Spain’s data protection authority has ordered Worldcoin to temporarily stop collecting and processing personal data from the market. It must also stop processing any data it previously collected there.
The controversial, Sam Altman-founded eyeball-scanning blockchain crypto project started operations in the market last July, as part of a global rollout.
The Spanish authority is using “urgency procedure” powers contained in the European Union’s General Data Protection Regulation (GDPR) for the temporary data processing cessation order — which means the order can have a maximum duration of three months (so until mid June).
“The Spanish Data Protection Agency (AEPD) has ordered a precautionary measure against Tools for Humanity Corporation to cease the collection and processing of personal data that it is carrying out in Spain within the framework of its Worldcoin project, and to proceed to block the already collected data,” the DPA wrote in a press statement [in Spanish; this is a machine translation].
The GDPR regulates how EU people’s personal data can be processed and requires entities handling information such as people’s names, contact details, biometrics and other identifiers to have a valid legal basis for their operations. Violations of the regime can attract fines of up to 4% of global annual turnover. Data protection authorities can also demand unlawful processing to stop, including temporarily if they are concerned people’s rights are at serious risk, as is happening here.
The AEPD said it has received several complaints about Worldcoin since the venture started operating in the market last summer, including related to the level of information about the processing Worldcoin provides; the collection of data from minors; and how withdrawal of consent is not allowed.
“The processing of biometric data, considered in the [GDPR] as having special protection, entails high risks for people’s rights, taking into account their sensitive nature. Consequently, this precautionary measure is a decision based on exceptional circumstances, in which it is necessary and proportionate to adopt provisional measures aimed at the immediate cessation of this processing of personal data, preventing its possible transfer to third parties and safeguarding the fundamental right to personal data protection,” it wrote.
Controversy has dogged Worldcoin’s effort to sign people up to a proprietary biometric system whose makers claim will let them use a unique identifier, aka the World ID, to verify their humanness online. Crypto comes into the mix as it provides eponymous tokens as quasi-payment for the iris scans that generate the unique identifier.
Privacy and data protection concerns are rife, given the sensitive nature of the data being processed (eyeball scans); the purported purpose (creating a unique and irrevocable identifier); opacity around the entities responsible for processing people’s data (which include a mix of for-profits and foundations, including a self-declared “type of non-profit” that’s incorporated in the Cayman Islands); and the use of blockchain and crypto, to name a few of the issues.
Back in December the AEPD confirmed to TechCrunch it had received a complaint against Worldcoin — which it told us then it was “analyzing”. We’ve reached out to the authority with questions today but it appears to have received further complaints since then, leading to the decision to trigger GDPR Article 66 powers.
Worldcoin’s regional rollout — which took the form of a number of pop-up scanning locations in a handful of European markets, including at several locations in Spain — quickly attracted scrutiny from European privacy regulators.
An investigation was opened by France’s data protection authority last year. But the presence of a Worldcoin subsidiary in Germany meant the probe was passed to Bavaria’s DPA — as regulators determined the GDPR’s one-stop-shop (OSS) mechanism applied. (The AEPD’s press release also confirms: “The Tools for Humanity Corporation company has its European establishment in Germany.”)
Back in July the Bavarian DPA told TechCrunch its investigation of Worldcoin aimed to “clarify questions regarding the transparency and security of data processing” — including whether or not data subjects are provided with sufficient information to get a clear understanding of the processing of their data and the purposes of the processing; whether data subjects’ rights (including the right to erasure and objection; and the ability to withdraw consent) are guaranteed; and whether the company has put in place sufficient protection against unauthorised data access.
It also said then that it would be seeking to ascertain whether Worldcoin had carried out a data protection impact assessment.
We’ve contacted the Bavarian authority about the status of its investigation and will update this report with any response.
Update: A spokesperson for the Bavarian authority told us: “Our investigation of individual legal and technical issues is progressing. As the lead authority, we have already analyzed an extensive number of documents and also carried out on-site checks that should allow us to present the procedure to our European colleagues very soon with a final evaluation. This will also include assessments on the topics that were referred to us by our Spanish colleagues.”
“So far, considering the preliminary findings of our investigations, our assessment of risks for data subjects’ rights, and as our investigation will be concluded soon, we did not see a sufficient justification for formal interim measures against the controller,” they added.
The fact Spain’s authority has felt the need to take unilateral action to protect local users suggests differences of opinion among DPAs about the best course of action to take. It may also be concerned about the length of time it’s taking the Bavarian authority to conclude its probe.
At the time of writing, Worldcoin’s website still lists 29 locations in Spain where people can undergo eyeball scanning with one of its proprietary orbs.
We contacted Tools for Humanity, the for-profit technology company that led the development of Worldcoin and which operates the World App, about the AEPD’s action — and to ask it to confirm whether or not it has stopped eyeball-scanning in Spain. It did not reply to that question but sent an emailed statement, attributed to Jannick Preiwisch, its Germany-based data protection officer (DPO), who said: “We are always willing to engage with regulators, examine their feedback and answer their questions.”
In the statement Preiwisch further claimed: “World ID was created to give people access, privacy and protection online”, dubbing it “the most privacy preserving and safest solution for asserting humanness in the age of AI”.
His statement makes a reference to the open investigation of Worldcoin by the Bavarian data protection authority, which he specifies is the lead DPA for the Worldcoin Foundation and Tools for Humanity under the GDPR’s OSS — saying it has been “engaged” with the Bavarian authority “for months”. But Preiwisch does not confirm whether or not the authority has concluded its investigation.
Instead, Worldcoin’s DPO goes on the attack — accusing the AEPD of “circumventing EU law with their actions today”; and claiming the Spanish authority is “spreading inaccurate and misleading claims” about its technology.
Here’s the rest of Preiwisch’s statement:
The Spanish data protection authority (AEPD) is circumventing EU law with their actions today, which are limited to Spain and not the broader EU, and spreading inaccurate and misleading claims about our technology globally. Our efforts to engage with the AEPD and provide them with an accurate view of Worldcoin and World ID have gone unanswered for months. We are grateful to now have the opportunity to help them better understand the important facts regarding this essential and lawful technology.
We’ve asked the AEPD if it wishes to respond to Worldcoin’s accusations. But on the claim the authority is “circumventing EU law”, Preiwisch may want to brush up on Article 66 of the GDPR — which allows supervisory authorities to “immediately adopt provisional measures” locally, for up to three months, where they see “an urgent need to act in order to protect the rights and freedoms of data subjects”.
In December it emerged Worldcoin had stopped scanning eyeballs in France, India and Brazil — although the company sought to spin the retreat as a temporary scaling back.
In another set-back last year, Kenya’s data protection authority issued a ban on Worldcoin’s local processing. The country’s government followed with a decree ordering it to suspend scans. That suspension order is still in place.
In total, Worldcoin.org’s website currently lists nine countries where its eyeball scanning is available: Germany, Spain and Portugal in Europe; Argentina and Chile in LatAm; Japan and Singapore in Asia; Mexico and the U.S.
Worldcoin’s official launch triggers swift privacy scrutiny in Europe