German authority orders Worldcoin to delete iris data collected in Spain

German authority orders Worldcoin to delete iris data collected in Spain

The tech company Worldcoin, known for its ambitious project to create a universal digital identity based on iris scans, has been forced to take drastic measures following a series of concerns regarding the privacy and security of the biometric data it collects. 

Specifically, Germany’s data protection authority has issued a resolution requiring the company to delete all iris data it gathered in Spain, citing violations of several GDPR articles.

World ID with user’s iris photographs

The World ID, envisioned as a universal digital identity, represented an ambitious proposal for a future where digital interactions could be verified through a unique biological attribute: the iris. The objective of this project was to create a more secure and efficient system than traditional identification methods while preserving user privacy.

The process of obtaining a World ID involved capturing a high-resolution image of the user’s iris through a specialized device. This image, containing unique details of the user, was transformed into a sort of biological fingerprint. Using facial recognition algorithms, this image was linked to a unique code (the World ID) which served as a digital identifier across various services and platforms.

However, this approach, which seemed poised to revolutionize the way we manage our digital identity, raised serious concerns among privacy experts.

Operations suspended by the AEPD

On June 4, 2024, the company responsible for the Worldcoin project, Tools for Humanity Corporation, committed to legally binding measures to suspend its activity. This precautionary measure was ordered by the Spanish Data Protection Agency (AEPD) under Article 66.1 of the GDPR. In March 2024, the agency ordered the suspension of the company’s collection of personal data in Spain.

This decision was later upheld by the Spanish National Court, emphasizing that the protection of individuals’ personal data outweighs the particular interests of the company. According to the AEPD, Worldcoin failed to provide sufficient information about its data processing activities, collected data from minors, did not allow users to withdraw consent, and posed a high risk to individuals’ rights.

Report from BayLDA

Following this decision, Germany’s data protection authority (BayLDA) issued a resolution confirming initial suspicions regarding Worldcoin’s practices. The authority concluded that the company violated multiple GDPR provisions, specifically highlighting the lack of adequate security measures to protect biometric data and the absence of informed and explicit consent from users.

This decision sets an important legal precedent regarding the protection of biometric data. From this point forward, companies collecting biometric data will face greater scrutiny from data protection authorities and will need to review their business models to ensure compliance with regulations and safeguard users’ rights.

The case of Worldcoin underscores the urgent and effective need to address challenges posed by the development of biometric technologies. While these tools have tremendous potential to transform the way we manage our digital identities, they also involve significant risks that cannot be overlooked.

One of the primary challenges is ensuring that users have full control over their biometric data. This includes the right to know how their data is being used, to withdraw consent, and to request the deletion of their information if they so choose. Additionally, companies must implement robust security measures to protect this sensitive data from breaches or unauthorized access.

While projects like Worldcoin’s World ID have the potential to revolutionize how we interact in the digital world, they also highlight the importance of balancing technological innovation with the protection of fundamental rights. Data privacy and security must not be sacrificed in the name of technological progress, and it is the responsibility of companies and regulators to ensure that both objectives can coexist harmoniously.