World pauses German operations for Orb update amid regulatory faceoff

World is facing a potential cease-and-desist order in the Philippines, and has put its iris scanning stations on hold in Germany.
At the moment, the Germany section in World’s online search tool for finding an iris scanning Orb says, “We’re making improvements behind the scenes. Our Orbs will return shortly.” According to DL News, that return will include the opening of a flagship store in Munich.
World appears to have no plans to stop operating in Germany. However, its promised updates will have to satisfy German regulators. In December 2024, the country’s data protection authority, the Bavarian State Office for Data Protection Supervision (BayLDA), concluded that World’s practices posed “fundamental data protection risks for a large number of data subjects,” and as such did not comply with the European Union’s General Data Protection Regulation (GDPR).
In its 132-page enforcement order, the agency also reprimanded the company for storing plain-text iris codes in a database from July 24, 2023, to May 14, 2024.
World says it deleted the iris codes when it introduced its secure multiparty computation (SMPC) system in May 2024. And it has filed an appeal with a Bavarian court refuting BayLDA’s judgment. The court procedure is ongoing, and technically, the company is not required to stop operations during the appeals process.
German regulator believes SMPC system is up to task
For its part, BayLDA believes World is up to the task of bringing itself into compliance. DL News quotes Michael Will, president of the BayLDA, who says a change to World’s storage method in May looks like it will cut the regulatory mustard.
Will compares the SMPC system, which stores and encrypts iris biometrics across several servers, including those at UC Berkeley and the University of Erlangen-Nuremberg, to a puzzle in an Indiana Jones film.
“Like in a Harrison Ford story, as long as no one has all the puzzle pieces of this former picture, you do not have personal information,” Will told DL News. “As long as this is really enforceable and really guaranteed, we have anonymization.”
Will and his team intend to call upon external support from scientists to evaluate the process.
World has provided no timeline for resuming its operations in Germany, but says it is updating its EU terms of service and data privacy policy to reflect the changes.
Open questions need addressing in clear communications
Exactly how much this reassures investors is up for debate. An article in AI Invest suggests the lack of a timeline for resuming its services in Germany leaves “many questions about its operational future in a region known for stringent privacy regulations.”
“Countries like Germany, with the European Union’s General Data Protection Regulation (GDPR) as its backbone, have some of the strictest privacy laws globally,” the piece says. “GDPR mandates explicit consent, data minimization, and robust security measures. Worldcoin’s model has been challenged on whether it fully adheres to these principles, particularly regarding informed consent and the necessity of collecting such extensive biometric data for its stated goals.”
It says a “significant challenge” for World is “overcoming the trust deficit.”
“Clear, concise, and proactive communication about their data handling, security protocols, and the long-term benefits of their project will be crucial. The issues faced in Germany are indicative of broader global concerns.”
World standing in Philippines tenuous as NPC investigates
Like, for instance, those in the Philippines. Mlex reports that the company is facing a possible cease-and-desist order from the country’s privacy regulator, over potential violations of regulations regarding consent and data retention.
World launched operations in the Philippines in February, and immediately attracted the attention of the National Privacy Commission (NPC), which issued a statement clarifying its stance on collecting biometrics and warning the public to “exercise extreme caution” in the matter.
The NPC is now investigating whether World complies with Philippine privacy regulation, and is aiming to issue an opinion on the case within the next few months. In tandem, the NPC is developing guidelines on processing of biometric data, as the technology becomes more widespread.