On May 22, the Office of the Privacy Commissioner for Personal Data (PCPD) in Hong Kong issued an enforcement notice to the Worldcoin Foundation, directing an immediate cessation of its cryptocurrency project operations throughout the territory. This decision arises from significant concerns regarding privacy and the safeguarding of personal data, spotlighting the controversial use of biometric data collection methods by the project.
The regulatory body specifically criticized Worldcoin for its practices involving the scanning and collection of iris and facial images of the public. The PCPD described these data collection methods as “excessive and unnecessary,” raising alarms about the potential risks these practices pose to personal privacy. Worldcoin, known for offering a digital ID and free cryptocurrency in exchange for iris scans through its “orb” devices, claims to have processed over 5 million volunteers across more than 160 countries.
Worldcoin’s Defense
Responding to the enforcement notice, the Worldcoin Foundation expressed disappointment with the PCPD’s stance. In an emailed statement, the foundation asserted its compliance with international data protection laws, including Hong Kong’s Personal Data (Privacy) Ordinance. “Worldcoin operates lawfully and is designed to be fully compliant with all laws and regulations governing data collection and use,” the foundation stated, emphasizing its adherence to legal standards.
The controversy extends beyond Hong Kong, with global regulators, particularly in Europe, also expressing apprehensions about how the collected data might be misused. Worldcoin, co-founded by OpenAI CEO Sam Altman, aims to develop a global identification and financial network, aspiring to differentiate humans from AI bots and drawing parallels with India’s Aadhaar biometric ID system. This ambitious goal has prompted a broader debate on the ethical and security implications of using biometric data on such a scale.
Kenyan Government Halts Worldcoin Registrations Amid Privacy Concerns
However Hong Kong is not only the one fighting Worldcoin as Kenyan government earlier in 2023 has issued a directive for the cryptocurrency project to halt its registration of new members. This decision arises from concerns over data protection as the project offers free cryptocurrency tokens to individuals in exchange for biometric data through eye scans.
Large numbers of Kenyans, driven by economic hardship, were queuing at Worldcoin’s pop-up registration centers. The appeal of receiving roughly $49 worth of cryptocurrency has led to crowded lines and escalated to a security concern, prompting the government to intervene.
Amid rising public participation, the Ministry of the Interior has initiated a thorough investigation into Worldcoin’s operations. This scrutiny spans the storage of biometric data, the ethical concerns of exchanging money for personal data, and the control of such data by a private entity. Furthermore, the Kenyan Capital Markets Authority has noted that Worldcoin is not a regulated entity within the country, adding to the controversy.
In response to the governmental concerns, Worldcoin has asserted its compliance with Kenyan laws and expressed its intention to collaborate with authorities to implement better crowd control measures before it can resume its operations. The company highlighted its mission to establish a global identity and financial network that is accessible regardless of geographical or socioeconomic background.
Portugal Suspends Worldcoin’s Biometric Data Collection
In another related regulatory action, Portugal’s data protection authority (CNPD) has issued a temporary ban on the Worldcoin Foundation’s collection of biometric data. Following a detailed investigation into the company’s practices, the CNPD has prohibited Worldcoin from engaging in biometric data collection for a period of 90 days. This decision, documented in CNPD’s decision No. 2024/137 dated March 26, 2024, aims to address breaches of the General Data Protection Regulation (GDPR).
The CNPD began investigating Worldcoin on August 10, 2023, after becoming aware of its extensive biometric data collection practices, including iris scans, in exchange for cryptocurrency. The inquiry revealed that Worldcoin’s activities spanned several locations within Portugal, where they processed the biometric information to create a World ID. This digital identifier is intended to serve as a global identification system. However, the CNPD’s initial findings pointed to several compliance issues, including the absence of age verification, challenges in the exercise of the right to erasure, and the collection of children’s biometrics without legal consent.
GDPR Compliance Concerns
The investigation further uncovered that Worldcoin failed to secure informed consent for processing biometric data and did not provide a mechanism for withdrawing consent, violating Articles 5(1)(a) and 13(2)© of the GDPR. Additionally, Worldcoin’s practices hindered the right to deletion as outlined in Article 17 of the GDPR and Article 7(3), which concerns the withdrawal of consent.
The CNPD’s decision to halt Worldcoin’s data collection activities highlights the potential risks to individuals’ rights and privacy. The authority has indicated that the current decision is provisional and that their investigation will conclude with a final decision in the near future. This ongoing scrutiny underlines the importance of compliance with GDPR standards, especially concerning the sensitive nature of biometric data.
