It took a few weeks longer than originally intended to arrive, but a key privacy decision hanging over Sam Altman’s World (aka Worldcoin) finally came down last December, with the Bavarian data protection authority enforcing the bloc’s General Data Protection Regulation (GDPR), a comprehensive privacy framework that allows for sanctions of up to 4% of global annual turnover.
The result does not appear to be what the eyeball-scanning crypto project had hoped for: it was issued with a remediation order requiring it to support full deletion of user data on request.
“All users who provide iris data to Worldcoin will have an unlimited opportunity to exercise their right to erasure in the future,” said Michael Will of the Bavarian State Data Protection Authority in a press statement.
The biometric business has been given one month from the date of the Bavarian authority’s decision to implement a “GDPR-compliant” erasure procedure, so mark your calendars for early 2025.
Another component of the Bavarian order requires Worldcoin to obtain express consent for what the press statement (vaguely) describes as “certain future processing steps.”
We asked for more details, but this suggests that World’s onboarding process will need to provide more information to EU users before their eyeballs are scanned. The statement also ordered the deletion of “certain data records previously collected without sufficient legal basis.”
In addition to our questions about the merits of the order, we asked why the Bavarian authority had not imposed a penalty for what appeared to be a number of GDPR violations.
World responded to the rectification order, saying it would appeal.
Update: The Bavarian authority has told us that the order’s implementation deadlines are suspended pending World’s appeal.
The DPA also confirmed that the deletion order concerns “biometric templates” associated with iris scans, which World stores in a “normal database” and which can therefore be deleted.
“Since we (still) consider the entire data set anonymous, it’s now up to World/coin to demonstrate (how) they’ve changed their processing structure to accommodate the deletion request – even by deleting some or all fragments if necessary,” Will told us.
On the question of legal basis, he added: “In our analysis, there is no possible legal basis for these specific service/processing activities other than express consent.”
Why does the requirement to let users request deletion of their data, a right enshrined in European law as part of the GDPR’s data access rights, seem so difficult for World (coin)? The hitch for the proof-of-humanity blockchain project is that it is building a system of immutable, unique identifiers for remote identity verification. So if a person can erase all trace of themselves from the ledger simply by asking, that challenges its ambition to be the world’s most comprehensive authority on human verification.
Rebecca Hahn, a spokeswoman for Tools for Humanity (TfH), the company that developed Worldcoin, said the grounds for the appeal would focus on claims that World’s technical architecture “preserves privacy” and results in the anonymization of user data.
The argument is that GDPR data access rights (such as the ability to request erasure) should not apply, as truly anonymous data falls outside the scope of the law.
Damien Kieran, chief privacy officer at TfH, told TechCrunch, in response to a question about why World would not let users delete data: “Our goal is to increase trust in digital interactions. For this, we created the world’s first anonymous digital passport to prove humanity. This means that a person can anonymously verify that they are a real person on a platform like X (which, incidentally, is Kieran’s former employer), a one-time solution to problems like bots.
“The key to this is that if an anonymous person abuses the platform’s policies and the platform suspends them, that person cannot delete their World ID, create a new one, and come back to X pretending to be a new person. So, to achieve our goals of increasing trust online in the age of intelligence, we must do so by anonymizing key data, ensuring that it cannot be deleted and that bad actors cannot abuse the World network and other platforms.”
Kieran added that World ID holders “can always delete their personal data only on their phone”.
However, data held on the phone is not where this GDPR battle is focused. It is about information that can be used to uniquely identify an individual.
Earlier this year, World introduced an open source secure multi-party computation system it claimed “allows iris codes to be encrypted as private shares and distributed across multiple participants”, without the need to decrypt the codes for identity checks to take place.
The claim is that this technical architecture transforms iris codes, through post-processing that includes encryption and decryption steps, in a way that limits the privacy risk to individuals.
As part of these changes, Worldcoin also introduced a feature that allows users to request removal of their iris codes. However, the level of control it gives users has evidently been judged to fall short of the GDPR standard, which requires that individuals control their own data.
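To make the “private shares” idea concrete, here is an added illustration (not World’s code, and not a description of its actual protocol) of additive secret sharing over a prime field. A constructed 64-bit “iris code” is split into three shares; any party holding fewer than all three shares sees only uniformly random numbers. Each party computes its contribution to the Hamming distance against a public query locally, and only the scalar distance is reconstructed, never the stored code. The final function shows what deleting a single share does to recoverability, which is the mechanism behind the “deleting some or all fragments” remark quoted above. The field size, share count and bit length are arbitrary choices for this demo.

```python
import secrets

# Constructed demo parameters: a Mersenne prime field and a 3-party split.
P = 2**61 - 1
N_PARTIES = 3


def share(bits, n_parties=N_PARTIES):
    """Split a bit vector into n additive shares mod P.

    Each coordinate is t_i = s_1 + ... + s_n (mod P); the first n-1 shares are
    uniformly random, the last one is whatever makes the sum correct.
    """
    shares = [[0] * len(bits) for _ in range(n_parties)]
    for i, bit in enumerate(bits):
        acc = 0
        for k in range(n_parties - 1):
            r = secrets.randbelow(P)
            shares[k][i] = r
            acc = (acc + r) % P
        shares[-1][i] = (bit - acc) % P
    return shares


def reconstruct(shares):
    """Sum the shares coordinate-wise; correct only when every share is present."""
    return [sum(col) % P for col in zip(*shares)]


def partial_distance(share_vec, query):
    """One party's local contribution to the Hamming distance.

    For binary vectors HD(q, t) = sum(q) + sum(t) - 2 * <q, t>. The terms in t
    are linear, so each party evaluates sum(s) - 2 * <q, s> on its own share s
    and never needs the other shares or the full template.
    """
    total = 0
    for q, s in zip(query, share_vec):
        total = (total + s - 2 * q * s) % P
    return total


def hamming_distance_mpc(shares, query):
    """Combine the per-party partials with the public query's weight."""
    partials = [partial_distance(sh, query) for sh in shares]
    return (sum(query) + sum(partials)) % P


def matches(shares, query, threshold):
    """Identity check on shares: distance at or below threshold means a match."""
    return hamming_distance_mpc(shares, query) <= threshold


def recoverable_after_deleting(shares, template, deleted_index):
    """Drop one party's share and report whether the template can still be rebuilt.

    With the field this large, the remaining shares sum to the original with
    negligible probability, so a single deleted fragment makes the code unrecoverable.
    """
    remaining = [sh for k, sh in enumerate(shares) if k != deleted_index]
    return reconstruct(remaining) == template


def demo():
    # Constructed template: 64 pseudo-random bits standing in for an iris code.
    template = [secrets.randbelow(2) for _ in range(64)]
    # Query: the same code with three bits flipped, like a noisy re-scan.
    query = template[:]
    for i in (3, 17, 42):
        query[i] ^= 1
    shares = share(template)
    return {
        "distance": hamming_distance_mpc(shares, query),
        "match": matches(shares, query, threshold=10),
        "intact_recovers": reconstruct(shares) == template,
        "after_deletion_recovers": recoverable_after_deleting(shares, template, 0),
    }


if __name__ == "__main__":
    print(demo())
```

The distance step reveals only one number to whoever holds the query; the stored code itself is never reassembled. The deletion function is the point relevant to the erasure dispute: because reconstruction needs every share, destroying any one fragment is a strong form of deletion, and it is the kind of design change the regulator is asking World to demonstrate.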
And it’s important to emphasize that GDPR doesn’t just set rules to protect people’s privacy; the framework also aims to ensure that individuals have autonomy over the information held about them. It is this second element that poses the greatest challenge for World’s proof-of-humanity mission, as its design does not support that level of individual autonomy.
The Bavarian DPA said Worldcoin’s biometric-based personal verification procedure contained “a number of fundamental data protection risks, at least for a large number of data subjects”. The authority’s statement cited “improvements” in the company’s data processing, but emphasized that “regulations are still required.”
The authority added that its lengthy investigation focused on the need for “comprehensive erasure after withdrawal of consent” and a “related review of the consent process”.
“With today’s decision, we apply European fundamental rights standards for the benefit of data subjects in a technologically demanding and legally highly complex case,” Will said.
World’s appeal against Bavaria’s rectification order does not resolve the underlying question of data access rights.
Rather, it attempts to frame the issue as a technical question of how European law should define anonymous data. That is why its blog post about the remediation order opens with the line “World ID is anonymous by design”. But lobbying for Europeans to have fewer individual rights is unlikely to be popular in the region.
Worldcoin has already seen its wings clipped in the region. Data protection enforcement actions elsewhere, including in Portugal and Spain, have hit its operations in those markets with emergency orders shutting down pupil-scanning. Both DPAs raised specific concerns about the risks of indelibly capturing children’s data.
At the same time, Worldcoin, or World as it was recently rebranded, has opened operations in Austria.