Worldcoin forced to delete all records of the iris it obtained

Initially, it was positioned as one of the most interesting companies on the market: Worldcoin aimed to confirm the identity of people on the internet through an iris scan. The initiative would prevent counterfeits, crimes and facilitate identification in a digitalized world. That was the goal. But data protection acted to clarify some problems and the Spanish agency The person responsible for this made sure to keep the privacy of the users safe.

And now, the Bavarian data protection authority, the Bayerisches Landesamt für Datenschutzaufsicht (BayLDA), considers that the company did not adopt the necessary security measures for the processing of biometric data. The consequence? Worldcoin will have to delete all data related to the irises it spent months scanning in exchange for a reward of 30 euros in cryptocurrencies.

With this measure, the BayLDA has agreed with the Spanish Data Protection Agency (AEPD), which in March had ordered Worldcoin to stop the campaign and block the information it had obtained in our country. At that time, the AEPD considered that there was “indications of serious non-compliance”, which led to publishing the measure to “avoid potential irreparable damage and protect the rights of citizens.”

The BayLDA initiative (an organization whose headquarters is also where Worldcoin has its European headquarters) has ratified the precautionary measure imposed by Spainand has ordered the elimination of all stored irises given that the necessary security measures have not been adopted for the processing of biometric data.

Along with this measure, The Bavarian body requires that future iris processing be carried out on the basis of the explicit consent of the interested party and that must include the right to deletion of data. And that’s not all: BayLDA claims that Worldcoin did not implement the essential protocols to guarantee the processing of minors’ data, something that will be concluded in a new investigation.

Knowing this, Worldcoin has reacted with a statement in which, among other things, it highlights that in “an effort to go beyond the requirements of the GDPR (data protection law), Iris codes used to verify a person’s World ID are no longer storedand previously collected iris codes were voluntarily deleted to ensure that no personal data is retained to operate World ID.”

But it goes further. Not only does it ensure that some of the premises highlighted by the BayLDA are based on year-old reports, which have already been resolved, and it also highlights something to seriously consider: “Existing European law does not provide a clear standard on what constitutes anonymization – adds the statement -, and neither the Court of Justice of the European Union nor the EU data protection authorities have agreed on a guide. This makes it extremely difficult to build systems that preserve privacy and securely harness data for good in the EU. More importantly, it puts citizens at risk.”

If this is true, there is still a lot of work to be done when it comes to privacy. By everyone.