Controversial biometric cryptocurrency venture Worldcoin has almost entirely exited Europe after another temporary ban — this time in Portugal. The order from the country’s data protection authority comes hard on the heels of the same type of three-month stop-processing order from Spain’s DPA earlier this month.
Portugal was one of two remaining European countries where Worldcoin still operated its proprietary eyeball scanning orbs after Spain’s ban. This leaves Germany as the only market where it is currently able to collect biometrics in Europe, as privacy watchdogs take urgent action to respond to local concerns.
Portugal’s data protection authority announced it had issued the three-month ban on Worldcoin’s local operations on Tuesday after complaints Worldcoin received that it had scanned the eyes of children.
Other complaints referred to in it Press release The suspension notice, which it notes was issued on Monday, also reflects concerns from Spain’s DPA — including insufficient information given to users about the processing of their sensitive biometric data. and the inability of users to delete their data or withdraw their consent to Worldcoin’s processing.
The business’ use of blockchain technology to store vouchers derived from scanned biometrics means the system is designed to hold personal data permanently — without people having to resort to deleting their information afterwards.
Instead, EU data protection law gives people in the region a range of rights over their personal data, including the ability to correct, amend or delete data about them. So there’s an inherent legal conflict with Worldcoin’s approach — even before you consider other problematic issues, like the quasi-financial incentive it offers to encourage people to get scanned. the highly sensitive biometric data involved; and its primary goal to build and operate a level of identity for “mankind”.
The controversial project is backed by Sam Altman of OpenAI fame, who is simultaneously accelerating the explosion of artificial intelligence generation tools that make it harder for people to distinguish between artificial (machine-generated) and human activity on the internet. Next stop: Renting a collection to every internet person on Earth?
The Portuguese authority, the CNPD, said it took action after receiving “dozens” of complaints about Worldcoin last month.
More than 300,000 people in Portugal are estimated to have had their iris scanned by its proprietary Orbs in exchange for some Worldcoin, a cryptocurrency also coined by the company, noting that the number of locations where it offered bulb scanning nearly doubled in six months. He added that the large influx of people trying to accept the offer of cryptocurrency in exchange for an eye scan led Worldcoin to launch a pre-booking system for scanning in the market.
Regarding the risks to children’s data, the CNPD notes that Worldcoin’s sphere operators did not have age verification – suggesting that it was not taking strict measures to prevent children from accessing the technology.
“Biometric data is classified as special data under the GDPR [General Data Protection Regulation] and therefore enjoys increased protection, the risks of dealing with it being high,” he wrote [in Portuguese, this is a machine translation]. “On the other hand, minors are particularly vulnerable and are also subject to special protection under national and European legislation, as they may be less aware of the risks and consequences of processing their personal data, as well as their rights.”
The Portuguese authority gave Worldcoin 24 hours to comply with the local stop-processing order.
Since the Worldcoin.org website no longer includes Portugal in the decreasing list of countries where bulb scans can be booked (as noted above Germany is the only European country left, along with Argentina, Chile, Japan, Singapore and the USA) appears to have met the deadline.
Coincidentally or not, Germany is the EU market where Worldcoin developer Tools for Humanity has a regional base. Its co-founder, Alex Blania, is also German. The Bavarian data protection authority, which leads the company’s data protection oversight and has been investigating Worldcoin since last year, has yet to take any public intervention, despite urgent interventions by peer authorities in southern Europe to protect citizens in their own markets. .
Worldcoin failed to obtain an injunction against the Spanish order earlier this month, although its appeal against the DPA’s action continues. It is unclear whether he plans to appeal Portugal’s order.
Tools for Humanity has been contacted for a response to the latest EU ban order. The spokeswoman, Rebecca Hahn, has now sent a statement (below) attributed to Jannick Preiwisch, data protection officer, at the Worldcoin Foundation, in which she claims that she is “in full compliance with all laws and regulations governing the collection and transfer of biometric data. including Europe’s General Data Protection Regulation”.
“The Worldcoin Foundation has the utmost respect for the role and responsibilities of data protection authorities, the CNPD in Portugal,” he adds. “Since we have been offering humanity verification services in Portugal, we have been completely transparent and willing to address the CNPD’s questions or concerns. The report from the CNPD is the first time we have heard from them on many of these issues, including reports of underage registrations in Portugal, which we have zero tolerance for and work to address in all cases, even if for some references”.
We also reached out to the Bavarian DPA for an update on its investigation. A spokesperson for the authority told us the investigation remains ongoing. “Based on our role as the primary supervisory authority for the World Coin Foundation, we are in contact with the controller to take reliable preventive measures as quickly as possible to stop potential abuse of the services and violations of the terms of service,” they added. , saying that it is currently examining more than 20 complaints from data subjects in Spain regarding the issue of minors’ data processing.
As Tools for Humanity’s lead DPA, under the bloc’s one-stop-shop (OSS) mechanism in the General Data Protection Regulation (GDPR), she is responsible for investigating privacy and data protection complaints about the company.
This structure means that the Bavarian DPA will prepare a draft decision on its Worldcoin GDPR investigation for peer review. Other authorities will then have the opportunity to object if they do not agree with its findings. The regulation requires majority support for decisions in cross-border cases, which allows weaker enforcement to be overturned where there is consensus that tougher measures are needed. This in turn allows the forum shopping risks inherent in GDPR’s OSS mechanism to be mitigated, albeit over a longer period of time.
The Article 66 powers of the GDPR, which both Spain and Portugal are using to issue the temporary, local bans on Worldcoin, also give authorities tools to deal with urgent risks in cases where a lead authority has not yet acted and/or drags her feet.
Although neither has expressly invoked the Bavarian authority that it was too late. But the fact that they make emergency interventions says a lot.
“Given the current conditions, in which there is illegality in the processing of biometric data of minors, related to possible violations of other GDPR standards, the CNPD understands that the risk to the fundamental rights of citizens is high, justifying urgent intervention to prevent serious or irreparable harm,” the Portuguese authority noted, saying it would continue to investigate Worldcoin’s local activity.
In a statement, CNPD President Paula Meira Lourenço added: “This order to temporarily limit the collection of biometric data by the Worldcoin Foundation is, at this time, a necessary and justified measure to achieve the useful result of defending public interest. in safeguarding the fundamental rights, especially of minors”.
This report has been updated with comments from Worldcoin and the Bavarian DPA.
