It took far longer than originally planned weeks to arrive, but a critical privacy decision that has been hanging over Sam Altman’s World (aka Worldcoin) for months has finally landed, via a late December decision by the Bavarian data protection authority enforcing the block General Data Protection Regulation (GDPR), a comprehensive personal data protection framework that allows for penalties that can reach up to 4% of global annual turnover.
The result is not what the crypto identity scanning business had hoped for: A remedial order has been issued requiring it to completely delete user data upon request.
“All users who have provided ‘Worldcoin’ with their iris data will in the future have an unlimited opportunity to enforce their right to erasure,” said the Bavarian Data Protection Supervisory Office, Michael Will, in press release.
The biometric venture has been given a month from the date the Bavarian authority decided to implement a “GDPR-compliant” erasure process — so mark your calendars for early 2025.
A further element of the Bavarian order requires Worldcoin to obtain express consent for what the press release (vaguely) describes as “certain processing steps in the future”.
We asked for more details, but this suggests that the world’s onboarding process should provide EU users with more information before taking eyeball scans. It has also been ordered to delete “certain data files previously collected without sufficient legal basis,” according to the statement.
In addition to our questions about the substance of what has been ordered, we asked the Bavarian authority why it has not been sanctioned for what appears to be a number of breaches of the GDPR.
World responded to the corrective order by saying it would appeal.
Modernize: The Bavarian authority told us its enforcement timetables have been suspended pending World’s appeal.
The DPA also confirmed that the erasure order concerns “biometric templates” linked to iris scans that are stored by World in a “regular database” and can therefore be erased.
“As we consider the entire dataset not (yet) anonymous, it is now up to the world/coin to prove [how] they change their processing structure to accommodate the deletion requirement — if necessary, even deleting many or all segments,” Will told us.
On the legal basis, he added: “In our analysis there is no other possible legal basis [than] express consent for the specific service/processing activities.”
Difficult question
Why the requirement to allow users to request the erasure of their data, a right built into the European regulation as part of the GDPR’s suite of rights to access individuals’ data, seems so difficult for people[coin]? The problem with the proof-of-humanity blockchain project is that it creates a system of immutable and unique identifiers for remote identity verification. So if a person can edit all traces of themselves from their ledger just by asking, it’s a challenge to their ambition to become a global authority on human verification.
Tools for Humanity (TfH) spokeswoman Rebecca Hahn – who does comms for the entity developing Worldcoin – said her grounds of appeal would focus on claims that Worldcoin’s technical architecture “preserves privacy” and that data of users are rendered anonymous.
This means that GDPR data access rights (such as the ability to request erasure) should not apply, as truly anonymized data is outside the scope of the law.
In response to why World is so reluctant to allow users to delete data, Damien Kieran, TfH’s chief data protection officer, told TechCrunch: “Our aim is to increase trust in digital interactions. To do this, we created the world’s first anonymous digital passport to prove humanity. This means that a person can anonymously verify that they are a real person on a platform like X [which happens to be Kieran’s former employer]solving problems like bots once and for all.
“The key to this is to ensure that if an anonymous person abuses a platform’s policies and the platform suspends them, that person cannot delete their World ID, create a new one and return to X presenting themselves as new man. So to achieve our goals of increasing trust in the Internet in the age of intelligence, we needed to ensure that we did so in a way that anonymized the underlying data, meaning it could not be deleted and could not be misused by bad actors of the world network and other platforms”.
Kieran added that World ID holders “can always delete their personal data, which resides solely on their phone.”
However, basic account data is not where this GDPR battle is focused. It refers to information that can be used to uniquely identify an individual.
Earlier this year World introduced a secure open source Multi-Party Computing system which he argued “allows iris codes to be encrypted as secret commons and distributed to multiple participants” — without requiring the codes to be decrypted in order to perform authentication.
The proposal is that this technical architecture transforms iris codes through post-processing, including encryption and sharing, in a way that limits individual privacy risks.
As part of these changes, Worldcoin also introduced a feature allowing users to request deletion of their iris codes. However, the level of control it gives users has – apparently – been judged to fall short of GDPR’s standard of requiring individuals to be in control of their information.
And it’s important to stress that GDPR doesn’t just set rules to protect people’s privacy. The framework also aims to ensure that individuals can have autonomy over the information held about them. It is this last element that poses the greatest challenges to the mission of proving the humanity of the Universe, as it does nothing to support this level of individual autonomy.
Fundamental rights
The Bavarian DPA said Worldcoin’s biometric-based individual verification process entails “a number of fundamental data protection risks for at least a large number of data subjects”. And while the authority’s statement refers to “improvements” made to the company’s data processing, it stresses that “adjustments are still required.”
The authority added that its long-term investigation had focused on the need for “total deletion after consent has been withdrawn” and “the relevant review of the consent process”.
“With today’s decision, we are enforcing European fundamental rights standards in favor of data subjects in a technologically demanding and legally highly complex case,” Will said.
The world’s appeal against the Bavarian corrective order does not address the core issue of data access.
Rather, it seeks to frame the issue as a technical question of how European law should define anonymous data. Hence blog post about the corrective order starts with the line that “World ID is anonymous by design”. But trying to build momentum for a lobby that Europeans deserve fewer individual rights is unlikely to be regionally popular.
Worldcoin has already seen its wings clipped in the region. Enforcement actions by other data protection authorities — including Portugal and Spain — led it to take emergency action that shut down its eyeball scanning features in their markets. The two DPAs expressed particular concerns about the risks of permanently recording children’s data.
At the same time, Worldcoin — or World as it was recently renamed — opened its operations in Austria.
