It took weeks longer than originally planned, but a pivotal privacy decision that has been hanging over Sam Altman's World (also known as WorldCoin) for months has finally arrived. The decision was handed down in late December by the Bavarian data protection authority, which enforces the General Data Protection Regulation (GDPR), a comprehensive privacy framework that allows sanctions of up to 4% of global annual revenue.
The outcome does not appear to be what the eyeball-scanning crypto identity venture was hoping for: a corrective order has been issued requiring comprehensive deletion of user data upon request.
“All users who have provided their iris data to WorldCoin will have an unlimited opportunity to exercise their right to erasure in the future,” Michael Will, the Bavarian State Data Protection Supervisor, said in a press statement.
The biometric venture has been given one month from the date of the Bavarian authority's decision to implement deletion procedures “in accordance with the provisions of the GDPR.” So mark your calendars for the beginning of 2025.
A further element of the Bavarian order requires WorldCoin to obtain explicit consent for what is (vaguely) described in a press statement as “certain future processing steps.”
We have asked for further details, but this suggests that World's onboarding process will need to give EU users more information before an eye scan is conducted. The statement also said the company was ordered to delete “certain data records that were previously collected without a sufficient legal basis.”
In addition to questions about the content of the order, we have asked the Bavarian authority why no fines have been imposed for the suspected GDPR violations, and will update this report if we receive a response.
World has announced that it will appeal this remedial order.
Difficult questions
Why does the requirement that users be able to request deletion of their data, a right built into European regulation as part of the GDPR's suite of personal data access rights, seem so elusive for World[coin]? The challenge for proof-of-humanity blockchain projects is that they set out to create a system of immutable, unique IDs for remotely verifying identity. If a person could erase every trace of themselves from the ledger simply by asking, that would undermine the ambition of becoming a global authority on verifying humans.
Rebecca Hearn, a spokesperson for Tools for Humanity (TfH), the organization behind WorldCoin, said the appeal would focus on the claim that World's technical architecture is “privacy-protective”, meaning that user data is anonymous.
The significance of this is that GDPR data access rights (such as the ability to request deletion) would not apply to truly anonymous data, since it falls outside the scope of the law.
Damian Kieran, TfH's chief privacy officer, explained to TechCrunch why World is so reluctant to let users delete their data: “We created the world's first anonymous digital passport that proves your humanity. This means that platforms like X [which happens to be Kieran’s former employer] can let you anonymously verify that you are a real person, which completely solves the problem of bots, etc.”
“The key is that if an anonymous person abuses a platform's policies and a platform such as X suspends that person, that person could simply delete their World ID and create a new one. Therefore, to achieve the goal of increasing online trust in the age of intelligence, the underlying data must be anonymized, that is, handled in a way that cannot be deleted. We needed to make sure that bad actors couldn't exploit our network and other platforms.”
Kieran added that World ID holders can “at any time delete personal data that only resides on their phone.”
However, basic account data is not the focus of this GDPR battle; the dispute concerns information that can be used to uniquely identify an individual.
Earlier this year, World introduced an open-source secure multi-party computation (SMPC) system that it claimed would allow “iris codes to be encrypted as shared secrets and distributed to multiple participants”, without the code ever needing to be decrypted in order to verify identity.
This technical architecture proposes to transform the iris code through subsequent processing such as encryption and sharding in a way that limits the privacy risks to individuals.
As part of these changes, WorldCoin also introduced the ability for users to request iris code removal. However, the level of control it gives users has been assessed as not meeting the standards of the GDPR, which requires individuals to have control over their information.
And it's important to emphasize that the GDPR doesn't just set rules to protect people's privacy. The framework also aims to ensure that individuals have autonomy over the information held about them. It is this latter element that poses the greatest challenge to World's proof-of-humanity mission, because its design does not allow for that level of personal autonomy.
Fundamental rights
The Bavarian DPA said that WorldCoin's biometric-based personal identification procedure entails “a number of fundamental data protection risks, at least for a large number of data subjects.” And while the agency's statement cited “improvements” in the venture's data processing, it stressed that “adjustments still need to be made.”
The agency added that a lengthy investigation ultimately focused on the need for “comprehensive erasure following withdrawal of consent” and a “related review of consent processes”.
“Today's decision will implement European fundamental rights standards in favor of data subjects in technically demanding and legally very complex cases,” Will said.
World's appeal against Bavaria's rectification order does not address the central data access issue head-on.
Rather, it seeks to frame the issue as a technical question of how European law should define anonymous data. Therefore, the company's blog post about the remediation order begins with the line, “World ID is anonymous by design.” But attempts to build up lobbying momentum to argue that Europeans should have fewer individual rights are unlikely to be popular regionally.
WorldCoin has already had its wings clipped in the region: enforcement actions by other data protection authorities, including those of Portugal and Spain, imposed emergency measures requiring the company to halt its eye-scanning operations in their markets. Both DPAs expressed particular concern about the risk of children's data being irrevocably collected.
At the same time, WorldCoin (recently rebranded as World) began operations in Austria.