of individuals are at serious risk, as is the case with Worldcoin.
The AEPD stated that it has received multiple complaints about Worldcoin since it launched in the Spanish market last summer. These complaints relate to the lack of information provided by Worldcoin about their data processing, collection of data from minors, and the inability for individuals to withdraw their consent.
“The processing of biometric data, considered in the [GDPR] as having special protection, entails high risks for people’s rights, taking into account their sensitive nature. Consequently, this precautionary measure is a decision based on exceptional circumstances, in which it is necessary and proportionate to adopt provisional measures aimed at the immediate cessation of this processing of personal data, preventing its possible transfer to third parties and safeguarding the fundamental right to personal data protection,” the AEPD wrote.
Worldcoin’s efforts to sign people up for their proprietary biometric system, which uses iris scans to generate unique identifiers, have sparked controversy and concern for privacy and data protection. Issues such as the sensitivity of the data being collected, lack of transparency about the entities responsible for data processing, and the use of blockchain and crypto have all been points of contention.
In December 2020, the AEPD confirmed that they had received a complaint against Worldcoin and were analyzing the situation. Since then, more complaints have been filed, leading to the use of GDPR Article 66 powers by the Spanish authority.
The regional rollout of Worldcoin, which included pop-up scanning locations in a handful of European markets, quickly attracted scrutiny from European privacy regulators, resulting in an investigation being opened by France’s data protection authority. However, because of the company’s presence in Germany, the probe was passed to Bavaria’s DPA under the GDPR’s one-stop-shop mechanism (OSS). It has been determined that the company’s European establishment is located in Germany.
The Bavarian DPA stated that their investigation aimed to address questions regarding the transparency and security of data processing, the guarantee of data subjects’ rights, and the company’s implementation of data protection measures to prevent unauthorized access. It also stated that it would be investigating whether Worldcoin had conducted a data protection impact assessment.
The fact that the Spanish authority has taken independent action to protect local users suggests differences of opinions among DPAs regarding the best course of action. It may also reflect concern over the length of time it is taking for the Bavarian authority to conclude its investigation.
At the time of writing, Worldcoin’s website still lists 29 locations in Spain where people can undergo eyeball scanning using their proprietary orbs.
Tools for Humanity, the for-profit company leading the development of Worldcoin and operating the World App, did not respond to a question about whether they have halted eyeball-scanning in Spain. They did, however, provide a statement from their Germany-based data protection officer (DPO) Jannick Preiwisch, in which he claims that World ID was created to provide privacy and protection online. He also accuses the AEPD of circumventing EU law and spreading false information about their technology. However, Preiwisch does not confirm whether or not the AEPD has concluded their investigation.
In December, Worldcoin ceased eyeball scanning in France, India, and Brazil, but claimed it was only a temporary scaling back. Additionally, Kenya’s data protection authority issued a ban on Worldcoin’s processing activities, which is still in place. The company’s website currently lists nine countries where eyeball scanning is still available, including Spain, Germany, Portugal, Argentina, Chile, Japan, Singapore, Mexico, and the U.S.
Disclaimer: This is a machine translation of a Spanish press release. As a result, some information may be inaccurate or misleading. The opinions and views expressed in this article are solely those of the original source and do not necessarily represent those of the translator.