The next few weeks could be decisive for Worldcoin, the controversial eyeball-scanning cryptocurrency venture co-founded by OpenAI’s Sam Altman.
Following a series of privacy complaints, the company’s operations remain largely halted across the European Union, including in France, Germany, Portugal, and Spain.
Currently, Germany is the only EU market where Worldcoin is still scanning eyeballs, as listed on the Worldcoin.org website. This is primarily due to the presence of a local office for its developer, Tools for Humanity. However, this situation could change soon, pending the outcome of an investigation by Bavaria’s data protection authority.
The Bavarian authority has indicated that it expects to conclude its investigation and publish its findings by mid-July. The probe began last year following Worldcoin’s global launch in July 2023.
“In alignment with other supervisory authorities, we expect to release public results by mid-July 2024,” a spokesman for the authority told TechCrunch.
In the EU, concerns have been raised that Worldcoin might be violating the General Data Protection Regulation, which dictates how personal data should be processed. GDPR allows supervisory authorities to impose fines of up to 4% of global annual turnover for confirmed breaches and to order non-compliant processing to cease.
For a crypto-biometrics project like Worldcoin—which converts an eyeball scan into an immutable identity token stored on a decentralized blockchain—this could mean being barred from the EU unless it can modify its system to allow for the deletion of personal data on request. However, blockchains generally don’t function in a way that facilitates data deletion.
Other GDPR concerns related to Worldcoin include the legal basis for processing sensitive biometric data and compliance with transparency and fairness requirements. Critics argue that incentivizing people to exchange their biometric data for cryptocurrency conflicts with GDPR’s requirement that consent to data processing be freely given.
Additionally, fears about the potential risks to children have prompted some EU regulators to impose temporary bans on Worldcoin’s operations.
Despite these interventions, German regulators have allowed Worldcoin to continue operations while the Bavarian DPA conducts its investigation. Notably, Worldcoin locations in Germany display prominent notices indicating an 18+ age limit for iris scans.
On Tuesday, Spain’s DPA announced that Worldcoin agreed not to resume operations in Spain until the Bavarian authority completes its investigation or until the end of the year, whichever comes first. This decision follows an initial attempt by TfH to challenge Spain’s temporary ban in court.
The Spanish DPA’s press release also noted that TfH had made changes to Worldcoin’s operations, including implementing age verification controls and the possibility of eliminating the iris code. Worldcoin’s statement on its website highlights these and other privacy and security measures introduced to address regulatory concerns.
It remains uncertain whether transforming iris codes into Secure Multi-Party Computation shares would satisfy GDPR’s deletion requirements.
Spain’s DPA expects the Bavarian investigation to conclude soon, with the final decision reflecting the positions of all involved European supervisory authorities. If disputes arise between DPAs, the European Data Protection Board may be asked to intervene and make the final decision.
