A German subsidiary involved in Sam Altman’s controversial crypto blockchain digital identity business, Worldcoin, was reported Friday to have filed a legal challenge against a suspension order from Spain’s data protection authority. It also told us it has paused services in the market.
Earlier this week it emerged that the Spanish authority, the AEPD, had instructed Worldcoin to temporarily stop scanning people’s eyeballs or further processing data already collected from people in the market.
As we reported Wednesday, the AEPD announced an Article 66 “urgency procedure” against Worldcoin under the European Union’s General Data Protection Regulation (GDPR), saying it was acting after receiving a number of complaints. Issues of concern it cited include the level of information Worldcoin provides about the processing; the collection of data from minors; and how withdrawal of consent is not allowed. It also emphasized the sensitive nature of the biometric data involved, which it said entails “high risks for people’s rights”.
While Worldcoin’s operating company, Tools for Humanity, is considered “main established” in Germany, which allows it to avail itself of streamlined regulatory oversight via the GDPR’s one-stop-shop mechanism — with the Bavarian DPA (aka BayLDA) acting as its lead authority for oversight and investigating complaints — the regulation contains powers that permit any other DPA to issue temporary orders, lasting up to three months, if it believes there is an “urgent need” to act to protect locals’ rights.
Such orders only apply in the authority’s own market, rather than being EU-wide. So the AEPD’s temporary ban on Worldcoin only applies in Spain.
Despite the GDPR providing for urgent interventions by non-lead DPAs, Worldcoin is challenging the AEPD’s order.
The development was first reported in German press. A spokeswoman for Worldcoin, Rebecca Hahn, emailed a link to the report published by Schwäbisch, saying she wanted to draw it to TechCrunch’s attention. She also sent a statement (below), attributed to Worldcoin, in which Tools for Humanity claims its eyeball-scanning business is “fully compliant” with all EU laws pertaining to biometrics, data transfer, data processing and data protection. The statement also accuses the AEPD of circumventing “accepted EU process and rules” — which it claims has left it “little recourse” but to file suit.
Here’s Worldcoin’s statement in full:
Worldcoin is fully compliant with all laws and regulations governing biometric data collection and data transfer, including Europe’s General Data Protection Regulation (“GDPR”). As such, we have been in consistent and ongoing dialog with our lead Data Privacy Authority in the EU, BayLDA, for months. We were disappointed that the Spanish regulator circumvented the accepted EU process and rules, which leaves us little recourse but to file suit.
Hahn did not respond to questions asking for more details about the legal arguments Tools for Humanity intends to make against the AEPD’s order, or to questions asking her to confirm whether Worldcoin and its operators in Spain have complied with the local order to stop scanning and processing data of people from the market.
Update: Worldcoin told us it has “paused” operations in Spain. It has also published a blog post confirming a suit has been filed against the AEPD’s order.
The AEPD was contacted for comment on Worldcoin’s challenge — but had not responded at press time.
According to Schwäbisch’s report, Worldcoin was “largely developed” in Erlangen in Bavaria, Germany. It names the German computer scientist, Alex Blania (pictured above), as a co-founder of Tools for Humanity, along with OpenAI’s Altman. Blania’s LinkedIn profile lists him as based in San Francisco.
At the time of writing, the Worldcoin.org website still lists five “pop-up” locations in Spain (three in Barcelona, one in Madrid and one in Malaga) where it says people can go and get their eyeballs scanned by one of Worldcoin’s proprietary orbs. However, on Wednesday, Worldcoin’s site was listing 29 locations around the country where people could go and have their biometrics harvested in exchange for a few crypto tokens, which suggests it may be in the process of shuttering scanning ops in the market.
One of the controversies around the business is that it’s acquiring people’s sensitive biometrics in exchange for a form of payment. Worldcoin claims users are consenting to their data being processed for its purpose. But in the EU, the GDPR requires consent to be freely given, and a financial reward creates an obvious incentive that may mean people are not able to freely consent as the law understands it.
Other GDPR concerns about Worldcoin include the transparency and fairness of the processing; issues over data subjects’ rights, such as the right to have personal data deleted; risks to minors; and questions about data transfers and security.
The BayLDA’s investigation of whether Worldcoin complies with the GDPR, which started last year, remains ongoing. But yesterday the authority told us it expects to send a draft decision with its findings to the other European data protection authorities for review “very soon”.
Under the GDPR, other authorities with concerns about cross-border processing may raise objections to a draft decision if they disagree with the lead authority’s findings. If that happens, disputes over decisions are either resolved via majority votes or, if DPAs remain split, the European Data Protection Board gets a casting vote. This means that even though the regulation allows for oversight of entities like Worldcoin to be led by a single authority, it has been designed to ensure other concerned authorities remain involved in decisions that affect users in their own markets.
In Catalonia, the autonomous community in Spain where Worldcoin currently lists the most pop-ups (three) for eyeball scanning, local press recently reported that the regional government had responded to concerns about the company’s biometric scanning ops by publishing an article containing advice and warnings from the Catalan Data Protection Authority.
The article warns about the “particularly sensitive personal data” being collected via the iris scans; the risks of harms from misuse of such data; and raises specific concerns about children’s data being harvested without the necessary consent of a parent or guardian.
The article also notes that “several” EU authorities are currently investigating whether Worldcoin complies with the GDPR.