German Data Protection Office Sets January Deadline for World’s GDPR Compliance

TLDR

  • German regulator BayLDA orders Worldcoin (now World) to implement GDPR-compliant data deletion protocol by January 19, 2024
  • Concerns center on biometric data collection through iris-scanning “Orbs” and compliance with EU privacy laws
  • Project has faced regulatory challenges in multiple countries including Kenya and Portugal
  • Company rebranded from Worldcoin to World in October 2024, launching updated Orb devices
  • World plans to appeal the German regulator’s decision

The Bavarian State Office for Data Protection Supervision (BayLDA) has ordered World, formerly known as Worldcoin, to establish a GDPR-compliant data deletion protocol by January 19, 2024. The crypto-based digital identity project, co-founded by OpenAI CEO Sam Altman, must now address concerns about its handling of sensitive biometric data.

BayLDA’s investigation centered on World’s flagship technology, the World ID system, which uses devices called “Orbs” to scan users’ eyes. These scans create unique digital identifiers designed to verify that individuals are real people rather than automated bots.

The regulatory body’s president, Michael Will, emphasized the importance of protecting user rights in this case. “With today’s decision, we are enforcing European fundamental rights standards in favor of the data subjects in a technologically demanding and legally highly complex case,” Will stated in the announcement.

The General Data Protection Regulation (GDPR) serves as the European Union’s primary framework for protecting personal data and privacy. It sets strict rules for how companies can collect, process, and store user information. BayLDA’s investigation revealed that World’s earlier data collection practices, which involved storing iris codes in centralized databases, did not meet GDPR standards.

In response to regulatory scrutiny, World voluntarily paused some of its operations across EU countries during the investigation. The company also introduced updates to improve its compliance with data protection regulations. However, these changes did not fully address the regulator’s concerns.

Despite World’s implementation of cryptographic protocols that split iris codes into encrypted fragments to anonymize data, BayLDA determined that additional changes were necessary to protect user privacy. The regulator has ordered the deletion of all data collected without a proper legal basis.

The company launched in 2023 with the introduction of “proof of personhood,” aiming to create a network of verified human users. This concept quickly drew attention from regulators worldwide, leading to temporary bans in several countries including Kenya and Portugal.

In October 2024, the project underwent a rebranding from Worldcoin to World and introduced an updated version of its Orb device. The new Orbs feature 30% fewer parts and triple the production capacity compared to their predecessors. These devices were first deployed in Berlin, Germany, in July 2023.

The project’s deployment in Germany prompted investigations from both German and French privacy watchdogs. France’s privacy regulator, CNIL, raised questions about the legality of World’s data collection and storage methods, describing them as “questionable.”

World has stated its intention to appeal BayLDA’s decision, though the company has not provided specific details about its planned response. The regulatory order requires World to implement clear protocols for users who wish to exercise their right to have their data erased.

The current regulatory action focuses specifically on ensuring that World’s data deletion processes comply with GDPR requirements. Users who have provided their iris data to World must have unrestricted ability to enforce their right to erasure under the new protocols.

Privacy advocates have consistently expressed concerns about World’s approach to biometric data collection since the project’s launch. Critics have labeled the initiative as potentially intrusive and raised questions about its data protection measures.

BayLDA’s investigation highlighted fundamental data protection risks associated with processing sensitive biometric information. The regulator’s order emphasizes the need for explicit user consent in specific data processing steps.

The company must now demonstrate that its data handling practices align with European privacy standards while maintaining its ability to verify unique human identities through its technology.

World has not responded to requests for comment on the regulatory decision or its plans for implementing the required changes.

Source: https://blockonomi.com/german-data-protection-office-sets-january-deadline-for-worlds-gdpr-compliance/