Spain's data protection authority has ordered WorldCoin to temporarily stop collecting and processing personal data from its marketplace. You must also stop processing any data you previously collected there.
The controversial eye-scanning blockchain crypto project founded by Sam Altman began operating on the market in July last year as part of its global expansion.
Spanish authorities are using the “emergency procedure” powers contained in the European Union's General Data Protection Regulation (GDPR) to temporarily suspend data processing. This means the order could last up to three months (i.e. until mid-June).
“The Spanish Data Protection Agency (AEPD) has ordered the Tools for Humanity Corporation to take precautionary measures to stop the collection and processing of personal data carried out in Spain within the framework of the Worldcoin project and to proceed with the blocks already in place. “The data was collected,” the DPA said in a press statement. [in Spanish; this is a machine translation].
The GDPR regulates how personal data of EU citizens is processed and requires entities that handle information such as a person's name, contact details, biometrics and other identifiers to have a valid legal basis for their operations. request. Violations of this regime can result in fines of up to 4% of global annual turnover. Data protection authorities can also request a temporary suspension of unlawful processing if they are concerned that people's rights are at serious risk, as is the case here.
AEPD said it has received several complaints about World Coin since it began operating on the market last summer. Collection of Data from Minors. And how is consent not allowed to be withdrawn?
“The processing of biometric data is [GDPR] As something with special protection, it carries a high risk to people's rights, given the sensitive nature of people. This precautionary measure is therefore a decision based on exceptional circumstances and to immediately stop the processing of your personal data, to prevent any possible transfer to third parties and to protect your fundamental rights to your personal data. It is necessary and appropriate to adopt interim measures aimed at: Data Protection.”
WorldCoin's efforts to sign people up for its proprietary biometric authentication system have been dogged by controversy. The manufacturer claims that the system will allow users to use a unique identifier, also known as a World ID, to verify their humanity online. Crypto joins the mix as it provides named tokens as quasi-payments for iris scans that generate unique identifiers.
Given the sensitivity of the data being processed (eye scans), privacy and data protection concerns are prevalent. Intended purpose (creating a unique and irrevocable identifier); Entities responsible for processing people's data (for-profit organizations and foundations, including self-declared “not-for-profit organizations” incorporated in the Cayman Islands); including organizations with a mixture of organizations). The use of blockchain and cryptocurrencies, to name a few concerns.
Back in December, AEPD confirmed to TechCrunch that it had received a complaint against Worldcoin – which AEPD told us at the time was “under analysis.” We posed questions to the authorities today and it appears that further complaints have since been received, leading to the decision to invoke the powers of Article 66 of the GDPR.
Worldcoin's regional rollout, which took the form of numerous pop-up scanning locations in several European markets, including several locations in Spain, quickly attracted intense scrutiny from European privacy regulators.
French data protection authorities launched an investigation last year. However, the presence of WorldCoin's German subsidiary meant that the investigation was passed to the Bavaria DPA as the regulator determined that the GDPR's One Stop Shop (OSS) mechanism applied. (The AEPD press release also confirms that “Tools for Humanity Corporation has a European presence in Germany.”)
In July, Bavaria's DPA told TechCrunch that the purpose of the WorldCoin investigation was to “clarify questions regarding the transparency and security of data processing” and to ensure that data subjects have a clear understanding of the processing of their data. The purpose of the processing, including whether you have provided sufficient information to. whether data subject rights (including the right to erasure and object, and the ability to withdraw consent) are guaranteed; Whether the company has adequate protection in place against unauthorized data access.
It also said it was seeking to establish whether WorldCoin had conducted a data protection impact assessment.
We have contacted the Bavarian authorities regarding the status of the investigation and will update this report if we receive a response.
The fact that Spanish authorities feel the need to take unilateral action to protect local users suggests that there is disagreement among DPAs about the best course of action to take. He may also be concerned about how long it will take Bavarian authorities to complete their investigation.
As of this writing, Worldcoin's website still lists 29 locations in Spain where you can undergo an eye scan on one of its unique spheres.
Tools for Humanity, the for-profit technology company that led the development of Worldcoin and operates the World App, was contacted about AEPD's actions and asked to confirm whether it had stopped eye scans in Spain. The company did not respond to our questions, but emailed a statement purported to be Yannick Preiwisch, the German-based company's data protection officer (DPO), saying: . ”
In his statement, Preivish further asserted that “World ID was created to give people access, privacy, and protection online,” calling it “a way to assert humanity in the age of AI.” “The most private and secure solution.”
His statement referred to a public investigation into WorldCoin by the Bavarian data protection authority, which he designated as lead DPA for the WorldCoin Foundation and Tools for Humanity under the OSS of the GDPR. , said it was “engaging” with Bavarian authorities. However, Preivish's statement does not confirm whether authorities have concluded their investigation.
Instead, World Coin's DPO went on the offensive, accusing AEPD of “circumventing EU law with today's actions.” It claimed that Spanish authorities were “spreading inaccurate and misleading claims” about the technology.
The rest of Mr. Preivish's statement follows:
Spain's Data Protection Authority (AEPD) is circumventing EU law with today's action, which is limited to Spain rather than the wider EU, and is making inaccurate and misleading claims about our technology globally. It is spread inside. Our efforts to work with AEPD and provide accurate information about Worldcoin and World ID have gone unanswered for months. We are grateful for the opportunity to help them better understand important facts about this essential and legal technology.
We asked AEPD if it would like to respond to World Coin's accusations. But Preivish may want to brush up on Article 66 of the GDPR, based on claims that authorities are “circumventing EU law”. Under the same article, supervisors are allowed to “immediately introduce temporary measures” for up to three months locally if they determine that EU law is being “circumvented.” There is an urgent need to act to protect the rights and freedoms of data subjects. ”
In December, it was revealed that WorldCoin had discontinued eye exams in France, India and Brazil, but the company sought to exit as a temporary downsizing.
Last year, in a further setback, Kenya's data protection authority issued a ban on local processing of WorldCoin. The country's government followed this up with a decree ordering a temporary suspension of scanning. That cease and desist order still stands.
The Worldcoin.org website currently lists nine countries where eye scans are available. In Europe, these are Germany, Spain, and Portugal. Argentina and Chile in Latin America. In Asia, Japan and Singapore.mexico and usa
The Worldcoin.org website still lists 29 eye scan locations in Spain (Screenshot: Natasha Lomas/TechCrunch)