It took a lot more than the initially slated few weeks to arrive, but a pivotal privacy decision that’s been hanging over Sam Altman’s World (aka Worldcoin) for months has finally landed, via a late December decision from the Bavarian data protection authority enforcing the European Union’s General Data Protection Regulation (GDPR), a comprehensive privacy framework that allows for sanctions that can reach up to 4% of global annual turnover.
The outcome doesn’t look like what the eyeball-scanning crypto identity venture was hoping for: It has been issued with a corrective order that requires it to comprehensively delete user data on request.
“All users who have provided ‘Worldcoin’ with their iris data will in future have the unrestricted opportunity to enforce their right to erasure,” said Michael Will of the Bavarian State Office for Data Protection Supervision in a press statement.
The biometric venture has been given one month from the Bavarian authority’s decision date to implement a deletion procedure “that complies with the provisions of the GDPR” — so mark your calendars for early 2025.
A further component of the Bavarian order requires Worldcoin to obtain explicit consent for what the press statement (vaguely) describes as “certain processing steps in the future.”
We’ve asked for more details but this suggests World’s onboarding process will have to provide EU users with more information prior to eyeball scans being taken. It has also been ordered to delete “certain data records previously collected without a sufficient legal basis,” per the statement.
In addition to our questions about the substance of what’s been ordered, we’ve asked the Bavarian authority why no penalty has been issued for what appear to be a number of GDPR breaches.
World has responded to the corrective order by saying it will lodge an appeal.
Update: The Bavarian authority told us its enforcement timelines are suspended pending World’s appeal.
The DPA also confirmed that the deletion order pertains to “biometric templates” linked to iris scans which are stored by World in a “normal database” and can therefore be deleted.
“As we regard the whole data set as not (yet) anonymous, it’s now up to World/coin to demonstrate [how] they change their processing structure to meet the requirement of deletion — if necessary even by deleting several or all fragments,” Will told us.
On legal basis, he added: “In our analysis there is no other possible legal basis [than] explicit consent for this specific service/processing activities.”
Tricky ask
Why does a requirement to let users ask for their data to be deleted, a right that’s baked into the European regulation as part of the GDPR’s suite of individuals’ data access rights, look so tricky for World[coin]? The proof-of-humanness blockchain project’s jam is that it’s building a system of immutable and unique IDs for verifying identity remotely. So if a person can edit all trace of themselves out of its ledger simply by asking, it’s a challenge to its ambition of becoming a world-spanning authority on human verification.
Tools for Humanity (TfH) spokeswoman, Rebecca Hahn — who does comms for the entity that develops Worldcoin — said its grounds for appeal will focus on claims that World’s technical architecture is “privacy-preserving” and that this results in user data being anonymized.
The implication is that GDPR data access rights (such as being able to ask for deletion) should not apply, since truly anonymous data falls outside the scope of the law.
Responding on why World is so reluctant to let users delete data, Damien Kieran, TfH’s chief privacy officer, told TechCrunch: “Our goal is to increase trust in digital interactions. To do that, we created the World’s first anonymous digital passport to prove humanness. That means a person can anonymously verify they are a real human on a platform like X [which happens to be Kieran’s former employer], solving problems such as bots once and for all.
“Key to that is ensuring that if an anonymous person abuses a platform’s policies and the platform suspends them, that person cannot delete their World ID, create a new one, and go back to X presenting themselves as a new human. Thus, to meet our goals of increasing trust online in the intelligence age, we had to ensure we did this in a way that anonymized the underlying data, meaning it can’t be deleted, and ensures that bad actors can’t abuse the World network and other platforms.”
Kieran added that World ID holders “can always delete their personal data, which resides solely on their phone.”
However, basic account data isn’t where this GDPR battle is focused. It’s about information that can be used to uniquely identify an individual.
Earlier this year World introduced an open source Secure Multi-Party Computation system which it claimed “allows iris codes to be encrypted as secret shares and distributed over multiple participants” — without the need for the codes to be decrypted in order for identity checks to take place.
The suggestion is that this technical architecture transforms iris codes through subsequent processing, including encryption and sharding, in a way that limits individual privacy risks.
As part of these changes, Worldcoin also introduced a feature letting users request deletion of their iris codes. However, the level of control it’s giving users has — evidently — been assessed as not meeting the GDPR’s standard requiring individuals to have control over their information.
And it’s important to stress that the GDPR not only sets rules to protect people’s privacy; the framework also aims to ensure individuals can have autonomy over information held about them. It’s that latter element that poses the biggest challenges to World’s proof-of-humanness mission as it does not factor in supporting that level of individual autonomy.
Fundamental rights
The Bavarian DPA said Worldcoin’s biometric-based individual verification procedure entails “a number of fundamental data protection risks for at least a large number of data subjects.” And while the authority’s statement makes a reference to “improvements” made to the venture’s data processing, it stresses that “adjustments are still required.”
The authority added that its lengthy investigation ended up centered on the need for “comprehensive erasion following withdrawal of consent,” and “the associated review of the consent process.”
“With today’s decision, we are enforcing European fundamental rights standards in favor of the data subjects in a technologically demanding and legally highly complex case,” said Will.
World’s appeal against the Bavarian corrective order does not address the crux of the data access issue head on.
Rather, it’s seeking to frame the matter as a technical question of how European law should define anonymous data. Hence its blog post about the corrective order kicks off with the line that “World ID is anonymous by design.” But trying to build momentum for a lobbying effort arguing that Europeans deserve fewer individual rights is unlikely to be regionally popular.
Worldcoin has already seen its wings clipped around the region. Enforcement action from other data protection authorities — including in Portugal and Spain — saw it subject to emergency action that shut down its eyeball scanning ops in their markets. The two DPAs raised particular concerns about the risks of children’s data being indelibly captured.
At the same time, Worldcoin — or World as it recently rebranded — has opened ops in Austria.