Worldcoin, a digital identity project co-founded by OpenAI CEO Sam Altman, is under regulatory scrutiny in Germany for its handling of biometric data. The Bavarian State Office for Data Protection Supervision (BayLDA) has concluded its investigation into the project, demanding compliance with the European Union’s General Data Protection Regulation (GDPR).

BayLDA’s investigation, initiated in 2023, centered on Worldcoin’s flagship technology, World ID. The company’s tech uses iris biometrics to verify digital identity. The process involves scanning individuals’ eyes with devices called “Orbs” to generate unique digital identifiers, intended to distinguish real users from bots.

Data protection concerns

In its findings, BayLDA highlighted significant risks associated with collecting and processing sensitive biometric data. Early phases of Worldcoin’s data practices were flagged as non-compliant, particularly the storage of iris codes in centralized databases without sufficient legal basis. 

The regulator ordered the deletion of all improperly collected data and mandated that Worldcoin implement a GDPR-compliant data deletion procedure within one month of the ruling’s effective date.

Michael Will, President of BayLDA, emphasized the importance of protecting users’ rights. 

“With today’s decision, we are enforcing European fundamental rights standards in favor of the data subjects in a technologically demanding and legally highly complex case,” he said.

The ruling also ensures users can exercise their right to the erasure of iris data provided to Worldcoin.

Worldcoin seeks to clarify issues with BayLDA

Worldcoin has appealed the decision, seeking judicial clarity on whether its Privacy Enhancing Technologies (PETs) satisfy the EU’s legal definition of anonymization. The company argues that the current GDPR framework lacks a clear definition, which hinders efforts to protect personal data in the age of artificial intelligence.

“GDPR currently does not provide this, and both World Foundation and World contributor Tools for Humanity (TFH) believe it is essential for this issue to be addressed quickly,” the World Foundation stated in a blog post.

Damien Kieran, TFH’s chief legal and privacy officer, highlighted the critical role of anonymization in preserving privacy. “Without a clear definition around anonymization, we lose perhaps our most powerful tool in the fight to protect privacy in the age of AI,” he said.

World Foundation data privacy compliance efforts

In response to regulatory concerns from several authorities, Worldcoin voluntarily suspended some of its operations across EU countries during the investigation. It also introduced updates to improve compliance, including cryptographic protocols that split iris codes into encrypted fragments to enhance privacy.

Despite these measures, BayLDA determined that additional adjustments were required. The regulator emphasized the need for explicit user consent at specific stages of data processing and raised questions about the adequacy of Worldcoin’s anonymization methods.

Worldcoin launched in July 2023 under Tools for Humanity, positioning itself as a solution to verify human identity in a digital landscape increasingly populated by bots and AI. However, its reliance on biometric data has drawn scrutiny from privacy advocates and regulators alike.

By May 2024, Worldcoin had already shut down its previous system and deleted stored data, signaling its intent to align more closely with GDPR requirements. In October, the company rebranded itself as “World” and introduced an upgraded version of its iris-scanning device, the “Orb,” as part of its efforts to address regulatory and public scrutiny.

The World Foundation reiterated its commitment to working with EU regulators to resolve outstanding issues. “The World Foundation and TFH will continue to work closely with regulators in the EU and elsewhere to ensure this important question is answered in a way that supports protecting privacy and innovation,” it stated.

Several countries, including Kenya and Portugal, have imposed temporary bans on the project, citing privacy concerns.

Land a High-Paying Web3 Job in 90 Days: The Ultimate Roadmap