Biometric data and free cryptocurrencies. Precautionary measures imposed by the AEPD
On 6 March, the Spanish Data Protection Agency (AEPD) ordered a precautionary measure preventing Worldcoin from continuing to process personal data in Spain.
The AEPD has received several complaints against the company, complaining, among other things, about insufficient information, the collection of data from minors and the failure to allow the withdrawal of consent.
Who is Worldcoin and what does it collect biometric data for?
Worldcoin is a cryptocurrency project that aims to provide global access to financial services through biometric identification. It was launched by OpenAI CEO Sam Altman, Alex Blania and Max Novendstern in 2020.
Worldcoin offered a virtual sum of money equivalent to $60 in exchange for the scanning of the iris of those who agreed to participate. They did so under the premise of guaranteeing the security of future transactions through biometric data, given the hypothesis that in the future an image created by artificial intelligence could circumvent the scanners and harm users.
Worldcoin’s proposal was to implement a unique identification system based on eye-scanning; a solution that, a priori, would generate greater trust and discern between real humans and digital entities in a world “increasingly dominated by AI”.
In colloquial terms, in order to have an identity on the platform, it is necessary to provide biometric data, which is converted into an alphanumeric code. To date, more than 2.6 million people in 120 countries already use the service.
Reasons for the AEPD to impose precautionary measures
The processing of biometric data, considered in Article 9 of the General Data Protection Regulation (GDPR) to be of special protection, entails high risks to the rights of individuals, given the sensitive nature of the data.
“The processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data intended to uniquely identify a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation shall be prohibited”.
Consequently, this precautionary measure is a decision based on exceptional circumstances, in which it is necessary and proportionate to adopt provisional measures aimed at the immediate cessation of such processing of personal data, preventing its possible transfer to third parties and safeguarding the fundamental right to the protection of personal data.
Article 66 of the GDPR authorises the AEPD “in exceptional circumstances, where a supervisory authority concerned considers that urgent action is necessary to protect the rights and freedoms of data subjects, it may, by way of derogation from the consistency mechanism referred to in Articles 63, 64 and 65, or the procedure referred to in Article 60, immediately adopt interim measures intended to produce legal effects in its own territory, with a specified period of validity which may not exceed three months.
The supervisory authority shall communicate those measures, together with the reasons for their adoption, without delay to the other supervisory authorities concerned, the Committee and the Commission”.
In this context, the Agency considers that the adoption of urgent measures temporarily prohibiting the activities is justified in order to avoid potentially irreparable damage and that not taking them would deprive individuals of the protection to which they are entitled under the GDPR.
What do the AEPD’s precautionary measures consist of?
The measure taken by the AEPD requires the cessation of the collection and processing of special categories of personal data, as well as the blocking of data already collected. With a maximum duration of three months, the Spanish Agency has taken the decision based on exceptional circumstances, arguing that it is necessary to adopt measures aimed at the immediate cessation of processing and to prevent the possible transfer of data to third parties and to safeguard the fundamental right to the protection of personal data.
This measure is aimed at avoiding potentially irreparable damage and if it had not been taken, the AEPD fears that it would deprive individuals of the protection to which they are entitled under the General Data Protection Regulation.
Worlcoin appealed the measure imposed by the AEPD before the Administrative Chamber of the Audiencia Nacional, which rejected the precautionary measure requested by Tools for Humanity Corporation GMBH (TFH).
The First Section, in an order, considers that in view of the weighing of the conflicting interests and, in view of the circumstances, “the safeguarding of the general interest consisting of the protection of the right to the protection of personal data of the data subjects must prevail over the particular interest of the appellant company, which is fundamentally economic in content”.
Letslaw es una firma de abogados internacionales especializada en el derecho de los negocios.
More from my site
The AEPD pronounces on the Worldcoin case
Beyond fingerprints: Iris scan as biometric identification in an AI-dominated world
Global strategy on minors, digital health and privacy of the AEPD
The AEPD sanctions Endesa for exposing data of more than 4.8 million customers
Minors’ consent regarding privacy: The AEPD publishes an age verification system
The AEPD and the General Council of Official Medical Associations agree to collaborate to promote the medical data protection n the digital world