The coming weeks could be pivotal for WorldCoin, the controversial eye-scanning crypto venture co-founded by OpenAI's Sam Altman, whose operations remain almost entirely shuttered following a series of privacy violation complaints in the European Union, including in France, Germany, Portugal and Spain.
According to the Worldcoin.org website, the only EU market where Worldcoin is still under investigation is Germany, where developer Tools for Humanity (TfH) has a local office, but that could soon change depending on the outcome of an investigation launched by the Bavarian data protection authority.
The agency told TechCrunch that it expects a decision on the investigation to be made soon, with a spokesperson suggesting it will be ready to announce its conclusions in mid-July. The agency began its investigation last year, following WorldCoin's global launch in July 2023.
“Considering further steps to liaise with other S.A. [supervisory authorities], at present, we expect to have results available for public release in mid-July 2024,” he said.
There have been complaints in the EU that WorldCoin is violating the EU's General Data Protection Regulation (GDPR), which governs how personal data should be processed. The regulation gives supervisory authorities, or Data Protection Authorities (DPAs), the power to impose fines of up to 4% of annual global turnover in the event of confirmed violations, as well as to order the cessation of non-compliant processing.
This matters because, for a crypto-biometrics project like Worldcoin, which turns a person's eye scans into immutable identity tokens stored on a decentralized blockchain, such an order could set conditions that essentially lock it out of the EU forever, unless Worldcoin changes its system so that personal data can be deleted upon request. But blockchains don't usually work that way.
Other GDPR concerns regarding WorldCoin include its legal basis for processing people's sensitive biometric data for identification purposes and whether it meets the regulation's transparency and fairness requirements.
The main criticism of this approach is that it encourages people to hand over sensitive biometric data in exchange for a cryptocurrency of the same name, which is embedded in the proof of “humanity” identity system the company has devised. Meanwhile, GDPR requires that consent to data processing be freely given.
Concerns that WorldCoin posed a danger to children led some EU regulators to temporarily ban it from operating in their markets this year after complaints that the company's operators were scanning the eyeballs of minors.
In March, Spain's Data Protection Authority (DPA) took emergency measures ordering WorldCoin to stop collecting and processing data of local residents for up to three months. The authority said it was responding to a number of privacy complaints involving risks to children's information. Shortly after the action, Portugal's DPA issued a similar order in response to complaints that WorldCoin was scanning the eyes of minors.
Despite this emergency intervention, Germany’s privacy regulator allowed WorldCoin to continue scanning eyeballs in its market while the Bavarian DPA investigates. However, the image below of WorldCoin’s scanning location in Berlin, embedded in a post on X, is notable for including a prominent poster in the window stating that the age limit for submitting irises to the orb is 18+.
Sam Altman's @World Coin You are opening a shop on the street in Berlin. You have to download the app, enter the shop, scan your iris and get your ID and a crypto token. Is this legal in Germany, a country of data protection and informational self-determination? pic.twitter.com/U1CNGYiapm
— Francesca Bria (@francesca_bria) May 31, 2024
The Spanish DPA announced on Tuesday that WorldCoin has agreed not to resume operations in the market once the three-month ban, which is due to expire soon, ends. In a press release, the company said that the developer of WorldCoin has committed in a “legally binding manner” not to resume its activities in Spain until the Bavarian authorities have made a final decision on their investigation (or until the end of the year).
TfH initially tried to challenge Spain's temporary ban in court, including by seeking an injunction (which it failed to win). It's not clear why the company agreed to wait for the results of the Bavarian investigation, but it may have decided this was the best way to mitigate regulatory risks, or it may be confident that waiting for a decision won't take too long.
The Spanish authorities' press release contains another interesting tidbit: following the emergency decree, TfH announced that it would make changes to WorldCoin's operations, including the introduction of controls to verify users' ages and “possible abolishment of the iris code.”
When asked about its agreement with Spain's DPA and the changes it has committed to making, TfH spokesperson Rebecca Hahn pointed to a statement on WorldCoin's website, in which the company wrote that it has “committed not to operating Orb in Spain until the end of 2024, or, if earlier, until approval by BayLDA [Bavarian DPA].” The consultation process with other EU data protection authorities has been completed.
WorldCoin's statement also references what TfH calls a “series of privacy and security measures” that it says have been implemented in recent months to address the DPA's concerns, including “advanced controls for age verification, the conversion of outdated iris codes to SMPC [Secure Multi-Party Computation] codes and the removal of such codes.” Sharing, optional World ID Unverified (including ability to remove iris code), and more.
It is not clear whether converting iris codes into SMPC shares constitutes data deletion under the GDPR.
The Spanish DPA said in a statement that it expected the Bavarian data protection authority's investigation to be concluded “soon”, adding that it expected the final decision would reflect the position of all European supervisory authorities involved.
It is important to note that if a dispute arises between the DPAs over how WorldCoin should be treated, the GDPR has mechanisms for handling cross-border complaints under which the relevant authorities can raise challenges. If a solution still cannot be found by majority vote, the European Data Protection Board may be asked to step in and make a final decision.
This report has been updated to include a statement from WorldCoin.