Worldcoin hit with temporary ban in Spain over privacy concerns

Spain’s data protection authority has ordered Worldcoin to temporarily stop collecting and processing personal data from the market. It must also stop processing any data it previously collected there.

The controversial, Sam Altman-founded eyeball-scanning blockchain crypto project started operations in the market last July, as part of a global rollout.

The Spanish authority is using “urgency procedure” powers contained in the European Union’s General Data Protection Regulation (GDPR) for the temporary data processing cessation order — which means the order can have a maximum duration of three months (so until mid June).

“The Spanish Data Protection Agency (AEPD) has ordered a precautionary measure against Tools for Humanity Corporation to cease the collection and processing of personal data that it is carrying out in Spain within the framework of its Worldcoin project, and to proceed to block the already collected data,” the DPA wrote in a press statement [in Spanish; this is a machine translation].

The GDPR regulates how EU people’s personal data can be processed and requires entities handling information such as people’s names, contact details, biometrics and other identifiers to have a valid legal basis for their operations. Violations of the regime can attract fines of up to 4% of global annual turnover. Data protection authorities can also demand unlawful processing to stop, including temporarily if they are concerned people’s rights are at serious risk, as is happening here.

The AEPD said it has received several complaints about Worldcoin since the venture started operating in the market last summer, including related to the level of information about the processing Worldcoin provides; the collection of data from minors; and how withdrawal of consent is not allowed.

“The processing of biometric data, considered in the [GDPR] as having special protection, entails high risks for people’s rights, taking into account their sensitive nature. Consequently, this precautionary measure is a decision based on exceptional circumstances, in which it is necessary and proportionate to adopt provisional measures aimed at the immediate cessation of this processing of personal data, preventing its possible transfer to third parties and safeguarding the fundamental right to personal data protection,” it wrote.

Controversy has dogged Worldcoin’s effort to sign people up to a proprietary biometric system whose makers claim will let them use a unique identifier, aka the World ID, to verify their humanness online. Crypto comes into the mix as it provides eponymous tokens as quasi-payment for the iris scans that generate the unique identifier.

Privacy and data protection concerns are rife, given the sensitive nature of the data being processed (eyeball scans); the purported purpose (creating a unique and irrevocable identifier); opacity around the entities responsible for processing people’s data (which include a mix of for-profits and foundations, including a self-declared “type of non-profit” that’s incorporated in the Cayman Islands); and the use of blockchain and crypto, to name a few of the issues.

Back in December the AEPD confirmed to TechCrunch it had received a complaint against Worldcoin — which it told us then it was “analyzing”. We’ve reached out to the authority with questions today but it appears to have received further complaints since then, leading to the decision to trigger GDPR Article 66 powers.

Worldcoin’s regional rollout — which took the form of a number of pop-up scanning locations in a handful of European markets, including at several locations in Spain — quickly attracted scrutiny from European privacy regulators.

An investigation was opened by France’s data protection authority last year. But the presence of a Worldcoin subsidiary in Germany meant the probe was passed to Bavaria’s DPA — as regulators determined the GDPR’s one-stop-shop (OSS) mechanism applied. (The AEPD’s press release also confirms: “The Tools for Humanity Corporation company has its European establishment in Germany.”)

Back in July the Bavarian DPA told TechCrunch its investigation of Worldcoin aimed to “clarify questions regarding the transparency and security of data processing” — including whether or not data subjects are provided with sufficient information to get a clear understanding of the processing of their data and the purposes of the processing; whether data subjects’ rights (including the right to erasure and objection; and the ability to withdraw consent) are guaranteed; and whether the company has put in place sufficient protection against unauthorised data access.

It also said then that it would be seeking to ascertain whether Worldcoin had carried out a data protection impact assessment.

We’ve contacted the Bavarian authority about the status of its investigation and will update this report with any response.

The fact Spain’s authority has felt the need to take unilateral action to protect local users suggests differences of opinion among DPAs about the best course of action to take. It may also be concerned about the length of time it’s taking the Bavarian authority to conclude its probe.

At the time of writing, Worldcoin’s website still lists 29 locations in Spain where people can undergo eyeball scan