A subsidiary of Worldcoin, a company involved in Sam Altman’s controversial crypto blockchain digital identity business, has reportedly filed a legal challenge against a suspension order from Spain’s data protection authority on Friday.
Earlier this week, it was revealed that the AEPD (Spanish data protection authority) had directed Worldcoin to temporarily stop scanning people’s eyeballs and processing data collected from individuals in the market.
The AEPD initiated an Article 66 “urgency procedure” against Worldcoin under the European Union’s General Data Protection Regulation (GDPR), citing numerous complaints received. The concerns raised included the amount of information provided by Worldcoin, the collection of data from minors, and the lack of allowance for consent withdrawal. Additionally, the AEPD emphasized the sensitivity of the biometric data being collected, stating it poses a high risk to people’s rights.
Although Worldcoin’s operating company, Tools for Humanity, is considered “main established” in Germany and can benefit from streamlined regulation under the GDPR’s one-stop-shop mechanism, the regulation allows other data protection authorities (DPAs) to issue temporary orders lasting up to three months if there is a perceived “urgent need” to protect the rights of locals. However, these orders only apply within the authority’s own market and not EU-wide. Therefore, the AEPD’s temporary ban on Worldcoin only applies in Spain.
Despite the possibility for urgent interventions by non-lead DPAs under the GDPR, Worldcoin has decided to challenge the AEPD’s order.
The news was first reported in German press, and Worldcoin’s spokesperson, Rebecca Hahn, sent TechCrunch a statement from Tools for Humanity addressing the situation. The statement affirmed their full compliance with EU laws governing biometric data collection, transfer, processing, and protection, and expressed disappointment in the AEPD for bypassing accepted EU processes and rules, leaving them with no choice but to take legal action.
Worldcoin is fully compliant with all laws and regulations governing biometric data collection and data transfer, including Europe’s General Data Protection Regulation (“GDPR”). As such, we have been in consistent and ongoing dialog with our lead Data Privacy Authority in the EU, BayLDA, for months. We were disappointed that the Spanish regulator circumvented the accepted EU process and rules, which leaves us little recourse but to file suit.
Hahn did not respond to inquiries seeking further details on the legal arguments against the AEPD’s order or confirm whether Worldcoin and its operators in Spain have complied with the suspension order.
The AEPD was also contacted for comment on Worldcoin’s challenge but had not responded as of the time of press.
According to the reports from Schwäbisch, Worldcoin was primarily developed in Erlangen, Bavaria in Germany. The co-founder of Tools for Humanity, Alex Blania, a German computer scientist, was named alongside Sam Altman of OpenAI. Blania’s LinkedIn profile states that he is currently based in San Francisco.
At the time of writing, Worldcoin’s website still lists five locations in Spain where individuals can have their iris scanned by Worldcoin’s proprietary “orbs” in exchange for cryptocurrency. However, the website previously listed 29 locations, indicating that they may be in the process of shutting down their operations in the country.
One of the major controversies surrounding Worldcoin is their practice of acquiring people’s sensitive biometric data in exchange for payment. Worldcoin claims that individuals consent to the processing of their data for their purposes. However, under the GDPR, consent must be freely given, and financial incentives can create a conflict of interest that may hinder individuals’ ability to give informed consent.
Other GDPR concerns raised about Worldcoin include the transparency and fairness of their data processing, potential violations of data subject rights, such as the right to have personal data deleted, risks to minors, and questions about data transfers and security.
The investigation by BayLDA into Worldcoin’s compliance with the GDPR, which began last year, is still ongoing. The authority stated that they expect to send a draft decision with their findings to other European data protection authorities for review “very soon.” Under the GDPR, other concerned authorities can object to the lead authority’s findings on cross-border data processing, which may result in disputes being resolved by majority vote or by the European Data Protection Board’s casting vote. This means that although one authority may lead the oversight on entities like Worldcoin, other DPAs remain involved in decisions that affect individuals in their own markets.
In Catalonia, an autonomous community in Spain where Worldcoin currently lists three locations for iris scanning, local press reported that the regional government responded to concerns about the company’s biometric data operations by publishing an article containing guidance and warnings from the Catalan Data Protection Authority. The article alerts readers to the sensitivity of the biometric data being collected, the potential risks associated with its misuse, and specifically mentions concerns about the harvesting of children’s data without proper parental consent. It also notes that “several” EU authorities are currently investigating Worldcoin’s GDPR compliance.