World does not comply with GDPR, says German regulator

The iris biometrics and digital identity project World has been chastised again, this time by German regulators, who have dealt a heavy blow to the company’s standing in Europe.  World, for its part, has announced that its World App has surpassed 20 million users.

A report from Euro News says a months-long investigation by Germany’s data protection authority, the Bavarian State Office for Data Protection Supervision (BayLDA), has concluded that World’s identification procedure “entails a number of fundamental data protection risks for a large number of data subjects.”

As such, says BayLDA, it does not comply with the European Union’s General Data Protection Regulation (GDPR), and World – previously known as Worldcoin – has been ordered to begin deleting data, as per the rules.

“With today’s decision, we are enforcing European fundamental rights standards in favour of data subjects in a technologically demanding and legally highly complex case,” says BayLDA president Michael Will. “All users who have provided ‘Worldcoin’ with their iris data will in future have the unrestricted opportunity to enforce their right to erasure.”

With roots in Germany, World pledges commitment to Europe

World has already appealed the decision and has asked regulators for “judicial clarity on whether the processes and, in particular, the Privacy Enhancing Technologies (PETs) deployed by World Network meet the legal definition for anonymisation in the EU.”

It is not likely to let go of its claim to Europe easily. The firm responded to suggestions it was backing away from the EU and its sticky biometric privacy regulations by doubling down on its commitment to the continent.

World maintains European headquarters and a manufacturing facility in the German state of Bavaria.

‘We don’t do that anymore’: TFH CPO says company has changed

Damien Kieran is the chief privacy officer for Tools for Humanity, the San Francisco company that was initially called Worldcoin’s parent, but has since been re-framed as a service provider.

He says the German regulator’s decision is based on old processes that have been discontinued, wherein scanned irises were stored in a database.

These days, World claims no ownership of the iris codes, which are encrypted then deleted from their systems. The cryptographic protocol separates the code into three pieces. Those pieces are stored in databases owned by third parties, which include the University of Berkeley, Zurich, Friedrich-Alexander-Universität Erlangen-Nürnberg (FAU) university and NeverMind.

Kieran also says Michael Will actually likes World, but is “under a lot of pressure, because I think it’s a complicated environment to be a lead supervisory authority in the EU at the moment.”

To Orb or not to Orb? That is the question

World claims it needs “a clear definition around anonymization” to be able to protect people from getting lost in a sea of AI. While it has tussled with regulators globally, it is currently available in Argentina, Austria, Chile, Colombia, Ecuador, Germany, Japan, Mexico, Peru, Poland, Singapore, South Korea, and the U.S.

And, as expected, it has no plans to slow down in Europe. Kieran says plans are afoot to roll out the technology in Ireland, the UK, France and Italy. It also aims to return to Spain and Portugal, both of which suspended its activities earlier this year over data privacy concerns.

But it will all hinge on the GDPR – which, as of right now, says No Orbs Allowed.

Article Topics

Bavarian State Office for Data Protection Supervision (BayLDA)  |  biometrics  |  data protection  |  digital ID  |  GDPR  |  Germany  |  Tools for Humanity  |  World  |  World ID