The next few weeks could be pivotal for Worldcoin, the controversial eyeball-scanning crypto venture co-founded by OpenAI’s Sam Altman, whose operations remain almost entirely shuttered in the European Union following a series of privacy complaints — including in France, Germany, Portugal and Spain.
The only EU market where Worldcoin is still scanning eyeballs according to the Worldcoin.org website is Germany, where its developer Tools for Humanity (TfH) has a local office. But that could change imminently depending on the outcome of an investigation instigated by Bavaria’s data protection authority.
The authority told TechCrunch it expects to reach a decision on the probe soon — a spokesman suggested it will be ready to publish its conclusions in mid July. The watchdog began looking into Worldcoin last year following its global launch in July 2023.
“Taking into account further steps to align with other SA’s [supervisory authorities] I currently expect results that we are able to use in public in mid July 2024,” he told us.
In the EU, complaints have been raised that Worldcoin is breaching the bloc’s General Data Protection Regulation (GDPR), which sets rules for how personal data may be processed. The regime not only gives supervisory authorities, aka data protection authorities (DPAs), powers to issue fines of up to 4% of global annual turnover for confirmed breaches. They can also order non-compliant processing to stop.
That’s important because in the case of a crypto-biometrics project like Worldcoin — which turns a person’s eyeball scan into an immutable identity token stored on a decentralized blockchain — it may mean setting conditions that essentially bar it from the EU for good. Unless Worldcoin is able to revise its system to allow for personal data to be deleted on request. But, er, blockchains don’t typically work like that.
Other GDPR concerns attached to Worldcoin include the legal basis it claims for processing people’s sensitive biometric data for its identification purpose; and whether it’s meeting the regulation’s transparency and fairness requirements.
A key criticism of its approach is that it incentivizes people to hand over their sensitive biometric data in exchange for the eponymous cryptocurrency baked into the proof of “humanness” identity system it’s devised — whereas the GDPR requires consent to data processing to be freely given.
Fears that Worldcoin is posing risks to children have also driven some EU regulators to slap temporary bans on its operations in their own markets this year, after complaints Worldcoin operators had scanned minors’ eyeballs.
Back in March Spain’s DPA took such emergency action — ordering Worldcoin to stop collecting and processing locals’ data for up to three months. It said it was acting on a number of privacy complaints, including about risks to children’s information. The move was quickly followed by a similar order by Portugal’s DPA also acting on complaints Worldcoin had scanned minors’ eyeballs.
Despite these urgent interventions, German privacy regulators have allowed Worldcoin to continue scanning eyeballs in the market while the Bavarian DPA investigates. Although the below image of a Worldcoin scanning location in Berlin — embedded in a post on X — is notable for including a prominent poster in the window displaying an 18+ age limit for submitting irises to the orb.
On Tuesday the Spanish DPA announced that Worldcoin has agreed not to relaunch its operations in the market once its three-month ban order expires shortly. In a press release, it said Worldcoin’s developer has committed — in what it described as “a legally binding manner” — not to resume its activity in Spain until the Bavarian authority has adopted a final resolution on the investigation (or else not before the end of the year).
TfH had initially sought to challenge Spain’s temporary ban in the courts, including by seeking an injunction (which it was not granted). It’s not clear why the company has agreed to wait for the outcome of the Bavarian investigation but it may have decided it’s the best course of action to reduce its regulatory risk. It may also feel confident it won’t have too long to wait for a decision.
The Spanish authority’s press release contains another interesting tidbit — suggesting that following its emergency order TfH announced changes to Worldcoin’s operation which it said included the introduction of controls to verify the age of users; and “the possibility of eliminating the iris code”.
TfH was contacted with questions about its agreement with Spain’s DPA and changes it’s committed to. Company spokeswoman, Rebecca Hahn, pointed us to a statement on Worldcoin’s website — in which the company writes that it has “committed not to perform orb operations in Spain through the end of calendar year 2024, or if sooner, until the BayLDA [Bavarian DPA] consultation process with other EU data protection authorities is concluded”.
Worldcoin’s statement also flags what TfH refers to as “a series of privacy and security measures” which it says have been implemented in recent months aimed at addressing DPAs’ concerns. It said this includes “advanced controls for age verification, the deletion of old iris codes by transforming them into SMPC [Secure Multi-Party Computation] shares, optional World ID unverification (including the ability to delete iris codes) and more”.
It is not clear whether transforming iris codes into SMPC shares would constitute deletion of the data under the GDPR.
In its statement, Spain’s DPA said it expects the Bavarian data protection authority’s investigation to be concluded “soon” — adding that it anticipates the final decision to reflect the positions of all concerned European supervisory authorities.
Should there be disputes between DPAs over what to do about Worldcoin, it’s worth noting the GDPR contains a mechanism for handling cross-border complaints that allows concerned authorities to raise objections. If a majority way forward still cannot be found the European Data Protection Board may be asked to step in and make the final call.
This report was updated to include Worldcoin’s statement
Comment