A German subsidiary involved in Sam Altman’s controversial blockchain digital identity venture Worldcoin was reported on Friday to have filed a legal challenge against a suspension order from Spain’s data protection authority. He also told us that he has stopped services in the market.
Earlier this week it emerged that the Spanish authority, AEPD, had ordered Worldcoin to temporarily stop scanning people’s eyeballs or further processing data already collected from people on the market.
As we reported on Wednesday, the AEPD announced an “urgent procedure” under Article 66 against Worldcoin under the European Union’s General Data Protection Regulation (GDPR), saying it was acting after receiving a number of complaints. Issues of concern he cited include the level of information Worldcoin provides about processing. the collection of data from minors; and how consent may not be withdrawn. He also highlighted the sensitive nature of the biometric data involved, which he said posed “high risks to people’s rights”.
While Worldcoin’s operating company, Tools for Humanity, is considered “principally established” in Germany, which allows it to benefit from streamlined regulatory oversight through the GDPR’s one-stop-shop mechanism — with the Bavarian data protection authority (BayLDA) to act as the lead authority for monitoring and investigating complaints — the regulation contains powers to allow any other DPA to issue interim orders, lasting up to three months, if it believes there is an “urgent need” to act to protect the rights of locals.
Such orders only apply to the authority’s own market and not across the EU. Therefore, AEPD’s temporary ban on Worldcoin only applies in Spain.
Despite the GDPR providing for urgent interventions by non-lead DPAs, Worldcoin challenges the AEPD mandate.
The development was first reported in the German press. A Worldcoin spokeswoman, Rebecca Hahn, emailed a link to the report published by Schwäbisch, saying he wanted to bring it to TechCrunch’s attention. It also sent a statement (below), attributed to Worldcoin, in which Tools for Humanity claims its eyeball scanning business is “fully compliant” with all EU laws on biometrics, data transfer, data processing and data protection. The statement also accuses the AEPD of circumventing “accepted EU procedure and rules” — which it claims left it with “little recourse” short of filing a lawsuit.
Here is Worldcoin’s full statement:
Worldcoin fully complies with all laws and regulations governing biometric data collection and data transfer, including the European General Data Protection Regulation (“GDPR”). Therefore, we have been in consistent and ongoing dialogue with the main EU Data Protection Authority, BayLDA, for months. We are disappointed that the Spanish regulator has bypassed accepted EU procedure and rules, which leaves us with little option other than to file a lawsuit.
Hahn did not respond to questions seeking more details about the legal arguments Tools for Humanity plans to make against the AEPD order. Nor to confirm whether Worldcoin and its operators in Spain have complied with the local order to stop scanning and processing people’s data from the market.
Modernize: Worldcoin told us that it has “ceased” operations in Spain. He has also issued a suspension confirming that a lawsuit has been filed against the AEPD order.
AEPD was contacted for comment about the Worldcoin challenge — but had not responded at press time.
According to Schwäbisch’s report, Worldcoin was “largely developed” in Erlangen in Bavaria, Germany. It names German computer scientist Alex Blania (pictured above) as a co-founder of Tools for Humanity, along with OpenAI’s Altman. Blania’s LinkedIn profile lists him as based in San Francisco.
At the time of writing, the Worldcoin.org website it still lists five “pop-up” locations in Spain (three in Barcelona, one in Madrid and one in Malaga) where it says people can go and get their eyes scanned by one of Worldcoin’s proprietary spheres. But on Wednesday, Worldcoin’s website listed 29 locations around the country where people could go and collect their biometrics in exchange for some crypto tokens. Which suggests that it may be in the process of discontinuing its scanning functions in the market.
Modernize: Shortly after we wondered why Worldcoin’s website still listed five pop-up locations in Spain today, the remaining five listings disappeared after the website was updated to remove “Spain” from the list of countries where eyeball scanning is available. Below is an image showing a StreetView of the address of one of the pop-ups that was still being advertised for booking to watch an eyeball scan on the Worldcoin website until a few hours ago.
Google StreetView shows the address of one of the Worldcoin bulb scanning ‘pop-ups’ that were still up in Barcelona earlier today (Screenshot: Natasha Lomas/TechCrunch)
One of the controversies surrounding the business is the acquisition of people’s sensitive biometrics in exchange for some form of payment. Worldcoin claims that users consent to the processing of their data for its purpose. However, in the EU, the GDPR requires consent to be freely given — and a financial incentive creates an obvious incentive that may mean people cannot freely consent as the law understands it.
Other GDPR concerns regarding Worldcoin include transparency and fairness of processing. issues related to the rights of data subjects, such as the right to erasure of personal data; risks to minors; and questions about data transfers and security.
BayLDA’s investigation into whether Worldcoin is GDPR compliant, which began last year, remains ongoing. However, yesterday the authority told us it expects to send a draft decision with its findings to the other European data protection authorities for review “very soon”.
Under the GDPR, other authorities with concerns about cross-border processing may object to a draft decision if they disagree with the lead authority’s findings. If this happens, disputes over decisions are either resolved by majority vote or, if DPAs remain divided, the European Data Protection Board has a casting vote. This means that while the regulation allows entities like Worldcoin to be overseen by a single authority, it is designed to ensure that other concerned authorities remain involved in decisions that affect users in their own markets.
In Catalonia, the autonomous community of Spain where Worldcoin currently lists the most eyeball scanning pop-ups (three), the local press recently reported that the regional government had responded to concerns about the company’s biometric scanning operations by publishing article containing advice and warnings from the Catalan Data Protection Authority.
The article warns about “Highly sensitive personal data” collected through iris scans; the risks of harm from the misuse of such data; and raises specific concerns about the collection of children’s data without the necessary consent of a parent or guardian.
The article also notes that “several” EU authorities are currently investigating whether Worldcoin is GDPR compliant.
