The Data Protection Agency prohibits Worldcoin from continuing to collect data on Iris, which gave in exchange for cryptocurrencies | Technology

The Spanish Data Protection Agency (AEPD) today ordered a precautionary measure that prevents Worldcoin, which since the summer has collected high-resolution photographs of the irises of 400,000 users in exchange for money, from continuing to process data in Spain for three months. The agency demands the immediate cessation of the collection and processing of biometric data from the company Tools for Humanity Corporation, which works for WorldCoin, after receiving at least 13 complaints denouncing the insufficient information, the collection of data on minors or the fact that collection is not authorized. …the withdrawal of consent, among others. This is the first time that the AEPD has taken a precautionary measure of this type.

“We acted urgently because the situation demanded it,” said the agency’s director, Mar España, after announcing the extraordinary measure. He also pointed out that Worldcoin was currently under investigation at Spain’s request by the European Data Protection Board, the body that brings together the EU’s data protection offices. “The response we provide will be coordinated,” Spain said, without specifying deadlines. He specified that after three months of precautionary measures, the Agency could invoke article 66.2 of the General Data Protection Regulation (GDPR), which would make it possible to permanently suspend Worldcoin’s activity in Spain.

AEPD has already informed Germany-based Tools for Humanity that it cannot continue to collect more iris data in Spain and cannot process the data it already has from 400,000 users. This data is blocked and therefore cannot be shared with third parties. If the precautionary measure is not respected, Worldcoin would face a fine of between 20 million euros and 4% of its annual turnover.

Queues to have their iris photographed and register in Worldcoin at the small stand of the Stock Exchange on Avenida de América (Madrid).Pablo Mongé

“We want to send a message of calm, we are investigating and European regulations provide options so that, even in an emergency, a permanent decision can be taken on this issue,” Spain said. The director also asked young people, the majority of whom consented to having their iris read, to think twice before providing such critical personal data to third parties. “It may be tempting to get 80 euros, but giving up biometric data has many consequences in adult life.”

Worldcoin has not taken the AEPD initiative well. “The Spanish Data Protection Authority is today circumventing EU law with its actions, which are limited to Spain and not the EU in general, and is spreading inaccurate and misleading claims about our technology to globally,” says Jannick Preiwisch, Data Protection Officer at Worldcoin. “Our efforts to collaborate with AEPD and provide them with an accurate view of Worldcoin and World ID (the wallet in which Worldcoins are housed) have gone unanswered for months,” he says.

Biometric data is particularly sensitive because it is immutable. We can change our password or our address, but the pattern that describes the shape of each person’s iris is unique and hardly changes over the years. The iris is in fact a more effective method of identification than the facial scan carried out by facial recognition systems. Due to the sensitivity of this data, it is treated particularly strictly by the General Data Protection Regulation, a European reference standard. So in recent weeks, many privacy experts couldn’t believe that a company could start collecting iris data in plain sight and without providing virtually any information to those affected.

The decision to freeze Worldcoin’s iris scanning “is justified to avoid potentially irreparable damage.” Not taking it would deprive people of the protection to which they are entitled according to this agency,” defended Spain. The investigation carried out by the AEPD and the rest of the European authorities concerns not only the processing carried out of users’ biometric data, but also the question of whether they were duly informed of the risks to which they were exposed. “Now we need to review the contracts, analyze what each user signed and see in detail what they do with this data,” said the agency director.

The orb phenomenon

Worldcoin started collecting this data in July last year in 14 shopping centers across Spain. To do this, it uses an Orb, a metal sphere the size of a futsal ball that photographs the irises of interested people and gives them access to the digital currency Worldcoin, co-founded by ChatGPT creator Sam Altman.

The director of the Spanish Data Protection Agency (AEPD), Mar España, during the press conference held this Wednesday in Madrid.
Sergio Pérez (EFE)

Until two weeks ago, the orbs didn’t attract much attention. But then large queues began to form around the 30 stands already set up by Worldcoin in large galleries. The reason: the exchange value of the currency rose to just over six euros, so the 13 Worldcoin coins released after the iris scan are equivalent to around 80 euros. This hook has caused such an influx of people, generally young people, that those interested can no longer have their iris scanned without an appointment.

To use an Orb, users must download an app to their mobile phone and receive a QR code. The photo of the iris serves as “proof of humanity” (the system ensures that the request is made by a person and not by a machine), but not only that. It is also associated with the QR code, after which the application turns into a passport called World ID, the wallet where Worldcoins are stored. According to Altman, the passport and the wallet it promotes will be essential to financial management, and perhaps to the receipt of a universal income, in a future dominated by artificial intelligence.

Spain is not the only country in which Worldcoin collected iris data. It already has more than four million registrations from 36 countries, from the United States to Argentina and from South Africa to Norway, including Turkey, India, Japan and Indonesia. In other countries, such as Kenya, taking photos of irises has been banned because authorities question the legality and safety of the practice. Several US states strictly prohibit the collection of biometric data. French and German data protection authorities, for their part, opened an investigation this summer when they considered that this violated the General Data Protection Regulation (GDPR).

You can follow EL PAÍS Technology In Facebook And X or sign up here to receive our weekly newsletter.

Subscribe to continue reading

Read without limits

_