Worldcoin, the crypto-based digital identity project co-founded by OpenAI CEO Sam Altman, is under scrutiny again as German regulators demand compliance with European Union (EU) data protection laws.
The Bavarian State Office for Data Protection Supervision’s (BayLDA) investigation focused on how Worldcoin’s flagship technology, the World ID, is compliant with GDPR standards, as per a Thursday announcement.
BayLDA has ordered Worldcoin, now rebranded as World, to implement a GDPR-compliant data deletion protocol by no later than January 19.
The GDPR is a comprehensive EU law designed to protect individuals’ personal data and privacy, enforcing strict rules on how data is collected, processed, and stored.
“With today’s decision, we are enforcing European fundamental rights standards in favor of the data subjects in a technologically demanding and legally highly complex case,” said Michael Will, President of the State Office at BayDLA. “All users who have provided “Worldcoin” with their iris data will in future have the unrestricted opportunity to enforce their right to erasure.”
The World ID is generated through “Orbs,” devices that scan a person’s eyeball to create a unique digital identifier designed to verify that individuals are real people rather than bots.
However, BayLDA raised concerns over the “fundamental data protection risks” posed by processing such sensitive biometric data and its compliance with data protection rights.
Worldcoin voluntarily suspended some of its operations across EU countries during the inquiry and introduced updates to improve compliance.
The regulator flagged earlier phases of World’s data collection practices, which involved storing iris codes in centralized databases.
These activities were deemed non-compliant with GDPR, leading to an order to delete all data collected without sufficient legal basis. World is now required to secure explicit consent for certain data processing steps.
Despite implementing cryptographic protocols that anonymize data by splitting iris codes into encrypted fragments, the BayLDA determined that further adjustments were necessary.
Worldcoin has already received the German regulator’s decision and plans to appeal it, according to the agency’s statement.
World Faces Global Privacy Concerns
Worldcoin, launched in 2023, introduced a concept called “proof of personhood,” seeking to establish a vast network of users verified as humans rather than bots or AI algorithms.
However, its vision quickly drew the attention of regulators worldwide.
Countries such as Kenya and Portugal temporarily banned the project over privacy concerns.
By October, Worldcoin transitioned to its new identity as ‘World’ and unveiled an updated version of its iris-scanning “Orb” device.
These devices, with 30% fewer parts and triple the production capacity of its predecessor, were first deployed in Berlin, Germany, in July 2023.
While the initiative gained attention for its innovation, it was equally criticized by privacy advocates who labeled the project as intrusive and potentially exploitative.
Shortly after the project’s launch, France and Germany initiated investigations into its biometric data collection practices. France’s privacy watchdog, CNIL, questioned the legality of the data collection and storage processes, calling them “questionable.”
World did not immediately respond to Decrypt’s request for comment.
Edited by Sebastian Sinclair
Daily Debrief Newsletter
Start every day with the top news stories right now, plus original features, a podcast, videos and more.
