The Spanish Data Protection Agency (AEPD) today ordered a precautionary measure that prevents Worldcoin, which since the summer has collected high-resolution photographs of the irises of 400,000 users in exchange for money, from continuing to process data in Spain for three months. The agency demands the immediate cessation of the collection and processing of biometric data from the company Tools for Humanity Corporation, which works for WorldCoin, after having received at least 13 complaints denouncing insufficient information, collection of data from minors or that the collection is not allowed. withdrawal of consent, among others. It is the first time that the AEPD takes a precautionary measure of this type.
“We have acted urgently because the situation required it,” said the director of the agency, Mar España, after announcing the extraordinary measure. She has also highlighted that Worldcoin is currently being investigated at the request of Spain by the European Data Protection Committee, the body that brings together the EU data protection offices. “The response we give will be coordinated,” Spain has indicated, although it has not specified deadlines. She has said that, after three months of the precautionary measures, the Agency could invoke article 66.2 of the General Data Protection Regulation (GDPR), which would allow Worldcoin’s activity in Spain to be permanently suspended.
The AEPD has already notified Tools for Humanity, based in Germany, that it cannot continue collecting more iris data in Spain, and that it cannot process the data it already has from 400,000 users. This data is blocked, so it cannot be shared with third parties. If the precautionary measure is not respected, Worldcoin would be exposed to a fine of between 20 million euros and 4% of its annual turnover.
Worldcoin has not taken the AEPD initiative well. “The Spanish data protection authority is circumventing EU law with its actions today, which are limited to Spain and not the EU as a whole, and spreading inaccurate and misleading claims about our technology globally,” says Jannick Preiwisch, data protection officer at Worldcoin, in statements to this newspaper. “Our efforts to collaborate with the AEPD and provide them with an accurate view of Worldcoin and World ID (the wallet in which Worldcoins are housed) have gone unanswered for months,” he says.
“We want to send a message of calm, we are investigating and European regulations provide options so that even urgently a permanent decision can be made on this matter,” Spain expressed. The director also had words for young people, who are the ones who have mostly consented to having their irises read, to think twice before giving up critical data. “It may be tempting to receive 80 euros, but giving up biometric data has many consequences in adult life.”
Biometric data is especially sensitive because it is immutable. We can change our password or our address, but the pattern that describes the shape of each person’s iris is unique and hardly changes over the years. The iris is in fact a more effective identification method than the face scan carried out by facial recognition systems. Due to the sensitivity of this data, it is treated especially strictly by the General Data Protection Regulation, the reference European standard. Hence, many privacy experts could not believe in recent weeks that a company could start collecting iris data for everyone to see and without giving hardly any information to those affected.
The decision to freeze Worldcoin iris scanning “is justified to avoid potentially irreparable damage. Not taking it would deprive people of the protection to which they are entitled according to this agency,” Spain defended. The investigation being carried out by the AEPD and the rest of the European authorities covers not only the treatment that has been done of the users’ biometric data, but also whether they were duly informed of the risks to which they were exposed. “Now we have to review contracts, analyze what each user has signed and see in detail what they are doing with that data,” said the director of the agency.
The orb phenomenon
Worldcoin began collecting this data in July of last year in 14 shopping centers throughout Spain. To do this, it uses an Orb, a metal sphere the size of a futsal ball that photographs the irises of those interested and gives them access to the digital currency Worldcoin, co-founded by the creator of ChatGPT, Sam Altman.
Until two weeks ago, the orbs didn’t attract much attention. But then large queues began to form around the already 30 stands that Worldcoin has placed in large galleries. The reason: the exchange value of the currency rose to just over six euros, so the 13 Worldcoin coins released after the iris scan are equivalent to about 80 euros. That hook caused such an influx of people, generally young people, that those interested can no longer have their iris scanned without an appointment.
In order to use an Orb, users must download an application on their mobile phone and receive a QR code. The iris photo acts as “proof of humanity” (the system makes sure that the request is made by a person and not a machine), but not only that. It is also associated with the QR code, after which the application transforms into a passport called World ID, the wallet where the Worldcoins are stored. According to Altman, the passport and the wallet that it promotes will be key to managing financially, and perhaps to collecting a universal income, in a future dominated by artificial intelligence.
Spain is not the only country in which Worldcoin has collected iris data. It already accumulates more than four million registrations from 36 countries, from the United States to Argentina and from South Africa to Norway, passing through Turkey, India, Japan and Indonesia. In other countries, such as Kenya, taking photographs of irises has been prohibited because authorities doubt the legality and safety of the practice. Several US states strictly prohibit the collection of biometric data. The data protection authorities of France and Germany, for their part, began investigations in the summer when they considered that it violates the General Data Protection Regulation (GDPR).
You can follow The USA Print in Facebook and x or sign up here to receive our weekly newsletter.
Subscribe to continue reading
Read without limits
_