Worldcoin Faces New Ban Order in Europe Over Concerns About Children's Safety

Worldcoin Faces Temporary Ban in Portugal, Limiting Crypto Biometric Operations in Europe

Worldcoin, the controversial crypto biometrics project, has faced another setback as it receives a temporary ban in Portugal from the country’s data protection authority. This prohibitive action follows a similar three-month suspension from Spain’s DPA earlier this month. As a result, Portugal was one of the last two European countries allowing Worldcoin's proprietary iris-scanning orbs to operate, leaving Germany as the sole European market for its biometric harvesting efforts as privacy regulators respond to mounting local concerns.

The Portuguese CNPD, responsible for overseeing data protection, issued the temporary three-month ban after numerous complaints emerged about Worldcoin’s practices, particularly regarding its scanning of children’s irises. Additional concerns reflected those raised by Spain's DPA, including insufficient information provided to users about the handling of their sensitive biometric data and the lack of options for users to delete their data or withdraw consent.

Worldcoin's innovative use of blockchain technology to securely store biometrically-derived tokens leads to a situation where personal data is retained indefinitely, creating challenges for individuals seeking to manage their privacy. In contrast, EU regulations grant individuals substantial rights over their personal data, including correction, modification, or deletion. This fundamental conflict with GDPR regulations raises serious questions about Worldcoin's operational model, especially while considering troubling aspects like its financial incentives to encourage scanning, the sensitivity of biometric data, and its agenda to create an identity framework centered on “humanness.”

The project, with financial backing from Sam Altman of OpenAI, is at the forefront of ongoing discussions regarding the intersection of emerging technologies and personal privacy, raising concerns about how these advancements might impact the understanding of human versus artificial interactions online.

The CNPD reported receiving "dozens" of complaints regarding Worldcoin last month, estimating that over 300,000 individuals in Portugal have participated in iris scans in exchange for the cryptocurrency. The authority observed nearly a doubling of its locations for iris-scanning within a six-month period, leading to the implementation of a pre-booking system due to increased demand.

Highlighting the risks to children's data, the CNPD emphasized that Worldcoin’s operators lacked age verification protocols, raising alarms about potential access to biometric scanning for minors.

"Biometric data is classified as special data under GDPR and thus requires heightened protection due to the significant risks associated with its processing," the CNPD stated. "Minors are particularly vulnerable and must be afforded extra protection under both national and EU laws, as they may not fully grasp the risks and implications of personal data processing."

Worldcoin has been given 24 hours to adhere to the local suspension order. Following this mandate, the Worldcoin.org website no longer lists Portugal among the countries where iris scans can be scheduled, indicating compliance with the directive.

Interestingly, Germany remains the only country in the EU where Worldcoin can continue its biometric operations, coincidentally hosting the headquarters of its developer, Tools for Humanity. Despite ongoing investigations by Bavaria’s data protection authority into Worldcoin’s activities, there has been no public action taken to date, contrasting with the urgent measures implemented by privacy authorities in Southern Europe.

Worldcoin was not successful in obtaining an injunction against Spain’s suspension earlier this month, although its appeal remains ongoing. It remains unclear if the company will seek to contest Portugal’s ban.

In response to the suspension, Tools for Humanity provided a statement from Jannick Preiwisch, its data protection officer, asserting that the organization complies with data protection regulations, including GDPR.

"The Worldcoin Foundation respects data protection authorities' roles and responsibilities, particularly the CNPD in Portugal," the statement asserted. "We have been fully transparent since commencing our verification services in Portugal and are addressing all concerns raised by the CNPD, including those involving underage sign-ups, which we do not tolerate."

Inquiries to the Bavarian DPA regarding its investigation revealed that the probe is ongoing. A spokesperson confirmed their engagement with Tools for Humanity to establish reliable measures for preventing potential misuse of their services, reiterating their examination of over 20 complaints related to the processing of minors’ data.

As the lead data protection authority, Bavaria’s DPA is tasked with conducting several investigations regarding privacy complaints directed at Worldcoin. Following GDPR provisions, they will draft a report for peer review by other authorities, which may object if they disagree with the findings. Given that strong consensus is usually required for decisions impacting cross-border cases, this could mitigate the risk of weaker enforcement of GDPR regulations.

While the CNPD clarified that it did not invoke Article 66 of GDPR for the temporary ban, it emphasized that it launched its investigation independently in August 2023, amid uncertainties regarding which entities held legal responsibility for data processing under the Worldcoin project.

The CNPD noted, “Given the current circumstances, including illegal processing of minors’ biometric data and possible violations of GDPR standards, we perceived high risk to citizens' fundamental rights, prompting an urgent intervention to avert serious harm.”

In concluding remarks, CNPD president Paula Meira Lourenço asserted, “This temporary ban on biometric data collection by Worldcoin Foundation is a vital and justified measure to safeguard the public interest, particularly the rights of minors.”

This article has been updated with comments from both Worldcoin and the Bavarian DPA. The correction regarding the CNPD not relying on Article 66 powers has been made, clarifying the identification of responsible entities within the Worldcoin structure.

Keep updated with the latest developments around Worldcoin and its regulatory challenges in the evolving landscape of crypto and biometric data privacy.