


Where’s my Iris?

published on 29 April 2024 | reading time approx. 4 minutes


Early in March, the Spanish Data Protection Authority (the ‘Authority’ or ‘AEPD’ for its acronym in Spanish) issued an interim injunction preventing Worldcoin from continuing the processing of personal data in Spain. The measure adopted by the Authority involves the temporary cessation of the collection and processing of personal data in Spain in the form of biometric data, in this case of the iris, eye, and face, given in exchange for payment in cryptocurrencies, for further processing.

Worldcoin is a cryptocurrency created by Tools for Humanity (TFM), which offers users access through iris scanning. The iris is biometric data, considered a special category of personal data under Article 9 of Regulation (EU) 2016/679 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (GDPR).

This process generates a unique and non-transferable identity that authenticates individuals on the network. Faced with complaints and uncertainty about the processing of this data, the Authority has ordered TFM to immediately cease the collection and processing of personal data in Spain, including iris, eye, and face scanning, and to block the data already captured.

The significance of this measure lies in the fact that the AEPD has initiated the urgency procedure under Article 66 of the abovementioned regulation, which allows the Authority to adopt provisional measures for a period of three months. This decision is based on complaints from Madrid and Barcelona that question the legality of the activities carried out by TFM, suggesting that it might be collecting biometric data, including that of minors, without obtaining free, specific and informed consent as required by Article 4 (11) of the GDPR. These requirements are necessary to lift the prohibition on the use of sensitive data.

In this respect, Article 9 of the GDPR states that the processing of biometric data will not be prohibited if the data subject explicitly consents and the specific purposes of the processing are known. The measure taken by the Authority does not imply that these requirements are being breached but rather that there are suspicions that they are not being fully complied with. The Audiencia Nacional (the court in which the measure has been appealed) has supported the AEPD and considered that the general interest in safeguarding personal data has to be protected over the financial interest of the company since, if the legality of Worldcoin's activity is finally accredited, any damages incurred would be compensable.

The main concern for the Authority is the processing of data that allow the unequivocal identification of a person, in particular of minors, who are the most vulnerable because, according to the complaints, they do not receive adequate information about the purpose for which their data is processed. Spanish legislation and guidelines on the granting of consent by minors stipulate that the controller must provide at least basic information, including identity, the purposes of the processing, the recipients of the data, and the exercise of rights (Article 13.1 GDPR). As regards the purposes of the processing, both the Audiencia Nacional and the Authority consider that there is evidence that Worldcoin has not adequately complied: as the complaints indicate, the information provided is not sufficient and the revocation of consent only involves uninstalling the application.

Worldcoin submitted a statement claiming a commitment to privacy, promoting a "privacy-first" approach, and stating that privacy is a fundamental human right and that individuals should have control over their identity, while in practice processing personal data as intimate as iris scans.

In addition, Worldcoin considers iris scanning a safer way to validate the identity of users than traditional methods such as passwords and verification codes, which raises the question: Safer for whom?

The question will have to wait for the AEPD's resolution on the lawfulness of Worldcoin's data processing in Spain.

DATA PROTECTION BITES

author


Inés Olalquiaga

+34 91 5359 977


Jorge Cabet

Abogado, Data Protection Department Spain

Senior Associate

+34 91 5359 977


RÖDL & PARTNER SPAIN