German data protection authority, the Bavarian State Office for Data Protection Supervision (BayLDA), has issued corrective measures for the digital identity project World, formerly known as Worldcoin, over its handling of biometric data.
The BayLDA announced on Dec. 19 that it had concluded its investigation into World’s compliance with the European Union’s General Data Protection Regulation (GDPR).
The authority has ordered World to implement a data deletion procedure that adheres to GDPR standards within one month of the ruling’s effective date.
In response, the World Foundation has appealed the decision by asking regulators to provide judicial clarity on whether World Network’s Privacy Enhancing Technologies (PETs) meet the legal definition for anonymization in the EU.
Strengthening rights of World ID users
World, launched in July 2023 by Tools for Humanity (TFH) — co-founded by OpenAI CEO Sam Altman — uses iris biometrics for digital identity verification.
The BayLDA initiated a probe into the project in 2023, citing concerns over biometric data collection. According to the regulator, World voluntarily and temporarily halted its activities in individual EU countries in the light of the proceedings.
BayLDA president Michael Will. Source: BayLDA
According to BayLDA president Michael Will, the authority’s latest decision aims to strengthen the rights of World users.
“With today’s decision, we are enforcing European fundamental rights standards in favor of the data subjects in a technologically demanding and legally highly complex case,” Will said, adding:
“All users who have provided ‘Worldcoin’ with their iris data will in future have the unrestricted opportunity to enforce their right to erasure.”
BayLDA orders World to fulfill multiple obligations
Despite World’s efforts to improve GDPR compliance, BayLDA has identified further adjustments needed to meet regulatory requirements.
In addition to a requirement to set up a compliant data deletion procedure, BayLDA also asked World to provide explicit consent for certain processing steps in the future.
Additionally, World is obliged to delete certain data records “previously collected without a sufficient legal basis was ordered ex officio,” the BayLDA stated.
“The order aims at all those sets of iris codes from its customers which were gathered in the starting phase in summer 2023 until a certain point in this year, where Worldcoin changed its activities to a more lawful basis,” Will told Cointelegraph.
Due to national administrative law, the assessment of whether an administrative offense proceeding will be initiated is reserved for a separate proceeding, BayLDA stated, adding:
“The same applies to the examination of numerous complaints from European users concerning specific individual issues, such as the protection of minors, which were not the subject of the current decision.”
World asks for clarity on anonymization in the EU
According to the World Foundation, BayLDA’s decision clearly illustrates the need to establish a clear and consistent definition of anonymization in the EU to help protect personal data in the age of artificial intelligence.
“GDPR currently does not provide this, and both World Foundation and World contributor TFH believe it is essential for this issue to be addressed quickly,” the World Foundation said in a blog post addressing BayLDA’s decision.
An excerpt from the World Foundation’s blog post on data anonymization from October 2024. Source: World
“Data anonymization, not just data deletion, is essential for enabling people to verify themselves as human online while remaining completely private,” TFH’s chief legal and privacy officer, Damien Kieran, said.
“Without a clear definition around anonymization, however, we lose perhaps our most powerful tool in the fight to protect privacy in the age of AI,” he added.
As such, the Would Foundation said it is appealing BayLDA’s decision to seek clarity on whether World’s tech meets the legal definition for anonymization in the EU.
“The World Foundation and TFH will continue to work closely with regulators in the EU and elsewhere to ensure this important question is answered in a way that supports protecting privacy and innovation,” it added.
Magazine: 13 Christmas gifts that Bitcoin and crypto degens will love