Utilizziamo cookie tecnici per personalizzare il sito web e offrire all’utente un servizio di maggior valore. Chiudendo il banner e continuando con la navigazione verranno installati nel Suo dispositivo i cookie tecnici necessari ai fini della navigazione nel Sito. L’installazione dei cookie tecnici non richiede alcun consenso da parte Sua. Ulteriori informazioni sono contenute nella nostra Cookie Policy.



Where’s my Iris?

PrintMailRate-it

​​​​​​​​​​​​​​​​​​​​​​published on 29 April 2024 | reading time approx. 4 minutes


Early in March, the Spanish Data Protection Authority (the ‘Authority’ or ‘AEPD’ for its acronym in Spanish) issued an interim injunction preventing Worldcoin from continuing the processing of personal data in Spain. The measure carried out by the Authority involves the temporary cessation of collecting and processing personal data in Spain through biometric data, in this case the iris, eye, and face in exchange for payment in cryptocurrencies for further processing.

Worldcoin is a cryptocurrency created by Tools for Humanity (TFM), which offers users access through iris scanning, a biometric data considered as special category of personal data under Article 9 of the Regulation (EU) 2016/679 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (GDPR). 

This process generates a unique and non-transferable identity that authenticates individuals on the network. Faced with complaints and uncertainty about the processing of this data, the Authority has ordered TFM to immediately detain the accumulation and processing of personal data in Spain, including iris, eye, and face scanning, as well as locking the data already captured.

The importance of this measure involves that the AEPD has initiated the urgency procedure under Article 66 of the abovementioned regulation, allowing the Authority to adopt provisional measures for a period of three months. This decision is based on complaints coming from Madrid and Barcelona that question the legality of the activities carried out by TFM, suggesting that they might be collecting biometric data, including those minors of age, without obtaining free, specific and informed consent as required by Article 4 (11) of the GDPR. These requirements are necessary to lift the prohibition on the use of sensitive data.

Therefore, Article 9 of the GDPR states that the processing of personal data revealing biometric data will not be prohibited if the data subject explicitly consents and the specific purposes of the processing are known. The measure taken by the Authority does not imply that these requirements are being breached but rather that there are suspicions that they are not being fully complied with. The Audiencia Nacional (the court in which the measure has been appealed) has supported the AEPD and considered that the general interest in safeguarding personal data has to be protected over the financial interest of the company, as in the end, if the legality of Worldcoin's activity is finally accredited, it would be compensable any damages incurred. 

The main concern for the Authority resides in the processing of these data that allow the unequivocal identification of a person, being minors of age, which are the most vulnerable as they do not receive adequate information according to the complaints about the purpose of their data. Spanish legislation and guidelines on the granting of consent proceeding from individuals who are minors of age stipulate that the controller must provide at least basic information, including identity, the purposes of the processing, the recipients of the data, and the exercise of rights (article 13.1 GDPR). About the purposes of the processing, both the Audiencia Nacional and the Authority consider that there is evidence that WorldCoin has not adequately complied with, as the complaints indicate, the information provided is not sufficient and that the revocation of consent only involves uninstalling the application.

The WorldCoin company submitted a statement by claiming a commitment to privacy, promoting a "privacy-first" approach, stating that privacy is a fundamental human right and that individuals should have control over their identity, while in practice processing personal data as intimate as iris scans. 

In addition, Worldcoin considers it a safer way to validate the identity of users with iris scanning than with traditional methods such as passwords and verification codes, which begs the question: Safer for whom? 

The question will have to wait for the resolution by the AEPD regarding the lawfulness of Worldcoin's actions in Spain for the data processing.

Authors:
Inés Olalquiaga
Jorge Cabet - Senior Associate

DATA PROTECTION BITES

Read all releases »​​​​​​

contact

Contact Person Picture

Patricia Ayala Jiménez

Abogado

Partner

+34 91 5359 977

Invia richiesta

RÖDL & PARTNER SPAIN

​​Discover more about our offices in Spain. Read more »
Skip Ribbon Commands
Skip to main content
Deutschland Weltweit Search Menu