Spain’s data protection authority has ordered Worldcoin to temporarily stop collecting and processing personal data in the market. It must also stop processing any data it has previously collected there.
The controversial eyeball-scanning blockchain crypto project founded by Sam Altman went live on the market last July as part of a global launch.
The Spanish authority is using “urgent procedure” powers contained in the European Union’s General Data Protection Regulation (GDPR) for the temporary stop order — meaning the order can last a maximum of three months (so until mid-June).
“The Spanish Data Protection Agency (AEPD) has ordered a preventive measure against Tools for Humanity Corporation to stop the collection and processing of personal data it carries out in Spain in the context of the Worldcoin project and to proceed with the blocking of the data already collected,” it wrote in a press release [in Spanish; this is a machine translation].
GDPR regulates how EU people’s personal data is processed and requires entities that handle information such as people’s names, contact details, biometrics and other identifiers to have a valid legal basis for their activities. Violations of the regime can attract fines of up to 4% of global annual turnover. Data protection authorities can also demand that unlawful processing be stopped, including temporarily, if they are concerned that people’s rights are at serious risk, as is the case here.
The AEPD said it has received many complaints about Worldcoin since it began operating in the market last summer, including about the level of processing information Worldcoin provides; the collection of data from minors; and how consent may not be withdrawn.
“The processing of biometric data, considered in [GDPR] as having special protection, entails high risks for people’s rights, given their sensitive nature. Consequently, this precautionary measure is a decision based on exceptional circumstances, in which it is necessary and proportionate to take temporary measures aimed at immediately stopping this processing of personal data, preventing its possible transmission to third parties and ensuring the fundamental right to personal data protection,” it wrote.
Controversy has followed Worldcoin’s attempt to enroll people in a proprietary biometric system that its makers claim will allow them to use a unique identifier, also known as a World ID, to verify their humanness online. Crypto enters the mix as it provides branded tokens as quasi-payment for the iris scans that generate the unique identifier.
Privacy and data protection concerns are strong given the sensitive nature of the data being processed (scans of the eyeball); the purported purpose (creating a unique and irrevocable identifier); opacity around the entities responsible for processing people’s data (which include a mix of for-profits and foundations, including a self-declared “non-profit type” embedded in the Cayman Islands); and the use of blockchain and encryption, to name a few of the issues.
In December, AEPD confirmed to TechCrunch that it had received a complaint against Worldcoin – which it told us it was “looking into”. We reached out to the authority with questions today, but it appears it has received further complaints since then, leading to the decision to trigger Article 66 GDPR powers.
Worldcoin’s regional rollout — which took the form of a series of pop-up scanning sites in a handful of European markets, including several locations in Spain — quickly attracted scrutiny from European privacy regulators.
An investigation by France’s data protection authority was launched last year. But the presence of a Worldcoin subsidiary in Germany meant that the investigation passed to the Bavarian DPA, as regulators determined that the GDPR’s one-stop-shop (OSS) mechanism applied. (The AEPD press release also confirms: “The Tools for Humanity Corporation has its European headquarters in Germany.”)
In July, the Bavarian DPA told TechCrunch its investigation into Worldcoin aimed to “clarify questions about the transparency and security of data processing” — including whether or not data subjects are provided with sufficient information to clearly understand the processing of their data and the purposes of the processing; whether the rights of the data subjects (including the right to deletion and objection and the possibility to withdraw consent) are guaranteed; and whether the company has established sufficient protection against unauthorized access to data.
It also said it would seek to ascertain whether Worldcoin had carried out a data protection impact assessment.
We’ve reached out to the Bavarian authorities about the status of their investigation and will update this report with any response.
The fact that the Spanish authority felt the need to take unilateral action to protect local users suggests differences of opinion among DPAs about the best course of action. It may also be concerned about the length of time it is taking the Bavarian authorities to complete their investigation.
At the time of writing, Worldcoin’s website still lists 29 locations in Spain where people can undergo an eyeball scan with one of its proprietary orbs.
We contacted Tools for Humanity, the for-profit tech company that led the development of Worldcoin and runs the World app, about AEPD’s action — and asked it to confirm whether or not it has stopped eyeball scanning in Spain. It did not respond to that question, but sent a statement via email, attributed to Jannick Preiwisch, a data protection officer (DPO) based in Germany, who said: “We are always willing to work with regulators, consider their comments and answer their questions.”
In the statement Preiwisch further claimed, “World ID was created to give people access, privacy and protection on the Internet,” dubbing it “the most privacy-preserving and most secure solution for affirming humanity in the age of artificial intelligence.”
His statement references the open investigation into Worldcoin by the Bavarian data protection authority, which he clarifies is the lead DPA for the Worldcoin Foundation and Tools for Humanity under the GDPR’s OSS — saying it has been “involved” with the Bavarian authority “for months.” But Preiwisch would not confirm whether or not the authority has completed its investigation.
Instead, Worldcoin’s DPO goes on the offensive — accusing AEPD of “circumventing EU law with their actions today” and claiming that the Spanish authority is “spreading inaccurate and misleading claims” about its technology.
Here is the rest of Preiwisch’s statement:
The Spanish Data Protection Authority (AEPD) is circumventing EU law with its actions today, which are limited to Spain and not the wider EU, and is spreading inaccurate and misleading claims about our technology worldwide. Our efforts to engage with AEPD and provide them with an accurate picture of Worldcoin and World ID have gone unanswered for months. We are grateful that we now have the opportunity to help them better understand the important facts about this essential and legal technology.
We have asked AEPD if it wishes to respond to Worldcoin’s allegations. However, on the claim that the authority “overrides EU law”, Preiwisch may want to review Article 66 of the GDPR — which allows supervisory authorities to “immediately take provisional measures” at local level, for up to three months, where they see “an urgent need to act to protect the rights and freedoms of data subjects”.
In December it emerged that Worldcoin had stopped scanning eyes in France, India and Brazil – although the company tried to spin the retreat as a temporary reduction.
In another setback last year, Kenya’s data protection authority issued a ban on local processing by Worldcoin. The country’s government followed with a decree ordering it to suspend the scans. This suspension order is still in effect.
In total, the Worldcoin.org website currently lists nine countries where eyeball scanning is available: Germany, Spain and Portugal in Europe; Argentina and Chile in LatAm; Japan and Singapore in Asia; and Mexico and the USA.