Worldcoin Must Allow Europeans to Fully Delete Their Data in Compliance with Privacy Regulations

by admin

After a prolonged wait that exceeded the anticipated timeline of a few weeks, a significant privacy ruling affecting Sam Altman’s Worldcoin has finally emerged. This decision was issued in late December by the Bavarian data protection authority, which is upholding the General Data Protection Regulation (GDPR) of the EU. This comprehensive privacy framework allows for penalties that can reach up to 4% of a company’s global annual revenue.

Unfortunately for the eyeball-scanning cryptocurrency identity platform, the ruling did not align with its expectations. The authority has placed a corrective order on Worldcoin, mandating the deletion of user data upon request.

“All users who have provided their iris data to ‘Worldcoin’ will subsequently have the unfettered right to request their data deletion,” stated Michael Will, from the Bavarian State Office for Data Protection Supervision, in a press release.

Worldcoin has one month from the date of the Bavarian authority’s decision to establish a deletion procedure that adheres to GDPR requirements—mark your calendars for early 2025.

Additionally, the Bavarian ruling stipulates that Worldcoin must secure express consent for certain unspecified processing activities in the future.

We have sought further clarification from the Bavarian authority, but it appears this will require Worldcoin’s onboarding process to provide EU users with more detailed information before collecting iris data. The firm has also been directed to delete “certain data records collected without adequate legal justification,” according to the statement.

Aside from seeking clarity on the specifics of this ruling, we have also inquired why no fines have been levied for what seem to be multiple instances of GDPR violations.

In response to the corrective order, Worldcoin announced its intention to file an appeal.

Update: The Bavarian authority stated that the enforcement timelines are currently on hold while Worldcoin’s appeal is processed.

The authority also confirmed that the deletion order applies to “biometric templates” linked to iris scans, which are stored by Worldcoin in a “normal database,” allowing for their deletion.

“Since we consider the entire dataset not yet anonymous, it’s now up to Worldcoin to demonstrate how they will alter their processing methods to comply with the deletion requirement—if necessary, by deleting multiple or all fragments,” Will informed us.

Regarding the legal basis, he remarked: “Our analysis indicates that there is no alternative legal basis aside from explicit consent for these specific processing activities.”

Challenging Requirement

Why does the obligation to allow users to request data deletion—a right established by the GDPR—pose a challenge for Worldcoin? The issue for this proof-of-identity blockchain project is that it is designed to create immutable and unique identifiers for verifying identity remotely. If users are able to completely erase their information from the ledger upon request, it undermines Worldcoin’s ambition of becoming a universal authority on human verification.

Rebecca Hahn, a spokesperson for Tools for Humanity (TfH) who manages communications for Worldcoin’s developer entity, stated that the appeal will argue that Worldcoin’s technical infrastructure is “privacy-preserving,” asserting that this results in user data being anonymized.

The implication here is that GDPR data access rights (like the right to request deletion) would not apply, as truly anonymous data is excluded from the regulation’s scope.

In response to queries about Worldcoin’s reluctance to permit data deletion, Damien Kieran, the chief privacy officer at TfH, explained to TechCrunch: “Our aim is to bolster trust in digital interactions. We have created the world’s first anonymous digital passport to validate humanity, enabling individuals to verify their identity anonymously on platforms like X [Kieran’s former workplace], thereby addressing issues such as bots effectively.

“Crucially, it is important that an anonymous individual, who may face suspension from a platform for misconduct, cannot erase their World ID, create a new one, and return to X misrepresenting themselves as a different individual. To foster trust online during the age of intelligence, we have to ensure that we achieve this with anonymized data, which cannot be deleted, and protect against abuse of the World network and other platforms.”

Kieran also emphasized that holders of World IDs “can always request the deletion of their personal data, which exists solely on their personal devices.”

However, the current GDPR struggle isn’t about basic account data; it’s focused on information that can uniquely identify individuals.

Earlier this year, Worldcoin launched an open-source Secure Multi-Party Computation system, which it claimed “allows iris codes to be securely encrypted as secret shares and distributed over various participants”—without requiring the codes to be decrypted for identity verification.

This approach aims to transform iris codes through various processing stages, such as encryption and sharding, to mitigate individual privacy risks.

As part of these updates, Worldcoin also rolled out a feature allowing users to request the deletion of their iris codes. Nonetheless, it appears that the level of control it offers users has not been deemed sufficient to meet the GDPR’s standard of individual data control.

Importantly, the GDPR not only establishes rules to safeguard individuals’ privacy but also seeks to grant them autonomy over the data held about them. This latter objective poses substantial challenges for Worldcoin, whose approach to proving human authenticity does not adequately support such autonomy.

Core Rights

The Bavarian DPA noted that Worldcoin’s biometric verification approach poses “numerous fundamental data protection risks for a significant number of data subjects.” While the authority acknowledged “improvements” made to Worldcoin’s data processing, it emphasized that “additional modifications are still necessary.”

The authority stated that its exhaustive investigation ultimately focused on the need for “comprehensive deletion upon consent withdrawal” and “the thorough evaluation of the consent procedure.”

“With today’s ruling, we are enforcing European fundamental rights standards in favor of data subjects in a case that is both technologically intricate and legally complex,” Will remarked.

Worldcoin’s appeal against the Bavarian corrective order fails to directly confront the core issue of data access.

Instead, it attempts to frame the discussion as a technical debate about how European law defines anonymous data. Consequently, its blog post regarding the corrective order opens with the assertion that “World ID is designed to be anonymous.” However, lobbying for fewer individual rights in Europe is unlikely to gain traction.

Worldcoin has already faced restrictions across the region. Enforcement actions from other data protection authorities, including those in Portugal and Spain, saw the suspension of its eyeball scanning operations, with the authorities expressing concerns about the potential permanent capture of children’s data.

Simultaneously, Worldcoin—now rebranded to just World—has expanded its operations in Austria.

Compiled by Techarena.au.