The next few weeks could be decisive for Worldcoin, the controversial eyeball-scanning crypto venture co-founded by OpenAI’s Sam Altman, whose operations remain almost entirely shuttered in the European Union after a series of privacy complaints — including in France, Germany, Portugal and Spain.
The only EU market where Worldcoin is still scanning eyeballs, according to the Worldcoin.org website, is Germany, where its developer, Tools for Humanity (TfH), has a local office. But that could change soon, depending on the outcome of an investigation launched by the Bavarian data protection authority.
The authority told TechCrunch it expects to reach a decision on the investigation soon — a spokesperson suggested it would be ready to release its findings in mid-July. The watchdog began reviewing Worldcoin last year following its global launch in July 2023.
“Considering further steps to align with other A.E [supervisory authorities] I am currently expecting results that we can use publicly in mid-July 2024,” he told us.
In the EU, complaints have been made that Worldcoin is in breach of the bloc’s General Data Protection Regulation (GDPR), which sets out rules for how personal data is processed. The regime gives supervisory authorities, also known as data protection authorities (DPAs), powers to issue fines of up to 4% of global annual turnover for confirmed breaches. They can also order non-compliant processing to stop.
This is important because in the case of a cryptobiometrics project like Worldcoin – which turns a person’s eyeball scan into an immutable identity token stored on a decentralized blockchain – it could mean setting conditions that effectively bar it from the EU for good, unless Worldcoin is able to revise its system to allow deletion of personal data upon request. But, uh, blockchains don’t usually work like that.
Other GDPR concerns linked to Worldcoin include the legal basis it claims for processing people’s sensitive biometric data for the purpose of identification, and whether it meets the transparency and fairness requirements of the regulation.
A key criticism of its approach is that it incentivizes people to hand over their sensitive biometric data in exchange for the eponymous cryptocurrency built on the “humanity” identity system it has devised — while GDPR requires consent to data processing to be freely given.
Fears that Worldcoin poses risks to children have also led some EU regulators to impose temporary bans on its operations in their own markets this year, following allegations that Worldcoin operators had scanned the eyes of minors.
In March, Spain’s DPA took one such emergency action – ordering Worldcoin to stop collecting and processing local data for up to three months. It said it was acting on a number of privacy complaints, including risks to children’s information. The move quickly followed a similar order from Portugal’s DPA, which was also acting on allegations that Worldcoin had scanned the eyes of minors.
Despite these emergency interventions, German privacy regulators have allowed Worldcoin to continue scanning in the market while the Bavarian DPA investigates. That said, the image below of a Worldcoin scan site in Berlin — embedded in a post on X — is notable for including a prominent poster in the window displaying an 18+ age limit for submitting irises to the orb.
On Tuesday the Spanish DPA announced that Worldcoin has agreed not to resume operations in the market once the three-month ban order expires, which it will soon. In a press release, it said that the developer of Worldcoin has committed – in what it described as a “legally binding way” – not to continue its activity in Spain until the Bavarian authority passes a final resolution on the investigation (or otherwise not before the end of the year).
TfH had initially sought to challenge Spain’s temporary ban in court, including seeking injunctive relief (which was not granted). It is not clear why the company agreed to wait for the outcome of the Bavarian investigation, but it may have decided this is the best course of action to reduce its regulatory risk. It may also feel confident that it won’t have to wait long for a decision.
The Spanish authority’s press release contains another interesting tidbit — suggesting that, following its emergency order, TfH announced changes to the operation of Worldcoin, which it said included the introduction of checks to verify the age of users and “the ability to eliminate the iris code.”
TfH has been contacted with questions about its agreement with the Spanish DPA and the changes it has committed to. A company representative, Rebecca Hahn, pointed us to a statement on the Worldcoin website — in which the company writes that “it has committed not to carry out sphere operations in Spain until the end of the calendar year 2024 or, if earlier, until the BayLDA [Bavarian DPA] the consultation process with other EU data protection authorities has been completed.”
Worldcoin’s statement also points to what it refers to as “a series of privacy and security measures,” which it said TfH has implemented in recent months to address the concerns of DPAs. It said this includes “advanced checks for age verification, the deletion of old iris codes, turning them into SMPC [Secure Multi-Party Computation] shares, optional removal of World ID verification (including the ability to delete iris codes) and more”.
It is unclear whether converting iris codes to SMPC shares would constitute data deletion under the GDPR.
In its statement, Spain’s DPA said it expected the investigation by the Bavarian data protection authority to conclude “soon” — adding that it expected the final decision to reflect the positions of all the European supervisory authorities involved.
In case there are disagreements between DPAs about what to do about Worldcoin, it is worth noting that the GDPR contains a mechanism for handling cross-border complaints that allows the authorities concerned to raise objections. If a majority still cannot be found, the European Data Protection Board may be asked to step in and make the final call.
This report has been updated to include Worldcoin’s statement.