The upcoming weeks could be crucial for Worldcoin, the divisive eyeball-scanning crypto initiative co-founded by OpenAI’s Sam Altman, which remains mostly inactive in the European Union due to multiple privacy complaints — notably from France, Germany, Portugal, and Spain.
Currently, Germany is the only EU nation where Worldcoin continues its eyeball scans, as indicated on the Worldcoin.org website. However, this might change soon depending on the outcome of an investigation by Bavaria’s data protection authority.
The authority said conclusions from its probe will likely be shared shortly, with a spokesman hinting at a mid-July publication. This investigation started following Worldcoin’s global launch in July 2023.
“Considering additional steps to coordinate with other supervisory authorities, I currently expect results that we can disclose publicly by mid-July 2024,” he stated.
In the EU, concerns have been raised that Worldcoin may be violating the General Data Protection Regulation (GDPR), which prescribes guidelines for processing personal data. The regulation empowers supervisory authorities to issue fines of up to 4% of global annual turnover for confirmed breaches and to halt non-compliant data processing activities.
This is significant because, for a crypto-biometrics project like Worldcoin — which converts an iris scan into a permanent identity token stored on a decentralized blockchain — it could mean imposing conditions that effectively ban it from the EU unless Worldcoin can adapt its system to allow for personal data deletion on request. However, blockchains generally are not designed to accommodate such modifications.
Other GDPR-related issues with Worldcoin include its claimed legal basis for processing sensitive biometric data and whether it complies with the regulation’s transparency and fairness standards.
A key criticism is that Worldcoin incentivizes individuals to provide sensitive biometric data in exchange for cryptocurrency linked to its proof of “humanness” identity system — even though GDPR mandates that consent for data processing must be given freely.
Concerns about risks to children have led some EU regulators to temporarily ban Worldcoin’s operations after complaints that minors’ eyes were scanned.
In March, Spain’s DPA took emergency action by ordering Worldcoin to cease collecting and processing local data for three months due to privacy complaints, including risks to children’s information. Portugal’s DPA issued a similar order shortly thereafter, prompted by complaints about minors’ eye scans.
Despite these urgent measures, German privacy regulators have permitted Worldcoin to continue eye scans while Bavaria’s DPA investigates. An image of a Worldcoin scanning location in Berlin, featured in a post on X, is noteworthy for a prominent poster indicating an 18+ age limit for eye scans.
On Tuesday, the Spanish DPA announced that Worldcoin has agreed not to resume operations in Spain once its three-month ban ends, which is due soon. In a press release, the authority stated that Worldcoin’s developer has legally committed not to restart activities in Spain until Bavaria’s investigation is resolved (or not before year-end).
TfH initially contested Spain’s temporary ban in court but was not granted an injunction. The reason for the company’s agreement to await the outcome of the Bavarian probe is unclear but may be a strategy to minimize regulatory risk. They might also be confident that a resolution will be reached soon.
The Spanish authority’s press release mentions that following its emergency order, TfH announced changes to Worldcoin’s operations, including age verification controls and “the possibility of eliminating the iris code.”
TfH was contacted for further details about its agreement with Spain’s DPA and the changes promised. Company spokeswoman Rebecca Hahn referred to a statement on Worldcoin’s website, where the company pledged not to conduct orb operations in Spain until the end of 2024 or until the Bavarian consultation concludes.
Worldcoin’s statement also highlights several privacy and security measures introduced recently to address concerns from DPAs. These measures include “advanced controls for age verification, the transformation of old iris codes into SMPC shares, and optional World ID unverification which includes deleting iris codes.”
It remains uncertain whether transforming iris codes into SMPC shares fulfills the GDPR’s data deletion requirements.
Spain’s DPA anticipates that the Bavarian data protection authority’s investigation will conclude “soon” and expects the final decision to account for the views of all involved European supervisory authorities.
In case of disagreements among DPAs regarding actions against Worldcoin, the GDPR includes a cross-border complaint mechanism where authorities can raise issues. If a consensus cannot be reached, the European Data Protection Board may step in to make a definitive decision.
This report has been updated to include Worldcoin’s statement.