The upcoming weeks could prove crucial for Worldcoin, the contentious eyeball-scanning cryptocurrency project co-founded by OpenAI’s Sam Altman. Currently, Worldcoin’s operations are largely halted across the European Union due to a slew of privacy complaints from countries including France, Germany, Portugal, and Spain.
As of now, Germany remains the only EU country where Worldcoin continues to scan eyeballs, primarily because its developer, Tools for Humanity (TfH), has a local office there. This situation may change soon, pending the outcome of an investigation by Bavaria’s data protection authority. A spokesperson for the authority indicated that a decision is expected by mid-July.
The investigation by Bavaria’s data protection watchdog began after Worldcoin’s global launch in July 2023. EU privacy complaints allege that Worldcoin violates the General Data Protection Regulation (GDPR), which governs the processing of personal data. GDPR violations can result in fines up to 4% of global annual turnover, and authorities can order non-compliant data processing to cease.
This is particularly significant for Worldcoin, which converts a person’s eyeball scan into an immutable identity token stored on a blockchain. If found non-compliant, Worldcoin might be barred from the EU unless it can allow for the deletion of personal data on request—something blockchains typically do not support.
Concerns have also been raised about the legal basis for processing sensitive biometric data and whether Worldcoin meets GDPR’s transparency and fairness requirements. Critics argue that incentivizing individuals to hand over biometric data in exchange for cryptocurrency conflicts with GDPR, which requires consent to be freely given.
Additionally, some EU regulators have imposed temporary bans on Worldcoin due to concerns about risks to minors. Spain’s data protection authority recently ordered Worldcoin to halt data collection for three months after reports of minors’ eyeballs being scanned. Portugal followed with a similar order.
Despite these bans, German regulators have allowed Worldcoin to continue operating while the Bavarian investigation is underway. However, measures have been implemented, such as an 18+ age restriction for submitting iris scans.
Spain’s data protection authority announced that Worldcoin agreed not to relaunch its operations in Spain after the temporary ban expires. Worldcoin has committed not to resume its activities in Spain until the Bavarian investigation is concluded or until the end of the year.
Worldcoin has reportedly introduced changes to its operations, including advanced age verification controls and the possibility of deleting iris codes. However, it remains unclear whether transforming iris codes into Secure Multi-Party Computation (SMPC) shares meets GDPR’s data deletion requirements.
The final decision from the Bavarian data protection authority is anticipated soon. If there is disagreement among EU data protection authorities, the European Data Protection Board may need to intervene and make the final determination.