Controversial crypto biometrics venture Worldcoin has been almost entirely booted out of Europe after being hit with another temporary ban — this time in Portugal. The order from the country’s data protection authority comes hard on the heels of a similar-looking three-month stop-processing order from Spain’s DPA earlier this month.
Portugal was one of just two European countries left where Worldcoin was still operating its proprietary eyeball-scanning orbs after Spain’s ban. This leaves Germany as the only market where it’s currently able to harvest biometrics in Europe as privacy watchdogs take urgent action to respond to local concerns.
Portugal’s data protection authority said it issued the three-month ban on Worldcoin’s local ops Tuesday after receiving complaints Worldcoin had scanned children’s eyeballs.
Other complaints cited in its press release announcing the suspension, which it notes was issued Monday, also mirror Spain’s DPA’s concerns — including insufficient information being provided to users about the processing of their sensitive biometric data; and the inability of users to delete their data or revoke consent to Worldcoin’s processing.
The venture’s use of blockchain technology to store tokens derived from scanned biometrics means the system is designed to retain personal data permanently — without recourse for people to erase their information after the fact.
By contrast, EU data protection law gives people in the region a suite of rights over their personal data, including the ability to have data about them corrected, amended or deleted. So there’s an inherent legal conflict with Worldcoin’s approach — even before you consider other problematic issues like the quasi-financial incentive it offers to encourage people to get scanned; the highly sensitive biometric data involved; and its overarching goal of building and operating an identity layer for “humanness”.
The controversial project is backed by Sam Altman, of OpenAI fame, who is simultaneously supercharging the boom in generative AI tools that are making it harder for people to distinguish between artificial (machine-produced) and human activity online in the first place. Next stop: Rent collection on every online human on Earth?
The Portuguese authority, the CNPD, said it took action after receiving “dozens” of complaints about Worldcoin last month.
It estimates more than 300,000 people in Portugal have submitted to having their irises scanned by its proprietary Orbs in exchange for some Worldcoin, a cryptocurrency also devised by the company, noting that the number of locations where it was offering eyeball-scanning almost doubled in six months. It added that the large influx of people trying to take up the offer of cryptocurrency in exchange for an eye-scan led to Worldcoin instigating a pre-booking system for scanning in the market.
On risks to children’s data, the CNPD notes Worldcoin’s orb operators had no age verification in place — suggesting it was not taking robust steps to prevent children from accessing the technology.
“Biometric data qualifies as special data under GDPR [General Data Protection Regulation] and therefore enjoys increased protection, with the risks of its treatment being high,” it wrote [in Portuguese, this is a machine translation]. “On the other hand, minors are particularly vulnerable and are also subject to special protection under national and European law, as they may be less aware of the risks and consequences of the processing of their personal data, as well as their rights.”
The Portuguese authority gave Worldcoin 24 hours to comply with the local stop processing order.
Given the Worldcoin.org website no longer includes Portugal in the dwindling list of countries where eyeball scans can be booked (as noted above Germany is the only European country left, alongside Argentina, Chile, Japan, Singapore and the U.S.) it appears to have complied with the deadline.
Coincidentally or not, Germany is the EU market where Worldcoin developer, Tools for Humanity, has a regional base. Its co-founder, Alex Blania, is also German. Bavaria’s data protection authority, which leads on data protection oversight of the company in some other cases and has been investigating Worldcoin since last year, has yet to take any public intervention despite peer authorities in Southern Europe making urgent interventions to protect citizens in their own markets.
Worldcoin failed to get an injunction against the Spanish order earlier this month, although its appeal against the DPA’s action continues. It’s not clear whether it intends to try to appeal Portugal’s order.
Tools for Humanity (TFH) was contacted for a response to the latest ban order in the EU. Spokeswoman, Rebecca Hahn, has now sent a statement (below) attributed to Jannick Preiwisch, data protection officer, at the Worldcoin Foundation, in which it claims to be “fully compliant with all laws and regulations governing the collection and transfer of biometric data, including Europe’s General Data Protection Regulation”.
“The Worldcoin Foundation has the utmost respect for the role and responsibilities of data protection authorities, in the CNPD in Portugal,” he adds. “Since offering humanness verification services in Portugal, we have been completely transparent and happy to address CNPD’s questions or concerns. The report from CNPD is the first time we are hearing from them regarding many of these matters, including reports of underage sign-ups in Portugal, for which we have zero tolerance for and are working to address in all instances, even if a matter of a few reports.”
We also reached out to the Bavarian DPA for an update on its investigation. A spokesperson for the authority told us its probe remains ongoing. “Based on our role as lead supervisory authority for World Coin Foundation we are in contact with the controller to establish as quick as possible reliable precautionary measures stopping possible misuse of the services and violations of the terms of services,” they added, saying they are currently examining more than 20 complaints from data subjects in Spain which touch on the question of processing minors’ data.
As TFH’s lead DPA, under the one-stop-shop (OSS) mechanism in bloc’s General Data Protection Regulation (GDPR), it is responsible for investigating a number of privacy and data protection complaints about the company.
This structure means the Bavarian DPA will produce a draft decision on its Worldcoin GDPR investigation for peer authorities to review. Other authorities will then have the chance to object if they do not agree with its findings. The regulation requires majority backing for decisions on cross-border cases, which allows for weaker enforcements to be overruled where there is a consensus that stronger measures are warranted. This in turn allows for forum shopping risks inherent to the GDPR’s OSS mechanism to be mitigated, albeit over a longer time-frame.
The GDPR’s Article 66 powers, which Spain is using for its temporary, local ban on Worldcoin, also provide authorities with tools to respond to urgent risks in cases where a lead authority has yet to act and/or is dragging its feet.
However Portugal’s DPA told us it is not relying Article 66 powers in this case. Rather it said it instigated its own volition enquiry into the Worldcoin project, back in August 2023, when it was not clear to it which of the various involved entities was legally responsible for the data processing.
“Based on the declarations provided by both companies… [Cayman Island-based] Worldcoin Foundation presents itself as data controller of the biometric data and other related data processing with the World ID, and [US-based] Tools for Humanity Corporation is the processor for that data processing and it is the controller for the World App data processing,” a spokesperson for the authority told us. “Therefore, since Worldcoin Foundation is the controller of the biometric data from July 24, 2023, and TFH is only the processor, we did not refer any complaint to Germany as the one-stop-shop does not apply to this specific data processing.”
Neither the Spanish nor Portuguese authority has explicitly called out the Bavarian authority for taking too long to investigate TFH. But the fact of other DPAs making their own urgent interventions speaks volumes.
“Given the current circumstances, in which there is an illegality in the processing of biometric data of minors, associated with potential violations of other GDPR standards, the CNPD understood that the risk to citizens’ fundamental rights is high, justifying urgent intervention to prevent serious or irreparable harm,” the Portuguese authority noted, saying it will continue to investigate Worldcoin’s local activity.
In a statement, the CNPD’s president, Paula Meira Lourenço, added: “This order to temporarily limit the collection of biometric data by the Worldcoin Foundation is, at this moment, an indispensable and justified measure to obtain the useful effect of defending the public interest in safeguarding fundamental rights, especially of minors.”
This report was updated with comment from Worldcoin and the Bavarian DPA. We also made a correction after Portugal’s DPA told us it is not relying on the GDPR’s Article 66 powers for its stop-processing order, as we originally reported. It said this is because it identified US- and Cayman Island-based entities attached to the local Worldcoin operations as the responsible entities in this case — meaning the one-stop-shop does not apply