France’s privacy watchdog questions legality of Worldcoin’s biometric data collection
France’s privacy watchdog CNIL has raised concerns about the legality of Worldcoin’s biometric data collection, stating that it seems questionable
France’s privacy watchdog CNIL (The Commission nationale de l’informatique et des libertés) has expressed doubts about the legality of Worldcoin’s biometric data collection, which requires users to provide iris scans in exchange for a digital ID and free cryptocurrency. This is recognized as a risk for sensitive biometric data. CNIL has initiated investigations and determined that Germany’s Bavarian state authority has jurisdiction. The company claims to have signed up 2.1 million people, mostly in a trial over the last two years. The Worldcoin Foundation, based in the Cayman Islands, says it complies with all laws and regulations governing the processing of personal data and is committed to ensuring privacy and meeting regulatory requirements.
Following the launch of Worldcoin, a pandora box of privacy protection concerns has opened, having some European countries questioning its compliance with data protection regulations.
CNIL’s decision came after UK’s Information Commission Office (ICO) positioning on the launch of Worldcoin where it emphasized that before initiating any processing activities that may entail high risks, such as handling particular category biometric data, organizations are required to carry out a Data Protection Impact Assessment (DPIA). They added that they must seek consultation from the ICO if they encounter high risks that cannot be adequately mitigated. As people would go to the designated location and consent to scan their irises, ICO also emphasized that consent needs to be ‘freely given and capable of being withdrawn.’
A spokeswoman for Tools For Humanity, which led the development of Worldcoin and operates the World App, confirmed that consent is the legal basis for processing European biometrics data. It was also emphasized that for Worldcoing to comply with GDPR, the consent threshold should be even higher. Meaning that users would have to be informed clearly and specifically about data processing before their biometrics are harvested. At the same time, it is questionable how this could occur considering the complexity of Worldcoin’s governance structure, which may be complicated for people to understand.