The UK’s Information Commissioner’s Office (ICO) has joined other data protection regulators around the world in scrutinising the controversial biometric cryptocurrency project WorldCoin, issuing a statement announcing its intention to make enquiries.
Background
WorldCoin is the latest project from Sam Altman, co-founder of OpenAI (the company behind ChatGPT). It aims to establish a global digital system for verifying individuals’ identities. The system uses iris scans to verify identities and to distinguish humans from AI bots online. The biometric scanning is performed by devices referred to as “orbs”, currently produced and distributed by WorldCoin. In return, WorldCoin issues a “World ID”, a digital identifier that could potentially serve as an alternative to traditional login methods for websites, mobile apps and decentralised applications. As of 13 July 2023, WorldCoin reported that over 2 million people worldwide had signed up for a World ID [1], and announced that its “Sign in with Worldcoin” feature is available on Okta’s Auth0 Marketplace, a leading platform for single sign-on services [2].
The ICO’s Response
Following WorldCoin’s launch in the UK, the ICO issued a statement [3] emphasising that organisations must conduct a Data Protection Impact Assessment (DPIA) before starting any processing likely to result in a high risk to individuals, such as the processing of special category biometric data. If an organisation identifies high risks that cannot be mitigated, it must consult the ICO before proceeding. The statement also stressed that organisations must have a clear lawful basis for processing personal data and, where consent is relied upon, that consent must be freely given and capable of being withdrawn without any detriment to the individual. Finally, the ICO noted that it would be making enquiries. WorldCoin has since confirmed that it prepared a DPIA with the help of an external law firm [4].
The ICO has been active in policing cases involving biometric data, demonstrating its readiness to enforce compliance through fines and enforcement notices. For example, in May 2022 the US-based facial recognition company Clearview AI was fined by the ICO and ordered to erase all data of UK residents from its databases. The company was penalised for scraping images of faces from the internet and using the resulting biometric data for facial recognition, a practice that involved over 20 billion images of individuals’ faces [5]. The ICO also issued an enforcement notice to HM Revenue and Customs (HMRC) in May 2019 over HMRC’s unlawful processing of the biometric data of approximately 7 million customers through a voice authentication system on its helpline. The ICO instructed HMRC, and any suppliers involved in processing the biometric data, to delete over 5 million customer records for which explicit consent had not been obtained [6].
Similarly, in the EU the misuse of biometric data led to Sweden’s data protection authority issuing its first fine under the EU General Data Protection Regulation (GDPR) in 2019. The authority fined a municipality for unlawfully processing sensitive biometric data to monitor student attendance at a school [7].
If the ICO does proceed to investigate and finds compliance failures, it has the power to fine WorldCoin up to the higher of £17.5 million or 4% of its total annual worldwide turnover. It could also issue an enforcement notice requiring the deletion of UK users’ data.
The Global Response
Privacy concerns over WorldCoin have been echoed by other data protection authorities. The Bavarian State Office for Data Protection Supervision (DPS) in Germany has been scrutinising WorldCoin since November 2022 because of its extensive handling of sensitive data. Similarly, the French National Commission for Informatics and Liberty (CNIL) has questioned the legality of WorldCoin, particularly the conditions under which it stores biometric data. The CNIL began its own investigation into WorldCoin and then passed its preliminary findings to the DPS after establishing that the DPS is WorldCoin’s lead supervisory authority in the EU under the GDPR “one-stop shop” mechanism; the DPS has since been conducting the investigation with support from the CNIL as needed.
Taking things one step further, Kenya’s Ministry of the Interior and National Administration suspended WorldCoin’s ability to collect new user data pending an investigation by government agencies. The Kenyan Office of the Data Protection Commissioner (ODPC) had already expressed concerns about WorldCoin’s methods of data collection and storage. In a joint statement with the Communications Authority of Kenya [8], the ODPC advised the public to be cautious when using WorldCoin, citing uncertainty over the security and storage of biometric data, insufficient information about WorldCoin’s cybersecurity policies, and questions about whether valid consent can be obtained when individuals are offered a monetary reward in exchange for their data [9].
Argentina’s Agency for Access to Public Information has become the latest data protection authority to express concern about WorldCoin, further intensifying the global scrutiny the company faces [10]. The agency has launched an investigation into WorldCoin’s collection, storage and use of personal data.
What’s Next?
As technology is increasingly used in new ways involving personal data, privacy regulators are becoming increasingly vocal. The regulators’ official findings, and WorldCoin’s response to them, will be worth watching over the coming months. This latest round of regulatory scrutiny highlights the balance that must be struck between innovation and privacy, and the need for innovative projects to put robust data protection measures in place from the outset or risk being shut down.