YEREVAN (CoinChapter.com) — The Bavarian State Office for Data Protection Supervision (BayLDA) has issued a directive to Worldcoin, requiring the deletion of specific biometric data. This decision follows an investigation into the company’s handling of sensitive iris data under General Data Protection Regulation (GDPR) standards.
On Dec. 19, BayLDA mandated that Worldcoin, now operating under the name World, create a data deletion procedure compliant with GDPR. The company has been given one month to comply with this ruling.
BayLDA Press Release on Worldcoin Investigation Source: Bayerisches Landesamt für Datenschutzaufsicht
BayLDA’s investigation, launched in 2023, scrutinized the methods used by Worldcoin to collect and store biometric data for its World ID verification system. This development raises critical questions about GDPR compliance in the digital identity sector.
Worldcoin Seeks Clarity on Anonymization Standards
In response to the ruling, World Foundation appealed for clarity on whether its Privacy Enhancing Technologies (PETs) align with EU anonymization standards. The foundation emphasized the absence of a consistent definition of anonymization under GDPR.
In May 2024, Worldcoin stated that it had deleted all previously collected data linked to its old iris data collection system to meet regulatory requirements. However, the current directive includes stricter measures.
According to the foundation, data anonymization plays a crucial role in protecting user privacy. The organization stressed that clear guidelines are needed to balance compliance and technological advancement.
BayLDA Strengthens User Rights
BayLDA President Michael Will highlighted the importance of user rights in the ruling. He stated,
“All users who have provided Worldcoin with their iris data will in future have the unrestricted opportunity to enforce their right to erasure.”
BayLDA president Michael Will. Source: BayLDA
The regulator’s decision aims to ensure that Worldcoin users can exercise their right to delete personal data fully. Additionally, BayLDA requires Worldcoin to obtain explicit consent from users for specific data processing activities in the future.
Worldcoin Ordered to Delete Non-Compliant Data
The directive also includes the deletion of data collected during the project’s initial phase in summer 2023, which BayLDA deemed non-compliant with GDPR. This involves the removal of iris codes collected without a sufficient legal basis.
While the current decision focuses on GDPR compliance, other user complaints, such as concerns about the protection of minors, remain unresolved. BayLDA clarified that these issues will be handled in separate proceedings.
Worldcoin Collaborates with EU Regulators
Worldcoin expressed its commitment to working with EU regulators to address compliance issues. The organization emphasized its intention to meet GDPR compliance while continuing to develop secure digital identity systems.
The World Foundation reiterated its stance that anonymization, alongside data deletion, is essential to safeguard user privacy in the digital era. As the debate over compliance progresses, Worldcoin must implement the required measures within the specified timeframe.